From 990bf079d3139196cd31281e85fdabe188b544ed Mon Sep 17 00:00:00 2001
From: Benedikt - Desktop <benedikt.stuhrmann@gmail.com>
Date: Sun, 18 Nov 2018 13:19:26 +0100
Subject: [PATCH] Added hints for dom-based xss assignment (part 2)

---
 .../owasp/webgoat/plugin/DOMCrossSiteScriptingVerifier.java | 2 ++
 .../src/main/resources/i18n/WebGoatLabels.properties        | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingVerifier.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingVerifier.java
index 7f1444a3f..6ee699bef 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingVerifier.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingVerifier.java
@@ -32,6 +32,7 @@
 package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
@@ -47,6 +48,7 @@ import java.io.IOException;
  * Created by jason on 11/23/16.
  */
 @AssignmentPath("/CrossSiteScripting/dom-follow-up")
+@AssignmentHints(value = {"xss-dom-message-hint-1", "xss-dom-message-hint-2", "xss-dom-message-hint-3", "xss-dom-message-hint-4", "xss-dom-message-hint-5", "xss-dom-message-hint-6"})
 public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
     @RequestMapping(method = RequestMethod.POST)
     public @ResponseBody
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 66cb0a4cc..940c79523 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -19,6 +19,12 @@ xss-reflected-6a-hint-4=Still didn't find it? Check the <a href="/WebGoat/js/goa
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
+xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.
+xss-dom-message-hint-2=Your url should look something like that http://localhost:8080/WebGoat/start.mvc#REPLACE-WITH-THE-TEST-ROUTE/some_parameters
+xss-dom-message-hint-3=Note how the parameters you send to the test-route get reflected back to the page. Now add your javascript to it.
+xss-dom-message-hint-4=You have to use script tags, so your javascript code gets executed when being rendered into the DOM.
+xss-dom-message-hint-5=Since you're working with an URL, you might have to URL-encode your parameters.
+xss-dom-message-hint-6=Replace '/' with '%2F' in your URL parameters.
 xss-stored-comment-success=It appears your payload should invoke the function. To tell for sure, you need to capture the value and put it in the form below. Then we will really know.
 xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
 xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).