chore: cleanup IT tests (#2040)

pom.xml

@@ -242,18 +242,6 @@
       <scope>provided</scope>
       <optional>true</optional>
     </dependency>
-    <dependency>
-      <groupId>org.testcontainers</groupId>
-      <artifactId>testcontainers</artifactId>
-      <version>1.20.5</version>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.testcontainers</groupId>
-      <artifactId>junit-jupiter</artifactId>
-      <version>1.20.5</version>
-      <scope>test</scope>
-    </dependency>
     <dependency>
       <groupId>javax.xml.bind</groupId>
       <artifactId>jaxb-api</artifactId>

src/it/java/org/owasp/webgoat/integration/AccessControlIntegrationTest.java

@@ -29,7 +29,7 @@ class AccessControlIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
         .contentType(ContentType.JSON)
-        .get(url("access-control/users-admin-fix"))
+        .get(webGoatUrlConfig.url("access-control/users-admin-fix"))
         .then()
         .statusCode(HttpStatus.SC_FORBIDDEN);
 
@@ -44,7 +44,7 @@ class AccessControlIntegrationTest extends IntegrationTest {
         .cookie("JSESSIONID", getWebGoatCookie())
         .contentType(ContentType.JSON)
         .body(String.format(userTemplate, this.getUser(), this.getUser()))
-        .post(url("access-control/users"))
+        .post(webGoatUrlConfig.url("access-control/users"))
         .then()
         .statusCode(HttpStatus.SC_OK);
 
@@ -55,14 +55,14 @@ class AccessControlIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .contentType(ContentType.JSON)
-            .get(url("access-control/users-admin-fix"))
+            .get(webGoatUrlConfig.url("access-control/users-admin-fix"))
             .then()
             .statusCode(200)
             .extract()
             .jsonPath()
             .get("find { it.username == \"Jerry\" }.userHash");
 
-    checkAssignment(url("access-control/user-hash-fix"), Map.of("userHash", userHash), true);
+      checkAssignment(webGoatUrlConfig.url("access-control/user-hash-fix"), Map.of("userHash", userHash), true);
   }
 
   private void assignment2() {
@@ -72,18 +72,18 @@ class AccessControlIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .contentType(ContentType.JSON)
-            .get(url("access-control/users"))
+            .get(webGoatUrlConfig.url("access-control/users"))
             .then()
             .statusCode(200)
             .extract()
             .jsonPath()
             .get("find { it.username == \"Jerry\" }.userHash");
 
-    checkAssignment(url("access-control/user-hash"), Map.of("userHash", userHash), true);
+      checkAssignment(webGoatUrlConfig.url("access-control/user-hash"), Map.of("userHash", userHash), true);
   }
 
   private void assignment1() {
     var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config");
-    checkAssignment(url("access-control/hidden-menu"), params, true);
+      checkAssignment(webGoatUrlConfig.url("access-control/hidden-menu"), params, true);
   }
 }

src/it/java/org/owasp/webgoat/integration/CSRFIntegrationTest.java

@@ -5,7 +5,7 @@
 package org.owasp.webgoat.integration;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 
 import io.restassured.RestAssured;
@@ -68,12 +68,12 @@ public class CSRFIntegrationTest extends IntegrationTest {
   public void init() {
     startLesson("CSRF");
     webwolfFileDir = getWebWolfFileServerLocation();
-    uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", url("csrf/basic-get-flag")));
+      uploadTrickHtml("csrf3.html", trickHTML3.replace("WEBGOATURL", webGoatUrlConfig.url("csrf/basic-get-flag")));
-    uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", url("csrf/review")));
+      uploadTrickHtml("csrf4.html", trickHTML4.replace("WEBGOATURL", webGoatUrlConfig.url("csrf/review")));
-    uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", url("csrf/feedback/message")));
+      uploadTrickHtml("csrf7.html", trickHTML7.replace("WEBGOATURL", webGoatUrlConfig.url("csrf/feedback/message")));
       uploadTrickHtml(
         "csrf8.html",
-        trickHTML8.replace("WEBGOATURL", url("login")).replace("USERNAME", this.getUser()));
+        trickHTML8.replace("WEBGOATURL", webGoatUrlConfig.url("login")).replace("USERNAME", this.getUser()));
   }
 
   @TestFactory
@@ -107,7 +107,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("WEBWOLFSESSION", getWebWolfCookie())
         .multiPart("file", htmlName, htmlContent.getBytes())
-        .post(new WebWolfUrlBuilder().path("fileupload").build())
+        .post(webWolfUrlConfig.url("fileupload"))
         .then()
         .extract()
         .response()
@@ -122,7 +122,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("files/%s/%s", this.getUser(), htmlName).build())
+            .get(webWolfUrlConfig.url("files/%s/%s".formatted(this.getUser(), htmlName)))
             .then()
             .extract()
             .response()
@@ -140,7 +140,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
+            .header("Referer", webWolfUrlConfig.url("files/fake.html"))
             .post(goatURL)
             .then()
             .extract()
@@ -148,15 +148,13 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .toString();
 
     Map<String, Object> params = new HashMap<>();
-    params.clear();
     params.put("confirmFlagVal", flag);
-    checkAssignment(url("csrf/confirm-flag-1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("csrf/confirm-flag-1"), params, true);
   }
 
   private void checkAssignment4(String goatURL) {
 
     Map<String, Object> params = new HashMap<>();
-    params.clear();
     params.put("reviewText", "test review");
     params.put("stars", "5");
     params.put(
@@ -167,13 +165,13 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
+            .header("Referer", webWolfUrlConfig.url("files/fake.html"))
             .formParams(params)
             .post(goatURL)
             .then()
             .extract()
             .path("lessonCompleted");
-    assertEquals(true, result);
+    assertTrue(result);
   }
 
   private void checkAssignment7(String goatURL) {
@@ -188,7 +186,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
+            .header("Referer", webWolfUrlConfig.url("files/fake.html"))
             .contentType(ContentType.TEXT)
             .body(
                 "{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is"
@@ -202,7 +200,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
 
     params.clear();
     params.put("confirmFlagVal", flag);
-    checkAssignment(url("csrf/feedback"), params, true);
+      checkAssignment(webGoatUrlConfig.url("csrf/feedback"), params, true);
   }
 
   private void checkAssignment8(String goatURL) {
@@ -211,7 +209,6 @@ public class CSRFIntegrationTest extends IntegrationTest {
     registerCSRFUser();
 
     Map<String, Object> params = new HashMap<>();
-    params.clear();
     params.put("username", "csrf-" + this.getUser());
     params.put("password", "password");
 
@@ -221,7 +218,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .header("Referer", new WebWolfUrlBuilder().path("files/fake.html").build())
+            .header("Referer", webWolfUrlConfig.url("files/fake.html"))
             .params(params)
             .post(goatURL)
             .then()
@@ -233,7 +230,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
         .when()
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", newCookie)
-        .get(url("CSRF.lesson.lesson"))
+        .get(webGoatUrlConfig.url("CSRF.lesson.lesson"))
         .then()
         .statusCode(200);
 
@@ -243,7 +240,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", newCookie)
-            .post(url("csrf/login"))
+            .post(webGoatUrlConfig.url("csrf/login"))
             .then()
             .statusCode(200)
             .extract()
@@ -258,7 +255,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
         RestAssured.given()
             .cookie("JSESSIONID", getWebGoatCookie())
             .relaxedHTTPSValidation()
-            .get(url("service/lessonoverview.mvc/CSRF"))
+            .get(webGoatUrlConfig.url("service/lessonoverview.mvc/CSRF"))
             .then()
             .extract()
             .jsonPath()
@@ -285,6 +282,6 @@ public class CSRFIntegrationTest extends IntegrationTest {
         .formParam("password", "password")
         .formParam("matchingPassword", "password")
         .formParam("agree", "agree")
-        .post(url("register.mvc"));
+        .post(webGoatUrlConfig.url("register.mvc"));
   }
 }

src/it/java/org/owasp/webgoat/integration/ChallengeIntegrationTest.java

@@ -26,7 +26,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("challenge/logo"))
+            .get(webGoatUrlConfig.url("challenge/logo"))
             .then()
             .statusCode(200)
             .extract()
@@ -38,14 +38,14 @@ public class ChallengeIntegrationTest extends IntegrationTest {
     params.put("username", "admin");
     params.put("password", "!!webgoat_admin_1234!!".replace("1234", pincode));
 
-    checkAssignment(url("challenge/1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("challenge/1"), params, true);
       String result =
         RestAssured.given()
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .formParams(params)
-            .post(url("challenge/1"))
+            .post(webGoatUrlConfig.url("challenge/1"))
             .then()
             .statusCode(200)
             .extract()
@@ -54,7 +54,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
     String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
     params.clear();
     params.put("flag", flag);
-    checkAssignment(url("challenge/flag/1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("challenge/flag/1"), params, true);
 
     checkResults("Challenge1");
 
@@ -63,7 +63,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("scoreboard-data"))
+            .get(webGoatUrlConfig.url("scoreboard-data"))
             .then()
             .statusCode(200)
             .extract()
@@ -87,7 +87,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .formParams(params)
-            .post(url("challenge/5"))
+            .post(webGoatUrlConfig.url("challenge/5"))
             .then()
             .statusCode(200)
             .extract()
@@ -96,7 +96,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
     String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
     params.clear();
     params.put("flag", flag);
-    checkAssignment(url("challenge/flag/5"), params, true);
+      checkAssignment(webGoatUrlConfig.url("challenge/flag/5"), params, true);
 
     checkResults("Challenge5");
 
@@ -105,7 +105,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("scoreboard-data"))
+            .get(webGoatUrlConfig.url("scoreboard-data"))
             .then()
             .statusCode(200)
             .extract()
@@ -124,7 +124,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
         .when()
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
-        .get(url("challenge/7/.git"))
+        .get(webGoatUrlConfig.url("challenge/7/.git"))
         .then()
         .statusCode(200)
         .extract()
@@ -136,7 +136,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
         .formParams("email", getUser() + "@webgoat.org")
-        .post(url("challenge/7"))
+        .post(webGoatUrlConfig.url("challenge/7"))
         .then()
         .statusCode(200)
         .extract()
@@ -148,7 +148,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("mail").build())
+            .get(webWolfUrlConfig.url("mail"))
             .then()
             .extract()
             .response()
@@ -162,13 +162,13 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
+            .get(webGoatUrlConfig.url("challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
             .then()
             .statusCode(HttpStatus.ACCEPTED.value())
             .extract()
             .asString();
 
     String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
-    checkAssignment(url("challenge/flag/7"), Map.of("flag", flag), true);
+      checkAssignment(webGoatUrlConfig.url("challenge/flag/7"), Map.of("flag", flag), true);
   }
 }

src/it/java/org/owasp/webgoat/integration/CryptoIntegrationTest.java

@@ -56,7 +56,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("crypto/encoding/basic"))
+            .get(webGoatUrlConfig.url("crypto/encoding/basic"))
             .then()
             .extract()
             .asString();
@@ -68,7 +68,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("answer_user", answer_user);
     params.put("answer_pwd", answer_pwd);
-    checkAssignment(url("crypto/encoding/basic-auth"), params, true);
+      checkAssignment(webGoatUrlConfig.url("crypto/encoding/basic-auth"), params, true);
   }
 
   private void checkAssignment3() {
@@ -76,7 +76,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
     Map<String, Object> params = new HashMap<>();
     params.clear();
     params.put("answer_pwd1", answer_1);
-    checkAssignment(url("crypto/encoding/xor"), params, true);
+      checkAssignment(webGoatUrlConfig.url("crypto/encoding/xor"), params, true);
   }
 
   private void checkAssignment4() throws NoSuchAlgorithmException {
@@ -86,7 +86,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("crypto/hashing/md5"))
+            .get(webGoatUrlConfig.url("crypto/hashing/md5"))
             .then()
             .extract()
             .asString();
@@ -96,7 +96,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("crypto/hashing/sha256"))
+            .get(webGoatUrlConfig.url("crypto/hashing/sha256"))
             .then()
             .extract()
             .asString();
@@ -116,7 +116,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("answer_pwd1", answer_1);
     params.put("answer_pwd2", answer_2);
-    checkAssignment(url("crypto/hashing"), params, true);
+      checkAssignment(webGoatUrlConfig.url("crypto/hashing"), params, true);
   }
 
   private void checkAssignmentSigning() throws NoSuchAlgorithmException, InvalidKeySpecException {
@@ -126,7 +126,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("crypto/signing/getprivate"))
+            .get(webGoatUrlConfig.url("crypto/signing/getprivate"))
             .then()
             .extract()
             .asString();
@@ -139,7 +139,7 @@ public class CryptoIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("modulus", modulus);
     params.put("signature", signature);
-    checkAssignment(url("crypto/signing/verify"), params, true);
+      checkAssignment(webGoatUrlConfig.url("crypto/signing/verify"), params, true);
   }
 
   private void checkAssignmentDefaults() {
@@ -155,6 +155,6 @@ public class CryptoIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("secretText", text);
     params.put("secretFileName", "default_secret");
-    checkAssignment(url("crypto/secure/defaults"), params, true);
+      checkAssignment(webGoatUrlConfig.url("crypto/secure/defaults"), params, true);
   }
 }

src/it/java/org/owasp/webgoat/integration/DeserializationIntegrationTest.java

@@ -30,7 +30,7 @@ public class DeserializationIntegrationTest extends IntegrationTest {
       params.put(
           "token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")));
     }
-    checkAssignment(url("InsecureDeserialization/task"), params, true);
+      checkAssignment(webGoatUrlConfig.url("InsecureDeserialization/task"), params, true);
 
     checkResults("InsecureDeserialization");
   }

src/it/java/org/owasp/webgoat/integration/GeneralLessonIntegrationTest.java

@@ -21,19 +21,19 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     Map<String, Object> params = new HashMap<>();
     params.clear();
     params.put("person", "goatuser");
-    checkAssignment(url("HttpBasics/attack1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("HttpBasics/attack1"), params, true);
 
     params.clear();
     params.put("answer", "POST");
     params.put("magic_answer", "33");
     params.put("magic_num", "4");
-    checkAssignment(url("HttpBasics/attack2"), params, false);
+      checkAssignment(webGoatUrlConfig.url("HttpBasics/attack2"), params, false);
 
     params.clear();
     params.put("answer", "POST");
     params.put("magic_answer", "33");
     params.put("magic_num", "33");
-    checkAssignment(url("HttpBasics/attack2"), params, true);
+      checkAssignment(webGoatUrlConfig.url("HttpBasics/attack2"), params, true);
 
     checkResults("HttpBasics");
   }
@@ -45,7 +45,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     Map<String, Object> params = new HashMap<>();
     params.clear();
     params.put("person", "goatuser");
-    checkAssignment(url("HttpBasics/attack1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("HttpBasics/attack1"), params, true);
   }
 
   @Test
@@ -58,7 +58,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
             .cookie("JSESSIONID", getWebGoatCookie())
             .header("x-request-intercepted", "true")
             .contentType(ContentType.JSON)
-            .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+            .get(webGoatUrlConfig.url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
             .then()
             .statusCode(200)
             .extract()
@@ -86,7 +86,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     params.put(
         "question_3_solution",
         "Solution 2: The systems security is compromised even if only one goal is harmed.");
-    checkAssignment(url("cia/quiz"), params, true);
+      checkAssignment(webGoatUrlConfig.url("cia/quiz"), params, true);
     checkResults("CIA");
   }
 
@@ -109,7 +109,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
       Map<String, Object> params = new HashMap<>();
       params.clear();
       params.put("payload", solution);
-      checkAssignment(url("VulnerableComponents/attack1"), params, true);
+        checkAssignment(webGoatUrlConfig.url("VulnerableComponents/attack1"), params, true);
       checkResults("VulnerableComponents");
     }
   }
@@ -121,7 +121,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("username", "CaptainJack");
     params.put("password", "BlackPearl");
-    checkAssignment(url("InsecureLogin/task"), params, true);
+      checkAssignment(webGoatUrlConfig.url("InsecureLogin/task"), params, true);
     checkResults("InsecureLogin");
   }
 
@@ -131,7 +131,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     Map<String, Object> params = new HashMap<>();
     params.clear();
     params.put("password", "ajnaeliclm^&&@kjn.");
-    checkAssignment(url("SecurePasswords/assignment"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SecurePasswords/assignment"), params, true);
     checkResults("SecurePasswords");
 
     startLesson("AuthBypass");
@@ -141,7 +141,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     params.put("jsEnabled", "1");
     params.put("verifyMethod", "SEC_QUESTIONS");
     params.put("userId", "12309746");
-    checkAssignment(url("auth-bypass/verify-account"), params, true);
+      checkAssignment(webGoatUrlConfig.url("auth-bypass/verify-account"), params, true);
     checkResults("AuthBypass");
 
     startLesson("HttpProxies");
@@ -152,7 +152,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
             .cookie("JSESSIONID", getWebGoatCookie())
             .header("x-request-intercepted", "true")
             .contentType(ContentType.JSON)
-            .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+            .get(webGoatUrlConfig.url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
             .then()
             .statusCode(200)
             .extract()
@@ -178,7 +178,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
             .header("webgoat-requested-by", "dom-xss-vuln")
             .header("X-Requested-With", "XMLHttpRequest")
             .formParams(params)
-            .post(url("CrossSiteScripting/phone-home-xss"))
+            .post(webGoatUrlConfig.url("CrossSiteScripting/phone-home-xss"))
             .then()
             .statusCode(200)
             .extract()
@@ -187,12 +187,12 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
 
     params.clear();
     params.put("successMessage", secretNumber);
-    checkAssignment(url("ChromeDevTools/dummy"), params, true);
+      checkAssignment(webGoatUrlConfig.url("ChromeDevTools/dummy"), params, true);
 
     params.clear();
     params.put("number", "24");
     params.put("network_num", "24");
-    checkAssignment(url("ChromeDevTools/network"), params, true);
+      checkAssignment(webGoatUrlConfig.url("ChromeDevTools/network"), params, true);
 
     checkResults("ChromeDevTools");
   }
@@ -207,7 +207,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     params.put("jsEnabled", "1");
     params.put("verifyMethod", "SEC_QUESTIONS");
     params.put("userId", "12309746");
-    checkAssignment(url("auth-bypass/verify-account"), params, true);
+      checkAssignment(webGoatUrlConfig.url("auth-bypass/verify-account"), params, true);
     checkResults("AuthBypass");
   }
 
@@ -218,7 +218,7 @@ public class GeneralLessonIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("param1", "secr37Value");
     params.put("param2", "Main");
-    checkAssignment(url("lesson-template/sample-attack"), params, true);
+      checkAssignment(webGoatUrlConfig.url("lesson-template/sample-attack"), params, true);
     checkResults("LessonTemplate");
   }
 }

src/it/java/org/owasp/webgoat/integration/IDORIntegrationTest.java

@@ -43,7 +43,7 @@ public class IDORIntegrationTest extends IntegrationTest {
     params.put("username", "tom");
     params.put("password", "cat");
 
-    checkAssignment(url("IDOR/login"), params, true);
+      checkAssignment(webGoatUrlConfig.url("IDOR/login"), params, true);
   }
 
   private void profile() {
@@ -54,7 +54,7 @@ public class IDORIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("IDOR/profile"))
+            .get(webGoatUrlConfig.url("IDOR/profile"))
             .then()
             .statusCode(200)
             .extract()
@@ -64,12 +64,12 @@ public class IDORIntegrationTest extends IntegrationTest {
     // Show difference - assignment 3b
     Map<String, Object> params = new HashMap<>();
     params.put("attributes", "userId,role");
-    checkAssignment(url("IDOR/diff-attributes"), params, true);
+      checkAssignment(webGoatUrlConfig.url("IDOR/diff-attributes"), params, true);
 
     // View profile another way - assignment 4
     params.clear();
     params.put("url", "WebGoat/IDOR/profile/2342384");
-    checkAssignment(url("IDOR/profile/alt-path"), params, true);
+      checkAssignment(webGoatUrlConfig.url("IDOR/profile/alt-path"), params, true);
 
     // assignment 5a
       MatcherAssert.assertThat(
@@ -77,7 +77,7 @@ public class IDORIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("IDOR/profile/2342388"))
+            .get(webGoatUrlConfig.url("IDOR/profile/2342388"))
             .then()
             .statusCode(200)
             .extract()
@@ -94,7 +94,7 @@ public class IDORIntegrationTest extends IntegrationTest {
             .body(
                 "{\"role\":\"1\", \"color\":\"red\", \"size\":\"large\", \"name\":\"Buffalo Bill\","
                     + " \"userId\":\"2342388\"}")
-            .put(url("IDOR/profile/2342388"))
+            .put(webGoatUrlConfig.url("IDOR/profile/2342388"))
             .then()
             .statusCode(200)
             .extract()

src/it/java/org/owasp/webgoat/integration/IntegrationTest.java

@@ -20,66 +20,13 @@ import org.springframework.http.HttpStatus;
 
 public abstract class IntegrationTest {
 
-  private final ServerUrlConfig webGoatUrlConfig = ServerUrlConfig.webGoat();
+  protected final ServerUrlConfig webGoatUrlConfig = ServerUrlConfig.webGoat();
-  @Getter private final ServerUrlConfig webWolfUrlConfig = ServerUrlConfig.webWolf();
+  protected final ServerUrlConfig webWolfUrlConfig = ServerUrlConfig.webWolf();
 
   @Getter private String webGoatCookie;
   @Getter private String webWolfCookie;
   @Getter private final String user = "webgoat";
 
-  protected String url(String url) {
-    return webGoatUrlConfig.url(url);
-  }
-
-  protected class WebWolfUrlBuilder {
-
-    private boolean attackMode = false;
-    private String path = null;
-
-    protected String build() {
-      return webWolfUrlConfig.url(path != null ? path : "");
-    }
-
-    /**
-     * In attack mode it means WebGoat calls WebWolf to perform an attack. In this case we need to
-     * use port 9090 in a Docker environment.
-     */
-    protected WebWolfUrlBuilder attackMode() {
-      attackMode = true;
-      return this;
-    }
-
-    protected WebWolfUrlBuilder path(String path) {
-      this.path = path;
-      return this;
-    }
-
-    protected WebWolfUrlBuilder path(String path, String... uriVariables) {
-      this.path = path.formatted(uriVariables);
-      return this;
-    }
-  }
-
-  /**
-   * Debugging options: install TestContainers Desktop and map port 5005 to the host machine with
-   * https://newsletter.testcontainers.com/announcements/set-fixed-ports-to-easily-debug-development-services
-   *
-   * <p>Start the test and connect a remote debugger in IntelliJ to localhost:5005 and attach it.
-   */
-  //  private static GenericContainer<?> webGoatContainer =
-  //      new GenericContainer(new ImageFromDockerfile("webgoat").withFileFromPath("/",
-  // Paths.get(".")))
-  //          .withLogConsumer(new Slf4jLogConsumer(LoggerFactory.getLogger("webgoat")))
-  //          .withExposedPorts(8080, 9090, 5005)
-  //          .withEnv(
-  //              "_JAVA_OPTIONS",
-  //              "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=0.0.0.0:5005")
-  //          .waitingFor(Wait.forHealthcheck());
-  //
-  //  static {
-  //    webGoatContainer.start();
-  //  }
-
   @BeforeEach
   public void login() {
     login("webgoat");
@@ -92,7 +39,7 @@ public abstract class IntegrationTest {
             .relaxedHTTPSValidation()
             .formParam("username", user)
             .formParam("password", "password")
-            .post(url("login"))
+            .post(webGoatUrlConfig.url("login"))
             .then()
             .log()
             .ifValidationFails(LogDetail.ALL) // Log the response details if validation fails
@@ -109,7 +56,7 @@ public abstract class IntegrationTest {
               .formParam("password", "password")
               .formParam("matchingPassword", "password")
               .formParam("agree", "agree")
-              .post(url("register.mvc"))
+              .post(webGoatUrlConfig.url("register.mvc"))
               .then()
               .cookie("JSESSIONID")
               .statusCode(302)
@@ -122,7 +69,7 @@ public abstract class IntegrationTest {
               .relaxedHTTPSValidation()
               .formParam("username", user)
               .formParam("password", "password")
-              .post(url("login"))
+              .post(webGoatUrlConfig.url("login"))
               .then()
               .cookie("JSESSIONID")
               .statusCode(302)
@@ -136,7 +83,7 @@ public abstract class IntegrationTest {
             .relaxedHTTPSValidation()
             .formParam("username", user)
             .formParam("password", "password")
-            .post(new WebWolfUrlBuilder().path("login").build())
+            .post(webWolfUrlConfig.url("login"))
             .then()
             .statusCode(302)
             .cookie("WEBWOLFSESSION")
@@ -146,7 +93,12 @@ public abstract class IntegrationTest {
 
   @AfterEach
   public void logout() {
-    RestAssured.given().when().relaxedHTTPSValidation().get(url("logout")).then().statusCode(200);
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .get(webGoatUrlConfig.url("logout"))
+        .then()
+        .statusCode(200);
   }
 
   public void startLesson(String lessonName) {
@@ -158,7 +110,7 @@ public abstract class IntegrationTest {
         .when()
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
-        .get(url(lessonName + ".lesson.lesson"))
+        .get(webGoatUrlConfig.url(lessonName + ".lesson.lesson"))
         .then()
         .statusCode(200);
 
@@ -167,7 +119,7 @@ public abstract class IntegrationTest {
           .when()
           .relaxedHTTPSValidation()
           .cookie("JSESSIONID", getWebGoatCookie())
-          .get(url("service/restartlesson.mvc/%s.lesson".formatted(lessonName)))
+          .get(webGoatUrlConfig.url("service/restartlesson.mvc/%s.lesson".formatted(lessonName)))
           .then()
           .statusCode(200);
     }
@@ -209,7 +161,7 @@ public abstract class IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/lessonoverview.mvc/%s.lesson".formatted(lesson)))
+            .get(webGoatUrlConfig.url("service/lessonoverview.mvc/%s.lesson".formatted(lesson)))
             .andReturn();
 
     MatcherAssert.assertThat(
@@ -223,7 +175,7 @@ public abstract class IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/lessonoverview.mvc"))
+            .get(webGoatUrlConfig.url("service/lessonoverview.mvc"))
             .andReturn();
 
     MatcherAssert.assertThat(
@@ -269,7 +221,7 @@ public abstract class IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("file-server-location").build())
+            .get(webWolfUrlConfig.url("file-server-location"))
             .then()
             .extract()
             .response()
@@ -284,7 +236,7 @@ public abstract class IntegrationTest {
         .when()
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
-        .get(url("server-directory"))
+        .get(webGoatUrlConfig.url("server-directory"))
         .then()
         .extract()
         .response()
@@ -297,7 +249,7 @@ public abstract class IntegrationTest {
         .when()
         .relaxedHTTPSValidation()
         .cookie("WEBWOLFSESSION", getWebWolfCookie())
-        .delete(new WebWolfUrlBuilder().path("mail").build())
+        .delete(webWolfUrlConfig.url("mail"))
         .then()
         .statusCode(HttpStatus.ACCEPTED.value());
   }

src/it/java/org/owasp/webgoat/integration/JWTLessonIntegrationTest.java

@@ -90,7 +90,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .formParam("jwt-encode-user", "user")
-            .post(url("JWT/decode"))
+            .post(webGoatUrlConfig.url("JWT/decode"))
             .then()
             .statusCode(200)
             .extract()
@@ -105,7 +105,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("JWT/secret/gettoken"))
+            .get(webGoatUrlConfig.url("JWT/secret/gettoken"))
             .then()
             .extract()
             .response()
@@ -119,7 +119,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .formParam("token", generateToken(secret))
-            .post(url("JWT/secret"))
+            .post(webGoatUrlConfig.url("JWT/secret"))
             .then()
             .statusCode(200)
             .extract()
@@ -133,7 +133,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("JWT/votings/login?user=Tom"))
+            .get(webGoatUrlConfig.url("JWT/votings/login?user=Tom"))
             .then()
             .extract()
             .cookie("access_token");
@@ -166,7 +166,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .cookie("access_token", replacedToken)
-            .post(url("JWT/votings"))
+            .post(webGoatUrlConfig.url("JWT/votings"))
             .then()
             .statusCode(200)
             .extract()
@@ -207,7 +207,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .header("Authorization", "Bearer " + replacedToken)
-            .post(url("JWT/refresh/checkout"))
+            .post(webGoatUrlConfig.url("JWT/refresh/checkout"))
             .then()
             .statusCode(200)
             .extract()
@@ -240,7 +240,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .post(url("JWT/kid/delete?token=" + token))
+            .post(webGoatUrlConfig.url("JWT/kid/delete?token=" + token))
             .then()
             .statusCode(200)
             .extract()
@@ -258,7 +258,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("WEBWOLFSESSION", getWebWolfCookie())
         .multiPart("file", "jwks.json", jwks.toJson().getBytes())
-        .post(new WebWolfUrlBuilder().path("fileupload").build())
+        .post(webWolfUrlConfig.url("fileupload"))
         .then()
         .extract()
         .response()
@@ -268,8 +268,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
     Map<String, Object> header = new HashMap();
     header.put(Header.TYPE, Header.JWT_TYPE);
     header.put(
-        JwsHeader.JWK_SET_URL,
+        JwsHeader.JWK_SET_URL, webWolfUrlConfig.url("files/%s/jwks.json".formatted(getUser())));
-        new WebWolfUrlBuilder().attackMode().path("files/%s/jwks.json", getUser()).build());
 
     String token =
         Jwts.builder()
@@ -290,7 +289,7 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
-            .post(url("JWT/jku/delete?token=" + token))
+            .post(webGoatUrlConfig.url("JWT/jku/delete?token=" + token))
             .then()
             .statusCode(200)
             .extract()
@@ -303,6 +302,6 @@ public class JWTLessonIntegrationTest extends IntegrationTest {
     params.put("question_0_solution", "Solution 1");
     params.put("question_1_solution", "Solution 2");
 
-    checkAssignment(url("JWT/quiz"), params, true);
+    checkAssignment(webGoatUrlConfig.url("JWT/quiz"), params, true);
   }
 }

src/it/java/org/owasp/webgoat/integration/LabelAndHintIntegrationTest.java

@@ -28,7 +28,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
             .contentType(ContentType.JSON)
             .header("Accept-Language", "en")
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/labels.mvc"))
+            .get(webGoatUrlConfig.url("service/labels.mvc"))
             .then()
             .statusCode(200)
             .extract()
@@ -46,7 +46,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
             .contentType(ContentType.JSON)
             .header("Accept-Language", "en")
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/labels.mvc?lang=nl"))
+            .get(webGoatUrlConfig.url("service/labels.mvc?lang=nl"))
             .then()
             .statusCode(200)
             .extract()
@@ -62,7 +62,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
             .contentType(ContentType.JSON)
             .header("Accept-Language", "en")
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/labels.mvc?lang=de"))
+            .get(webGoatUrlConfig.url("service/labels.mvc?lang=de"))
             .then()
             .statusCode(200)
             .extract()
@@ -79,7 +79,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
             .contentType(ContentType.JSON)
             .header("Accept-Language", "nl")
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/labels.mvc?lang=xx"))
+            .get(webGoatUrlConfig.url("service/labels.mvc?lang=xx"))
             .then()
             .statusCode(200)
             .extract()
@@ -95,7 +95,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
             .contentType(ContentType.JSON)
             .header("Accept-Language", "xx_YY")
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/labels.mvc"))
+            .get(webGoatUrlConfig.url("service/labels.mvc"))
             .then()
             .statusCode(200)
             .extract()
@@ -207,7 +207,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
         .header("Accept-Language", lang)
         .cookie("JSESSIONID", getWebGoatCookie())
         // .log().headers()
-        .get(url("service/labels.mvc"))
+        .get(webGoatUrlConfig.url("service/labels.mvc"))
         .then()
         // .log().all()
         .statusCode(200)
@@ -222,7 +222,7 @@ public class LabelAndHintIntegrationTest extends IntegrationTest {
             .relaxedHTTPSValidation()
             .contentType(ContentType.JSON)
             .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("service/hint.mvc"))
+            .get(webGoatUrlConfig.url("service/hint.mvc"))
             .then()
             // .log().all()
             .statusCode(200)

src/it/java/org/owasp/webgoat/integration/PasswordResetLessonIntegrationTest.java

@@ -36,11 +36,11 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
   public void assignment2() {
       checkAssignment(
-        url("PasswordReset/simple-mail/reset"),
+              webGoatUrlConfig.url("PasswordReset/simple-mail/reset"),
         Map.of("emailReset", this.getUser() + "@webgoat.org"),
         false);
       checkAssignment(
-        url("PasswordReset/simple-mail"),
+              webGoatUrlConfig.url("PasswordReset/simple-mail"),
         Map.of(
             "email",
             this.getUser() + "@webgoat.org",
@@ -51,18 +51,18 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
   public void assignment4() {
       checkAssignment(
-        url("PasswordReset/questions"),
+              webGoatUrlConfig.url("PasswordReset/questions"),
         Map.of("username", "tom", "securityQuestion", "purple"),
         true);
   }
 
   public void assignment5() {
       checkAssignment(
-        url("PasswordReset/SecurityQuestions"),
+              webGoatUrlConfig.url("PasswordReset/SecurityQuestions"),
         Map.of("question", "What is your favorite animal?"),
         false);
       checkAssignment(
-        url("PasswordReset/SecurityQuestions"),
+              webGoatUrlConfig.url("PasswordReset/SecurityQuestions"),
         Map.of("question", "What is your favorite color?"),
         true);
   }
@@ -76,7 +76,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
     // WebGoat
     changePassword(link);
       checkAssignment(
-        url("PasswordReset/reset/login"),
+              webGoatUrlConfig.url("PasswordReset/reset/login"),
         Map.of("email", "tom@webgoat-cloud.org", "password", "123456"),
         true);
   }
@@ -89,7 +89,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("mail").build())
+            .get(webWolfUrlConfig.url("mail"))
             .then()
             .extract()
             .response()
@@ -112,7 +112,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
         .formParams("resetLink", link, "password", "123456")
-        .post(url("PasswordReset/reset/change-password"))
+        .post(webGoatUrlConfig.url("PasswordReset/reset/change-password"))
         .then()
         .statusCode(200);
   }
@@ -123,7 +123,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("requests").build())
+            .get(webWolfUrlConfig.url("requests"))
             .then()
             .extract()
             .response()
@@ -140,11 +140,11 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
   private void clickForgotEmailLink(String user) {
       RestAssured.given()
         .when()
-        .header(HttpHeaders.HOST, String.format("%s:%s", "127.0.0.1", getWebWolfUrlConfig().port()))
+        .header(HttpHeaders.HOST, String.format("%s:%s", "127.0.0.1", webWolfUrlConfig.port()))
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
         .formParams("email", user)
-        .post(url("PasswordReset/ForgotPassword/create-password-reset-link"))
+        .post(webGoatUrlConfig.url("PasswordReset/ForgotPassword/create-password-reset-link"))
         .then()
         .statusCode(200);
   }

src/it/java/org/owasp/webgoat/integration/PathTraversalIntegrationTest.java

@@ -59,7 +59,7 @@ class PathTraversalIT extends IntegrationTest {
             .cookie("JSESSIONID", getWebGoatCookie())
             .multiPart("uploadedFile", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
             .param("fullName", "../John Doe")
-            .post(url("PathTraversal/profile-upload"))
+            .post(webGoatUrlConfig.url("PathTraversal/profile-upload"))
             .then()
             .statusCode(200)
             .extract()
@@ -75,7 +75,7 @@ class PathTraversalIT extends IntegrationTest {
             .cookie("JSESSIONID", getWebGoatCookie())
             .multiPart("uploadedFileFix", "test.jpg", Files.readAllBytes(fileToUpload.toPath()))
             .param("fullNameFix", "..././John Doe")
-            .post(url("PathTraversal/profile-upload-fix"))
+            .post(webGoatUrlConfig.url("PathTraversal/profile-upload-fix"))
             .then()
             .statusCode(200)
             .extract()
@@ -93,7 +93,7 @@ class PathTraversalIT extends IntegrationTest {
                 "uploadedFileRemoveUserInput",
                 "../test.jpg",
                 Files.readAllBytes(fileToUpload.toPath()))
-            .post(url("PathTraversal/profile-upload-remove-user-input"))
+            .post(webGoatUrlConfig.url("PathTraversal/profile-upload-remove-user-input"))
             .then()
             .statusCode(200)
             .extract()
@@ -108,13 +108,13 @@ class PathTraversalIT extends IntegrationTest {
         .when()
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
-        .get(url(uri))
+        .get(webGoatUrlConfig.url(uri))
         .then()
         .statusCode(200)
         .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
 
       checkAssignment(
-        url("PathTraversal/random"),
+              webGoatUrlConfig.url("PathTraversal/random"),
         Map.of("secret", Sha512DigestUtils.shaHex(this.getUser())),
         true);
   }
@@ -137,7 +137,7 @@ class PathTraversalIT extends IntegrationTest {
             .relaxedHTTPSValidation()
             .cookie("JSESSIONID", getWebGoatCookie())
             .multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath()))
-            .post(url("PathTraversal/zip-slip"))
+            .post(webGoatUrlConfig.url("PathTraversal/zip-slip"))
             .then()
             .log()
             .all()

src/it/java/org/owasp/webgoat/integration/ProgressRaceConditionIntegrationTest.java

@@ -33,7 +33,7 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
               .relaxedHTTPSValidation()
               .cookie("JSESSIONID", getWebGoatCookie())
               .formParams(Map.of("flag", "test"))
-              .post(url("challenge/flag/1"));
+              .post(webGoatUrlConfig.url("challenge/flag/1"));
         };
     ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
     List<? extends Callable<Response>> flagCalls =

src/it/java/org/owasp/webgoat/integration/SSRFIntegrationTest.java

@@ -18,11 +18,11 @@ public class SSRFIntegrationTest extends IntegrationTest {
     params.clear();
     params.put("url", "images/jerry.png");
 
-    checkAssignment(url("SSRF/task1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SSRF/task1"), params, true);
     params.clear();
     params.put("url", "http://ifconfig.pro");
 
-    checkAssignment(url("SSRF/task2"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SSRF/task2"), params, true);
 
     checkResults("SSRF");
   }

src/it/java/org/owasp/webgoat/integration/SessionManagementIntegrationTest.java

@@ -19,7 +19,7 @@ class SessionManagementIT extends IntegrationTest {
     startLesson("HijackSession");
 
       checkAssignment(
-        url(HIJACK_LOGIN_CONTEXT_PATH),
+              webGoatUrlConfig.url(HIJACK_LOGIN_CONTEXT_PATH),
         Map.of("username", "webgoat", "password", "webgoat"),
         false);
   }

src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java

@@ -20,27 +20,27 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
     params.put("password_reg", "password");
     params.put("email_reg", "someone@microsoft.com");
     params.put("confirm_password", "password");
-    checkAssignmentWithPUT(url("SqlInjectionAdvanced/challenge"), params, true);
+      checkAssignmentWithPUT(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge"), params, true);
 
     params.clear();
     params.put("username_login", "tom");
     params.put("password_login", "thisisasecretfortomonly");
-    checkAssignment(url("SqlInjectionAdvanced/challenge_Login"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge_Login"), params, true);
 
     params.clear();
     params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
-    checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/attack6a"), params, true);
 
     params.clear();
     params.put(
         "userid_6a",
         "Smith' union select userid,user_name, user_name,user_name,password,cookie,userid from"
             + " user_system_data --");
-    checkAssignment(url("SqlInjectionAdvanced/attack6a"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/attack6a"), params, true);
 
     params.clear();
     params.put("userid_6b", "passW0rD");
-    checkAssignment(url("SqlInjectionAdvanced/attack6b"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/attack6b"), params, true);
 
     params.clear();
     params.put(
@@ -58,7 +58,7 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
     params.put(
         "question_4_solution",
         "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
-    checkAssignment(url("SqlInjectionAdvanced/quiz"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/quiz"), params, true);
 
     checkResults("SqlInjectionAdvanced");
   }

src/it/java/org/owasp/webgoat/integration/SqlInjectionLessonIntegrationTest.java

@@ -38,44 +38,44 @@ public class SqlInjectionLessonIntegrationTest extends IntegrationTest {
     Map<String, Object> params = new HashMap<>();
     params.clear();
     params.put("query", sql_2);
-    checkAssignment(url("SqlInjection/attack2"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack2"), params, true);
 
     params.clear();
     params.put("query", sql_3);
-    checkAssignment(url("SqlInjection/attack3"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack3"), params, true);
 
     params.clear();
     params.put("query", sql_4_add);
-    checkAssignment(url("SqlInjection/attack4"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack4"), params, true);
 
     params.clear();
     params.put("query", sql_5);
-    checkAssignment(url("SqlInjection/attack5"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack5"), params, true);
 
     params.clear();
     params.put("operator", sql_9_operator);
     params.put("account", sql_9_account);
     params.put("injection", sql_9_injection);
-    checkAssignment(url("SqlInjection/assignment5a"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/assignment5a"), params, true);
 
     params.clear();
     params.put("login_count", sql_10_login_count);
     params.put("userid", sql_10_userid);
-    checkAssignment(url("SqlInjection/assignment5b"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/assignment5b"), params, true);
 
     params.clear();
     params.put("name", sql_11_a);
     params.put("auth_tan", sql_11_b);
-    checkAssignment(url("SqlInjection/attack8"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack8"), params, true);
 
     params.clear();
     params.put("name", sql_12_a);
     params.put("auth_tan", sql_12_b);
-    checkAssignment(url("SqlInjection/attack9"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack9"), params, true);
 
     params.clear();
     params.put("action_string", sql_13);
-    checkAssignment(url("SqlInjection/attack10"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjection/attack10"), params, true);
 
     checkResults("SqlInjection");
   }

src/it/java/org/owasp/webgoat/integration/SqlInjectionMitigationIntegrationTest.java

@@ -27,7 +27,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
     params.put("field5", "?");
     params.put("field6", "prep.setString(1,\"\")");
     params.put("field7", "prep.setString(2,\\\"\\\")");
-    checkAssignment(url("SqlInjectionMitigations/attack10a"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionMitigations/attack10a"), params, true);
 
     params.put(
         "editor",
@@ -41,18 +41,18 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
             + "} catch (Exception e) {\r\n"
             + "    System.out.println(\"Oops. Something went wrong!\");\r\n"
             + "}");
-    checkAssignment(url("SqlInjectionMitigations/attack10b"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionMitigations/attack10b"), params, true);
 
     params.clear();
     params.put(
         "userid_sql_only_input_validation", "Smith';SELECT/**/*/**/from/**/user_system_data;--");
-    checkAssignment(url("SqlOnlyInputValidation/attack"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlOnlyInputValidation/attack"), params, true);
 
     params.clear();
     params.put(
         "userid_sql_only_input_validation_on_keywords",
         "Smith';SESELECTLECT/**/*/**/FRFROMOM/**/user_system_data;--");
-    checkAssignment(url("SqlOnlyInputValidationOnKeywords/attack"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlOnlyInputValidationOnKeywords/attack"), params, true);
 
       RestAssured.given()
         .when()
@@ -60,8 +60,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
         .cookie("JSESSIONID", getWebGoatCookie())
         .contentType(ContentType.JSON)
         .get(
-            url(
+                webGoatUrlConfig.url("SqlInjectionMitigations/servers?column=(case when (true) then hostname"
-                "SqlInjectionMitigations/servers?column=(case when (true) then hostname"
                         + " else id end)"))
         .then()
         .statusCode(200);
@@ -71,7 +70,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
         .contentType(ContentType.JSON)
-        .get(url("SqlInjectionMitigations/servers?column=unknown"))
+        .get(webGoatUrlConfig.url("SqlInjectionMitigations/servers?column=unknown"))
         .then()
         .statusCode(500)
         .body(
@@ -82,7 +81,7 @@ public class SqlInjectionMitigationIntegrationTest extends IntegrationTest {
 
     params.clear();
     params.put("ip", "104.130.219.202");
-    checkAssignment(url("SqlInjectionMitigations/attack12a"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionMitigations/attack12a"), params, true);
 
     checkResults("SqlInjectionMitigations");
   }

src/it/java/org/owasp/webgoat/integration/WebWolfIntegrationTest.java

@@ -20,14 +20,14 @@ public class WebWolfIntegrationTest extends IntegrationTest {
     // Assignment 3
     Map<String, Object> params = new HashMap<>();
     params.put("email", this.getUser() + "@webgoat.org");
-    checkAssignment(url("WebWolf/mail/send"), params, false);
+      checkAssignment(webGoatUrlConfig.url("WebWolf/mail/send"), params, false);
 
     String responseBody =
         RestAssured.given()
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("mail").build())
+            .get(webWolfUrlConfig.url("mail"))
             .then()
             .extract()
             .response()
@@ -41,7 +41,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
             uniqueCode.lastIndexOf("your unique code is: ") + (21 + this.getUser().length()));
     params.clear();
     params.put("uniqueCode", uniqueCode);
-    checkAssignment(url("WebWolf/mail"), params, true);
+      checkAssignment(webGoatUrlConfig.url("WebWolf/mail"), params, true);
 
     // Assignment 4
       RestAssured.given()
@@ -49,7 +49,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("JSESSIONID", getWebGoatCookie())
         .queryParams(params)
-        .get(url("WebWolf/landing/password-reset"))
+        .get(webGoatUrlConfig.url("WebWolf/landing/password-reset"))
         .then()
         .statusCode(200);
     RestAssured.given()
@@ -57,7 +57,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("WEBWOLFSESSION", getWebWolfCookie())
         .queryParams(params)
-        .get(new WebWolfUrlBuilder().path("landing").build())
+        .get(webWolfUrlConfig.url("landing"))
         .then()
         .statusCode(200);
     responseBody =
@@ -65,7 +65,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("requests").build())
+            .get(webWolfUrlConfig.url("requests"))
             .then()
             .extract()
             .response()
@@ -74,7 +74,7 @@ public class WebWolfIntegrationTest extends IntegrationTest {
     assertTrue(responseBody.contains(uniqueCode));
     params.clear();
     params.put("uniqueCode", uniqueCode);
-    checkAssignment(url("WebWolf/landing"), params, true);
+      checkAssignment(webGoatUrlConfig.url("WebWolf/landing"), params, true);
 
     checkResults("WebWolfIntroduction");
   }

src/it/java/org/owasp/webgoat/integration/XSSIntegrationTest.java

@@ -18,7 +18,7 @@ public class XSSIntegrationTest extends IntegrationTest {
     Map<String, Object> params = new HashMap<>();
     params.clear();
     params.put("checkboxAttack1", "value");
-    checkAssignment(url("CrossSiteScripting/attack1"), params, true);
+      checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack1"), params, true);
 
     params.clear();
     params.put("QTY1", "1");
@@ -27,11 +27,11 @@ public class XSSIntegrationTest extends IntegrationTest {
     params.put("QTY4", "1");
     params.put("field1", "<script>alert('XSS+Test')</script>");
     params.put("field2", "111");
-    checkAssignmentWithGet(url("CrossSiteScripting/attack5a"), params, true);
+      checkAssignmentWithGet(webGoatUrlConfig.url("CrossSiteScripting/attack5a"), params, true);
 
     params.clear();
     params.put("DOMTestRoute", "start.mvc#test");
-    checkAssignment(url("CrossSiteScripting/attack6a"), params, true);
+      checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack6a"), params, true);
 
     params.clear();
     params.put("param1", "42");
@@ -45,7 +45,7 @@ public class XSSIntegrationTest extends IntegrationTest {
             .header("webgoat-requested-by", "dom-xss-vuln")
             .header("X-Requested-With", "XMLHttpRequest")
             .formParams(params)
-            .post(url("CrossSiteScripting/phone-home-xss"))
+            .post(webGoatUrlConfig.url("CrossSiteScripting/phone-home-xss"))
             .then()
             .statusCode(200)
             .extract()
@@ -54,7 +54,7 @@ public class XSSIntegrationTest extends IntegrationTest {
 
     params.clear();
     params.put("successMessage", secretNumber);
-    checkAssignment(url("CrossSiteScripting/dom-follow-up"), params, true);
+      checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/dom-follow-up"), params, true);
 
     params.clear();
     params.put(
@@ -77,7 +77,7 @@ public class XSSIntegrationTest extends IntegrationTest {
         "question_4_solution",
         "Solution 4: No there are many other ways. Like HTML, Flash or any other type of code that"
             + " the browser executes.");
-    checkAssignment(url("CrossSiteScripting/quiz"), params, true);
+      checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/quiz"), params, true);
 
     params.clear();
     params.put(
@@ -103,7 +103,7 @@ public class XSSIntegrationTest extends IntegrationTest {
             + "</table>"
             + "</body>"
             + "</html>");
-    checkAssignment(url("CrossSiteScripting/attack3"), params, true);
+      checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack3"), params, true);
 
     params.clear();
     params.put(
@@ -113,7 +113,7 @@ public class XSSIntegrationTest extends IntegrationTest {
             + "s.scan(newComment,\"\");"
             + "CleanResults();"
             + "MyCommentDAO.addComment(threadID, userID).getCleanHTML());");
-    checkAssignment(url("CrossSiteScripting/attack4"), params, true);
+      checkAssignment(webGoatUrlConfig.url("CrossSiteScripting/attack4"), params, true);
 
     checkResults("CrossSiteScripting");
   }

src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java

@@ -61,7 +61,7 @@ public class XXEIntegrationTest extends IntegrationTest {
    */
   private String getSecret() {
     String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
-    String webWolfCallback = new WebWolfUrlBuilder().path("landing").attackMode().build();
+    String webWolfCallback = webWolfUrlConfig.url("landing");
     String dtd7String = dtd7.replace("WEBWOLFURL", webWolfCallback).replace("SECRET", secretFile);
 
     // upload DTD
@@ -70,7 +70,7 @@ public class XXEIntegrationTest extends IntegrationTest {
         .relaxedHTTPSValidation()
         .cookie("WEBWOLFSESSION", getWebWolfCookie())
         .multiPart("file", "blind.dtd", dtd7String.getBytes())
-        .post(new WebWolfUrlBuilder().path("fileupload").build())
+        .post(webWolfUrlConfig.url("fileupload"))
         .then()
         .extract()
         .response()
@@ -79,9 +79,9 @@ public class XXEIntegrationTest extends IntegrationTest {
 
     // upload attack
     String xxe7String =
-        xxe7.replace("WEBWOLFURL", new WebWolfUrlBuilder().attackMode().path("files").build())
+        xxe7.replace("WEBWOLFURL", webWolfUrlConfig.url("files"))
             .replace("USERNAME", this.getUser());
-    checkAssignment(url("xxe/blind"), ContentType.XML, xxe7String, false);
+      checkAssignment(webGoatUrlConfig.url("xxe/blind"), ContentType.XML, xxe7String, false);
 
     // read results from WebWolf
     String result =
@@ -89,7 +89,7 @@ public class XXEIntegrationTest extends IntegrationTest {
             .when()
             .relaxedHTTPSValidation()
             .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(new WebWolfUrlBuilder().path("requests").build())
+            .get(webWolfUrlConfig.url("requests"))
             .then()
             .extract()
             .response()
@@ -109,10 +109,10 @@ public class XXEIntegrationTest extends IntegrationTest {
   public void runTests() throws IOException {
     startLesson("XXE", true);
     webGoatHomeDirectory = webGoatServerDirectory();
-    checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, true);
+      checkAssignment(webGoatUrlConfig.url("xxe/simple"), ContentType.XML, xxe3, true);
-    checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, true);
+      checkAssignment(webGoatUrlConfig.url("xxe/content-type"), ContentType.XML, xxe4, true);
       checkAssignment(
-        url("xxe/blind"),
+              webGoatUrlConfig.url("xxe/blind"),
         ContentType.XML,
         "<comment><text>" + getSecret() + "</text></comment>",
         true);

src/main/java/org/owasp/webgoat/lessons/missingac/DisplayUser.java

@@ -13,8 +13,8 @@ import lombok.Getter;
 public class DisplayUser {
   // intended to provide a display version of WebGoatUser for admins to view user attributes
 
-  private String username;
+  private final String username;
-  private boolean admin;
+  private final boolean admin;
   private String userHash;
 
   public DisplayUser(User user, String passwordSalt) {

src/test/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignmentTest.java

@@ -31,7 +31,8 @@ class HijackSessionAssignmentTest extends LessonTest {
   private static final String COOKIE_NAME = "hijack_cookie";
   private static final String LOGIN_CONTEXT_PATH = "/HijackSession/login";
 
-  @MockBean Authentication authenticationMock;
+  @MockBean
+  Authentication authenticationMock;
 
   @MockBean HijackSessionAuthenticationProvider providerMock;