Let user-composed (CSRF) attacks send one-request actions, as opposed to the address bar MVC links requesting lessons. The lesson display servlets have javascript that requests data and actions.

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -626,18 +626,37 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
     /**
      * Get the link that can be used to request this screen.
      *
+     * Rendering the link in the browser may result in Javascript sending
+     * additional requests to perform necessary actions or to obtain data
+     * relevant to the lesson or the element of the lesson selected by the
+     * user.  Thanks to using the hash mark "#" and Javascript handling the
+     * clicks, the user will experience less waiting as the pages do not have
+     * to reload entirely.
+     *
      * @return a {@link java.lang.String} object.
      */
     public String getLink() {
-        StringBuffer link = new StringBuffer();
+        StringBuffer link = new StringBuffer(getPath());
 
         // mvc update:
-        link.append(getPath()).append("/");
-        link.append(getScreenId());
-        link.append("/");
-        link.append(getCategory().getRanking());
+        return link
+            .append("/").append(getScreenId())
+            .append("/").append(getCategory().getRanking()).toString();
+    }
 
-        return link.toString();
+    /**
+     * Get the link to the target servlet.
+     *
+     * Unlike getLink() this method does not require rendering the output of
+     * the request to the link in order to execute the servlet's method with
+     * conventional HTTP query parameters.
+     */
+    public String getServletLink() {
+        StringBuffer link = new StringBuffer("attack");
+
+        return link
+            .append("?Screen=").append(getScreenId())
+            .append("&menu=").append(getCategory().getRanking()).toString();
     }
 
     /**

webgoat-container/src/test/java/org/owasp/webgoat/lessons/AbstractLessonTest.java

@@ -0,0 +1,62 @@
+package org.owasp.webgoat.lessons;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.hamcrest.CoreMatchers;
+import org.junit.Test;
+import org.owasp.webgoat.session.WebSession;
+
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertThat;
+
+public class AbstractLessonTest  {
+
+    private AbstractLesson lesson = new AbstractLesson() {
+        protected Element createContent(WebSession s) {
+            return new ElementContainer();
+        }
+        public Category getCategory() {
+            return Category.XSS;
+        }
+        protected Integer getDefaultRanking() { 
+            return new Integer(5);
+        }
+        protected Category getDefaultCategory() {
+            return Category.INTRODUCTION;
+        }
+        protected boolean getDefaultHidden() {
+            return false;
+        }
+        protected List<String> getHints(WebSession s) {
+            return Arrays.<String>asList();
+        }
+        public String getInstructions(WebSession s) {
+            return "Instructions";
+        }
+        public String getTitle() {
+            return "title";
+        }
+        public String getCurrentAction(WebSession s) {
+            return "an action";
+        }
+        public void restartLesson() {
+        }
+        public void setCurrentAction(WebSession s, String lessonScreen) {
+        }
+    };
+
+    @Test
+    public void testLinks() {
+        String mvcLink = lesson.getLink();
+        assertThat(mvcLink, CoreMatchers.startsWith("#attack/"));
+        assertThat(mvcLink, CoreMatchers.endsWith("/900"));
+
+        String srvLink = lesson.getServletLink();
+        assertThat(srvLink, CoreMatchers.startsWith("attack?Screen="));
+        assertThat(srvLink, CoreMatchers.endsWith("&menu=900"));
+    }
+}
+
+