Merge branch 'develop' of https://github.com/WebGoat/WebGoat into develop

webgoat-container/pom.xml

@@ -166,6 +166,18 @@
                     </filesets>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>3.0.2</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>test-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -31,6 +31,8 @@
 package org.owasp.webgoat;
 
 import com.google.common.collect.Sets;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.LabelDebugger;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -38,13 +40,14 @@ import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect;
 import org.thymeleaf.spring4.SpringTemplateEngine;
 import org.thymeleaf.spring4.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.templatemode.StandardTemplateModeHandlers;
 import org.thymeleaf.templateresolver.TemplateResolver;
 
 import java.io.File;
@@ -114,6 +117,24 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/");
     }
 
+    @Bean
+    public PluginMessages pluginMessages(Messages messages) {
+        return new PluginMessages(messages);
+    }
+
+    @Bean
+    public Messages messageSource(LocaleResolver localeResolver) {
+        Messages messages = new Messages(localeResolver);
+        messages.setBasename("classpath:/i18n/messages");
+        return messages;
+    }
+
+    @Bean
+    public LocaleResolver localeResolver() {
+        SessionLocaleResolver slr = new SessionLocaleResolver();
+        return slr;
+    }
+
     @Bean
     public HammerHead hammerHead(Course course) {
         return new HammerHead(course);

webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java

@@ -34,6 +34,7 @@ import com.fasterxml.jackson.annotation.JsonInclude;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.catalina.Context;
+import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.plugins.PluginClassLoader;
 import org.owasp.webgoat.plugins.PluginEndpointPublisher;
 import org.owasp.webgoat.plugins.PluginsExtractor;
@@ -91,8 +92,8 @@ public class WebGoat extends SpringBootServletInitializer {
     }
 
     @Bean
-    public PluginsExtractor pluginsLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory, PluginClassLoader classLoader) {
+    public PluginsExtractor pluginsLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory, PluginClassLoader classLoader, PluginMessages messages) {
-        return new PluginsExtractor(pluginTargetDirectory, classLoader);
+        return new PluginsExtractor(pluginTargetDirectory, classLoader, messages);
     }
 
     @Bean

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java

@@ -1,9 +1,8 @@
-/**
+/*
- * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -23,19 +22,15 @@
  * projects.
  * <p>
  */
-package org.owasp.webgoat.endpoints;
+package org.owasp.webgoat.assignments;
 
 import lombok.Getter;
-import org.owasp.webgoat.i18n.LabelManager;
+import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.i18n.LabelProvider;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 
-import javax.ws.rs.Path;
-
 /**
  * Each lesson can define an endpoint which can support the lesson. So for example if you create a lesson which uses JavaScript and
  * needs to call out to the server to fetch data you can define an endpoint in that lesson. WebGoat will pick up this endpoint and
@@ -53,10 +48,9 @@ public abstract class AssignmentEndpoint extends Endpoint {
 	private WebSession webSession;
     @Autowired
     private UserSessionData userSessionData;
-    @Autowired
     @Getter
-    private LabelManager labelProvider;
+    @Autowired
-
+    private PluginMessages messages;
 
 	//// TODO: 11/13/2016 events better fit?
     protected AttackResult trackProgress(AttackResult attackResult) {
@@ -80,4 +74,32 @@ public abstract class AssignmentEndpoint extends Endpoint {
     public final String getPath() {
         return this.getClass().getAnnotationsByType(AssignmentPath.class)[0].value();
     }
+
+    /**
+     * Convenience method for create a successful result:
+     *
+     * - Assignment is set to solved
+     * - Feedback message is set to 'assignment.solved'
+     *
+     * Of course you can overwrite these values in a specific lesson
+     *
+     * @return a builder for creating a result from a lesson
+     */
+    protected AttackResult.AttackResultBuilder success() {
+        return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved");
+    }
+
+    /**
+     * Convenience method for create a failed result:
+     *
+     * - Assignment is set to not solved
+     * - Feedback message is set to 'assignment.not.solved'
+     *
+     * Of course you can overwrite these values in a specific lesson
+     *
+     * @return a builder for creating a result from a lesson
+     */
+    protected AttackResult.AttackResultBuilder failed() {
+        return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved");
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentHints.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.endpoints;
+package org.owasp.webgoat.assignments;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java

@@ -1,6 +1,4 @@
-package org.owasp.webgoat.endpoints;
+package org.owasp.webgoat.assignments;
-
-import org.springframework.core.annotation.AliasFor;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java

@@ -0,0 +1,94 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.assignments;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import org.owasp.webgoat.i18n.PluginMessages;
+
+@AllArgsConstructor
+public class AttackResult {
+
+    public static class AttackResultBuilder {
+
+        private boolean lessonCompleted;
+        private PluginMessages messages;
+        private Object[] feedbackArgs;
+        private String feedbackResourceBundleKey;
+        private String output;
+        private Object[] outputArgs;
+
+        public AttackResultBuilder(PluginMessages messages) {
+            this.messages = messages;
+        }
+
+        public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
+            this.lessonCompleted = lessonCompleted;
+            this.feedbackResourceBundleKey = "lesson.completed";
+            return this;
+        }
+
+        public AttackResultBuilder feedbackArgs(Object... args) {
+            this.feedbackArgs = args;
+            return this;
+        }
+
+        public AttackResultBuilder feedback(String resourceBundleKey) {
+            this.feedbackResourceBundleKey = resourceBundleKey;
+            return this;
+        }
+
+        public AttackResultBuilder output(String output) {
+            this.output = output;
+            return this;
+        }
+
+        public AttackResultBuilder outputArgs(Object... args) {
+            this.outputArgs = args;
+            return this;
+        }
+
+        public AttackResult build() {
+            return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs));
+        }
+    }
+
+    @Getter
+    private boolean lessonCompleted;
+    @Getter
+    private String feedback;
+    @Getter
+    private String output;
+
+
+    public static AttackResultBuilder builder(PluginMessages messages) {
+        return new AttackResultBuilder(messages);
+    }
+
+    public boolean assignmentSolved() {
+        return lessonCompleted;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/assignments/Endpoint.java

@@ -1,17 +1,8 @@
-package org.owasp.webgoat.endpoints;
+/*
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
-
-import java.io.File;
-
-/**
- * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -30,11 +21,16 @@ import java.io.File;
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  * <p>
- *
- * @author nbaars
- * @version $Id: $Id
- * @since November 13, 2016
  */
+
+package org.owasp.webgoat.assignments;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
+
+import java.io.File;
+
 public abstract class Endpoint implements MvcEndpoint {
 
     @Autowired

webgoat-container/src/main/java/org/owasp/webgoat/i18n/ExposedReloadableResourceMessageBundleSource.java

@@ -1,24 +0,0 @@
-package org.owasp.webgoat.i18n;
-
-import org.springframework.context.support.ReloadableResourceBundleMessageSource;
-
-import java.util.Locale;
-import java.util.Properties;
-
-/**
- * <p>ExposedReloadableResourceMessageBundleSource class.</p>
- * Extends the reloadable message source with a way to get all messages
- *
- * @author zupzup
- */
-
-public class ExposedReloadableResourceMessageBundleSource extends ReloadableResourceBundleMessageSource {
-    /**
-     * Gets all messages for presented Locale.
-     * @param locale user request's locale
-     * @return all messages
-     */
-    public Properties getMessages(Locale locale) {
-        return getMergedProperties(locale).getProperties();
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java

@@ -1,78 +0,0 @@
-
-package org.owasp.webgoat.i18n;
-
-import org.owasp.webgoat.session.LabelDebugger;
-import org.springframework.stereotype.Component;
-
-import java.io.Serializable;
-import java.util.Locale;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
- * free software projects.
- *
- * @version $Id: $Id
- * @author dm
- */
-@Component
-public class LabelManager
-{
-	private static final long serialVersionUID = 1L;
-
-	private LabelProvider labelProvider;
-	private LabelDebugger labelDebugger;
-	private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE);
-
-	/**
-	 * <p>Constructor for LabelManagerImpl.</p>
-	 *
-	 * @param labelProvider a {@link LabelProvider} object.
-	 */
-	protected LabelManager(LabelProvider labelProvider, LabelDebugger labelDebugger) {
-		this.labelDebugger = labelDebugger;
-		this.labelProvider = labelProvider;
-	}
-
-	/** {@inheritDoc} */
-	public void setLocale(Locale locale)
-	{
-		if (locale != null)
-		{
-			this.locale = locale;
-		}
-	}
-
-	/** {@inheritDoc} */
-	public String get(String labelKey, Object... params)
-	{
-		String label = labelProvider.get(locale, labelKey, params);
-		if (labelDebugger.isEnabled()) {
-			label = "<font color=\"#00CD00\">" + label + "</font>";
-		}
-		return label;
-	}
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java

@@ -1,128 +0,0 @@
-
-package org.owasp.webgoat.i18n;
-
-import org.springframework.context.support.ReloadableResourceBundleMessageSource;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-import org.springframework.core.io.UrlResource;
-import org.springframework.stereotype.Component;
-
-import java.net.MalformedURLException;
-import java.nio.file.Path;
-import java.util.*;
-
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * @version $Id: $Id
- * @author dm
- */
-@Component
-public class LabelProvider {
-    /** Constant <code>DEFAULT_LANGUAGE="Locale.ENGLISH.getLanguage()"</code> */
-    public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage();
-
-    private static final List<Locale> SUPPORTED = Arrays.asList(Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH,
-            Locale.forLanguageTag("ru"));
-    private final ExposedReloadableResourceMessageBundleSource labels = new ExposedReloadableResourceMessageBundleSource();
-    private static final ExposedReloadableResourceMessageBundleSource pluginLabels = new ExposedReloadableResourceMessageBundleSource();
-
-    /**
-     * <p>Constructor for LabelProvider.</p>
-     */
-    public LabelProvider() {
-        labels.setBasename("classpath:/i18n/WebGoatLabels");
-        labels.setFallbackToSystemLocale(false);
-        labels.setUseCodeAsDefaultMessage(true);
-        pluginLabels.setParentMessageSource(labels);
-    }
-
-    /**
-     * <p>updatePluginResources.</p>
-     *
-     * @param propertyFile a {@link java.nio.file.Path} object.
-     */
-    public static void updatePluginResources(final Path propertyFile) {
-        pluginLabels.setBasename("WebGoatLabels");
-        pluginLabels.setFallbackToSystemLocale(false);
-        pluginLabels.setUseCodeAsDefaultMessage(true);
-        pluginLabels.setResourceLoader(new ResourceLoader() {
-            @Override
-            public Resource getResource(String location) {
-                try {
-                    return new UrlResource(propertyFile.toUri());
-                } catch (MalformedURLException e) {
-                    throw new RuntimeException(e);
-                }
-            }
-
-            @Override
-            public ClassLoader getClassLoader() {
-                return Thread.currentThread().getContextClassLoader();
-            }
-        });
-        pluginLabels.clearCache();
-    }
-
-    /**
-     * <p>get.</p>
-     *
-     * @param locale a {@link java.util.Locale} object.
-     * @param strName a {@link java.lang.String} object.
-     * @return a {@link java.lang.String} object.
-     */
-    public String get(Locale locale, String strName, Object... params) {
-        return pluginLabels.getMessage(strName, params, useLocaleOrFallbackToEnglish(locale));
-    }
-
-    private Locale useLocaleOrFallbackToEnglish(Locale locale) {
-        return SUPPORTED.contains(locale) ? locale : Locale.ENGLISH;
-    }
-
-    /**
-     * <p>getLabels.</p>
-     * Returns a merged map of all the labels for a specified language or the
-     * default language, if the given language is not supported
-     *
-     * @param locale The Locale to get all the labels for
-     * @return A Map of all properties with their values
-     */
-    public Map<String, String> getLabels(Locale locale) {
-        Properties messages = labels.getMessages(locale);
-        messages.putAll(pluginLabels.getMessages(useLocaleOrFallbackToEnglish(locale)));
-        Map<String,String> labelsMap = new HashMap<>();
-        for (Map.Entry<Object, Object> entry : messages.entrySet()) {
-            if (entry.getKey() != null && entry.getValue() != null) {
-                labelsMap.put(entry.getKey().toString(), entry.getValue().toString());
-            }
-        }
-        return labelsMap;
-    }
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+package org.owasp.webgoat.i18n;
+
+import lombok.AllArgsConstructor;
+import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+import org.springframework.web.servlet.LocaleResolver;
+
+import java.util.Locale;
+import java.util.Properties;
+
+/**
+ * <p>ExposedReloadableResourceMessageBundleSource class.</p>
+ * Extends the reloadable message source with a way to get all messages
+ *
+ * @author zupzup
+ */
+@AllArgsConstructor
+public class Messages extends ReloadableResourceBundleMessageSource {
+
+    private final LocaleResolver localeResolver;
+
+    /**
+     * Gets all messages for presented Locale.
+     *
+     * @return all messages
+     */
+    public Properties getMessages() {
+        return getMergedProperties(resolveLocale()).getProperties();
+    }
+
+    public String getMessage(String code, Object... args) {
+        return getMessage(code, args, resolveLocale());
+    }
+
+    public String getMessage(String code, String defaultValue, Object... args) {
+        return super.getMessage(code, args, defaultValue, resolveLocale());
+    }
+
+    protected Locale resolveLocale() {
+        return localeResolver.resolveLocale(((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
+    }
+
+
+
+}

webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java

@@ -0,0 +1,80 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.i18n;
+
+import lombok.SneakyThrows;
+import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.core.io.UrlResource;
+
+import java.io.File;
+import java.util.Properties;
+
+/**
+ * Message resource bundle for plugins. The files is created after startup during the init of the plugins so we
+ * need to load this file through a ResourceLoader instead of location on the classpath.
+ *
+ * @author nbaars
+ * @date 2/4/17
+ */
+public class PluginMessages extends ReloadableResourceBundleMessageSource {
+
+    private Messages messages;
+
+    public PluginMessages(Messages messages) {
+        this.messages = messages;
+        this.setParentMessageSource(messages);
+    }
+
+    public Properties getMessages() {
+        return getMergedProperties(messages.resolveLocale()).getProperties();
+    }
+
+    public String getMessage(String code, Object... args) {
+        return getMessage(code, args, messages.resolveLocale());
+    }
+
+    public String getMessage(String code, String defaultValue, Object... args) {
+        return super.getMessage(code, args, defaultValue, messages.resolveLocale());
+    }
+
+    public void addPluginMessageBundles(final File i18nPluginDirectory) {
+        this.setBasename("WebGoatLabels");
+        this.setResourceLoader(new ResourceLoader() {
+            @Override
+            @SneakyThrows
+            public Resource getResource(String location) {
+                return new UrlResource(new File(i18nPluginDirectory, location).toURI());
+            }
+
+            @Override
+            public ClassLoader getClassLoader() {
+                return Thread.currentThread().getContextClassLoader();
+            }
+        });
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AttackResult.java

@@ -1,72 +0,0 @@
-package org.owasp.webgoat.lessons;
-
-import lombok.Getter;
-
-/**
- * ************************************************************************************************
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- *
- * @author WebGoat
- * @version $Id: $Id
- * @since August 13, 2016
- */
-@Getter
-public class AttackResult {
-
-    private boolean assignmentCompleted;
-    private String feedback;
-    private String output;
-
-    public static AttackResult success() {
-        return AttackResult.success("Congratulations");
-    }
-
-    public static AttackResult success(String feedback) {
-        return success(feedback, "");
-    }
-
-    public static AttackResult success(String feedback, String output) {
-        AttackResult attackResult = new AttackResult();
-        attackResult.assignmentCompleted = true;
-        attackResult.feedback = feedback;
-        attackResult.output = output;
-        return attackResult;
-    }
-
-    public static AttackResult failed(String feedback) {
-        return failed(feedback, "");
-    }
-
-    public static AttackResult failed(String feedback, String output) {
-        AttackResult attackResult = new AttackResult();
-        attackResult.assignmentCompleted = false;
-        attackResult.feedback = feedback;
-        attackResult.output = output;
-        return attackResult;
-    }
-
-    public boolean assignmentSolved() {
-        return assignmentCompleted;
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/MessagePropertyMerger.java

@@ -0,0 +1,72 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+package org.owasp.webgoat.plugins;
+
+import lombok.SneakyThrows;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.util.Properties;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipFile;
+
+import static com.google.common.io.Files.createParentDirs;
+
+/**
+ * Merges the main message.properties with the plugins WebGoatLabels
+ */
+public class MessagePropertyMerger {
+
+    private final File targetDirectory;
+
+    public MessagePropertyMerger(File targetDirectory) {
+        this.targetDirectory = targetDirectory;
+    }
+
+    @SneakyThrows
+    public void merge(ZipFile zipFile, ZipEntry zipEntry) {
+        Properties messageProperties = new Properties();
+        try (InputStream zis = zipFile.getInputStream(zipEntry)) {
+            messageProperties.load(zis);
+        }
+
+        Properties messagesFromHome = new Properties();
+        File pluginMessageFiles = new File(targetDirectory, zipEntry.getName());
+        if (pluginMessageFiles.exists()) {
+            try (FileInputStream fis = new FileInputStream(pluginMessageFiles)) {
+                messagesFromHome.load(fis);
+            }
+        }
+
+        messageProperties.putAll(messagesFromHome);
+
+        createParentDirs(pluginMessageFiles);
+        try (FileOutputStream fos = new FileOutputStream(pluginMessageFiles)) {
+            messageProperties.store(fos, "Plugin message properties");
+        }
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java

@@ -3,10 +3,10 @@ package org.owasp.webgoat.plugins;
 import com.google.common.base.Optional;
 import com.google.common.collect.Lists;
 import lombok.Getter;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.Endpoint;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.NewLesson;

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java

@@ -71,6 +71,9 @@ public class PluginExtractor {
             throws IOException {
         if (zipEntry.getName().endsWith(".properties")) {
             final File targetFile = new File(targetDirectory, zipEntry.getName());
+            if ("WebGoatLabels.properties".equals(targetFile.getName())) {
+                new MessagePropertyMerger(targetDirectory).merge(zipFile, zipEntry);
+            }
             copyFile(zipFile, zipEntry, targetFile, true);
             return true;
         }
@@ -99,6 +102,7 @@ public class PluginExtractor {
         return targetFile;
     }
 
+
     /**
      * <p>Getter for the field <code>classes</code>.</p>
      *

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsExtractor.java

@@ -3,28 +3,16 @@ package org.owasp.webgoat.plugins;
 import com.google.common.collect.Lists;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FileUtils;
-import org.owasp.webgoat.i18n.LabelProvider;
+import org.owasp.webgoat.i18n.PluginMessages;
 import org.springframework.util.ResourceUtils;
 
-import java.io.File;
+import java.io.*;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
 import java.net.URL;
-import java.nio.file.FileVisitResult;
+import java.nio.file.*;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.Enumeration;
 import java.util.List;
-import java.util.concurrent.Callable;
+import java.util.concurrent.*;
-import java.util.concurrent.CompletionService;
-import java.util.concurrent.ExecutorCompletionService;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 
@@ -41,10 +29,12 @@ public class PluginsExtractor {
     private static final int BUFFER_SIZE = 32 * 1024;
     private final File pluginTargetDirectory;
     private final PluginClassLoader classLoader;
+    private final PluginMessages messages;
 
-    public PluginsExtractor(File pluginTargetDirectory, PluginClassLoader pluginClassLoader) {
+    public PluginsExtractor(File pluginTargetDirectory, PluginClassLoader pluginClassLoader, PluginMessages messages) {
         this.classLoader = pluginClassLoader;
         this.pluginTargetDirectory = pluginTargetDirectory;
+        this.messages = messages;
     }
 
     /**
@@ -150,8 +140,7 @@ public class PluginsExtractor {
                             plugin.getOriginationJar());
                 }
             }
-            LabelProvider.updatePluginResources(
+            messages.addPluginMessageBundles(new File(pluginTargetDirectory, "plugin/i18n"));
-                    pluginTargetDirectory.toPath().resolve("plugin/i18n/WebGoatLabels.properties"));
             return plugins;
         } finally {
             executorService.shutdown();

webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java

@@ -6,7 +6,6 @@
 package org.owasp.webgoat.service;
 
 import com.google.common.collect.Lists;
-import org.owasp.webgoat.i18n.LabelManager;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.Hint;

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java

@@ -30,7 +30,8 @@ package org.owasp.webgoat.service;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.i18n.LabelProvider;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.i18n.PluginMessages;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@@ -39,10 +40,12 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.LocaleResolver;
+import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.Locale;
-import java.util.Map;
+import java.util.Properties;
 
 
 /**
@@ -50,19 +53,24 @@ import java.util.Map;
  *
  * @author zupzup
  */
-
 @RestController
 @Slf4j
 @AllArgsConstructor
 public class LabelService {
 
     public static final String URL_LABELS_MVC = "/service/labels.mvc";
-    private final LabelProvider labelProvider;
+    private LocaleResolver localeResolver;
+    private Messages messages;
+    private PluginMessages pluginMessages;
 
     /**
-     * Fetches labels for given language
+     * We use Springs session locale resolver which also gives us the option to change the local later on. For
-     * If no language is provided, the language is determined from the request headers
+     * now it uses the accept-language from the HttpRequest. If this language is not found it will default back
-     * Otherwise, fall back to default language
+     * to messages.properties.
+     *
+     * Note although it is possible to use Spring language interceptor we for now opt for this solution, the UI
+     * will always need to fetch the labels with the new language set by the user. So we don't need to intercept each
+     * and every request to see if the language param has been set in the request.
      *
      * @param lang the language to fetch labels for (optional)
      * @return a map of labels
@@ -70,18 +78,15 @@ public class LabelService {
      */
     @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    public ResponseEntity<Map<String, String>> fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
+    public ResponseEntity<Properties> fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
-        Locale locale;
+        if (!StringUtils.isEmpty(lang)) {
-        if (StringUtils.isEmpty(lang)) {
+            Locale locale = Locale.forLanguageTag(lang);
-            log.debug("No language provided, determining from request headers");
+            ((SessionLocaleResolver)localeResolver).setDefaultLocale(locale);
-            locale = request.getLocale();
-            if (locale != null) {
-                log.debug("Locale set to {}", locale);
-            }
-        } else {
-            locale = Locale.forLanguageTag(lang);
             log.debug("Language provided: {} leads to Locale: {}", lang, locale);
         }
-        return new ResponseEntity<>(labelProvider.getLabels(locale), HttpStatus.OK);
+        Properties allProperties = new Properties();
+        allProperties.putAll(messages.getMessages());
+        allProperties.putAll(pluginMessages.getMessages());
+        return new ResponseEntity<>(allProperties, HttpStatus.OK);
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java

@@ -1,10 +1,9 @@
 package org.owasp.webgoat.service;
 
-import org.owasp.webgoat.i18n.LabelManager;
+import lombok.AllArgsConstructor;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.LessonInfoModel;
 import org.owasp.webgoat.session.WebSession;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -17,15 +16,10 @@ import org.springframework.web.bind.annotation.RestController;
  * @version $Id: $Id
  */
 @RestController
+@AllArgsConstructor
 public class LessonInfoService {
 
     private final WebSession webSession;
-    private final LabelManager labelManager;
-
-    public LessonInfoService(WebSession webSession, LabelManager labelManager) {
-        this.webSession = webSession;
-        this.labelManager = labelManager;
-    }
 
     /**
      * <p>getLessonInfo.</p>
@@ -36,7 +30,7 @@ public class LessonInfoService {
     public @ResponseBody
     LessonInfoModel getLessonInfo() {
         AbstractLesson lesson = webSession.getCurrentLesson();
-        return new LessonInfoModel(labelManager.get(lesson.getTitle()), false, false, false);
+        return new LessonInfoModel(lesson.getTitle(), false, false, false);
     }
 
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java

@@ -4,7 +4,6 @@ import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-import org.owasp.webgoat.i18n.LabelManager;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.LessonInfoModel;
@@ -29,7 +28,6 @@ import java.util.Map;
 @AllArgsConstructor
 public class LessonProgressService {
 
-    private LabelManager labelManager;
     private UserTracker userTracker;
     private WebSession webSession;
 
@@ -47,7 +45,7 @@ public class LessonProgressService {
         boolean lessonCompleted = false;
         if (lessonTracker != null) {
             lessonCompleted = lessonTracker.isLessonSolved();
-            successMessage = labelManager.get("LessonCompleted");
+            successMessage = "LessonCompleted"; //@todo we still use this??
         }
         json.put("lessonCompleted", lessonCompleted);
         json.put("successMessage", successMessage);

webgoat-container/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,7 +0,0 @@
-#General
-LessonCompleted=Congratulations. You have successfully completed this lesson.
-RestartLesson=Restart this Lesson
-SolutionVideos=Solution Videos
-ErrorGenerating=Error generating
-InvalidData=Invalid Data
-Go!=Go!

webgoat-container/src/main/resources/i18n/WebGoatLabels_de.properties

@@ -1,7 +0,0 @@
-#General
-LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
-RestartLesson=Lektion neu beginnen
-SolutionVideos=L\u00f6sungsvideos
-ErrorGenerating=Fehler beim Generieren von
-InvalidData=Ung\u00fcltige Daten
-Go!=Los gehts!

webgoat-container/src/main/resources/i18n/WebGoatLabels_en.properties

@@ -1,7 +0,0 @@
-#General
-LessonCompleted=Congratulations. You have successfully completed this lesson.
-RestartLesson=Restart this Lesson
-SolutionVideos=Solution Videos
-ErrorGenerating=Error generating
-InvalidData=Invalid Data
-Go!=Go!

webgoat-container/src/main/resources/i18n/WebGoatLabels_fr.properties

@@ -1,7 +0,0 @@
-#General
-LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
-RestartLesson=Recommencer cette le\u00e7on
-SolutionVideos=Solution vid\u00e9os
-ErrorGenerating=Error generating
-InvalidData=Donn\u00e9e invalide
-Go!=Go!

webgoat-container/src/main/resources/i18n/WebGoatLabels_ru.properties

@@ -1,7 +0,0 @@
-#General
-LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
-RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
-SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
-ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
-InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435
-Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

webgoat-container/src/main/resources/i18n/messages.properties

@@ -0,0 +1,52 @@
+#
+# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+# please see http://www.owasp.org/
+# <p>
+# Copyright (c) 2002 - 2017 Bruce Mayhew
+# <p>
+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+# <p>
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+# <p>
+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+# <p>
+# Getting Source ==============
+# <p>
+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+# <p>
+#
+
+lesson.completed=Congratulations. You have successfully completed this lesson.
+assignment.solved=Congratulations. You have successfully complete the assignment.
+assignment.not.solved=Sorry the solution is not correct, please try again.
+RestartLesson=Restart this Lesson
+SolutionVideos=Solution Videos
+ErrorGenerating=Error generating
+InvalidData=Invalid Data
+Go!=Go!
+password=Password
+username=Username
+logged_out=You've been logged out successfully.
+invalid_username_password=Invalid username and password.
+login.page.title=Login Page
+accounts.build.in=The following accounts are built into WebGoat
+accounts.table.account=Account
+accounts.table.user=User
+accounts.table.password=Password
+logout=Logout
+version=Version
+build=Build
+report.card=Report card
+about=About WebGoat
+contact=Contact Us
+show.hints=Show hints
+lesson.overview=Lesson overview
+reset.lesson=Reset lesson
+sign.in=Sign in

webgoat-container/src/main/resources/i18n/messages_de.properties

@@ -0,0 +1,32 @@
+#
+# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+# please see http://www.owasp.org/
+# <p>
+# Copyright (c) 2002 - 2017 Bruce Mayhew
+# <p>
+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+# <p>
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+# <p>
+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+# <p>
+# Getting Source ==============
+# <p>
+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+# <p>
+#
+
+#General
+LessonCompleted=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
+RestartLesson=Lektion neu beginnen
+SolutionVideos=L\u00f6sungsvideos
+ErrorGenerating=Fehler beim Generieren von
+InvalidData=Ung\u00fcltige Daten
+Go!=Los gehts!

webgoat-container/src/main/resources/i18n/messages_fr.properties

@@ -0,0 +1,32 @@
+#
+# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+# please see http://www.owasp.org/
+# <p>
+# Copyright (c) 2002 - 2017 Bruce Mayhew
+# <p>
+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+# <p>
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+# <p>
+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+# <p>
+# Getting Source ==============
+# <p>
+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+# <p>
+#
+
+#General
+LessonCompleted=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
+RestartLesson=Recommencer cette le\u00e7on
+SolutionVideos=Solution vid\u00e9os
+ErrorGenerating=Error generating
+InvalidData=Donn\u00e9e invalide
+Go!=Go!

webgoat-container/src/main/resources/i18n/messages_nl.properties

@@ -0,0 +1,49 @@
+#
+# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+# please see http://www.owasp.org/
+# <p>
+# Copyright (c) 2002 - 2017 Bruce Mayhew
+# <p>
+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+# <p>
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+# <p>
+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+# <p>
+# Getting Source ==============
+# <p>
+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+# <p>
+#
+LessonCompleted=Gefeliciteerd, je hebt de les succesvol afgerond.
+RestartLesson=Herstart de les
+SolutionVideos=Video oplossingen
+ErrorGenerating=Fout opgetreden tijdens generatie
+InvalidData=Ongeldige invoer
+Go!=Go!
+password=Wachtwoord
+username=Gebruikersnaam
+logged_out=Je bent succesvol uitgelogd.
+invalid_username_password=Ongeldige gebruikersnaam/wachtwoord combinatie
+login.page.title=Inlog pagina
+accounts.build.in=De volgende account zijn standaard beschikbaar binnen WebGoat
+accounts.table.account=Account
+accounts.table.user=Gebruikersnaam
+accounts.table.password=Wachtwoord
+logout=Uitloggen
+version=Versie
+build=Build
+report.card=Rapport
+about=Over WebGoat
+contact=Neem contact met ons op
+show.hints=Toon hints
+lesson.overview=Overzicht les
+reset.lesson=Herstart les
+sign.in=Log in

webgoat-container/src/main/resources/i18n/messages_ru.properties

@@ -0,0 +1,32 @@
+#
+# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+# please see http://www.owasp.org/
+# <p>
+# Copyright (c) 2002 - 2017 Bruce Mayhew
+# <p>
+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+# <p>
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+# <p>
+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+# <p>
+# Getting Source ==============
+# <p>
+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+# <p>
+#
+
+#General
+LessonCompleted=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
+RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
+SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
+ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
+InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435
+Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

webgoat-container/src/main/resources/static/js/goatApp/goatApp.js

@@ -14,7 +14,7 @@ define(['jquery',
         return {
             initApp: function () {
                 var locale = localStorage.getItem('locale') || 'en';
-                $.getJSON('service/labels.mvc?lang=' +  locale, function(data) {
+                $.getJSON('service/labels.mvc', function(data) {
                     window.polyglot = new Polyglot({phrases: data});
                     asyncErrorHandler.init();
                     var goatRouter = new Router();

webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js

@@ -148,13 +148,13 @@ define(['jquery',
         },
 
         renderFeedback: function(feedback) {
-            this.$curFeedback.html(feedback || "");
+            this.$curFeedback.html(polyglot.t(feedback) || "");
             this.$curFeedback.show(400)
 
         },
 
         renderOutput: function(output) {
-            this.$curOutput.html(output || "");
+            this.$curOutput.html(polyglot.t(output) || "");
             this.$curOutput.show(400)
         },
 

webgoat-container/src/main/resources/static/js/goatApp/view/TitleView.js

@@ -6,7 +6,7 @@ function($,_,Backbone) {
 		el:'#header #lesson-title-wrapper',
 		
 		render:function(title) {
-			var lessonTitleEl = $('<h1>',{id:'lesson-title',text:title});
+			var lessonTitleEl = $('<h1>',{id:'lesson-title',text:polyglot.t(title)});
 			this.$el.html(lessonTitleEl);
 		}
 	});

webgoat-container/src/main/resources/templates/login.html

@@ -1,64 +1,71 @@
 <!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
 <head>
-    <title>Login Page</title>
+    <title th:text="#{login.page.title}">Login Page</title>
-    <!--  CSS -->
+    <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
-    <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}" />
+    <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
-    <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}" />
+    <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
-    <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}" />
+    <link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
-    <link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}" />
 </head>
 <body>
 <section id="container">
     <header id="header">
-        <!--logo start-->
         <div class="brand">
-            <a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
+            <a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
         </div>
-        <!--logo end-->
         <div class="toggle-navigation toggle-left">
-
+        </div>
-        </div><!--toggle navigation end-->
+        <div class="lessonTitle">
-        <div class="lessonTitle" >
+        </div>
-
-        </div><!--lesson title end-->
 
     </header>
     <section class="main-content-wrapper">
 
-        <section id="main-content" >
+        <section id="main-content">
             <div th:if="${param.error}">
-                Invalid username and password.
+                <p th:text="#{invalid_username_password}">Invalid username and password.</p>
             </div>
             <div th:if="${param.logout}">
-                You've been logged out successfully.
+                <p th:text="#{logged_out}">You've been logged out successfully.</p>
             </div>
             <br/><br/>
             <form th:action="@{/login}" method='POST' style="width: 400px;">
                 <div class="form-group">
-                    <label for="exampleInputEmail1">Username</label>
+                    <label for="exampleInputEmail1" th:text="#{username}">Username</label>
-                    <input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control" id="exampleInputEmail1" placeholder="Username" name='username'/>
+                    <input autofocus="dummy_for_thymeleaf_parser" type="text" class="form-control"
+                           id="exampleInputEmail1" placeholder="Username" name='username' value="guest"/>
                 </div>
                 <div class="form-group">
-                    <label for="exampleInputPassword1">Password</label>
+                    <label for="exampleInputPassword1" th:text="#{password}">Password</label>
-                    <input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password" name='password'/>
+                    <input type="password" class="form-control" id="exampleInputPassword1" placeholder="Password"
+                           name='password' value="guest"/>
                 </div>
-                <button class="btn btn-large btn-primary" type="submit">Sign in</button>
+                <button class="btn btn-large btn-primary" type="submit" th:text="#{sign.in}">Sign in</button>
             </form>
             <br/><br/>
-            <h4>The following accounts are built into Webgoat</h4>
+            <h4 th:text="#{accounts.build.in}">The following accounts are built into Webgoat</h4>
             <table class="table table-bordered" style="width:400px;">
                 <thead>
-                <tr class="warning"><th>Account</th><th>User</th><th>Password</th></tr>
+                <tr class="warning">
+                    <th th:text="#{accounts.table.account}">Account</th>
+                    <th th:text="#{accounts.table.user}">User</th>
+                    <th th:text="#{accounts.table.password}">Password</th>
+                </tr>
                 </thead>
                 <tbody>
-                <tr><td>Webgoat User</td><td>guest</td><td>guest</td></tr>
+                <tr>
-                <tr><td>Webgoat Admin</td><td>webgoat</td><td>webgoat</td></tr>
+                    <td>Webgoat User</td>
+                    <td>guest</td>
+                    <td>guest</td>
+                </tr>
+                <tr>
+                    <td>Webgoat Admin</td>
+                    <td>webgoat</td>
+                    <td>webgoat</td>
+                </tr>
                 </tbody>
             </table>
             <br/><br/>
-
-
         </section>
     </section>
 </section>

webgoat-container/src/main/resources/templates/main_new.html

@@ -62,7 +62,7 @@
                     <i class="fa fa-user"></i> <span class="caret"></span>
                 </button>
                 <ul class="dropdown-menu dropdown-menu-left">
-                    <li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/login(logout)}">Logout</a></li>
+                    <li role="presentation"><a role="menuitem" tabindex="-1" th:href="@{/login(logout)}" th:text="#{logout}">Logout</a></li>
                     <li role="presentation" class="divider"></li>
                     <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: <span
                             th:text="${#authentication.name}"></span></a>
@@ -73,12 +73,10 @@
                     </a>
                     </li>
                     <li role="presentation" class="divider"></li>
-                    <li role="presentation"><a role="menuitem" tabindex="-1" href="#developer-controls">Show developer
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" th:text="#{version}">Version: <span
-                        controls</a></li>
-                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Version: <span
                             th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
                     </li>
-                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build:
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#" th:text="#{build}">Build:
                         <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
 
                 </ul>
@@ -88,7 +86,7 @@
                     <!--<i class="fa fa-cog"></i>-->
                 <!--</button>-->
                 <button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
-                        title="Report card">
+                        th:title="#{report.card}">
                     <a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a>
                 </button>
                 <!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
@@ -96,12 +94,12 @@
                     <!--<i class="fa fa-users"></i>-->
                 <!--</button>-->
             </div>
-            <button type="button" id="about-button" class="btn btn-default right_nav_button" title="About WebGoat"
+            <button type="button" id="about-button" class="btn btn-default right_nav_button" th:title="#{about}"
                     data-toggle="modal" data-target="#about-modal">
                 <i class="fa fa-info"></i>
             </button>
             <a href="mailto:${contactEmail}?Subject=Webgoat%20feedback" target="_top">
-                <button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" title="Contact Us">
+                <button type="button" class="btn btn-default right_nav_button" data-toggle="tooltip" th:title="#{contact}">
                     <i class="fa fa-envelope"></i>
                 </button>
             </a>
@@ -139,16 +137,12 @@
                                         <i class="fa fa-code"/>
                                     </button>
                                     <button class="btn btn-primary btn-xs btn-danger help-button"
-                                            id="show-hints-button">Show Hints
+                                            id="show-hints-button" th:text="#{show.hints}">Show hints
                                     </button>
-                                    <!--<button class="btn btn-primary btn-xs btn-danger help-button" id="show-attack-button">-->
-                                    <!--Attack It-->
-                                    <!--</button>-->
                                     <button class="btn btn-primary btn-xs btn-danger help-button"
-                                            id="show-lesson-overview-button">Lesson overview
+                                            id="show-lesson-overview-button" th:text="#{lesson.overview}">Lesson overview
                                     </button>
-                                    <button class="btn btn-xs help-button" id="restart-lesson-button">
+                                    <button class="btn btn-xs help-button" id="restart-lesson-button" th:text="#{reset.lesson}">Reset Lesson
-                                        Reset Lesson
                                     </button>
                                 </div>
 

webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java

@@ -0,0 +1,74 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.assignments;
+
+import org.mockito.Mock;
+import org.owasp.webgoat.i18n.Messages;
+import org.owasp.webgoat.i18n.PluginMessages;
+import org.owasp.webgoat.session.UserSessionData;
+import org.owasp.webgoat.session.UserTracker;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.web.servlet.LocaleResolver;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Locale;
+
+public class AssignmentEndpointTest {
+
+    @Mock
+    protected UserTracker userTracker;
+    @Mock
+    protected WebSession webSession;
+    @Mock
+    protected UserSessionData userSessionData;
+    protected Messages messages = new Messages(new LocaleResolver() {
+        @Override
+        public Locale resolveLocale(HttpServletRequest request) {
+            return Locale.ENGLISH;
+        }
+
+        @Override
+        public void setLocale(HttpServletRequest request, HttpServletResponse response, Locale locale) {
+
+        }}){
+        @Override
+        protected Locale resolveLocale() {
+            return Locale.ENGLISH;
+        }
+    };
+    protected PluginMessages pluginMessages = new PluginMessages(messages);
+
+    public void init(AssignmentEndpoint a) {
+        messages.setBasenames("classpath:/i18n/messages", "classpath:/plugin/i18n/WebGoatLabels");
+        ReflectionTestUtils.setField(a, "userTracker", userTracker);
+        ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
+        ReflectionTestUtils.setField(a, "webSession", webSession);
+        ReflectionTestUtils.setField(a, "messages", pluginMessages);
+    }
+
+}

webgoat-container/src/test/java/org/owasp/webgoat/plugins/PluginTestHelper.java

@@ -1,31 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import java.io.IOException;
-import java.net.URISyntaxException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-
-public class PluginTestHelper {
-
-    private static Path tempDirectory;
-
-    public static Path createTmpDir() throws IOException {
-        tempDirectory = Files.createTempDirectory(PluginTestHelper.class.getSimpleName());
-        tempDirectory.toFile().deleteOnExit();
-        return tempDirectory;
-    }
-
-    public static Path pathForLoading() throws IOException, URISyntaxException {
-        Path path = Paths.get(PluginTestHelper.class.getProtectionDomain().getCodeSource().getLocation().toURI());
-        return Paths.get(path.toString(), "org/owasp/webgoat/plugins");
-    }
-
-//    public static Plugin createPluginFor(Class pluginClass) throws Exception {
-//        Path pluginTargetPath = Files.createDirectory(Paths.get(tempDirectory.toString(), "pluginTargetPath"));
-//        Map<String, byte[]> classes = new HashMap<>();
-//        classes.put(pluginClass.getName(), Files.readAllBytes(Paths.get(pathForLoading().toString(), pluginClass.getSimpleName() + ".class")));
-//        Plugin plugin = new Plugin(pluginTargetPath, classes);
-//        return plugin;
-//    }
-}

webgoat-container/src/test/java/org/owasp/webgoat/service/HintServiceTest.java

@@ -8,19 +8,14 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.i18n.LabelManager;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import static org.junit.Assert.*;
-import static org.mockito.AdditionalAnswers.returnsFirstArg;
-import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.when;
 import static org.owasp.webgoat.service.HintService.URL_HINTS_MVC;
-import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java

@@ -1,10 +1,9 @@
 package org.owasp.webgoat.service;
 
-import org.assertj.core.util.Maps;
 import org.hamcrest.CoreMatchers;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.owasp.webgoat.i18n.LabelProvider;
+import org.owasp.webgoat.session.Course;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
@@ -13,9 +12,6 @@ import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
-import java.util.Locale;
-
-import static org.mockito.Mockito.when;
 import static org.owasp.webgoat.service.LabelService.URL_LABELS_MVC;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@@ -49,30 +45,28 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * @version $Id: $Id
  * @since November 29, 2016
  */
-@WebMvcTest(value = {LabelService.class, LabelProvider.class})
+@WebMvcTest(value = {LabelService.class})
 @RunWith(SpringRunner.class)
 public class LabelServiceTest {
 
     @Autowired
     public MockMvc mockMvc;
     @MockBean
-    private LabelProvider labelProvider;
+    private Course course;
 
     @Test
     @WithMockUser(username = "guest", password = "guest")
     public void withoutLocale() throws Exception {
-        when(labelProvider.getLabels(Locale.ENGLISH)).thenReturn(Maps.newHashMap("key", "value"));
         mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("key", CoreMatchers.is("value")));
+                .andExpect(jsonPath("password", CoreMatchers.is("Password")));
     }
 
     @Test
     @WithMockUser(username = "guest", password = "guest")
     public void withLocale() throws Exception {
-        when(labelProvider.getLabels(Locale.GERMAN)).thenReturn(Maps.newHashMap("key", "value"));
+        mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "nl"))
-        mockMvc.perform(MockMvcRequestBuilders.get(URL_LABELS_MVC).param("lang", "de"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("key", CoreMatchers.is("value")));
+                .andExpect(jsonPath("password", CoreMatchers.is("Wachtwoord")));
     }
 }

webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java

@@ -6,7 +6,6 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.i18n.LabelManager;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.session.LessonTracker;
@@ -65,9 +64,6 @@ public class LessonProgressServiceTest {
     private LessonTracker lessonTracker;
     @Mock
     private WebSession websession;
-    @Mock
-    private LabelManager labelManager;
-
 
     @Before
     public void setup() {
@@ -75,7 +71,7 @@ public class LessonProgressServiceTest {
         when(userTracker.getLessonTracker(any())).thenReturn(lessonTracker);
         when(websession.getCurrentLesson()).thenReturn(lesson);
         when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
-        this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(labelManager, userTracker, websession)).build();
+        this.mockMvc = MockMvcBuilders.standaloneSetup(new LessonProgressService(userTracker, websession)).build();
     }
 
     @Test

webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java

@@ -1,34 +0,0 @@
-package org.owasp.webgoat.util;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Test;
-import org.owasp.webgoat.i18n.LabelProvider;
-
-import java.util.Locale;
-
-import static org.junit.Assert.assertThat;
-
-public class LabelProviderTest  {
-
-    @Test
-    public void defaultLabelsShouldBePresent() {
-        LabelProvider labelProvider = new LabelProvider();
-        assertThat(labelProvider.get(Locale.ENGLISH, "LessonCompleted"), CoreMatchers.equalTo(
-                "Congratulations. You have successfully completed this lesson."));
-    }
-
-    @Test
-    public void shouldFallBackToEnglishIfLanguageNotSupported() {
-        LabelProvider labelProvider = new LabelProvider();
-        assertThat(labelProvider.get(Locale.CHINESE, "LessonCompleted"), CoreMatchers.equalTo(
-                "Congratulations. You have successfully completed this lesson."));
-    }
-
-    @Test
-    public void shouldUseProvidedLanguageIfSupported() {
-        LabelProvider labelProvider = new LabelProvider();
-        assertThat(labelProvider.get(Locale.GERMAN, "RestartLesson"), CoreMatchers.equalTo(
-                "Lektion neu beginnen"));
-    }
-
-}

webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Attack.java

@@ -1,15 +1,13 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.ws.rs.Path;
 import java.io.IOException;
 
 /**
@@ -47,9 +45,9 @@ public class Attack extends AssignmentEndpoint {
     @RequestMapping(method = RequestMethod.POST)
     public @ResponseBody AttackResult completed(@RequestParam String answer) throws IOException {
         if ("450000".equals(answer)) {
-            return trackProgress(AttackResult.success());
+            return trackProgress(success().build());
         } else {
-            return trackProgress(AttackResult.failed("You are close, try again"));
+            return trackProgress(failed().build());
         }
     }
 }

webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/Salaries.java

@@ -6,7 +6,7 @@ package org.owasp.webgoat.plugin;
 
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.Endpoint;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.w3c.dom.Node;

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java

@@ -1,19 +1,17 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-
+import org.owasp.webgoat.assignments.AssignmentPath;
-import javax.servlet.http.HttpServletRequest;
+import org.owasp.webgoat.assignments.AttackResult;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
 
 
 /***************************************************************************************************
@@ -52,9 +50,9 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException {
 	    if (answer_xss_1.toString().toLowerCase().equals("yes")) {
-	        return trackProgress(AttackResult.success());
+	        return trackProgress(success().build());
 	    } else {
-	        return trackProgress(AttackResult.failed("Are you sure?  Try using a tab from a different site."));
+	        return trackProgress(failed().feedback("xss.lesson1.failure").build());
 	    }
 	}
 }

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java

@@ -1,19 +1,17 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-
+import org.owasp.webgoat.assignments.AssignmentPath;
-import javax.servlet.http.HttpServletRequest;
+import org.owasp.webgoat.assignments.AttackResult;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
 
 
 /***************************************************************************************************
@@ -64,6 +62,6 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
        	cart.append("<p>We have chaged credit card:" + field1 + "<br />");
        	cart.append(   "                             ------------------- <br />");
        	cart.append(   "                               $" + totalSale);
-        return trackProgress(AttackResult.failed(cart.toString()));
+        return trackProgress(failed().output(cart.toString()).build());
 	}
 }

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5b.java

@@ -2,24 +2,8 @@ package org.owasp.webgoat.plugin;
 
 
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
 
 
 
@@ -55,7 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
  */
 @AssignmentPath("/CrossSiteScripting/attack5b")
 public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
-
+/*
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String userid, HttpServletRequest request) throws IOException {
 		return injectableQuery(userid);
@@ -225,6 +209,6 @@ public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
 //
 //    }
 
- 
+ */
 
 }

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java

@@ -1,24 +1,8 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
-import org.owasp.webgoat.session.DatabaseUtilities;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
 
 
 
@@ -54,7 +38,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
  */
 @AssignmentPath("/CrossSiteScripting/attack6a")
 public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
-
+/*
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String userid_6a, HttpServletRequest request) throws IOException {
 		return injectableQuery(userid_6a);
@@ -224,6 +208,6 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
 //
 //    }
 
- 
+*/
 
 }

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6b.java

@@ -1,24 +1,22 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
+import org.owasp.webgoat.assignments.AttackResult;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
 
 
 /***************************************************************************************************
@@ -57,9 +55,9 @@ public class CrossSiteScriptingLesson6b extends AssignmentEndpoint {
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
 	    if (userid_6b.toString().equals(getPassword())) {
-	        return trackProgress(AttackResult.success());
+	        return trackProgress(success().build());
 	    } else {
-	        return trackProgress(AttackResult.failed("You are close, try again"));
+	        return trackProgress(failed().build());
 	    }
 	}
 

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java

@@ -1,15 +1,14 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
 import java.io.IOException;
 
 /**
@@ -24,9 +23,9 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
             throws IOException {
         
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            return trackProgress(AttackResult.success("well done!"));
+            return trackProgress(success().build());
         } else {
-            return trackProgress(AttackResult.failed("keep trying!"));
+            return trackProgress(failed().build());
         }
     }
 }

webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -6,3 +6,5 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
 SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
 SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
+
+xss.lesson1.failure=Are you sure? Try using a tab from a different site.

webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java

@@ -1,59 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentHints;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-@AssignmentPath("/HttpBasics/intercept-request")
-public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
-
-	@RequestMapping(method = RequestMethod.GET)
-	public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException {
-		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
-            return trackProgress(AttackResult.success("Well done, you tampered the request as expected"));
-		} else {
-            return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!"));
-        }
-	}
-}

webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsLesson.java

@@ -1,48 +1,44 @@
 package org.owasp.webgoat.plugin;
 
-import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
 import java.io.IOException;
-import java.util.List;
 
 /**
  * *************************************************************************************************
- *
+ * <p>
- *
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
  * Foundation; either version 2 of the License, or (at your option) any later
  * version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with
  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
  * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
- *
+ * <p>
  * For details, please see http://webgoat.github.io
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
@@ -52,12 +48,17 @@ import java.util.List;
 @AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
 public class HttpBasicsLesson extends AssignmentEndpoint {
 
-	@RequestMapping(method = RequestMethod.POST)
+    @RequestMapping(method = RequestMethod.POST)
-	public @ResponseBody AttackResult completed(@RequestParam String person) throws IOException {
+    public
-	    if (!person.toString().equals("")) {
+    @ResponseBody
-	        return trackProgress(AttackResult.success(getLabelProvider().get("http-basics.reversed", new StringBuffer(person).reverse().toString())));
+    AttackResult completed(@RequestParam String person) throws IOException {
-	    } else {
+        if (!person.toString().equals("")) {
-	        return trackProgress(AttackResult.failed(getLabelProvider().get("http-basics.close")));
+            return trackProgress(success()
-	    }
+                .feedback("http-basics.reversed")
-	}
+                .feedbackArgs(new StringBuffer(person).reverse().toString())
+                .build());
+        } else {
+            return trackProgress(failed().feedback("http-basics.close").build());
+        }
+    }
 }

webgoat-lessons/http-basics/src/main/java/org/owasp/webgoat/plugin/HttpBasicsQuiz.java

@@ -1,24 +1,18 @@
 package org.owasp.webgoat.plugin;
 
-import com.beust.jcommander.internal.Lists;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
 import java.io.IOException;
-import java.util.List;
 
 /**
- * *************************************************************************************************
- *
- *
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  *
@@ -55,16 +49,15 @@ public class HttpBasicsQuiz extends AssignmentEndpoint {
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String answer, @RequestParam String magic_answer, @RequestParam String magic_num, HttpServletRequest request) throws IOException {
         if ("POST".equals(answer.toUpperCase()) && magic_answer.equals(magic_num)) {
-	        return trackProgress(AttackResult.success());
+	        return trackProgress(success().build());
 	    } else {
-	    	StringBuffer message = new StringBuffer();
 	    	if (!"POST".equals(answer.toUpperCase())) {
-	    		message.append(getLabelProvider().get("http-basics.incorrect"));
+                return trackProgress(failed().feedback("http-basics.incorrect").build());
  			}
 	    	if (!magic_answer.equals(magic_num)){
-	    		message.append(getLabelProvider().get("http-basics.magic"));
+                return trackProgress(failed().feedback("http-basics.magic").build());
 	    	}
-	        return trackProgress(AttackResult.failed(getLabelProvider().get("http-basics.close", message.toString())));
 	    }
+	    return trackProgress(failed().build());
 	}
 }

webgoat-lessons/http-basics/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -10,6 +10,5 @@ http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='h
 
 http-basics.reversed=The server has reversed your name: {0}
 
-http-basics.close=You are close, try again: {0}
+http-basics.incorrect=You are close, try again: the HTTP Command is incorrect.
-http-basics.incorrect=the HTTP Command is incorrect.
+http-basics.magic=You are close, try again: the magic number is incorrect.
-http-basics.magic=the magic number is incorrect.

webgoat-lessons/http-proxies/pom.xml

@@ -9,4 +9,26 @@
         <version>8.0-SNAPSHOT</version>
     </parent>
 
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <version>4.1.3.RELEASE</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <type>jar</type>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
 </project>

webgoat-lessons/http-proxies/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java

@@ -1,12 +1,10 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
@@ -49,11 +47,12 @@ import java.io.IOException;
 public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.GET)
-	public @ResponseBody AttackResult completed(HttpServletRequest request) throws IOException {
+	public @ResponseBody
+	AttackResult completed(HttpServletRequest request) throws IOException {
 		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
-            return trackProgress(AttackResult.success("Well done, you tampered the request as expected"));
+            return trackProgress(success().feedback("http-proxies.intercept.success").build());
 		} else {
-            return trackProgress(AttackResult.failed("Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!"));
+            return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
         }
 	}
 }

webgoat-lessons/http-proxies/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -1,15 +1,4 @@
-http-basics.EnterYourName=Enter your Name
-http-basics.Go!=Go!
 http-proxies.title=HTTP Proxies
 
-
+http-proxies.intercept.success=Well done, you tampered the request as expected
-http-basics.hints.http_basics_lesson.1=Type in your name and press 'go'
+http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
-http-basics.hints.http_basic_quiz.1=Turn on Show Parameters or other features
-http-basics.hints.http_basic_quiz.2=Try to intercept the request with <a href='https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' title='Link to ZAP'>OWASP ZAP</a>
-
-
-http-basics.reversed=The server has reversed your name: {0}
-
-http-basics.close=You are close, try again: {0}
-http-basics.incorrect=the HTTP Command is incorrect.
-http-basics.magic=the magic number is incorrect.

webgoat-lessons/http-proxies/src/test/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequestTest.java

@@ -0,0 +1,73 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2017 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ */
+
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+@RunWith(MockitoJUnitRunner.class)
+public class HttpBasicsInterceptRequestTest extends AssignmentEndpointTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        HttpBasicsInterceptRequest httpBasicsInterceptRequest = new HttpBasicsInterceptRequest();
+        init(httpBasicsInterceptRequest);
+        this.mockMvc = standaloneSetup(httpBasicsInterceptRequest).build();
+    }
+
+    @Test
+    public void success() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+                .header("x-request-intercepted", "true")
+                .param("changeMe", "Requests are tampered easily"))
+                .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.success"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    public void failure() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.get("/HttpProxies/intercept-request")
+                .header("x-request-intercepted", "false")
+                .param("changeMe", "Requests are tampered easily"))
+                .andExpect(status().isOk()).andDo(MockMvcResultHandlers.print())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("http-proxies.intercept.failure"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+}

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java

@@ -1,15 +1,14 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
 import java.io.IOException;
 
 /**
@@ -51,13 +50,13 @@ public class IDORDiffAttributes extends AssignmentEndpoint {
         attributes = attributes.trim();
         String[] diffAttribs = attributes.split(",");
         if (diffAttribs.length < 2) {
-            return AttackResult.failed("You did not list two attributes, comma delimited");
+            return trackProgress(failed().feedback("idor.diff.attributes.missing").build());
         }
         if (diffAttribs[0].toLowerCase().trim().equals("userid") && diffAttribs[1].toLowerCase().trim().equals("role") ||
                 diffAttribs[1].toLowerCase().trim().equals("userid") && diffAttribs[0].toLowerCase().trim().equals("role")) {
-            return trackProgress(AttackResult.success("Correct, the two attributes not displayed are userId & role. Keep those in mind"));
+            return trackProgress(success().feedback("idor.diff.success").build());
         } else {
-            return trackProgress(AttackResult.failed("Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen."));
+            return trackProgress(failed().feedback("idor.diff.failure").build());
         }
     }
 }

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java

@@ -1,18 +1,12 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
@@ -65,28 +59,42 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
             // we will persist in the session object for now in case we want to refer back or use it later
             userSessionData.setValue("idor-updated-other-profile",currentUserProfile);
             if (currentUserProfile.getRole() <= 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
-                return trackProgress(AttackResult.success("Well done, you have modified someone else's profile (as displayed below)",currentUserProfile.profileToMap().toString()));
+                return trackProgress(success()
+                    .feedback("idor.edit.profile.success1")
+                    .output(currentUserProfile.profileToMap().toString())
+                    .build());
             }
 
             if (currentUserProfile.getRole() > 1 && currentUserProfile.getColor().toLowerCase().equals("red")) {
-                return trackProgress(AttackResult.success("Close ... you've got the technique. Now try for a lower role number)",currentUserProfile.profileToMap().toString()));
+                return trackProgress(success()
+                        .feedback("idor.edit.profile.failure1")
+                        .output(currentUserProfile.profileToMap().toString())
+                        .build());
             }
 
             if (currentUserProfile.getRole() <= 1 && !currentUserProfile.getColor().toLowerCase().equals("red")) {
-                return trackProgress(AttackResult.success("Close ... you've got the technique. Now change the color in their profile to red.)",currentUserProfile.profileToMap().toString()));
+                return trackProgress(success()
+                    .feedback("idor.edit.profile.failure2")
+                    .output(currentUserProfile.profileToMap().toString())
+                    .build());
             }
 
             // else
-            return trackProgress(AttackResult.success("Try again. Use the hints if you need to.",currentUserProfile.profileToMap().toString()));
+            return trackProgress(failed().
-
+                feedback("idor.edit.profile.failure3")
+                .output(currentUserProfile.profileToMap().toString())
+                .build());
         } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
-            return AttackResult.failed("Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.");
+            return failed().feedback("idor.edit.profile.failure4").build();
         }
 
         if (currentUserProfile.getColor().equals("black") && currentUserProfile.getRole() <= 1 ) {
-            return trackProgress(AttackResult.success("Good work! View the updated profile below",userSessionData.getValue("idor-updated-own-profile").toString()));
+            return trackProgress(success()
+                .feedback("idor.edit.profile.success2")
+                .output(userSessionData.getValue("idor-updated-own-profile").toString())
+                .build());
         } else {
-            return trackProgress(AttackResult.failed("Please try again. Use the hints if need be."));
+            return trackProgress(failed().feedback("idor.edit.profile.failure3").build());
         }
 
     }

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORLogin.java

@@ -1,16 +1,13 @@
 package org.owasp.webgoat.plugin;
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AttackResult;
 
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.web.bind.annotation.*;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -67,9 +64,8 @@ public class IDORLogin extends AssignmentEndpoint {
     }
 
     @PostMapping
-    public
     @ResponseBody
-    AttackResult completed(@RequestParam String username, @RequestParam String password) {
+    public AttackResult completed(@RequestParam String username, @RequestParam String password) {
         initIDORInfo();
         UserSessionData userSessionData = getUserSessionData();
 
@@ -77,12 +73,12 @@ public class IDORLogin extends AssignmentEndpoint {
             if ("tom".equals(username) && idorUserInfo.get("tom").get("password").equals(password)) {
                 userSessionData.setValue("idor-authenticated-as", username);
                 userSessionData.setValue("idor-authenticated-user-id", idorUserInfo.get(username).get("id"));
-                return trackProgress(AttackResult.success("You are now logged in as " + username + ". Please proceed."));
+                return trackProgress(success().feedback("idor.login.success").feedbackArgs(username).build());
             } else {
-                return trackProgress(AttackResult.failed("credentials provided are not correct"));
+                return trackProgress(failed().feedback("idor.login.failure").build());
             }
         } else {
-            return trackProgress(AttackResult.failed("credentials provided are not correct"));
+            return trackProgress(failed().feedback("idor.login.failure").build());
         }
     }
 

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java

@@ -1,10 +1,9 @@
 package org.owasp.webgoat.plugin;
 
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -12,11 +11,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.Path;
-import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -69,15 +64,15 @@ public class IDORViewOtherProfile extends AssignmentEndpoint{
                 UserProfile requestedProfile = new UserProfile(userId);
                 // secure code would ensure there was a horizontal access control check prior to dishing up the requested profile
                 if (requestedProfile.getUserId().equals("2342388")){
-                    return trackProgress(AttackResult.success("Well done, you found someone else's profile",requestedProfile.profileToMap().toString()));
+                    return trackProgress(success().feedback("idor.view.profile.success").output(requestedProfile.profileToMap().toString()).build());
                 } else {
-                    return trackProgress((AttackResult.failed("You're on the right path, try a different id")));
+                    return trackProgress(failed().feedback("idor.view.profile.close1").build());
                 }
             } else {
-                return trackProgress((AttackResult.failed("Try again. You need to use the same method/URL you used to access your own profile via direct object reference.")));
+                return trackProgress(failed().feedback("idor.view.profile.close2").build());
             }
         }
-        return trackProgress((AttackResult.failed("Try again. ")));
+        return trackProgress(failed().build());
     }
 
 }

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfile.java

@@ -1,7 +1,7 @@
 package org.owasp.webgoat.plugin;
 
 
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.Endpoint;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -12,12 +12,9 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import com.google.common.collect.Lists;
 
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 
 /**
  * ************************************************************************************************

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java

@@ -1,10 +1,9 @@
 package org.owasp.webgoat.plugin;
 
 
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
@@ -65,17 +64,17 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
                 String[] urlParts = url.split("/");
                 if (urlParts[0].equals("WebGoat") && urlParts[1].equals("IDOR") && urlParts[2].equals("profile") && urlParts[3].equals(authUserId)) {
                     UserProfile userProfile = new UserProfile(authUserId);
-                    return trackProgress(AttackResult.success("congratultions, you have used the alternate Url/route to view your own profile.",userProfile.profileToMap().toString()));
+                    return trackProgress(success().feedback("idor.view.own.profile.success").output(userProfile.profileToMap().toString()).build());
                 } else {
-                    return trackProgress(AttackResult.failed("please try again. The alternoute route is very similar to the previous way you viewed your profile. Only one difference really"));
+                    return trackProgress(failed().feedback("idor.view.own.profile.failure1").build());
                 }
 
             } else {
-                return trackProgress(AttackResult.failed("You need to authenticate as tom first."));
+                return trackProgress(failed().feedback("idor.view.own.profile.failure2").build());
             }
         } catch (Exception ex) {
             System.out.println(ex.getMessage());
-            return AttackResult.failed("an error occurred with your request");
+            return failed().feedback("an error occurred with your request").build();
         }
     }
 

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java

@@ -1,9 +1,9 @@
 package org.owasp.webgoat.plugin;
 
 import com.google.common.collect.Lists;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -13,7 +13,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.Path;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.List;
@@ -43,7 +42,7 @@ public class ViewOtherUserProfile extends AssignmentEndpoint {
 
         if (userSessionData.getValue("idor-authenticated-as") == null) {
             json.add(errorMap);
-            return trackProgress(AttackResult.failed("You must authenticate first"));
+            return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
         } else {
             if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
                 System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
@@ -52,11 +51,11 @@ public class ViewOtherUserProfile extends AssignmentEndpoint {
                 //secure code would check to make sure authUserId matches userId or some similar access control
                 // ... and in this endpoint, we won't bother with that
                 UserProfile userProfile = new UserProfile(userId);
-                return trackProgress(AttackResult.failed("still working"));
+                return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
             }
         }
         // else
-        return trackProgress(AttackResult.failed("fall back"));
+        return trackProgress(failed().build());
     }
 
 

webgoat-lessons/idor/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -1,3 +1,29 @@
 idor.title=Insecure Direct Object References
 
 idor.hints.idor_login=Log in first
+
+
+idor.diff.attributes.missing=You did not list two attributes, comma delimited
+idor.diff.success=Correct, the two attributes not displayed are userId & role. Keep those in mind
+idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare to what's displayed on the screen.
+
+idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
+idor.edit.profile.success2=Good work! View the updated profile below
+idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
+idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
+idor.edit.profile.failure3=Try again. Use the hints if you need to.
+idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.
+
+idor.login.success=You are now logged in as {0}. Please proceed.
+idor.login.failure=Credentials provided are not correct
+
+idor.view.profile.success=Well done, you found someone else's profile
+idor.view.profile.close1=You're on the right path, try a different id
+idor.view.profile.close2=Try again. You need to use the same method/URL you used to access your own profile via direct object reference.
+
+idor.view.own.profile.success=Congratulations, you have used the alternate Url/route to view your own profile.
+idor.view.own.profile.failure1=Please try again. The alternate route is very similar to the previous way you viewed your profile. Only one difference really
+idor.view.own.profile.failure2=You need to authenticate as tom first.
+
+idor.view.other.profile.failure1=You must authenticate first
+idor.view.other.profile.failure2=<<still working>>

webgoat-lessons/pom.xml

@@ -37,6 +37,13 @@
             <artifactId>commons-exec</artifactId>
             <version>1.3</version>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webgoat-container</artifactId>
+            <version>${project.version}</version>
+            <classifier>tests</classifier>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <dependencyManagement>
         <dependencies>

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5a.java

@@ -1,25 +1,19 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
+import org.owasp.webgoat.assignments.AttackResult;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.sql.*;
+
 
 
 /***************************************************************************************************
@@ -84,26 +78,25 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
                     // If they get back more than one user they succeeded
                     if (results.getRow() >= 6)
                     {
-                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
+                    	return trackProgress(success().feedback("sql-injection.5a.success").feedbackArgs(output.toString()).build());
                    } else {
-                	   return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
+                	   return trackProgress(failed().output(output.toString()).build());
                    }
-                    
                 }
                 else
                 {
-                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
+                	return trackProgress(failed().feedback("sql-injection.5a.no.results").build());
 
                 }
             } catch (SQLException sqle)
             {
             	
-            	return trackProgress(AttackResult.failed(sqle.getMessage()));
+            	return trackProgress(failed().output(sqle.getMessage()).build());
             }
         } catch (Exception e)
         {
         	e.printStackTrace();
-        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
+        	return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
         }
     }
     

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson5b.java

@@ -2,25 +2,19 @@ package org.owasp.webgoat.plugin;
 
 
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
+import org.owasp.webgoat.assignments.AttackResult;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.sql.*;
+
 
 
 /***************************************************************************************************
@@ -86,27 +80,27 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
                     // If they get back more than one user they succeeded
                     if (results.getRow() >= 6)
                     {
-                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
+                    	return trackProgress(success().feedback("sql-injection.5b.success").feedbackArgs(output.toString()).build());
                    } else {
-                	   return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
+                	   return trackProgress(failed().output(output.toString()).build());
                    }
                     
                 }
                 else
                 {
-                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
+                	return trackProgress(failed().feedback("sql-injection.5b.no.results").build());
 
 //                    output.append(getLabelManager().get("NoResultsMatched"));
                 }
             } catch (SQLException sqle)
             {
             	
-            	return trackProgress(AttackResult.failed(sqle.getMessage()));
+            	return trackProgress(failed().output(sqle.getMessage()).build());
             }
         } catch (Exception e)
         {
         	e.printStackTrace();
-        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
+        	return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
         }
     }
     

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6a.java

@@ -1,25 +1,19 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
+import org.owasp.webgoat.assignments.AttackResult;
-import java.sql.ResultSetMetaData;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.sql.*;
+
 
 
 /***************************************************************************************************
@@ -86,26 +80,26 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
                     // If they get back more than one user they succeeded
                     if (results.getRow() >= 6)
                     {
-                    	return trackProgress(AttackResult.success("You have succeed: " + output.toString()));
+                    	return trackProgress(success().feedback("sql-injection.6b.success").feedbackArgs(output.toString()).build());
                    } else {
-                	   return trackProgress(AttackResult.failed("You are close, try again. " + output.toString()));
+                	   return trackProgress(failed().output(output.toString()).build());
                    }
                     
                 }
                 else
                 {
-                	return trackProgress(AttackResult.failed("No Results Matched. Try Again. "));
+                	return trackProgress(failed().feedback("sql-injection.6b.no.results").build());
 
                 }
             } catch (SQLException sqle)
             {
             	
-            	return trackProgress(AttackResult.failed(sqle.getMessage()));
+            	return trackProgress(failed().output(sqle.getMessage()).build());
             }
         } catch (Exception e)
         {
         	e.printStackTrace();
-        	return trackProgress(AttackResult.failed( "ErrorGenerating" + this.getClass().getName() + " : " + e.getMessage()));
+        	return trackProgress(failed().output(this.getClass().getName() + " : " + e.getMessage()).build());
         }
     }
     

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java

@@ -1,24 +1,22 @@
 
 package org.owasp.webgoat.plugin;
 
-import java.io.IOException;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import java.sql.Connection;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import java.sql.ResultSet;
+import org.owasp.webgoat.assignments.AttackResult;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Path;
-
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
 
 
 /***************************************************************************************************
@@ -57,9 +55,9 @@ public class SqlInjectionLesson6b extends AssignmentEndpoint {
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
 	    if (userid_6b.toString().equals(getPassword())) {
-	        return trackProgress(AttackResult.success());
+	        return trackProgress(success().build());
 	    } else {
-	        return trackProgress(AttackResult.failed("You are close, try again"));
+	        return trackProgress(failed().build());
 	    }
 	}
 

webgoat-lessons/sql-injection/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -6,3 +6,13 @@ SqlStringInjectionHint1=The application is taking your input and inserting it at
 SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true
 SqlStringInjectionHint4=Try entering [ smith' OR '1' = '1 ].
+
+
+sql-injection.5a.success=You have succeed:
+sql-injection.5a.no.results=No results matched. Try Again.
+
+sql-injection.5b.success=You have succeed:
+sql-injection.5b.no.results=No results matched. Try Again.
+
+sql-injection.6b.success=You have succeed:
+sql-injection.6b.no.results=No results matched. Try Again.

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java

@@ -2,16 +2,15 @@ package org.owasp.webgoat.plugin;
 
 import com.google.common.base.Joiner;
 import org.apache.commons.lang.exception.ExceptionUtils;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.ws.rs.Path;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
@@ -66,9 +65,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
         boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
         logFile.delete();
         if (solved) {
-            return AttackResult.success(String.format("Contents of the file is: %s", Joiner.on('\n').join(lines)));
+            return success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build();
         } else {
-            return AttackResult.failed("Try again...", error);
+            return failed().output(error).build();
         }
     }
 

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java

@@ -1,9 +1,10 @@
 package org.owasp.webgoat.plugin;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestHeader;
@@ -11,7 +12,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.ws.rs.Path;
 import java.io.IOException;
 
 import static org.owasp.webgoat.plugin.SimpleXXE.checkSolution;
@@ -47,24 +47,25 @@ import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
  * @since November 17, 2016
  */
 @AssignmentPath("XXE/content-type")
+@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
 public class ContentTypeAssignment extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
     public AttackResult createNewUser(@RequestBody String userInfo, @RequestHeader("Content-Type") String contentType) throws Exception {
         User user = new User();
-        AttackResult attackResult = AttackResult.failed("Try again!");
+        AttackResult attackResult = failed().build();
         if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
             user = parseJson(userInfo);
-            attackResult = AttackResult.failed("You are posting JSON which does not work with a XXE");
+            attackResult = failed().feedback("xxe.content.type.feedback.json").build();
         }
         if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
             user = parseXml(userInfo);
-            attackResult = AttackResult.failed("You are posting XML but there is no XXE attack performed");
+            attackResult = failed().feedback("xxe.content.type.feedback.xml").build();
         }
 
         if (checkSolution(user)) {
-            attackResult = AttackResult.success(String.format("Welcome %s", user.getUsername()));
+            attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build();
         }
         return attackResult;
     }

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java

@@ -1,7 +1,7 @@
 package org.owasp.webgoat.plugin;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.endpoints.Endpoint;
+import org.owasp.webgoat.assignments.Endpoint;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java

@@ -1,16 +1,16 @@
 package org.owasp.webgoat.plugin;
 
 import org.apache.commons.exec.OS;
-import org.owasp.webgoat.endpoints.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.endpoints.AssignmentPath;
+import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.lessons.AttackResult;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.ws.rs.Path;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.stream.XMLInputFactory;
@@ -47,6 +47,7 @@ import java.io.StringReader;
  * @since November 17, 2016
  */
 @AssignmentPath("XXE/simple")
+@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
 public class SimpleXXE extends AssignmentEndpoint {
 
     private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
@@ -57,13 +58,11 @@ public class SimpleXXE extends AssignmentEndpoint {
     public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
         User user = parseXml(userInfo);
         if (checkSolution(user)) {
-          return AttackResult.success("Congratulation", String.format("Welcome %s you can now login to our website", user.getUsername()));
+          return trackProgress(success()
-        }
+              .output("xxe.simple.output")
-        if (userInfo.contains("<!DOCTYPE")) {
+              .outputArgs(user.getUsername()).build());
-            return AttackResult.failed("Try again you did include a doctype in the xml!");
-        } else {
-            return AttackResult.failed(String.format("Welcome %s you can now login to our website", user.getUsername()));
         }
+        return trackProgress(failed().build());
     }
 
     public static User parseXml(String xml) throws Exception {

webgoat-lessons/xxe/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -0,0 +1,37 @@
+#
+# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+# please see http://www.owasp.org/
+# <p>
+# Copyright (c) 2002 - 2017 Bruce Mayhew
+# <p>
+# This program is free software; you can redistribute it and/or modify it under the terms of the
+# GNU General Public License as published by the Free Software Foundation; either version 2 of the
+# License, or (at your option) any later version.
+# <p>
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+# <p>
+# You should have received a copy of the GNU General Public License along with this program; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+# 02111-1307, USA.
+# <p>
+# Getting Source ==============
+# <p>
+# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+# projects.
+# <p>
+#
+xxe.simple.output=Welcome {0} you can now login to our website
+xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
+xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed
+xxe.content.output=Welcome {0} you can now login to our website
+xxe.blind.output=Contents of the file is:
+
+xxe.hints.simple.xxe.1=Try submitting the form and see what happens
+xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
+xxe.hints.simple.xxe.3=Try to include your own DTD
+xxe.hints.simple.xxe.4=Try to include a doctype (<!DOCTYPE...) in the xml
+
+xxe.hints.content.type.xxe.1=Take a look at the content type
+xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?