From 65d728dfffb3d3e4548866e205ac8b9f719c4393 Mon Sep 17 00:00:00 2001
From: Nanne Baars <nanne.baars@owasp.org>
Date: Tue, 7 Feb 2017 23:49:26 +0100
Subject: [PATCH] Solved issue with POST in vulnerable components lesson

---
 .../plugin/VulnerableComponentsLesson.java    |  6 ++--
 .../html/VulnerableComponents.html            | 36 +++++++------------
 2 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
index 80933dfa2..be22ed45e 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
@@ -4,9 +4,9 @@ import com.thoughtworks.xstream.XStream;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import java.io.IOException;
@@ -49,11 +49,11 @@ import java.io.IOException;
 public class VulnerableComponentsLesson extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestBody String payload) throws IOException {
+	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
 		String process = "open"; 		
 		String arguments = "/Applications/Calculator.app";		
 		
-		String payload2 = "<sorted-set>" +
+		String payload2 = "<sorted-set>" +  
 						 "<string>foo</string>" +
 						 "<dynamic-proxy>" + 
 						 "<interface>java.lang.Comparable</interface>" +
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
index e35a3d6f4..8151c06ce 100644
--- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
@@ -131,35 +131,23 @@
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
-		<div class="attack-container">
-			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
-			<div id="lessonContent">
-				<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-				<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-				<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-				<form class="attack-form" accept-charset="UNKNOWN"
-					  method="POST" name="form"
-					  action="/WebGoat/VulnerableComponents/attack1"
-					  enctype="application/json;charset=UTF-8">
-							Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
-								name="SUBMIT" value="Go!" type="SUBMIT"/>
-				</form>
-				<!-- do not remove the two following div's, this is where your feedback/output will land -->
-				<div class="attack-feedback"></div>
-				<div class="attack-output"></div>
-				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
-			</div>
-
-		</div>
-
-
-
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
             <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-
+			<form class="attack-form" accept-charset="UNKNOWN"
+				method="POST" name="form"
+				action="/WebGoat/VulnerableComponents/attack1"
+				enctype="application/json;charset=UTF-8">
+				<div id="lessonContent">
+					<form accept-charset="UNKNOWN" method="POST" name="form"
+						action="#attack/307/100" enctype="">
+						Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
+							name="SUBMIT" value="Go!" type="SUBMIT"/>
+					</form>
+				</div>
+			</form>
 			<!-- do not remove the two following div's, this is where your feedback/output will land -->
 			<div class="attack-feedback"></div>
 			<div class="attack-output"></div>