added assignment draft (not working yet)

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html

@@ -5,10 +5,35 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScriptingMitigation_plan.adoc"></div>
 </div>
+
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
 </div>
 
+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8a.adoc"></div>
+	<div class="attack-container" style="height: 300px; border: none !important">
+		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+		<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
+			<div>
+				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
+				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
+				<script th:src="@{/lesson_js/assignment10b.js}" type="text/javascript" charset="utf-8"></script>
+				<script>
+                    var editor = ace.edit("editor");
+                    editor.setTheme("ace/theme/monokai");
+                    editor.session.setMode("ace/mode/html");
+				</script>
+			</div>
+			<div class="input-group" style="margin-top: 10px">
+				<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
+			</div>
+		</form>
+		<div class="attack-feedback"></div>
+		<div class="attack-output"></div>
+	</div>
+</div>
+
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
 </div>

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc

@@ -0,0 +1,65 @@
+== Reflective XSS
+
+See the HTML file below which passes data to a JSP file.
+
+[source,html]
+-------------------------------------------------------
+<html>
+   <body>
+
+      <form action = "main.jsp" method = "POST">
+         First Name: <input type = "text" name = "first_name">
+         <br />
+         Last Name: <input type = "text" name = "last_name" />
+         <input type = "submit" value = "Submit" />
+      </form>
+
+   </body>
+</html>
+-------------------------------------------------------
+
+Here is the JSP file:
+
+[source,html]
+-------------------------------------------------------
+<html>
+   <head>
+      <title>Using GET and POST Method to Read Form Data</title>
+   </head>
+
+   <body>
+      <center>
+      <h1>Using POST Method to Read Form Data</h1>
+
+      <ul>
+         <li><p><b>First Name:</b>
+            <%= request.getParameter("first_name")%>
+         </p></li>
+         <li><p><b>Last  Name:</b>
+            <%= request.getParameter("last_name")%>
+         </p></li>
+      </ul>
+
+   </body>
+</html>
+-------------------------------------------------------
+
+
+As you can see the JSP file prints unfiltered user input which is never a good idea.
+You want people to accesses the page like this:
+
+----
+http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
+----
+
+But what happens if someone uses this link:
+----
+http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
+----
+
+=== It's your turn!
+
+Try to prevent this kind of XSS by escaping the url parameters:
+
+
+