css and xss updates

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java

@@ -52,7 +52,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
     AttackResult completed(@RequestParam Integer param1,
                            @RequestParam Integer param2, HttpServletRequest request)  throws IOException {
 
-        UserSessionData userSessionData = getUserSessionData();
+            UserSessionData userSessionData = getUserSessionData();
         SecureRandom number = new SecureRandom();
         userSessionData.setValue("randValue",number.nextInt());
 

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java

@@ -49,7 +49,9 @@ import org.owasp.encoder.*;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
@@ -65,6 +67,7 @@ public class StoredXssComments extends AssignmentEndpoint {
     private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
     private static final String phoneHomeString = "<script>webgoat.customjs.phoneHome()</script>";
 
+
     static {
         comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
@@ -76,7 +79,11 @@ public class StoredXssComments extends AssignmentEndpoint {
     @ResponseBody
     public Collection<Comment> retrieveComments() {
         Collection<Comment> allComments = Lists.newArrayList();
-        // no filtering applied here at render
+        Collection<Comment> newComments = userComments.get(webSession.getUserName());
+        if (newComments != null) {
+            allComments.addAll(newComments);
+        }
+
         allComments.addAll(comments);
 
         return allComments;
@@ -89,10 +96,10 @@ public class StoredXssComments extends AssignmentEndpoint {
         Comment comment = parseJson(commentStr);
 
         EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
-        comments.add(comment);
         comment.setDateTime(DateTime.now().toString(fmt));
         comment.setUser(webSession.getUserName());
 
+        comments.add(comment);
         userComments.put(webSession.getUserName(), comments);
 
         if (comment.getText().contains(phoneHomeString)) {

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc

@@ -29,5 +29,6 @@ javascript:alert(document.cookie);
 ----
 
 == Try It!  Using Chrome or Firefox 
-Type in `javascript:alert(document.cookie);` in the URL bar.  *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.
-Try it on a different tab (with WebGoat open in that tab).
+
+* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
+* Then, in the address bar on each tab, type `javascript:alert(document.cookie);` *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc

@@ -7,4 +7,4 @@ Why is that?
 That is because there is no link that would tigger that XSS.
 You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
 
-link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my javascript here')</script>4128+3214+0002+1999&field2=111
+link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111