Challenge 4: First setup

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java

@@ -29,7 +29,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
  * @author nbaars
  * @since 4/8/17.
  */
-@AssignmentPath("/challenge3")
+@AssignmentPath("/challenge/3")
 public class Challenge3 extends AssignmentEndpoint {
 
     @Autowired

webgoat-lessons/challenge/src/main/resources/html/Challenge.html

@@ -250,5 +250,106 @@
     </div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div>
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
+    <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/challenge/4"
+              enctype="application/json;charset=UTF-8">
+
+            <input id="discount" type="hidden" value="0"/>
+            <div class="row">
+
+                <div class="col-xs-3 item-photo">
+                    <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
+                </div>
+                <div class="col-xs-5" style="border:0px solid gray">
+                    <h3>Samsung Galaxy S8</h3>
+                    <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
+                        <small style="color:#337ab7">(124421 reviews)</small>
+                    </h5>
+
+                    <h6 class="title-price">
+                        <small>PRICE</small>
+                    </h6>
+                    <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
+
+                    <div class="section">
+                        <h6 class="title-attr" style="margin-top:15px;">
+                            <small>COLOR</small>
+                        </h6>
+                        <div>
+                            <div class="attr" style="width:25px;background:lightgrey;"></div>
+                            <div class="attr" style="width:25px;background:black;"></div>
+                        </div>
+                    </div>
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>CAPACITY</small>
+                        </h6>
+                        <div>
+                            <div class="attr2">64 GB</div>
+                            <div class="attr2">128 GB</div>
+                        </div>
+                    </div>
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>QUANTITY</small>
+                        </h6>
+                        <div>
+                            <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
+                            <input class="quantity" value="1"/>
+                            <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
+                        </div>
+                    </div>
+
+                    <div class="section" style="padding-bottom:5px;">
+                        <h6 class="title-attr">
+                            <small>CHECKOUT CODE</small>
+                        </h6>
+                        <!--
+                          Checkout code: webgoat, owasp, owasp-webgoat
+                        -->
+                        <input name="checkoutCode" class="checkoutCode" value=""/>
+
+                    </div>
+
+                    <div class="section" style="padding-bottom:20px;">
+                        <button type="submit" class="btn btn-success"><span style="margin-right:20px"
+                                                                            class="glyphicon glyphicon-shopping-cart"
+                                                                            aria-hidden="true"></span>Buy
+                        </button>
+                        <h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
+                                              style="cursor:pointer;"></span>
+                            Like</a></h6>
+                    </div>
+                </div>
+            </div>
+
+        </form>
+        <br/>
+        <div>
+            <form class="form-inline" method="POST" name="form" action="/WebGoat/challenge/flag">
+                <div class="form-group">
+                    <div class="input-group">
+                        <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
+                                                          style="font-size:20px"></i></div>
+                        <input type="text" class="form-control"
+                               placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
+                    </div>
+                </div>
+                <button type="submit" class="btn btn-primary">Submit flag</button>
+            </form>
+        </div>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
 
 </html>

webgoat-lessons/challenge/src/main/resources/js/challenge3.js

@@ -9,7 +9,7 @@ $(document).ready(function () {
         })
     })
 
-    $.get("challenge3", function (result, status) {
+    $.get("challenge/3", function (result, status) {
         alert("Hello");
     })
 })

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_1.adoc

@@ -1 +1 @@
-==== Admin forgot password can you help?
+Admin forgot password can you help?

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc

@@ -0,0 +1 @@
+No need to pay (fixed after private disclosure), do you need to pay now?