Refactoring (#1201)

* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>

src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java

@@ -0,0 +1,135 @@
+package org.owasp.webgoat.lessons.cryptography;
+
+import lombok.extern.slf4j.Slf4j;
+
+import javax.xml.bind.DatatypeConverter;
+import java.math.BigInteger;
+import java.nio.charset.Charset;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Signature;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.RSAKeyGenParameterSpec;
+import java.util.Base64;
+
+@Slf4j
+public class CryptoUtil {
+
+	private static final BigInteger[] FERMAT_PRIMES = 
+		{	BigInteger.valueOf(3), 
+			BigInteger.valueOf(5), 
+			BigInteger.valueOf(17), 
+			BigInteger.valueOf(257), 
+			BigInteger.valueOf(65537) };
+
+	public static KeyPair generateKeyPair() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+		KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+		RSAKeyGenParameterSpec kpgSpec = new RSAKeyGenParameterSpec(2048, FERMAT_PRIMES[new SecureRandom().nextInt(FERMAT_PRIMES.length)]);
+		keyPairGenerator.initialize(kpgSpec);
+		//keyPairGenerator.initialize(2048);
+        return keyPairGenerator.generateKeyPair();
+    }
+
+    public static String getPrivateKeyInPEM(KeyPair keyPair) {
+        String encodedString = "-----BEGIN PRIVATE KEY-----\n";
+        encodedString = encodedString+new String(Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),Charset.forName("UTF-8"))+"\n";
+        encodedString = encodedString+"-----END PRIVATE KEY-----\n";
+        return encodedString;
+    }
+
+    public static String signMessage(String message, PrivateKey privateKey) {
+
+        log.debug("start signMessage");
+        String signature = null;
+		
+		try {
+			//Initiate signature verification
+			Signature instance = Signature.getInstance("SHA256withRSA");
+			instance.initSign(privateKey);
+            instance.update(message.getBytes("UTF-8"));
+            
+            //actual verification against signature
+			signature = new String(Base64.getEncoder().encode(instance.sign()), Charset.forName("UTF-8"));
+
+			log.info("signe the signature with result: {}", signature);
+		} catch (Exception e) {
+			log.error("Signature signing failed", e);
+		}
+
+		log.debug("end signMessage");
+		return signature;
+	}
+    
+    public static boolean verifyMessage(String message, String base64EncSignature,
+			PublicKey publicKey) {
+
+		log.debug("start verifyMessage");
+		boolean result = false;
+		
+		try {
+			
+			base64EncSignature = base64EncSignature.replace("\r", "").replace("\n", "")
+					.replace(" ", "");
+			//get raw signature from base64 encrypted string in header
+			byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
+			
+			//Initiate signature verification
+			Signature instance = Signature.getInstance("SHA256withRSA");
+			instance.initVerify(publicKey);
+            instance.update(message.getBytes("UTF-8"));
+            
+            //actual verification against signature
+			result = instance.verify(decodedSignature);
+
+			log.info("Verified the signature with result: {}", result);
+		} catch (Exception e) {
+			log.error("Signature verification failed", e);
+		}
+
+		log.debug("end verifyMessage");
+		return result;
+	}
+
+	public static boolean verifyAssignment(String modulus, String signature, PublicKey publicKey) {
+
+		/* first check if the signature is correct, i.e. right private key and right hash */
+		boolean result = false;
+		
+		if (modulus != null && signature != null) {
+			result = verifyMessage(modulus, signature, publicKey);
+
+			/*
+			 * next check if the submitted modulus is the correct modulus of the public key
+			 */
+			RSAPublicKey rsaPubKey = (RSAPublicKey) publicKey;
+			if (modulus.length()==512) {
+				modulus = "00".concat(modulus);
+			}
+			result = result && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(modulus.toUpperCase()));
+		}
+		return result;
+
+	}
+
+	public static PrivateKey getPrivateKeyFromPEM(String privateKeyPem) throws NoSuchAlgorithmException, InvalidKeySpecException {
+		privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
+		privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
+		privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
+		
+
+      	byte [] decoded = Base64.getDecoder().decode(privateKeyPem);
+
+      	PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
+      	KeyFactory kf = KeyFactory.getInstance("RSA");
+      	return kf.generatePrivate(spec);
+	}
+
+}

src/main/java/org/owasp/webgoat/lessons/cryptography/Cryptography.java

@@ -0,0 +1,41 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.springframework.stereotype.Component;
+
+@Component
+public class Cryptography extends Lesson {
+    @Override
+    public Category getDefaultCategory() {
+        return Category.GENERAL;
+    }
+
+    @Override
+    public String getTitle() {
+        return "6.crypto.title";//first lesson in general
+    }
+
+}

src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java

@@ -0,0 +1,73 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Base64;
+import java.util.Random;
+
+@RestController
+public class EncodingAssignment extends AssignmentEndpoint {
+
+	public static String getBasicAuth(String username, String password) {
+    	return Base64.getEncoder().encodeToString(username.concat(":").concat(password).getBytes());
+    }
+	
+	@GetMapping(path="/crypto/encoding/basic",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String getBasicAuth(HttpServletRequest request) {
+		
+		String basicAuth = (String) request.getSession().getAttribute("basicAuth");
+		String username = request.getUserPrincipal().getName();
+		if (basicAuth == null) {
+			String password = HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
+			basicAuth = getBasicAuth(username, password);
+			request.getSession().setAttribute("basicAuth", basicAuth);
+		}
+		return "Authorization: Basic ".concat(basicAuth);
+    }
+	
+    @PostMapping("/crypto/encoding/basic-auth")
+    @ResponseBody
+    public AttackResult completed(HttpServletRequest request, @RequestParam String answer_user, @RequestParam String answer_pwd) {
+    	String basicAuth = (String) request.getSession().getAttribute("basicAuth");
+    	if (basicAuth !=null && answer_user!=null && answer_pwd !=null 
+        		&& basicAuth.equals(getBasicAuth(answer_user,answer_pwd))) 
+        {
+            return success(this)
+                .feedback("crypto-encoding.success")
+                .build();
+        } else {
+            return failed(this).feedback("crypto-encoding.empty").build();
+        }
+    }
+}

src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java

@@ -0,0 +1,110 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Random;
+
+@RestController
+@AssignmentHints({"crypto-hashing.hints.1","crypto-hashing.hints.2"})
+public class HashingAssignment extends AssignmentEndpoint {
+	
+	public static final String[] SECRETS = {"secret","admin","password", "123456", "passw0rd"};
+
+	@RequestMapping(path="/crypto/hashing/md5",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException {
+		
+		String md5Hash = (String) request.getSession().getAttribute("md5Hash");
+		if (md5Hash == null) {
+			
+			String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+	         
+		    MessageDigest md = MessageDigest.getInstance("MD5");
+		    md.update(secret.getBytes());
+		    byte[] digest = md.digest();
+		    md5Hash = DatatypeConverter
+		      .printHexBinary(digest).toUpperCase();
+			request.getSession().setAttribute("md5Hash", md5Hash);
+			request.getSession().setAttribute("md5Secret", secret);
+		}
+		return md5Hash;
+    }
+	
+	@RequestMapping(path="/crypto/hashing/sha256",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmException {
+		
+		String sha256 = (String) request.getSession().getAttribute("sha256");
+		if (sha256 == null) {
+			String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+		    sha256 = getHash(secret, "SHA-256");
+			request.getSession().setAttribute("sha256Hash", sha256);
+			request.getSession().setAttribute("sha256Secret", secret);
+		}
+		return sha256;
+    }
+	
+    @PostMapping("/crypto/hashing")
+    @ResponseBody
+    public AttackResult completed(HttpServletRequest request, @RequestParam String answer_pwd1, @RequestParam String answer_pwd2) {
+        
+    	String md5Secret = (String) request.getSession().getAttribute("md5Secret");
+    	String sha256Secret = (String) request.getSession().getAttribute("sha256Secret");
+    	
+    	if (answer_pwd1!=null && answer_pwd2 !=null) {
+        	if (answer_pwd1.equals(md5Secret)
+        		&& answer_pwd2.equals(sha256Secret)) {
+        		return success(this)
+        				.feedback("crypto-hashing.success")
+        				.build();
+        	} else if (answer_pwd1.equals(md5Secret)
+            		|| answer_pwd2.equals(sha256Secret)) {
+        		return failed(this).feedback("crypto-hashing.oneok").build();
+        	} 
+        } 
+        return failed(this).feedback("crypto-hashing.empty").build(); 
+    }
+    
+    public static String getHash(String secret, String algorithm) throws NoSuchAlgorithmException {
+    	MessageDigest md = MessageDigest.getInstance(algorithm);
+	    md.update(secret.getBytes());
+	    byte[] digest = md.digest();
+	    return DatatypeConverter
+	      .printHexBinary(digest).toUpperCase();
+    }
+    
+}

src/main/java/org/owasp/webgoat/lessons/cryptography/SecureDefaultsAssignment.java

@@ -0,0 +1,53 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.security.NoSuchAlgorithmException;
+
+@RestController
+@AssignmentHints({"crypto-secure-defaults.hints.1", "crypto-secure-defaults.hints.2", "crypto-secure-defaults.hints.3"})
+public class SecureDefaultsAssignment extends AssignmentEndpoint {
+
+    @PostMapping("/crypto/secure/defaults")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String secretFileName,  @RequestParam String secretText) throws NoSuchAlgorithmException {
+        if (secretFileName!=null && secretFileName.equals("default_secret")) {
+        	if (secretText!=null && HashingAssignment.getHash(secretText, "SHA-256").equalsIgnoreCase("34de66e5caf2cb69ff2bebdc1f3091ecf6296852446c718e38ebfa60e4aa75d2")) {
+        		return success(this)
+        				.feedback("crypto-secure-defaults.success")
+        				.build();
+        	} else {
+        		return failed(this).feedback("crypto-secure-defaults.messagenotok").build(); 
+        	}
+        } 
+        return failed(this).feedback("crypto-secure-defaults.notok").build(); 
+    }
+}

src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java

@@ -0,0 +1,86 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.bind.DatatypeConverter;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPublicKey;
+
+@RestController
+@AssignmentHints({"crypto-signing.hints.1","crypto-signing.hints.2", "crypto-signing.hints.3", "crypto-signing.hints.4"})
+@Slf4j
+public class SigningAssignment extends AssignmentEndpoint {
+	
+	@RequestMapping(path="/crypto/signing/getprivate",produces=MediaType.TEXT_HTML_VALUE)
+    @ResponseBody
+    public String getPrivateKey(HttpServletRequest request) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+		
+		String privateKey = (String) request.getSession().getAttribute("privateKeyString");
+		if (privateKey == null) {			
+			KeyPair keyPair = CryptoUtil.generateKeyPair();
+			privateKey = CryptoUtil.getPrivateKeyInPEM(keyPair);
+			request.getSession().setAttribute("privateKeyString", privateKey);
+			request.getSession().setAttribute("keyPair", keyPair);
+		}
+		return privateKey;
+    }
+	
+    @PostMapping("/crypto/signing/verify")
+    @ResponseBody
+    public AttackResult completed(HttpServletRequest request, @RequestParam String modulus, @RequestParam String signature) {
+		
+		String tempModulus = modulus;/* used to validate the modulus of the public key but might need to be corrected */
+    	KeyPair keyPair = (KeyPair) request.getSession().getAttribute("keyPair");
+		RSAPublicKey rsaPubKey = (RSAPublicKey) keyPair.getPublic();
+		if (tempModulus.length() == 512) {
+			tempModulus = "00".concat(tempModulus);
+		}
+		if (!DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray()).equals(tempModulus.toUpperCase())) {
+			log.warn("modulus {} incorrect", modulus);
+			return failed(this).feedback("crypto-signing.modulusnotok").build();
+		}
+		/* orginal modulus must be used otherwise the signature would be invalid */
+		if (CryptoUtil.verifyMessage(modulus, signature, keyPair.getPublic())) {
+			return success(this).feedback("crypto-signing.success").build();
+		} else {
+			log.warn("signature incorrect");
+			return failed(this).feedback("crypto-signing.notok").build();
+		}
+       
+    }
+    
+}

src/main/java/org/owasp/webgoat/lessons/cryptography/XOREncodingAssignment.java

@@ -0,0 +1,47 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.cryptography;
+
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"crypto-encoding-xor.hints.1"})
+public class XOREncodingAssignment extends AssignmentEndpoint {
+
+    @PostMapping("/crypto/encoding/xor")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String answer_pwd1) {
+        if (answer_pwd1!=null && answer_pwd1.equals("databasepassword")) {
+        	return success(this)
+        				.feedback("crypto-encoding-xor.success")
+        				.build();
+        } 
+        return failed(this).feedback("crypto-encoding-xor.empty").build(); 
+    }
+}