From 99435a107320df6e3cdca06afac813f48b4b86ca Mon Sep 17 00:00:00 2001
From: Rene Zubcevic <git@zubcevic.com>
Date: Fri, 19 Jul 2019 12:16:06 +0200
Subject: [PATCH 1/7] increased sql form fields and fixed chrome progress

---
 .../owasp/webgoat/plugin/NetworkDummy.java    | 14 ++++++-
 .../owasp/webgoat/plugin/NetworkLesson.java   | 10 ++++-
 .../main/resources/html/ChromeDevTools.html   | 41 ++++---------------
 .../src/main/resources/html/SqlInjection.html |  8 ++--
 4 files changed, 33 insertions(+), 40 deletions(-)

diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
index 9a462f77a..e5efd285d 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
+++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -21,7 +22,16 @@ public class NetworkDummy extends AssignmentEndpoint {
   @RequestMapping(method = RequestMethod.POST)
   public
   @ResponseBody
-  AttackResult completed(@RequestParam String networkNum) throws IOException {
-    return trackProgress(failed().feedback("network.request").build());
+  AttackResult completed(@RequestParam String successMessage) throws IOException {
+	  
+	  UserSessionData userSessionData = getUserSessionData();
+      String answer = (String) userSessionData.getValue("randValue");
+
+      if (successMessage!=null && successMessage.equals(answer)) {
+          return trackProgress(success().feedback("xss-dom-message-success").build());
+      } else {
+          return trackProgress(failed().feedback("xss-dom-message-failure").build());
+      }
+	    
   }
 }
\ No newline at end of file
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
index 41071eaff..1969e53e9 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
+++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java
@@ -4,6 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -21,7 +22,7 @@ import java.io.IOException;
 @AssignmentHints({"networkHint1", "networkHint2"})
 public class NetworkLesson extends AssignmentEndpoint {
 
-  @RequestMapping(method = RequestMethod.POST)
+  @RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
   public
   @ResponseBody
   AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
@@ -31,4 +32,11 @@ public class NetworkLesson extends AssignmentEndpoint {
       return trackProgress(failed().feedback("network.failed").build());
     }
   }
+  
+  @RequestMapping(method = RequestMethod.POST, params="networkNum")
+  public
+  @ResponseBody
+  ResponseEntity<?> ok(@RequestParam String networkNum) throws IOException {
+	  return ResponseEntity.ok().build();
+  }
 }
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html b/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html
index d8d576bb6..807cc5a4b 100644
--- a/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html
+++ b/webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html
@@ -2,25 +2,29 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
+<!-- 1 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_intro.adoc"></div>
 </div>
 
+<!-- 2 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_elements.adoc"></div>
 </div>
 
+<!-- 3 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_console.adoc"></div>
 </div>
 
+<!-- 4 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="DOMFollowUp"
-              action="/WebGoat/CrossSiteScripting/dom-follow-up"
+              action="/WebGoat/ChromeDevTools/dummy"
               enctype="application/json;charset=UTF-8">
             <input name="successMessage" value="" type="TEXT" />
             <input name="submitMessage" value="Submit" type="SUBMIT"/>
@@ -30,17 +34,19 @@
     </div>
 </div>
 
+<!-- 5 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_sources.adoc"></div>
 </div>
 
+<!-- 6 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment_Network.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/ChromeDevTools/dummy"
+              action="/WebGoat/ChromeDevTools/network"
               enctype="application/json;charset=UTF-8">
             <script>
                 // sample custom javascript in the recommended way ...
@@ -79,35 +85,4 @@
     </div>
 </div>
 
-<!--
-<div class="lesson-page-wrapper">
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/HttpBasics/attack1"
-              enctype="application/json;charset=UTF-8">
-            <script>
-                console.log("in listener");
-                document.getElementById("butn").addEventListener("click", function() {
-                    document.getElementById("inp").value = Math.random() * 100;
-                });
-            </script>
-            <table>
-                <tr>
-                    <td>Click this Button to make a request</td>
-                    <td><Button id="butn"></Button></td>
-                    <td><input id="inp" name="networkNumber" value="" type="hidden"/><input
-                            name="SUBMIT" value="Go!" type="SUBMIT" /></td>
-                </tr>
-                <tr>
-                    <td>The Network Number is:</td>
-                    <td><input name="number" value="" type="text" /></td>
-                    <td><button type="submit" formaction="/WebGoat/ChromeDevTools/network">Check</button></td>
-                </tr>
-            </table>
-        </form>
-    </div>
-</div>
--->
 </html>
\ No newline at end of file
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
index 862a35991..a4f5dd7f2 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html
@@ -21,7 +21,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>
@@ -46,7 +46,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>
@@ -71,7 +71,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>
@@ -96,7 +96,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>

From 656fa40182e07b9025f8fda364e4fe45a4a52cc2 Mon Sep 17 00:00:00 2001
From: Rene Zubcevic <git@zubcevic.com>
Date: Fri, 19 Jul 2019 16:49:30 +0200
Subject: [PATCH 2/7] style sheet and advanced sql

---
 .../src/main/resources/application.properties |  4 ++++
 .../src/main/resources/static/css/main.css    |  8 ++++++-
 .../advanced/SqlInjectionChallenge.java       |  2 +-
 .../advanced/SqlInjectionChallengeLogin.java  |  2 +-
 .../plugin/advanced/SqlInjectionLesson6a.java |  2 +-
 .../plugin/advanced/SqlInjectionLesson6b.java |  2 +-
 .../plugin/advanced/SqlInjectionQuiz.java     |  2 +-
 .../resources/html/SqlInjectionAdvanced.html  | 22 +++++++++----------
 .../SqlInjectionLesson6aTest.java             | 12 +++++-----
 .../SqlInjectionLesson6bTest.java             |  4 ++--
 .../src/main/resources/application.properties |  4 ++++
 11 files changed, 38 insertions(+), 26 deletions(-)

diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties
index 281b53230..899683c57 100644
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@@ -1,3 +1,7 @@
+spring.mandatory-file-encoding=UTF-8
+spring.http.encoding.charset=UTF-8
+spring.http.encoding.enabled=true
+
 server.error.include-stacktrace=always
 server.error.path=/error.html
 server.session.timeout=600
diff --git a/webgoat-container/src/main/resources/static/css/main.css b/webgoat-container/src/main/resources/static/css/main.css
index 59f674616..27a4e6d83 100644
--- a/webgoat-container/src/main/resources/static/css/main.css
+++ b/webgoat-container/src/main/resources/static/css/main.css
@@ -1001,9 +1001,15 @@ cookie-container {
     margin: 3px;
 }
 
+@keyframes blink { 
+   50% { border-color: white; } 
+}
+
 .cur-page {
-    border-bottom: 2px solid #000;
+    animation: blink 1.5s 2 forwards;
+    border: 3px solid blue;
     color:#aaa;
+    background-color: lightsalmon;
 }
 
 span.show-next-page, span.show-prev-page {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
index 674efb000..3f13d819f 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
@@ -20,7 +20,7 @@ import java.sql.*;
  * @author nbaars
  * @since 4/8/17.
  */
-@AssignmentPath("SqlInjection/challenge")
+@AssignmentPath("/SqlInjectionAdvanced/challenge")
 @AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
 @Slf4j
 public class SqlInjectionChallenge extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
index 05816c434..4ca99b883 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
@@ -17,7 +17,7 @@ import java.sql.*;
 
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
-@AssignmentPath("SqlInjection/challenge_Login")
+@AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
 @Slf4j
 @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
 public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
index e72c74577..9bf990d3c 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
@@ -42,7 +42,7 @@ import java.sql.*;
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created October 28, 2003
  */
-@AssignmentPath("/SqlInjection/attack6a")
+@AssignmentPath("/SqlInjectionAdvanced/attack6a")
 @AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
 "SqlStringInjectionHint-advanced-6a-4"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java
index 74fc5d2ad..a6e276bd2 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java
@@ -47,7 +47,7 @@ import java.sql.Statement;
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created October 28, 2003
  */
-@AssignmentPath("/SqlInjection/attack6b")
+@AssignmentPath("/SqlInjectionAdvanced/attack6b")
 public class SqlInjectionLesson6b extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionQuiz.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionQuiz.java
index 52a800142..6367c48f7 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionQuiz.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionQuiz.java
@@ -21,7 +21,7 @@ import java.sql.Statement;
  * 3. add Request param with name of question to method head
  * For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js
  */
-@AssignmentPath("/SqlInjection/quiz")
+@AssignmentPath("/SqlInjectionAdvanced/quiz")
 public class SqlInjectionQuiz extends AssignmentEndpoint {
 
     String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
index 896dcf48f..1158f0661 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@@ -3,22 +3,24 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 
+<!-- 1 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
 </div>
 
-
+<!-- 2 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
 </div>
 
+<!-- 3 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6a"
+              action="/WebGoat/SqlInjectionAdvanced/attack6a"
               enctype="application/json;charset=UTF-8">
             <table>
                 <tr>
@@ -29,15 +31,10 @@
                     <td></td>
                 </tr>
             </table>
-        </form>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        </form>        
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6b"
+              action="/WebGoat/SqlInjectionAdvanced/attack6b"
               enctype="application/json;charset=UTF-8">
             <table>
                 <tr>
@@ -54,6 +51,7 @@
     </div>
 </div>
 
+<!-- 4 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content6c.adoc"></div>
 </div>
@@ -83,7 +81,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="SqlInjection/challenge_Login"
+                                          action="SqlInjectionAdvanced/challenge_Login"
                                           enctype="application/json;charset=UTF-8" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
@@ -119,7 +117,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          action="SqlInjection/challenge"
+                                          action="SqlInjectionAdvanced/challenge"
                                           enctype="application/json;charset=UTF-8" style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"
@@ -172,7 +170,7 @@
             <div class="container-fluid">
                 <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                       method="POST" name="form"
-                      action="SqlInjection/quiz"
+                      action="/WebGoat/SqlInjectionAdvanced/quiz"
                       enctype="application/json;charset=UTF-8" role="form">
                     <div id="q_container"></div>
                     <br />
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
index 71d85443c..be88f4b75 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
@@ -30,7 +30,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void wrongSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "John"))
 
                 .andExpect(status().isOk())
@@ -39,7 +39,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void wrongNumberOfColumns() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --"))
 
                 .andExpect(status().isOk())
@@ -49,7 +49,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void wrongDataTypeOfColumns() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
 
                 .andExpect(status().isOk())
@@ -59,7 +59,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void correctSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith'; SELECT * from user_system_data; --"))
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.lessonCompleted", is(false)))
@@ -68,7 +68,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void noResultsReturned() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' and 1 = 2 --"))
 
                 .andExpect(status().isOk())
@@ -78,7 +78,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void noUnionUsed() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "S'; Select * from user_system_data; --"))
 
                 .andExpect(status().isOk())
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java
index 7341a6d3a..cfb8aebfe 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java
@@ -29,7 +29,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
 
     @Test
     public void submitCorrectPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
                 .param("userid_6b", "passW0rD"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
@@ -37,7 +37,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
 
     @Test
     public void submitWrongPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
                 .param("userid_6b", "John"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties
index 981ce87aa..d9d29d25b 100644
--- a/webwolf/src/main/resources/application.properties
+++ b/webwolf/src/main/resources/application.properties
@@ -1,3 +1,7 @@
+spring.mandatory-file-encoding=UTF-8
+spring.http.encoding.charset=UTF-8
+spring.http.encoding.enabled=true
+
 server.error.include-stacktrace=always
 server.error.path=/error.html
 server.session.timeout=6000

From f9e78739f3638d815ffac8c44c1d658c8fd61273 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sat, 20 Jul 2019 09:13:21 +0200
Subject: [PATCH 3/7] reverted mandatory file encoding which will make it worse
 on windows

---
 webgoat-container/src/main/resources/application.properties | 4 ----
 webwolf/src/main/resources/application.properties           | 4 ----
 2 files changed, 8 deletions(-)

diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties
index 899683c57..281b53230 100644
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@@ -1,7 +1,3 @@
-spring.mandatory-file-encoding=UTF-8
-spring.http.encoding.charset=UTF-8
-spring.http.encoding.enabled=true
-
 server.error.include-stacktrace=always
 server.error.path=/error.html
 server.session.timeout=600
diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties
index d9d29d25b..981ce87aa 100644
--- a/webwolf/src/main/resources/application.properties
+++ b/webwolf/src/main/resources/application.properties
@@ -1,7 +1,3 @@
-spring.mandatory-file-encoding=UTF-8
-spring.http.encoding.charset=UTF-8
-spring.http.encoding.enabled=true
-
 server.error.include-stacktrace=always
 server.error.path=/error.html
 server.session.timeout=6000

From 7d0a63ac950b102e7577af2e0fdf0b342cc8c19f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Sat, 20 Jul 2019 09:34:27 +0200
Subject: [PATCH 4/7] small html changes to improve progress

---
 .../src/main/resources/html/SqlInjectionAdvanced.html       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
index 1158f0661..de3c4dee2 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@@ -18,7 +18,7 @@
     <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
+        <form class="att-form" accept-charset="UNKNOWN"
               method="POST" name="form"
               action="/WebGoat/SqlInjectionAdvanced/attack6a"
               enctype="application/json;charset=UTF-8">
@@ -81,7 +81,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="SqlInjectionAdvanced/challenge_Login"
+                                          action="/WebGoat/SqlInjectionAdvanced/challenge_Login"
                                           enctype="application/json;charset=UTF-8" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
@@ -117,7 +117,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          action="SqlInjectionAdvanced/challenge"
+                                          action="/WebGoat/SqlInjectionAdvanced/challenge"
                                           enctype="application/json;charset=UTF-8" style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"

From ea389730689203dfca067866152be430291d7904 Mon Sep 17 00:00:00 2001
From: Rene Zubcevic <git@zubcevic.com>
Date: Mon, 22 Jul 2019 08:21:34 +0200
Subject: [PATCH 5/7] UTF-8 config added for ThymeLeaf

---
 .../src/main/java/org/owasp/webgoat/MvcConfiguration.java    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
index fd2bf0333..e26aa0b5e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
@@ -58,6 +58,8 @@ import java.io.File;
  */
 @Configuration
 public class MvcConfiguration extends WebMvcConfigurerAdapter {
+	
+	private static final String UTF8 = "UTF-8";
 
     @Autowired
     @Qualifier("pluginTargetDirectory")
@@ -80,6 +82,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         resolver.setSuffix(".html");
         resolver.setOrder(1);
         resolver.setCacheable(false);
+        resolver.setCharacterEncoding(UTF8);
         resolver.setApplicationContext(applicationContext);
         return resolver;
     }
@@ -89,6 +92,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory, resourceLoader);
         resolver.setOrder(2);
         resolver.setCacheable(false);
+        resolver.setCharacterEncoding(UTF8);
         return resolver;
     }
 
@@ -97,6 +101,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language);
         resolver.setCacheable(false);
         resolver.setOrder(3);
+        resolver.setCharacterEncoding(UTF8);
         return resolver;
     }
 

From b65644edee7f1120a698e60ea111ed4be68ff8ba Mon Sep 17 00:00:00 2001
From: Rene Zubcevic <git@zubcevic.com>
Date: Mon, 22 Jul 2019 12:16:18 +0200
Subject: [PATCH 6/7] progress fix for SqlInjectionMitigations

---
 .../webgoat/plugin/mitigation/Servers.java    |  2 +-
 .../mitigation/SqlInjectionLesson10a.java     |  2 +-
 .../mitigation/SqlInjectionLesson10b.java     |  2 +-
 .../mitigation/SqlInjectionLesson12a.java     |  2 +-
 .../html/SqlInjectionMitigations.html         |  6 ++---
 .../mitigation/SqlInjectionLesson12aTest.java | 22 +++++++++----------
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
index cb7ee35c0..cef07f2c4 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java
@@ -20,7 +20,7 @@ import java.util.List;
  * @since 6/13/17.
  */
 @RestController
-@RequestMapping("SqlInjection/servers")
+@RequestMapping("SqlInjectionMitigations/servers")
 public class Servers {
 
     @AllArgsConstructor
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
index 57add71e3..1c531e2df 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-@AssignmentPath("SqlInjection/attack10a")
+@AssignmentPath("SqlInjectionMitigations/attack10a")
 @Slf4j
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
index 3b358c99a..b47c7580c 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@@ -18,7 +18,7 @@ import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-@AssignmentPath("SqlInjection/attack10b")
+@AssignmentPath("SqlInjectionMitigations/attack10b")
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
index 8d1820cdd..d99be9505 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
@@ -20,7 +20,7 @@ import java.sql.*;
  * @author nbaars
  * @since 6/13/17.
  */
-@AssignmentPath("SqlInjection/attack12a")
+@AssignmentPath("SqlInjectionMitigations/attack12a")
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
 @Slf4j
 public class SqlInjectionLesson12a extends AssignmentEndpoint {
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
index 6f17f56ea..92cc1eca7 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@@ -23,7 +23,7 @@
     <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_completion.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10a" enctype="application/json;charset=UTF-8">
+        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a" enctype="application/json;charset=UTF-8">
             <div>
                 <p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
                 <p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
@@ -42,7 +42,7 @@
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
     <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
-        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
+        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b" enctype="application/json;charset=UTF-8">
             <div>
                 <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
                 <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
@@ -78,7 +78,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack12a"
+              action="/WebGoat/SqlInjectionMitigations/attack12a"
               enctype="application/json;charset=UTF-8">
             <div class="container-fluid">
                 <div class="row">
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
index cee8e8c13..974d48b7f 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java
@@ -38,7 +38,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void knownAccountShouldDisplayData() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "id"))
 
                 .andExpect(status().isOk());
@@ -46,7 +46,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressCorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
@@ -54,17 +54,17 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
@@ -72,7 +72,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
@@ -80,7 +80,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void trueShouldSortByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
 
                 .andExpect(status().isOk())
@@ -89,7 +89,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void falseShouldSortById() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
 
                 .andExpect(status().isOk())
@@ -98,7 +98,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressIncorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
@@ -106,7 +106,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "104.130.219.202"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
@@ -114,7 +114,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void postingWrongAnswerShouldNotPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "192.168.219.202"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));

From 7ad3996f2fe1905107d7b24d7f3c369e794e7d76 Mon Sep 17 00:00:00 2001
From: Rene Zubcevic <git@zubcevic.com>
Date: Mon, 22 Jul 2019 15:36:31 +0200
Subject: [PATCH 7/7] fix 6a6b page

---
 .../owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java    | 2 +-
 .../src/main/resources/html/SqlInjectionAdvanced.html          | 2 +-
 .../webgoat/plugin/introduction/SqlInjectionLesson6aTest.java  | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
index 9bf990d3c..f2affbeee 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java
@@ -83,7 +83,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
                     if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
                         output.append(appendingWhenSucceded);
-                        return trackProgress(informationMessage().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
+                        return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
                     } else {
                         return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
                     }
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
index de3c4dee2..bca28bd63 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@@ -18,7 +18,7 @@
     <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="att-form" accept-charset="UNKNOWN"
+        <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
               action="/WebGoat/SqlInjectionAdvanced/attack6a"
               enctype="application/json;charset=UTF-8">
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
index be88f4b75..dc65e7eb3 100644
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
@@ -62,7 +62,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
         mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith'; SELECT * from user_system_data; --"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
                 .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
     }
 
@@ -82,6 +82,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
                 .param("userid_6a", "S'; Select * from user_system_data; --"))
 
                 .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
                 .andExpect(jsonPath("$.feedback", containsString("UNION")));
     }
 }
\ No newline at end of file