XXE successfully completed message was no longer shown, fixed it by using form POST together with customjs functions.

Introduced callback functionality which you can specify after the posting in order to be able to load the comments list again.

webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js

@@ -80,7 +80,9 @@ define(['jquery',
             var self = this;
             // TODO custom Data prep for submission
             var prepareDataFunctionName = $(curForm).attr('prepareData');
+            var callbackFunctionName = $(curForm).attr('callback');
             var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
+            var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
             // var submitData = this.$form.serialize();
             this.curForm = curForm;
             this.$curFeedback = $(curForm).closest('.attack-container').find('.attack-feedback');
@@ -93,14 +95,16 @@ define(['jquery',
                 url:formUrl,
                 method:formMethod,
                 contentType:contentType,
-                data: submitData
+                data: submitData,
+                complete: function (data) {
+                    callbackFunction();
+                }
             }).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self));
             return false;
          },
 
         onSuccessResponse: function(data) {
             this.renderFeedback(data.feedback);
-
             this.renderOutput(data.output || "");
             //TODO: refactor back assignmentCompleted in Java
             if (data.lessonCompleted || data.assignmentCompleted) {

webgoat-lessons/sol.txt

@@ -11,7 +11,7 @@ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from
 
 ## XXE ##
 
-Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+Simple - <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>
 
 Modern Rest Framework - change content type to: Content-Type: application/xml && 
 <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java

@@ -9,7 +9,6 @@ import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
@@ -65,7 +64,7 @@ public class SimpleXXE extends AssignmentEndpoint {
 
     @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
     @ResponseBody
-    public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
+    public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
         String error = "";
         try {
             Comment comment = comments.parseXml(commentStr);

webgoat-lessons/xxe/src/main/resources/html/XXE.html

@@ -24,8 +24,10 @@
 
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/xxe/simple"
-              enctype="application/json;charset=UTF-8">
+              prepareData="simpleXXE"
+              callback="simpleXXECallback"
+              contentType="application/xml"
+              action="/WebGoat/xxe/simple">
             <div class="container-fluid">
                 <div class="panel post">
                     <div class="post-heading">
@@ -54,7 +56,7 @@
                             <input class="form-control" id="commentInputSimple" placeholder="Add a comment"
                                    type="text"/>
                             <span class="input-group-addon">
-                                <i id="postCommentSimple" class="fa fa-edit" style="font-size: 20px"></i>
+                                <button id="postCommentSimple" class="fa fa-edit" style="font-size: 20px"></button>
                             </span>
                         </div>
                         <ul class="comments-list">

webgoat-lessons/xxe/src/main/resources/js/xxe.js

@@ -1,23 +1,17 @@
+webgoat.customjs.simpleXXE = function () {
+    var commentInput = $("#commentInputSimple").val();
+    var xml = '<?xml version="1.0"?>' +
+        '<comment>' +
+        '  <text>' + commentInput + '</text>' +
+        '</comment>';
+    return xml;
+}
+
+webgoat.customjs.simpleXXECallback = function() {
+    getComments('#commentsListSimple');
+}
+
 $(document).ready(function () {
-    $("#postCommentSimple").unbind();
-    $("#postCommentSimple").on("click", function () {
-        var commentInput = $("#commentInputSimple").val();
-        var xml = '<?xml version="1.0"?>' +
-            '<comment>' +
-            '  <text>' + commentInput + '</text>' +
-            '</comment>';
-        $.ajax({
-            type: 'POST',
-            url: 'xxe/simple',
-            data: xml,
-            contentType: "application/xml",
-            dataType: 'xml',
-            complete: function (data) {
-                $("#commentInputSimple").val('');
-                getComments('#commentsListSimple')
-            }
-        })
-    });
     getComments('#commentsListSimple');
 });