Solved issue with POST in vulnerable components lesson

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java

@@ -4,9 +4,9 @@ import com.thoughtworks.xstream.XStream;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import java.io.IOException;
@@ -49,7 +49,7 @@ import java.io.IOException;
 public class VulnerableComponentsLesson extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestBody String payload) throws IOException {
+	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
 		String process = "open"; 		
 		String arguments = "/Applications/Calculator.app";		
 		

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html

@@ -131,35 +131,23 @@
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
-		<div class="attack-container">
-			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
-			<div id="lessonContent">
-				<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-				<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-				<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-				<form class="attack-form" accept-charset="UNKNOWN"
-					  method="POST" name="form"
-					  action="/WebGoat/VulnerableComponents/attack1"
-					  enctype="application/json;charset=UTF-8">
-							Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
-								name="SUBMIT" value="Go!" type="SUBMIT"/>
-				</form>
-				<!-- do not remove the two following div's, this is where your feedback/output will land -->
-				<div class="attack-feedback"></div>
-				<div class="attack-output"></div>
-				<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
-			</div>
-
-		</div>
-
-
-
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
             <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-
+			<form class="attack-form" accept-charset="UNKNOWN"
+				method="POST" name="form"
+				action="/WebGoat/VulnerableComponents/attack1"
+				enctype="application/json;charset=UTF-8">
+				<div id="lessonContent">
+					<form accept-charset="UNKNOWN" method="POST" name="form"
+						action="#attack/307/100" enctype="">
+						Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
+							name="SUBMIT" value="Go!" type="SUBMIT"/>
+					</form>
+				</div>
+			</form>
 			<!-- do not remove the two following div's, this is where your feedback/output will land -->
 			<div class="attack-feedback"></div>
 			<div class="attack-output"></div>