diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
index fcd9138da..fa3a0a3c2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
@@ -15,7 +15,8 @@
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
- * Getting Source ==============
+ * Getting Source
+ * ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
 */
@@ -30,12 +31,9 @@ import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
-// @RestController
-@Deprecated
-// TODO This assignment seems not to be in use in the UI
-// it is there to make sure the lesson can be marked complete
-// in order to restore it, make it accessible through the UI and uncomment RestController
+@RestController
 @AssignmentHints(
 value = {
 "xss-mitigation-3-hint1",
@@ -60,9 +58,9 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
 String lastNameElement = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
- Boolean includeCorrect = false;
- Boolean firstNameCorrect = false;
- Boolean lastNameCorrect = false;
+ boolean includeCorrect = false;
+ boolean firstNameCorrect = false;
+ boolean lastNameCorrect = false;
 if (include.contains("<%@") && include.contains("taglib")
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
index 7a487471e..1bf5fbe01 100644
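Review bot: Restoring `@RestController` in the `-30,12 +31,9` hunk makes `completed` reachable from the UI again, but the context line in the `-60,9 +58,9` hunk still chains `doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text()` with no null check, so a submission whose table lacks that cell would surface as a NullPointerException (an HTTP 500) instead of the lesson's normal failure response. Split the call, `Element lastNameCell = doc.select("...").first();`, and when it is `null` return the same `failed(this)` result the method already uses for a wrong answer before touching `text()`; the `doc` presumably comes from parsing request input, though that parse is outside the hunk. The `Boolean` to `boolean` change in the same hunk is fine and avoids needless boxing. `completed`'s signature and closing brace both lie outside the visible hunks.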
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
@@ -22,20 +22,15 @@ package org.owasp.webgoat.lessons.xss;
-import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
-// @RestController
-@Deprecated
-// TODO This assignment seems not to be in use in the UI
-// it is there to make sure the lesson can be marked complete
-// in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j
-@Slf4j
+@RestController
 @AssignmentHints(value = {"xss-mitigation-4-hint1"})
 public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
@@ -44,7 +39,6 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
 public AttackResult completed(@RequestParam String editor2) {
 String editor = editor2.replaceAll("\\<.*?>", "");
- log.debug(editor);
 if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"")
@@ -54,10 +48,8 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
 && editor.contains("CleanResults") && editor.contains("MyCommentDAO.addComment(threadID, userID") && editor.contains(".getCleanHTML());")) {
- log.debug("true");
 return success(this).feedback("xss-mitigation-4-success").build();
 } else {
- log.debug("false");
 return failed(this).feedback("xss-mitigation-4-failed").build();
 }
 }
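Review bot: In the `-44,7 +39,6` hunk the context line `String editor = editor2.replaceAll("\\<.*?>", "");` recompiles its regex on every request and escapes `<`, which needs no escaping in a Java regex; now that `@RestController` makes the endpoint live again, the usual form is a `private static final Pattern TAG = Pattern.compile("<.*?>");` field (with `java.util.regex.Pattern` imported) and `String editor = TAG.matcher(editor2).replaceAll("");`. Dropping `log.debug(editor)` together with the `log.debug("true")`/`log.debug("false")` calls in the `-54,10 +48,8` hunk and the `@Slf4j` import is consistent, and it stops echoing raw request input into the application log. The `if` condition is split across the two hunks, so the lines between them are not visible here.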
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
index 89977ea79..bf5b77763 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
@@ -15,7 +15,8 @@
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
- * Getting Source ==============
+ * Getting Source
+ * ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
 */
@@ -24,7 +25,9 @@ package org.owasp.webgoat.lessons.xss;
 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
+import org.springframework.stereotype.Component;
+@Component
 public class CrossSiteScriptingMitigation extends Lesson {
 @Override
 public Category getDefaultCategory() {
@@ -33,6 +36,6 @@ public class CrossSiteScriptingMitigation extends Lesson {
 @Override
 public String getTitle() {
- return "xss-mitigation.title";
+ return "6.xss-mitigation.title";
 }
 }
diff --git a/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties b/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
index b0eca9483..e105a6d13 100644
--- a/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
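Review bot: The `-33,6 +36,6` hunk changes the title key to `6.xss-mitigation.title` without saying why the numeric prefix matters; the sibling keys `4.xss.title` and `5.xss-stored.title` in the properties hunk suggest the prefix drives the lesson's position in the menu, but that is inferred rather than shown here. A one-line comment above the `return`, `// numeric prefix follows the 4.xss / 5.xss-stored ordering of the XSS lessons`, would spare the next reader a search. Only the default WebGoatLabels.properties is renamed in this diff, so it is worth confirming that any localized variant of that bundle does not still carry the old `xss-mitigation.title` key.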
@@ -1,7 +1,7 @@
 # XSS success, failure messages and hints
 4.xss.title=Cross Site Scripting
 5.xss-stored.title=Cross Site Scripting (stored)
-xss-mitigation.title=Cross Site Scripting (mitigation)
+6.xss-mitigation.title=Cross Site Scripting (mitigation)
 xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
 xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.