From ac6e8b59b7f480de66bdf55d481c2f0067010cb5 Mon Sep 17 00:00:00 2001
From: Jason White <jason.white@owasp.org>
Date: Fri, 17 Feb 2017 15:59:38 -0500
Subject: [PATCH] XSS updates

---
 .../webgoat/plugin/DOMCrossSiteScripting.java |   2 +-
 .../plugin/DOMCrossSiteScriptingFollowUp.java |  35 +++
 .../html/CrossSiteScripting.html              | 261 ++++++++++--------
 .../en/CrossSiteScripting_content6a.adoc      |   2 +-
 .../en/CrossSiteScripting_content6b.adoc      |   9 +
 .../plugin/i18n/WebGoatLabels.properties      |   2 +
 6 files changed, 193 insertions(+), 118 deletions(-)
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
index c4ceea5b4..7bd3456ff 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
@@ -21,7 +21,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
     AttackResult completed(@RequestParam Integer param1,
                            @RequestParam Integer param2, HttpServletRequest request)  throws IOException {
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            System.out.println("DOM-XSS successful");
+            System.out.println("DOM-XSS successful, param1 is 42");
             return trackProgress(success().build());
         } else {
             return trackProgress(failed().build());
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java
new file mode 100644
index 000000000..846c1eaa4
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java
@@ -0,0 +1,35 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * Created by jason on 11/23/16.
+ */
+@AssignmentPath("/CrossSiteScripting/dom-follow-up")
+public class DOMCrossSiteScriptingFollowUp extends AssignmentEndpoint {
+    @RequestMapping(method = RequestMethod.POST)
+    public @ResponseBody
+    AttackResult completed(@RequestParam String successMessage)  throws IOException {
+        if (successMessage.equals("DOM-XSS successful, param1 is 42")) {
+            return trackProgress(success().feedback("xss-dom-message-success").build());
+        } else {
+            return trackProgress(failed().feedback("xss-dom-message-success").build());
+        }
+    }
+}
+// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+
+
+
+
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
index 884674f49..e754d0527 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
@@ -184,7 +184,8 @@
 	<div class="lesson-page-wrapper">
 		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
 	</div>
-	<div class="lesson-page-wrapper">
+
+    <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
@@ -208,133 +209,161 @@
 			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
 		</div>
 	</div>
-	<div class="lesson-page-wrapper">
+
+    <div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+        <!-- include content here. Content will be presented via asciidocs files,
+        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+        <div class="adoc-content" th:replace="doc:CrossSiteScripting_content6b.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
+            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
+            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="DOMFollowUp"
+                  action="/WebGoat/CrossSiteScripting/dom-follow-up"
+                  enctype="application/json;charset=UTF-8">
+                <input name="successMessage" value="" type="TEXT" />
+                <input name="submitMessage" value="Submit" type="SUBMIT"/>
+            </form>
+            <!-- do not remove the two following div's, this is where your feedback/output will land -->
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+            <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
+        </div>
+    </div>
+
+
+    <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
 	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
-		<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />
-	</div>
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>-->
+		<!--<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />-->
+	<!--</div>-->
 
 
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-	        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content"
-			th:replace="doc:CrossSiteScripting_content9a.adoc"></div>
-		<div class="attack-container">
-			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
+	<!--<div class="lesson-page-wrapper">-->
+		<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here. Content will be presented via asciidocs files,-->
+	        <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content"-->
+			<!--th:replace="doc:CrossSiteScripting_content9a.adoc"></div>-->
+		<!--<div class="attack-container">-->
+			<!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
+			<!--&lt;!&ndash; using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
 
-			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-			<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-			<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-			<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-				name="form" action="/WebGoat/CrossSiteScripting/attack9a"
-				enctype="application/json;charset=UTF-8">
+			<!--&lt;!&ndash; using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
+			<!--&lt;!&ndash; you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework &ndash;&gt;-->
+			<!--&lt;!&ndash; of course, you can write your own ajax submission /handling in your own javascript if you like &ndash;&gt;-->
+			<!--<form class="attack-form" accept-charset="UNKNOWN" method="POST"-->
+				<!--name="form" action="/WebGoat/CrossSiteScripting/attack9a"-->
+				<!--enctype="application/json;charset=UTF-8">-->
 
-				<table cellspacing="0" cellpadding="0" border="0">
-					<tbody>
-						<tr>
-							<td>Title:</td>
-							<td><input name="title" value="" type="TEXT" /></td>
-						</tr>
-						<tr>
-							<td valign="TOP">Message:</td>
-							<td><textarea cols="60" name="message" rows="5"></textarea></td>
-						</tr>
-					</tbody>
-				</table>
-				<p>
-					<input name="SUBMIT" value="Submit" type="SUBMIT" />
-				</p>
-				<hr />
-				<hr />
-				<h1>Message List</h1>
-				<table cellspacing="0" cellpadding="0" border="0">
-					<tbody>
-						<tr>
-							<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>
-						</tr>
-					</tbody>
-				</table>
-			</form>
+				<!--<table cellspacing="0" cellpadding="0" border="0">-->
+					<!--<tbody>-->
+						<!--<tr>-->
+							<!--<td>Title:</td>-->
+							<!--<td><input name="title" value="" type="TEXT" /></td>-->
+						<!--</tr>-->
+						<!--<tr>-->
+							<!--<td valign="TOP">Message:</td>-->
+							<!--<td><textarea cols="60" name="message" rows="5"></textarea></td>-->
+						<!--</tr>-->
+					<!--</tbody>-->
+				<!--</table>-->
+				<!--<p>-->
+					<!--<input name="SUBMIT" value="Submit" type="SUBMIT" />-->
+				<!--</p>-->
+				<!--<hr />-->
+				<!--<hr />-->
+				<!--<h1>Message List</h1>-->
+				<!--<table cellspacing="0" cellpadding="0" border="0">-->
+					<!--<tbody>-->
+						<!--<tr>-->
+							<!--<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>-->
+						<!--</tr>-->
+					<!--</tbody>-->
+				<!--</table>-->
+			<!--</form>-->
 
-			<!-- do not remove the two following div's, this is where your feedback/output will land -->
-			<div class="attack-feedback"></div>
-			<div class="attack-output"></div>
-			<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
-		</div>
-	</div>
+			<!--&lt;!&ndash; do not remove the two following div's, this is where your feedback/output will land &ndash;&gt;-->
+			<!--<div class="attack-feedback"></div>-->
+			<!--<div class="attack-output"></div>-->
+			<!--&lt;!&ndash; ... of course, you can move them if you want to, but that will not look consistent to other lessons &ndash;&gt;-->
+		<!--</div>-->
+	<!--</div>-->
 
 
 
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>
-	</div>
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>
-	</div>	
-	<div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>
-	</div>	
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>-->
+	<!--</div>-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>-->
+	<!--</div>	-->
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>-->
+	<!--</div>-->
+
+	<!--<div class="lesson-page-wrapper">-->
+        <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
+		<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
+		<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
+		<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>-->
+	<!--</div>	-->
 
 </html>
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
index 9d4ce0689..08176abe4 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
@@ -1,4 +1,4 @@
-== Try It!   DOM-Based XSS
+== Ientify Potential for DOM-Based XSS
 
 For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
 (Often times test code is very simple and lacks security or any quality controls!).
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc
new file mode 100644
index 000000000..d66d36423
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc
@@ -0,0 +1,9 @@
+== Try It!   DOM-Based XSS
+
+Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if
+you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is ...
+
+*webgoat.customjs.phoneHome()*
+
+Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.  Once you complete it, paste the output message from the log below ...
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
index af10c440a..68d7f6267 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
@@ -6,5 +6,7 @@ xss-reflected-5b-failure=Nope, pretty easy to guess now though.
 xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
 xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
+xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
 
 #xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.
\ No newline at end of file