Challenge 3: displaying comments

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java

@@ -50,8 +50,8 @@ public class Challenge3 extends AssignmentEndpoint {
 
     @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
     @ResponseBody
-    public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
+    public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
-        Comment comment = new Comment();
+        Comment comment = null;
         AttackResult attackResult = failed().build();
         if (APPLICATION_JSON_VALUE.equals(contentType)) {
             comment = parseJson(commentStr);
@@ -63,10 +63,13 @@ public class Challenge3 extends AssignmentEndpoint {
             comment.setDateTime(DateTime.now().toString());
             comment.setUser(webSession.getUserName());
         }
-
+        if (comment != null) {
-        if (checkSolution(comment)) {
+            comments.add(comment);
-            attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+            if (checkSolution(comment)) {
+                attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+            }
         }
+
         return attackResult;
     }
 

webgoat-lessons/challenge/src/main/resources/html/Challenge.html

@@ -195,49 +195,6 @@
                 </div>
                 <ul class="comments-list">
                     <div id="list">
-                        <li class="comment">
-                            <div class="pull-left">
-                                <img class="avatar"
-                                     src="http://bootdey.com/img/Content/avatar/avatar1.png"
-                                     alt="avatar"/>
-                            </div>
-                            <div class="comment-body">
-                                <div class="comment-heading">
-                                    <h4 class="user">John dOE</h4>
-                                    <h5 class="time">7 minutes ago</h5>
-                                </div>
-                                <p>I really love this picture. I really wish i could have been
-                                    there.</p>
-                            </div>
-                        </li>
-                        <li class="comment">
-                            <div class="pull-left" href="javascript:void(0);">
-                                <img class="avatar"
-                                     src="http://bootdey.com/img/Content/avatar/avatar2.png"
-                                     alt="avatar"/>
-                            </div>
-                            <div class="comment-body">
-                                <div class="comment-heading">
-                                    <h4 class="user">John Doe</h4>
-                                    <h5 class="time">3 minutes ago</h5>
-                                </div>
-                                <p>I think I might you this for one of my projects.</p>
-                            </div>
-                        </li>
-                        <li class="comment">
-                            <div class="pull-left" href="javascript:void(0);">
-                                <img class="avatar"
-                                     src="http://bootdey.com/img/Content/avatar/avatar4.png"
-                                     alt="avatar"/>
-                            </div>
-                            <div class="comment-body">
-                                <div class="comment-heading">
-                                    <h4 class="user">John Doe</h4>
-                                    <h5 class="time">10 seconds ago</h5>
-                                </div>
-                                <p>Wow! This is gorgeous.</p>
-                            </div>
-                        </li>
                     </div>
                 </ul>
             </div>

webgoat-lessons/challenge/src/main/resources/js/challenge3.js

@@ -1,15 +1,35 @@
 $(document).ready(function () {
-    $("#postComment").on("blur", function () {
+    $("#postComment").on("click", function () {
-        var comment = $("#commentInput").val();
+        var commentInput = $("#commentInput").val();
-        $.post("challenge3", function (result, status) {
+        $.ajax({
-            var json;
+            type: 'POST',
-            json = '{' +
+            url: 'challenge/3',
-                '   "comment":' + '"' + comment + '"'
+            data: JSON.stringify ({comment: commentInput}),
-                '}';
+            contentType: "application/json",
-        })
+            dataType: 'json'
+        });
     })
 
+    var html = '<li class="comment">' +
+        '<div class="pull-left">' +
+        '<img class="avatar" src="http://bootdey.com/img/Content/avatar/avatar1.png" alt="avatar"/>' +
+        '</div>' +
+        '<div class="comment-body">' +
+        '<div class="comment-heading">' +
+        '<h4 class="user">USER</h4>' +
+        '<h5 class="time">DATETIME</h5>' +
+        '</div>' +
+        '<p>COMMENT</p>' +
+        '</div>' +
+        '</li>';
+
     $.get("challenge/3", function (result, status) {
-        alert("Hello");
+        for (var i = 0; i < result.length; i++) {
-    })
+            var comment = html.replace('USER', result[i].user);
+            comment = comment.replace('DATETIME', result[i].dateTime);
+            comment = comment.replace('COMMENT', result[i].comment);
+            $("#list").append(comment);
+        }
+
+    });
 })