More CSRF Updates

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java

@@ -40,6 +40,7 @@ import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.WebSession;
@@ -58,6 +59,7 @@ import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
 @AssignmentPath("/csrf/review")
+@AssignmentHints({"csrf-review-hint1","csrf-review-hint2","csrf-review-hint3"})
 public class ForgedReviews extends AssignmentEndpoint {
 
     @Autowired

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -50,7 +50,7 @@
 
     <div class="lesson-page-wrapper">
 
-        <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7b.adoc"></div>-->
+        <div class="adoc-content" th:replace="doc:CSRF_Reviews.adoc"></div>
 
         <!-- comment area -->
         <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@@ -113,7 +113,9 @@
 
     </div>
 
-
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adocc"></div>
+    </div>
     <!--</div>-->
 
 </html>

webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties

@@ -13,3 +13,7 @@ csrf-same-host=It appears your request is coming from the same host you are subm
 csrf-you-forgot-something=There's something missing from your request it appears, so I can't process it.
 
 csrf-review.success=It appears you have submitted correctly from another site. Go reload and see if your post is there.
+
+csrf-review-hint1=Again, you will need to submit from an external domain/host to trigger this action. While CSRF can often be triggered from the same host (e.g. via persisted payload), this doesn't work that way.
+csrf-review-hint2=Remember, you need to mimic the existing workflow/form.
+csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get.adoc

@@ -1,9 +0,0 @@
-== The Base Form
-
-The form below has hidden elements and submits to an action of TBD.  You can try it out and watch what it does, but it won't get you the flag. Once you can
-
-Every attack in this lesson will need to be done through another page or site. To see your progress, you will need to reload the
-pages or re-navigate back through the lesson to see your progress.
-
-Just to get your feet wet, issue a request to _SERVER_/WebGoat/csrf/basic-get-flag with a parameter named 'csrf' equal to 'true'. Your request needs to
-come from a local file or be hosted on a different website.

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc

@@ -0,0 +1,20 @@
+== CSRF Impact
+
+The impact is limited only by what the logged in user can do (if the site/function/action is not protected properly).
+The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances.  Sadly, many consumer-grade routers
+have also proven vulnerable to CSRF.
+
+== CSRF Solution
+
+Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks.  For example, Spring and
+Tomcat have this on by default.  As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks.
+
+See the following for more information on CSRF protections:
+
+https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet (Prevention/Defense)
+
+https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  (Attack)
+
+https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter / https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter (Tomcat)
+
+https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc

@@ -0,0 +1,9 @@
+== Post a review on someone else's behalf
+
+The page below simulates a comment/review page.  The difference here is that you have to inititate the submission elsewhere as you might
+with a CSRF attack and like the previous exercise. It's easier than you think. In most cases, the trickier part is
+finding somewhere that you want to execute the CSRF attack. The classic example is account/wire transfers in someone's bank account.
+
+But we're keepoing it simple here.  In this case, you just need to trigger a review submission on behalf of the currently
+logged in user.
+

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_plan.adoc

@@ -1,10 +0,0 @@
-= Cross-site request forgery (CSRF)
-
-== Concept
-
-This lesson teaches how to what a CSRF attack is and how it can be abused and protected against.
-
-== Goals
-
-* The user should have basic knowledge of JavaScript
-* The user will learn to perform a CSRF attack and how to protected against it.