Refactoring (#1201)

* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>

src/main/resources/lessons/ssrf/documentation/SSRF_Intro.adoc

@@ -0,0 +1,12 @@
+== Concept
+In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to. Moreover, by carefully selecting the URLs, the attacker may read server configuration such as AWS metadata, connect to internal services like HTTP enabled databases, or perform post requests towards internal services that are not intended to be exposed.
+
+== Goals
+In the exercises on the following pages, you need to examine what the browser sends to the server and adjust the request to get other things from the server.
+
+== SSRF How-To
+* https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
+
+== A New Era of SSRF by Orange Tsai
+
+video::D1S-G8rJrEk[youtube, height=480, width=100%]

src/main/resources/lessons/ssrf/documentation/SSRF_Prevent.adoc

@@ -0,0 +1,11 @@
+== Prevent
+
+To prevent SSRF vulnerabilities in web applications, it is recommended to adhere to the following guidelines:
+
+* Use a whitelist of allowed domains, resources, and protocols from where the webserver can fetch resources.
+* Any input accepted from the user should be validated and rejected if it does not match the positive specification expected.
+* If possible, do not accept user input in functions that control where the webserver can fetch resources.
+
+== References
+* https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
+

src/main/resources/lessons/ssrf/documentation/SSRF_Task1.adoc

@@ -0,0 +1,2 @@
+=== Find and modify the request to display Jerry 
+Click the button and figure out what happened.

src/main/resources/lessons/ssrf/documentation/SSRF_Task2.adoc

@@ -0,0 +1,2 @@
+=== Change the request, so the server gets information from http://ifconfig.pro
+Click the button and figure out what happened.

src/main/resources/lessons/ssrf/html/SSRF.html

@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Intro.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task1.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/SSRF/task1">
+                <table>
+                    <tr>
+                        <td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
+
+                        <td><input
+                                name="Steal the Cheese" value="Steal the Cheese" type="SUBMIT"/></td>
+                        <td></td>
+                    </tr>
+                </table>
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Task2.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/SSRF/task2">
+                <table>
+                    <tr>
+                        <td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
+
+                        <td><input
+                                name="try this" value="try this" type="SUBMIT"/></td>
+                        <td></td>
+                    </tr>
+                </table>
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:lessons/ssrf/documentation/SSRF_Prevent.adoc"></div>
+    </div>
+</html>

src/main/resources/lessons/ssrf/i18n/WebGoatLabels.properties

@@ -0,0 +1,9 @@
+ssrf.title=Server-Side Request Forgery
+
+ssrf.tom=You failed to steal the cheese!
+ssrf.success=You rocked the SSRF!
+ssrf.failure=You need to stick to the game plan!
+
+ssrf.hint1=You should use an HTTP proxy to intercept the request and change the URL.
+ssrf.hint2=If Tom is images/tom.png, Jerry would be images/jerry.png.
+ssrf.hint3=You need to put the protocol, "http://" in front of ifconfig.pro.

src/main/resources/lessons/ssrf/js/credentials.js

@@ -0,0 +1,6 @@
+function submit_secret_credentials() {
+    var xhttp = new XMLHttpRequest();
+    xhttp['open']('POST', '#attack/307/100', true);
+	//sending the request is obfuscated, to descourage js reading
+	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
+}