Merge branch 'release/v8.2.2'

.github/workflows/release.yml

@@ -88,7 +88,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push"
-        uses: docker/build-push-action@v2.4.0
+        uses: docker/build-push-action@v2.7.0
         with:
           context: ./docker
           file: docker/Dockerfile

CREATE_RELEASE.MD

@@ -15,12 +15,11 @@ At the moment we use Gitflow, for a release you create a new release branch and
 
 ```
 git checkout develop
-git flow release start <version>
-mvn versions:set <<version>  
-git commit -am "New release, updating pom.xml" 
+git flow release start <version> 
 git flow release publish
 
 <<Make changes if necessary>>
+<<Update RELEASE_NOTES.md>>
 
 git flow release finish <version>
 git push origin develop

README.MD

@@ -1,6 +1,6 @@
 # WebGoat 8: A deliberately insecure Web Application
 
-[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
+[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
@@ -27,46 +27,39 @@ you are caught engaging in unauthorized hacking, most companies will fire you.
 Claiming that you were doing security research will not work as that is the
 first thing that all hackers claim.*
 
-# Installation Instructions:
+# Installation instructions:
 
 ## 1. Run using Docker
 
-Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
-
-### Using docker run
+Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).
 
 The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
-docker run -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
+
+docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1
 ```
 
-WebGoat will be located at: http://127.0.0.1:8080/WebGoat
-WebWolf will be located at: http://127.0.0.1:9090/WebWolf
+The landing page will be located at: http://localhost  
+WebGoat will be located at: http://localhost:8080/WebGoat  
+WebWolf will be located at: http://localhost:9090/WebWolf
 
-**Important**: Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.
+**Important**: *Change the ports if necessary, for example use `127.0.0.1:7777:9090` to map WebWolf to `http://localhost:7777/WebGoat`*  
+
+**Important**: *Choose the correct timezone, so that the docker container and your host are in the same timezone. As it is important for the validity of JWT tokens used in certain exercises.*
 
 
 ## 2. Standalone
 
 Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
-```Shell
-java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
-java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]
+```shell
+java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
+java -Dfile.encoding=UTF-8 -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
 ```
 
-The latest version of WebGoat needs Java 15 or above. By default, WebGoat and Webwolf start on port 8080, 9000 and 9090 with the environment variable WEBGOAT_PORT, WEBGOAT_HSQLPORT and WEBWOLF_PORT you can set different values.
-```Shell
-export WEBGOAT_PORT=18080
-export WEBGOAT_HSQLPORT=19001
-export WEBWOLF_PORT=19090
-java -jar webgoat-server-8.1.0.jar
-java -jar webwolf-8.1.0.jar 
-```
-
-Use `set` instead of export if you're using Windows cmd. 
-
+WebGoat will be located at: http://localhost:8080/WebGoat and   
+WebWolf will be located at: http://localhost:9090/WebWolf (change ports if necessary)
 
 ## 3. Run from the sources
 

RELEASE_NOTES.md

@@ -1,5 +1,25 @@
 # WebGoat release notes 
 
+## Version 8.2.2
+
+### New functionality
+
+- Docker image now supports nginx when browsing to http://localhost a landing page is shown. 
+
+### Bug fixes
+
+- [#1039 jwt-7-Code review](https://github.com/WebGoat/WebGoat/issues/1039)
+- [#1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct](https://github.com/WebGoat/WebGoat/issues/1031)
+- [#1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error](https://github.com/WebGoat/WebGoat/issues/1027)
+
+
+## Version 8.2.1
+
+### New functionality
+
+- New Docker image for arm64 architecture is now available (for Apple M1)
+
+
 ## Version 8.2.0
 
 ### New functionality

docker/Dockerfile

@@ -18,12 +18,5 @@ COPY --chown=webgoat start.sh /home/webgoat
 EXPOSE 8080
 EXPOSE 9090
 
-ENV WEBGOAT_PORT 8080
-ENV WEBGOAT_SSLENABLED false
-
-ENV GOATURL https://127.0.0.1:$WEBGOAT_PORT
-ENV WOLFURL http://127.0.0.1:9090
-
-
 WORKDIR /home/webgoat
 ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env

docker/Readme.md

@@ -9,5 +9,5 @@ docker build --no-cache --build-arg webgoat_version=8.2.0-SNAPSHOT -t webgoat/go
 ## Docker run
 
 ```shell
-docker run -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
+docker run -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
 ```

docker/index.html

@@ -1,43 +1,70 @@
 <!DOCTYPE html>
 <html>
-  <body>
-    <h1>OWASP WebGoat Training tools</h1>
-    <p>
-      Use the following links to access the WebGoat and WebWolf applications.
-      Register a user using WebGoat. The same user can access WebWolf.
-    </p>
-	
-	<h2>Use without special host name entries</h2>
-	
-	<table>
-	<tr>
-		<td>WebGoat URL</td>
-		<td><a href="http://127.0.0.1:8080/WebGoat" target="_blank">http://127.0.0.1:8080/WebGoat</a></td>
-	</tr>
-	<tr>
-		<td>WebWolf URL</td>
-		<td><a href="http://127.0.0.1:9090/WebWolf" target="_blank">http://127.0.0.1:9090/WebWolf</a></td>
-	</tr>
-	<table>
-	
-	<h2>Use with www.webgoat.local and www.webwolf.local</h2>
-	<p>
-      Add the following entries to your local <b><i>hosts</i></b> file on Windows (c:\Windows\System32\drivers\etc\hosts) or Linux (/etc/hosts)
-	  
-<pre>
-127.0.0.1 www.webgoat.local www.webwolf.local
-</pre>
-	Then use the following URL's:
-    </p>
-	<table>
-	<tr>
-		<td>WebGoat URL</td>
-		<td><a href="http://www.webgoat.local/WebGoat" target="_blank">http://www.webgoat.local/WebGoat</a></td>
-	</tr>
-	<tr>
-		<td>WebWolf URL</td>
-		<td><a href="http://www.webwolf.local/WebWolf" target="_blank">http://www.webwolf.local/WebWolf</a></td>
-	</tr>
-	<table>
-  </body>
+<head>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <style>
+
+        .p1 {
+            font-family: Arial, Helvetica, sans-serif;
+        }
+
+        .webgoat {
+            float: left;
+            margin-right: 250px;
+            text-align: center;
+        }
+
+        .webwolf {
+            float: left;
+            width: 40%;
+            height: 40%;
+            text-align: center;
+        }
+
+        #images {
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+
+        body {
+
+            text-align: center;
+
+        }
+    </style>
+</head>
+<body>
+
+
+<h1>
+    <center>
+        Landing page for WebGoat and WebWolf
+    </center>
+</h1>
+<blockquote class="p1">
+    WebGoat is a deliberately insecure web application maintained by <a href="http://www.owasp.org/">OWASP</a> designed
+    to teach web
+    application security lessons.
+
+    This program is a demonstration of common server-side application flaws. The
+    exercises are intended to be used by people to learn about application security and
+    penetration testing techniques.
+</blockquote>
+
+<br/>
+
+<p class="p1">Click on one of the images to go to WebGoat or WebWolf</p>
+
+<br/>
+<br/>
+
+<div id="images">
+    <a href="http://127.0.0.1:8080/WebGoat" title="Open WebGoat" target="_blank"><img class="webgoat"
+                                                                                      src="http://127.0.0.1:8080/WebGoat/css/img/logoBG.jpg"></a>
+    <a href="http://127.0.0.1:9090/WebWolf" title="Open WebWolf" target="_blank"><img class="webwolf"
+                                                                                      src="http://127.0.0.1:9090/images/wolf.png"></a>
+</div>
+
+</body>
 </html>

docker/start.sh

@@ -4,13 +4,23 @@ cd /home/webgoat
 service nginx start
 sleep 1
 echo "Starting WebGoat..."
-java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0  > webgoat.log &
+
+java \
+ -Duser.home=/home/webgoat \
+ -Dfile.encoding=UTF-8 \
+ --add-opens java.base/java.util=ALL-UNNAMED \
+ --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
+ --add-opens java.base/java.text=ALL-UNNAMED \
+ --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
+ --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
+ --add-opens java.base/java.io=ALL-UNNAMED \
+ -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log &
 
 sleep 10
 
 echo "Starting WebWolf..."
 java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
 
-echo "Browse to http://localhost" to get started >> webgoat.log
+echo "Browse to http://localhost to get started" >> webgoat.log
 
 tail -300f webgoat.log

pom.xml

@@ -131,7 +131,7 @@
         <commons-lang3.version>3.4</commons-lang3.version>
         <commons-io.version>2.6</commons-io.version>
         <guava.version>30.1-jre</guava.version>
-        <lombok.version>1.18.4</lombok.version>
+        <lombok.version>1.18.20</lombok.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>

webgoat-lessons/cross-site-scripting/pom.xml

@@ -13,7 +13,7 @@
             <!-- jsoup HTML parser library @ https://jsoup.org/ -->
             <groupId>org.jsoup</groupId>
             <artifactId>jsoup</artifactId>
-            <version>1.13.1</version>
+            <version>1.14.2</version>
         </dependency>
     </dependencies>
     <build>

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java

@@ -62,7 +62,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
         userSessionData.setValue("xss-reflected1-complete", "false");
         StringBuffer cart = new StringBuffer();
-        cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
+        cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
         cart.append("<p>We have charged credit card:" + field1 + "<br />");
         cart.append("                             ------------------- <br />");
         cart.append("                               $" + totalSale);
@@ -87,4 +87,4 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
                     .build();
         }
     }
-}
+}

webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_libraries_assignment.adoc

@@ -4,7 +4,7 @@ Now let's look at a code review and try to think on an attack with the `alg: non
 
 [source]
 ----
-eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
+eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlciI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.
 ----
 
 [source%linenums, java]

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5.java

@@ -39,7 +39,7 @@ import java.sql.Statement;
 
 
 @RestController
-@AssignmentHints(value = {"SqlStringInjectionHint5-a"})
+@AssignmentHints(value = {"SqlStringInjectionHint5-1", "SqlStringInjectionHint5-2", "SqlStringInjectionHint5-3", "SqlStringInjectionHint5-4"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {
 
     private final LessonDataSource dataSource;
@@ -50,7 +50,7 @@ public class SqlInjectionLesson5 extends AssignmentEndpoint {
 
     @PostConstruct
     public void createUser() {
-        // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (DROP first will throw error if user does not exists)
+        // HSQLDB does not support CREATE USER with IF NOT EXISTS so we need to do it in code (using DROP first will throw error if user does not exists)
         try (Connection connection = dataSource.getConnection()) {
             try (var statement = connection.prepareStatement("CREATE USER unauthorized_user PASSWORD test")) {
                 statement.execute();

webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -24,8 +24,10 @@ SqlStringInjectionHint4-1=ALTER TABLE alters the structure of an existing databa
 SqlStringInjectionHint4-2=Do not forget the data type of the new column (e.g. varchar(size) or int(size))
 SqlStringInjectionHint4-3=ALTER TABLE table name ADD column name data type(size);
 
-SqlStringInjectionHint5-1=Take a look at how to use a grant statement.
-SqlStringInjectionHint5-2=You are using 'tom' trying to grant access to tom 
+SqlStringInjectionHint5-1=Take a look at how to use a grant statement (WebGoat uses HSQLDB)
+SqlStringInjectionHint5-2=You can grant to a user or a role.
+SqlStringInjectionHint5-3=Try to grant 'select' privilege to 'unauthorized_user'.
+SqlStringInjectionHint5-4=Use 'grant select on <<table>> to <<user>>' to solve the assignment.
 
 sql-injection.5a.success=You have succeeded: {0}
 sql-injection.5a.no.results=No results matched. Try Again.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content4.adoc

@@ -8,9 +8,6 @@ If an attacker successfully "injects" DCL type SQL commands into a database, he
 * DCL commands are used to implement access control on database objects.
 * GRANT -  give a user access privileges on database objects
 * REVOKE - withdraw user privileges that were previously given using GRANT
-* Example:
-** GRANT CREATE TABLE TO operator;
-** This statement gives all users of the operator-role the privilege to create new tables in the database.
 
 
 Try to grant rights to the table `grant_rights` to user `unauthorized_user`:

webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc

@@ -1,5 +1,7 @@
 == Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
 
+NOTE: This lesson only works when you are using the Docker image of WebGoat.
+
 WebGoat uses an XML document to add contacts to a contacts database.  
 [source,xml]
 ----