Posting a flag shows a response in the UI (correct or incorrect)

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java

@@ -51,6 +51,12 @@ public class AttackResult {
             return this;
         }
 
+        public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
+            this.lessonCompleted = lessonCompleted;
+            this.feedbackResourceBundleKey = resourceBundleKey;
+            return this;
+        }
+
         public AttackResultBuilder feedbackArgs(Object... args) {
             this.feedbackArgs = args;
             return this;

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java

@@ -4,17 +4,18 @@ import com.google.common.collect.Maps;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.assignments.Endpoint;
+import org.owasp.webgoat.i18n.PluginMessages;
+import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
-import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.annotation.PostConstruct;
 import java.util.Map;
@@ -33,6 +34,8 @@ public class Flag extends Endpoint {
     private UserTrackerRepository userTrackerRepository;
     @Autowired
     private WebSession webSession;
+    @Autowired
+    private PluginMessages pluginMessages;
 
     @AllArgsConstructor
     private class FlagPosted {
@@ -52,21 +55,21 @@ public class Flag extends Endpoint {
     }
 
     @RequestMapping(method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseStatus(HttpStatus.OK)
-    public void postFlag(@RequestParam String flag) {
+    @ResponseBody
+    public AttackResult postFlag(@RequestParam String flag) {
         UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
-        if (userTracker == null) {
-            userTracker = new UserTracker(webSession.getUserName());
-        }
         String currentChallenge = webSession.getCurrentLesson().getName();
         int challengeNumber = Integer.valueOf(currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
         String expectedFlag = FLAGS.get(challengeNumber);
+        final AttackResult attackResult;
         if (expectedFlag.equals(flag)) {
             userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
+            attackResult = new AttackResult.AttackResultBuilder(pluginMessages).lessonCompleted(true, "challenge.flag.correct").build();
         } else {
             userTracker.assignmentFailed(webSession.getCurrentLesson());
+            attackResult = new AttackResult.AttackResultBuilder(pluginMessages).feedback("challenge.flag.incorrect").build();
         }
         userTrackerRepository.save(userTracker);
+        return attackResult;
     }
-
 }

webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties

@@ -10,3 +10,6 @@ challenge.close=This is not the correct password for tom, please try again.
 user.exists=User {0} already exists please try to register with a different username.
 user.created=User {0} created, please proceed to the login page.
 input.invalid=Input for user, email and/or password is empty or too long, please fill in all field and/or limit all fields to 30 characters.
+
+challenge.flag.correct=Congratulations you have solved the challenge!!
+challenge.flag.incorrect=Sorry this is not the correct flag, please try again.