Merge pull request #620 from zubcevic/july2019-bugfixes

increased sql form fields and fixed chrome progress

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -59,6 +59,8 @@ import java.io.File;
 @Configuration
 public class MvcConfiguration extends WebMvcConfigurerAdapter {
 	
+	private static final String UTF8 = "UTF-8";
+
     @Autowired
     @Qualifier("pluginTargetDirectory")
     private File pluginTargetDirectory;
@@ -80,6 +82,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         resolver.setSuffix(".html");
         resolver.setOrder(1);
         resolver.setCacheable(false);
+        resolver.setCharacterEncoding(UTF8);
         resolver.setApplicationContext(applicationContext);
         return resolver;
     }
@@ -89,6 +92,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory, resourceLoader);
         resolver.setOrder(2);
         resolver.setCacheable(false);
+        resolver.setCharacterEncoding(UTF8);
         return resolver;
     }
 
@@ -97,6 +101,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language);
         resolver.setCacheable(false);
         resolver.setOrder(3);
+        resolver.setCharacterEncoding(UTF8);
         return resolver;
     }
 

webgoat-container/src/main/resources/static/css/main.css

@@ -1001,9 +1001,15 @@ cookie-container {
     margin: 3px;
 }
 
+@keyframes blink { 
+   50% { border-color: white; } 
+}
+
 .cur-page {
-    border-bottom: 2px solid #000;
+    animation: blink 1.5s 2 forwards;
+    border: 3px solid blue;
     color:#aaa;
+    background-color: lightsalmon;
 }
 
 span.show-next-page, span.show-prev-page {

webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java

@@ -3,6 +3,7 @@ package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -21,7 +22,16 @@ public class NetworkDummy extends AssignmentEndpoint {
   @RequestMapping(method = RequestMethod.POST)
   public
   @ResponseBody
-  AttackResult completed(@RequestParam String networkNum) throws IOException {
+  AttackResult completed(@RequestParam String successMessage) throws IOException {
-    return trackProgress(failed().feedback("network.request").build());
+	  
+	  UserSessionData userSessionData = getUserSessionData();
+      String answer = (String) userSessionData.getValue("randValue");
+
+      if (successMessage!=null && successMessage.equals(answer)) {
+          return trackProgress(success().feedback("xss-dom-message-success").build());
+      } else {
+          return trackProgress(failed().feedback("xss-dom-message-failure").build());
+      }
+	    
   }
 }

webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java

@@ -4,6 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -21,7 +22,7 @@ import java.io.IOException;
 @AssignmentHints({"networkHint1", "networkHint2"})
 public class NetworkLesson extends AssignmentEndpoint {
 
-  @RequestMapping(method = RequestMethod.POST)
+  @RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
   public
   @ResponseBody
   AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
@@ -31,4 +32,11 @@ public class NetworkLesson extends AssignmentEndpoint {
       return trackProgress(failed().feedback("network.failed").build());
     }
   }
+  
+  @RequestMapping(method = RequestMethod.POST, params="networkNum")
+  public
+  @ResponseBody
+  ResponseEntity<?> ok(@RequestParam String networkNum) throws IOException {
+	  return ResponseEntity.ok().build();
+  }
 }

webgoat-lessons/chrome-dev-tools/src/main/resources/html/ChromeDevTools.html

@@ -2,25 +2,29 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
+<!-- 1 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_intro.adoc"></div>
 </div>
 
+<!-- 2 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_elements.adoc"></div>
 </div>
 
+<!-- 3 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_console.adoc"></div>
 </div>
 
+<!-- 4 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="DOMFollowUp"
-              action="/WebGoat/CrossSiteScripting/dom-follow-up"
+              action="/WebGoat/ChromeDevTools/dummy"
               enctype="application/json;charset=UTF-8">
             <input name="successMessage" value="" type="TEXT" />
             <input name="submitMessage" value="Submit" type="SUBMIT"/>
@@ -30,17 +34,19 @@
     </div>
 </div>
 
+<!-- 5 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_sources.adoc"></div>
 </div>
 
+<!-- 6 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:ChromeDevTools_Assignment_Network.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/ChromeDevTools/dummy"
+              action="/WebGoat/ChromeDevTools/network"
               enctype="application/json;charset=UTF-8">
             <script>
                 // sample custom javascript in the recommended way ...
@@ -79,35 +85,4 @@
     </div>
 </div>
 
-<!--
-<div class="lesson-page-wrapper">
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/HttpBasics/attack1"
-              enctype="application/json;charset=UTF-8">
-            <script>
-                console.log("in listener");
-                document.getElementById("butn").addEventListener("click", function() {
-                    document.getElementById("inp").value = Math.random() * 100;
-                });
-            </script>
-            <table>
-                <tr>
-                    <td>Click this Button to make a request</td>
-                    <td><Button id="butn"></Button></td>
-                    <td><input id="inp" name="networkNumber" value="" type="hidden"/><input
-                            name="SUBMIT" value="Go!" type="SUBMIT" /></td>
-                </tr>
-                <tr>
-                    <td>The Network Number is:</td>
-                    <td><input name="number" value="" type="text" /></td>
-                    <td><button type="submit" formaction="/WebGoat/ChromeDevTools/network">Check</button></td>
-                </tr>
-            </table>
-        </form>
-    </div>
-</div>
--->
 </html>

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java

@@ -20,7 +20,7 @@ import java.sql.*;
  * @author nbaars
  * @since 4/8/17.
  */
-@AssignmentPath("SqlInjection/challenge")
+@AssignmentPath("/SqlInjectionAdvanced/challenge")
 @AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
 @Slf4j
 public class SqlInjectionChallenge extends AssignmentEndpoint {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java

@@ -17,7 +17,7 @@ import java.sql.*;
 
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
-@AssignmentPath("SqlInjection/challenge_Login")
+@AssignmentPath("/SqlInjectionAdvanced/challenge_Login")
 @Slf4j
 @AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
 public class SqlInjectionChallengeLogin extends AssignmentEndpoint {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6a.java

@@ -42,7 +42,7 @@ import java.sql.*;
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created October 28, 2003
  */
-@AssignmentPath("/SqlInjection/attack6a")
+@AssignmentPath("/SqlInjectionAdvanced/attack6a")
 @AssignmentHints(value = {"SqlStringInjectionHint-advanced-6a-1", "SqlStringInjectionHint-advanced-6a-2", "SqlStringInjectionHint-advanced-6a-3",
 "SqlStringInjectionHint-advanced-6a-4"})
 public class SqlInjectionLesson6a extends AssignmentEndpoint {
@@ -83,7 +83,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
 
                     if (output.toString().contains("dave") && output.toString().contains("passW0rD")) {
                         output.append(appendingWhenSucceded);
-                        return trackProgress(informationMessage().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
+                        return trackProgress(success().feedback("sql-injection.advanced.6a.success").feedbackArgs(output.toString()).output(" Your query was: " + query).build());
                     } else {
                         return trackProgress(failed().output(output.toString() + "<br> Your query was: " + query).build());
                     }

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionLesson6b.java

@@ -47,7 +47,7 @@ import java.sql.Statement;
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @created October 28, 2003
  */
-@AssignmentPath("/SqlInjection/attack6b")
+@AssignmentPath("/SqlInjectionAdvanced/attack6b")
 public class SqlInjectionLesson6b extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionQuiz.java

@@ -21,7 +21,7 @@ import java.sql.Statement;
  * 3. add Request param with name of question to method head
  * For a more detailed description how to implement the quiz go to the quiz.js file in webgoat-container -> js
  */
-@AssignmentPath("/SqlInjection/quiz")
+@AssignmentPath("/SqlInjectionAdvanced/quiz")
 public class SqlInjectionQuiz extends AssignmentEndpoint {
 
     String[] solutions = {"Solution 4", "Solution 3", "Solution 2", "Solution 3", "Solution 4"};

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/Servers.java

@@ -20,7 +20,7 @@ import java.util.List;
  * @since 6/13/17.
  */
 @RestController
-@RequestMapping("SqlInjection/servers")
+@RequestMapping("SqlInjectionMitigations/servers")
 public class Servers {
 
     @AllArgsConstructor

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java

@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-@AssignmentPath("SqlInjection/attack10a")
+@AssignmentPath("SqlInjectionMitigations/attack10a")
 @Slf4j
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10a-1", "SqlStringInjectionHint-mitigation-10a-10a2"})
 public class SqlInjectionLesson10a extends AssignmentEndpoint {

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java

@@ -18,7 +18,7 @@ import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-@AssignmentPath("SqlInjection/attack10b")
+@AssignmentPath("SqlInjectionMitigations/attack10b")
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java

@@ -20,7 +20,7 @@ import java.sql.*;
  * @author nbaars
  * @since 6/13/17.
  */
-@AssignmentPath("SqlInjection/attack12a")
+@AssignmentPath("SqlInjectionMitigations/attack12a")
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-12a-1", "SqlStringInjectionHint-mitigation-12a-2", "SqlStringInjectionHint-mitigation-12a-3", "SqlStringInjectionHint-mitigation-12a-4"})
 @Slf4j
 public class SqlInjectionLesson12a extends AssignmentEndpoint {

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjection.html

@@ -21,7 +21,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>
@@ -46,7 +46,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>
@@ -71,7 +71,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>
@@ -96,7 +96,7 @@
             <table>
                 <tr>
                     <td><label>SQL query</label></td>
-                    <td><input name="query" value="" type="TEXT" placeholder="SQL query"/></td>
+                    <td width="100%"><input class="form-control" name="query" value="" type="TEXT" placeholder="SQL query"/></td>
                 </tr>
                 <tr>
                     <td><button type="SUBMIT">Submit</button></td>

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html

@@ -3,22 +3,24 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/assignments.css}"/>
 
+<!-- 1 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjectionAdvanced_plan.adoc"></div>
 </div>
 
-
+<!-- 2 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content6.adoc"></div>
 </div>
 
+<!-- 3 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content6a.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6a"
+              action="/WebGoat/SqlInjectionAdvanced/attack6a"
               enctype="application/json;charset=UTF-8">
             <table>
                 <tr>
@@ -30,14 +32,9 @@
                 </tr>
             </table>
         </form>        
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack6b"
+              action="/WebGoat/SqlInjectionAdvanced/attack6b"
               enctype="application/json;charset=UTF-8">
             <table>
                 <tr>
@@ -54,6 +51,7 @@
     </div>
 </div>
 
+<!-- 4 -->
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_content6c.adoc"></div>
 </div>
@@ -83,7 +81,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="SqlInjection/challenge_Login"
+                                          action="/WebGoat/SqlInjectionAdvanced/challenge_Login"
                                           enctype="application/json;charset=UTF-8" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
@@ -119,7 +117,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          action="SqlInjection/challenge"
+                                          action="/WebGoat/SqlInjectionAdvanced/challenge"
                                           enctype="application/json;charset=UTF-8" style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"
@@ -172,7 +170,7 @@
             <div class="container-fluid">
                 <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                       method="POST" name="form"
-                      action="SqlInjection/quiz"
+                      action="/WebGoat/SqlInjectionAdvanced/quiz"
                       enctype="application/json;charset=UTF-8" role="form">
                     <div id="q_container"></div>
                     <br />

webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html

@@ -23,7 +23,7 @@
     <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_completion.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10a" enctype="application/json;charset=UTF-8">
+        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10a" enctype="application/json;charset=UTF-8">
             <div>
                 <p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
                 <p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
@@ -42,7 +42,7 @@
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
     <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
-        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
+        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjectionMitigations/attack10b" enctype="application/json;charset=UTF-8">
             <div>
                 <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
                 <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
@@ -78,7 +78,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="/WebGoat/SqlInjection/attack12a"
+              action="/WebGoat/SqlInjectionMitigations/attack12a"
               enctype="application/json;charset=UTF-8">
             <div class="container-fluid">
                 <div class="row">

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java

@@ -30,7 +30,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void wrongSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "John"))
 
                 .andExpect(status().isOk())
@@ -39,7 +39,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void wrongNumberOfColumns() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --"))
 
                 .andExpect(status().isOk())
@@ -49,7 +49,7 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void wrongDataTypeOfColumns() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
 
                 .andExpect(status().isOk())
@@ -59,16 +59,16 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void correctSolution() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith'; SELECT * from user_system_data; --"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.lessonCompleted", is(false)))
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
                 .andExpect(jsonPath("$.feedback", containsString("passW0rD")));
     }
 
     @Test
     public void noResultsReturned() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "Smith' and 1 = 2 --"))
 
                 .andExpect(status().isOk())
@@ -78,10 +78,11 @@ public class SqlInjectionLesson6aTest extends LessonTest {
 
     @Test
     public void noUnionUsed() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6a")
                 .param("userid_6a", "S'; Select * from user_system_data; --"))
 
                 .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", is(true)))
                 .andExpect(jsonPath("$.feedback", containsString("UNION")));
     }
 }

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6bTest.java

@@ -29,7 +29,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
 
     @Test
     public void submitCorrectPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
                 .param("userid_6b", "passW0rD"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
@@ -37,7 +37,7 @@ public class SqlInjectionLesson6bTest extends LessonTest {
 
     @Test
     public void submitWrongPassword() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6b")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionAdvanced/attack6b")
                 .param("userid_6b", "John"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));

webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12aTest.java

@@ -38,7 +38,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void knownAccountShouldDisplayData() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "id"))
 
                 .andExpect(status().isOk());
@@ -46,7 +46,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressCorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '104.%' THEN hostname ELSE id END"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
@@ -54,17 +54,17 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressCorrectShouldOrderByHostnameUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '1') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,2,1) = '0') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
 
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,3,1) = '4') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-acc")));
@@ -72,7 +72,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressIncorrectShouldOrderByIdUsingSubstr() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "case when (select ip from servers where hostname='webgoat-prd' and substr(ip,1,1) = '9') IS NOT NULL then hostname else id end"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
@@ -80,7 +80,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void trueShouldSortByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
 
                 .andExpect(status().isOk())
@@ -89,7 +89,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void falseShouldSortById() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "(case when (true) then hostname else id end)"))
 
                 .andExpect(status().isOk())
@@ -98,7 +98,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void addressIncorrectShouldOrderByHostname() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjection/servers")
+        mockMvc.perform(MockMvcRequestBuilders.get("/SqlInjectionMitigations/servers")
                 .param("column", "CASE WHEN (SELECT ip FROM servers WHERE hostname='webgoat-prd') LIKE '192.%' THEN hostname ELSE id END"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$[0].hostname", is("webgoat-dev")));
@@ -106,7 +106,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void postingCorrectAnswerShouldPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "104.130.219.202"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
@@ -114,7 +114,7 @@ public class SqlInjectionLesson12aTest extends LessonTest {
 
     @Test
     public void postingWrongAnswerShouldNotPassTheLesson() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack12a")
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjectionMitigations/attack12a")
                 .param("ip", "192.168.219.202"))
 
                 .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));