fix: JWT kid/jku lessons (#1949)

* refactor: rewrite hints Use active voice and fix grammar issues. * fix: use Thymeleaf `th:action` * fix: JWT kid/jku lessons Split the JavaScript into two files they pointed to the same URL The JWTs are now valid, they parse successfully. The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap. Closes: #1715 * fix: update to latest pre-commit version * fix: increase timeouts for server to start during integration tests
2024-11-07 15:45:33 +01:00 · 2024-11-07 15:45:33 +01:00 · e1e00bca73
commit e1e00bca73
parent d59153d6d7
46 changed files with 133 additions and 122 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -26,7 +26,7 @@ jobs:
                    distribution: 'temurin'
                    java-version: '21'
            -   name: Pre-commit checks
-                uses: pre-commit/action@v3.0.0
+                uses: pre-commit/action@v3.0.1
            -   name: pre-commit-ci-lite
                uses: pre-commit-ci/lite-action@v1.1.0
                if: always()
--- a/pom.xml
+++ b/pom.xml
@ -93,7 +93,7 @@
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
-    <waittimeForServerStart>30</waittimeForServerStart>
+    <waittimeForServerStart>60</waittimeForServerStart>
    <webdriver.version>5.9.2</webdriver.version>
    <webgoat.context>/</webgoat.context>
    <webgoat.sslenabled>false</webgoat.sslenabled>
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
-@RequestMapping("/JWT/jku")
+@RequestMapping("/JWT/")
@RestController
@AssignmentHints({
  "jwt-jku-hint1",
@ -30,7 +30,7 @@ import org.springframework.web.bind.annotation.RestController;
 })
 public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
-  @PostMapping("/follow/{user}")
+  @PostMapping("jku/follow/{user}")
  public @ResponseBody String follow(@PathVariable("user") String user) {
    if ("Jerry".equals(user)) {
      return "Following yourself seems redundant";
@ -39,7 +39,7 @@ public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
    }
  }
-  @PostMapping("/delete")
+  @PostMapping("jku/delete")
  public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
    if (StringUtils.isEmpty(token)) {
      return failed(this).feedback("jwt-invalid-token").build();
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
@ -52,7 +52,7 @@ import org.springframework.web.bind.annotation.RestController;
  "jwt-kid-hint5",
  "jwt-kid-hint6"
 })
-@RequestMapping("/JWT/kid")
+@RequestMapping("/JWT/")
 public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
  private final LessonDataSource dataSource;
@ -61,7 +61,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
    this.dataSource = dataSource;
  }
-  @PostMapping("/follow/{user}")
+  @PostMapping("kid/follow/{user}")
  public @ResponseBody String follow(@PathVariable("user") String user) {
    if ("Jerry".equals(user)) {
      return "Following yourself seems redundant";
@ -70,7 +70,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
    }
  }
-  @PostMapping("/delete")
+  @PostMapping("kid/delete")
  public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
    if (StringUtils.isEmpty(token)) {
      return failed(this).feedback("jwt-invalid-token").build();
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@ -22,6 +22,8 @@
 package org.owasp.webgoat.lessons.passwordreset;
 import static org.springframework.util.StringUtils.hasText;
 import com.google.common.collect.Maps;
 import java.util.ArrayList;
 import java.util.HashMap;
@ -117,7 +119,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
      BindingResult bindingResult,
      @CurrentUsername String username) {
    ModelAndView modelAndView = new ModelAndView();
-    if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
+    if (!hasText(form.getPassword())) {
      bindingResult.rejectValue("password", "not.empty");
    }
    if (bindingResult.hasErrors()) {
--- a/src/main/resources/lessons/authbypass/html/AuthBypass.html
+++ b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@ -23,7 +23,7 @@
            <form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
                  method="POST" name="form"
                  successCallback="onBypassResponse"
-                  action="auth-bypass/verify-account">
+                  th:action="@{/auth-bypass/verify-account}">
                <p>Verify Your Account by answering the questions below:</p>
                <p>What is the name of your favorite teacher?</p>
@ -43,7 +43,7 @@
            <form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
                  method="POST" name="form"
                  successCallback="onBypassResponse"
-                  action="auth-bypass/verify-account"
+                  th:action="@{/auth-bypass/verify-account}"
                  style="display:none"><!-- start off hidden -->
                <p>Please provide a new password for your account</p>
--- a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
+++ b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
@ -18,7 +18,7 @@
        <div class="container-fluid">
            <form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
                  method="POST"
-                  action="BypassRestrictions/FieldRestrictions">
+                  th:action="@{/BypassRestrictions/FieldRestrictions}">
                <div class="bypass-input-container"><b>Select field with two possible value</b>
                    <div class="input-group">
--- a/src/main/resources/lessons/challenges/html/Challenge1.html
+++ b/src/main/resources/lessons/challenges/html/Challenge1.html
@ -17,7 +17,7 @@
                <div class="panel-body">
                    <form class="attack-form" accept-charset="UNKNOWN"
                          method="POST" name="form"
-                          action="challenge/1"
+                          th:action="@{/challenge/1}"
                          style="width: 200px;">
                        <div class="form-group">
@ -37,7 +37,7 @@
            </div>
        </div>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/1">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/1}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
--- a/src/main/resources/lessons/challenges/html/Challenge5.html
+++ b/src/main/resources/lessons/challenges/html/Challenge5.html
@ -25,7 +25,7 @@
                                <div class="col-lg-12">
                                    <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="POST" name="form"
-                                          action="challenge/5" role="form">
+                                          th:action="@{/challenge/5}" role="form">
                                        <div class="form-group">
                                            <input type="text" name="username_login" id="username4" tabindex="1"
                                                   class="form-control" placeholder="Username" value=""/>
@ -66,7 +66,7 @@
            </div>
        </div>
        <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/5">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/5}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
--- a/src/main/resources/lessons/challenges/html/Challenge6.html
+++ b/src/main/resources/lessons/challenges/html/Challenge6.html
@ -29,7 +29,7 @@
                                <div class="col-lg-12">
                                    <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="POST" name="form"
-                                          action="challenge/6" role="form">
+                                          th:action="@{/challenge/6}" role="form">
                                        <div class="form-group">
                                            <input type="text" name="username_login" id="username4" tabindex="1"
                                                   class="form-control" placeholder="Username" value=""/>
@ -64,7 +64,7 @@
                                    </form>
                                    <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="PUT" name="form"
-                                          action="challenge/6" style="display: none;" role="form">
+                                          th:action="@{/challenge/6}" style="display: none;" role="form">
                                        <div class="form-group">
                                            <input type="text" name="username_reg" id="username" tabindex="1"
                                                   class="form-control" placeholder="Username" value=""/>
@ -99,7 +99,7 @@
            </div>
        </div>
        <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/6">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/6}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
--- a/src/main/resources/lessons/challenges/html/Challenge7.html
+++ b/src/main/resources/lessons/challenges/html/Challenge7.html
@ -28,7 +28,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
                                    <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="POST" name="form"
-                                          action="challenge/7" role="form">
+                                          th:action="@{/challenge/7}" role="form">
                                        <div class="form-group">
                                            <div class="input-group">
@ -57,7 +57,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
            </div>
        </div>
        <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/7">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/7}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
--- a/src/main/resources/lessons/challenges/html/Challenge8.html
+++ b/src/main/resources/lessons/challenges/html/Challenge8.html
@ -231,7 +231,7 @@
        </div>
        <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/8">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/8}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
--- a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
+++ b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
@ -24,7 +24,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="DOMFollowUp"
-              action="ChromeDevTools/dummy">
+              th:action="@{/ChromeDevTools/dummy}">
            <input name="successMessage" value="" type="TEXT" />
            <input name="submitMessage" value="Submit" type="SUBMIT"/>
        </form>
@ -45,7 +45,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="ChromeDevTools/network">
+              th:action="@{/chromeDevTools/network}">
            <script>
                // sample custom javascript in the recommended way ...
                // a namespace has been assigned for it, but you can roll your own if you prefer
@ -66,7 +66,7 @@
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="ChromeDevTools/network">
+              th:action="@{/chromeDevTools/network}">
            <table>
                <tr>
                    <td>What is the number you found:   </td>
--- a/src/main/resources/lessons/cia/html/CIA.html
+++ b/src/main/resources/lessons/cia/html/CIA.html
@ -29,7 +29,7 @@
        <div class="container-fluid">
            <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                  method="POST" name="form"
-                  action="cia/quiz" role="form">
+                  th:action="@{/cia/quiz}" role="form">
                <div id="q_container"></div>
                <br />
                <input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
--- a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
+++ b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
@ -14,7 +14,7 @@
        <input type="hidden" id="user_id" value="102"/>
        <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
-              action="clientSideFiltering/attack1">
+              th:action="@{/clientSideFiltering/attack1}">
            <link rel="stylesheet" type="text/css"
                  th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
            <script th:src="@{/lesson_js/clientSideFiltering.js}"
--- a/src/main/resources/lessons/cryptography/html/Cryptography.html
+++ b/src/main/resources/lessons/cryptography/html/Cryptography.html
@ -28,7 +28,7 @@ $(document).ready(initialise);
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			Now suppose you have intercepted the following header:<br/>
 			<div id="basicauthtoken" ></div><br/>
-			<form class="attack-form" method="POST" name="form"	action="crypto/encoding/basic-auth">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/encoding/basic-auth}">
 			Then what was the username
 			<input name="answer_user" value="" type="TEXT"/>
 			and what was the password:
@ -45,7 +45,7 @@ $(document).ready(initialise);
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/encoding/xor">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/encoding/xor}">
 			Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
 			What would be the actual password
 			<input name="answer_pwd1" value="" type="TEXT"/><br/>
@ -62,7 +62,7 @@ $(document).ready(initialise);
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/hashing">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/hashing}">
 			Which password belongs to this hash: <div id="md5token" ></div>
 			<input name="answer_pwd1" value="" type="TEXT"/><br/>
 			Which password belongs to this hash: <div id="sha256token" ></div>
@ -87,7 +87,7 @@ $(document).ready(initialise);
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			Now suppose you have the following private key:<br/>
 			<pre><div id="privatekey" ></div></pre><br/>
-			<form class="attack-form" method="POST" name="form"	action="crypto/signing/verify">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/signing/verify}">
 			Then what was the modulus of the public key
 			<input name="modulus" value="" type="TEXT"/>
 			and now provide a signature for us based on that modulus
@ -110,7 +110,7 @@ $(document).ready(initialise);
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/secure/defaults">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/secure/defaults}">
 			What is the unencrypted message<br/>
 			<input name="secretText" value="" type="TEXT"/><br/>
 			and what is the name of the file that stored the password <br/>
--- a/src/main/resources/lessons/csrf/html/CSRF.html
+++ b/src/main/resources/lessons/csrf/html/CSRF.html
@ -17,7 +17,7 @@
          method="POST" name="form1"
          target="_blank"
          successCallback=""
-          action="csrf/basic-get-flag">
+          th:action="@{/csrf/basic-get-flag}">
        <input name="csrf" type="hidden" value="false"/>
        <input type="submit" name="submit"/>
@ -35,7 +35,7 @@
        <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
              method="POST" name="form2"
              successCallback=""
-              action="csrf/confirm-flag-1">
+              th:action="@{/csrf/confirm-flag-1}">
            Confirm Flag Value:
            <input type="text" length="6" name="confirmFlagVal" value=""/>
@ -93,7 +93,7 @@
                            <form class="attack-form" accept-charset="UNKNOWN" id="csrf-review"
                                  method="POST" name="review-form"
                                  successCallback=""
-                                  action="csrf/review">
+                                  th:action="@{/csrf/review}">
                                <input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
                                       type="text"/>
                                <input class="form-control" id="reviewStars" name="stars" type="text"/>
@ -146,7 +146,7 @@
                            <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
                                  method="POST"
                                  prepareData="feedback"
-                                  action="csrf/feedback/message"
+                                  th:action="@{/csrf/feedback/message}"
                                  contentType="application/json">
                                <div class="row">
                                    <div class="col-md-6">
@ -212,7 +212,7 @@
        </div>
        <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
              method="POST" name="form2"
-              action="csrf/feedback">
+              th:action="@{/csrf/feedback}">
            Confirm Flag Value:
            <input type="text" length="6" name="confirmFlagVal" value=""/>
@ -236,7 +236,7 @@
        </div>
        <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
              method="POST" name="form2"
-              action="csrf/login">
+              th:action="@{/csrf/login}">
            Press the button below when your are logged in as the other user<br/>
--- a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
+++ b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
@ -25,7 +25,7 @@
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <form class="attack-form" accept-charset="UNKNOWN" name="task"
                  method="POST"
-                  action="InsecureDeserialization/task">
+                  th:action="@{/InsecureDeserialization/task}">
                <input type="textarea" rows="4" cols="40" value="" name="token" placeholder="token"/>
                <input type="submit" value="Submit" />
--- a/src/main/resources/lessons/hijacksession/templates/hijackform.html
+++ b/src/main/resources/lessons/hijacksession/templates/hijackform.html
@ -1,7 +1,7 @@
 <div class="row">
 	<div class="col-md-4">
 		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-			action="HijackSession/login">
+			th:action="@{/HijackSession/login}">
 			<div style="padding: 20px;" id="password-login">
 				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
 				<fieldset>
--- a/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
+++ b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
@ -13,7 +13,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
              method="POST"
-              action="HtmlTampering/task">
+              th:action="@{/HtmlTampering/task}">
            <script>
                var regex = /^2999.99$/;
                var price = 2999.99;
--- a/src/main/resources/lessons/httpbasics/html/HttpBasics.html
+++ b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
@ -21,10 +21,10 @@
            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 			<form class="attack-form" accept-charset="UNKNOWN"
 				method="POST" name="form"
-				action="HttpBasics/attack1">
+				th:action="@{/HttpBasics/attack1}">
 				<div id="lessonContent">
 					<form accept-charset="UNKNOWN" method="POST" name="form"
-						action="#attack/307/100">
+						th:action="@{/#attack/307/100}">
 						Enter Your Name: <input name="person" value="" type="TEXT"/><input
 							name="SUBMIT" value="Go!" type="SUBMIT"/>
 					</form>
@ -51,7 +51,7 @@
                <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 				<form class="attack-form" accept-charset="UNKNOWN"
 					method="POST" name="form"
-					action="HttpBasics/attack2">
+					th:action="@{/HttpBasics/attack2}">
 					<script>
 					    // sample custom javascript in the recommended way ...
 					    // a namespace has been assigned for it, but you can roll your own if you prefer
--- a/src/main/resources/lessons/httpproxies/html/HttpProxies.html
+++ b/src/main/resources/lessons/httpproxies/html/HttpProxies.html
@ -24,7 +24,7 @@
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
                  method="POST"
-                  action="HttpProxies/intercept-request">
+                  th:action="@{/HttpProxies/intercept-request}">
                <input type="text" value="doesn't matter really" name="changeMe" />
                <input type="submit" value="Submit" />
--- a/src/main/resources/lessons/idor/html/IDOR.html
+++ b/src/main/resources/lessons/idor/html/IDOR.html
@ -22,7 +22,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="IDOR/login">
+              th:action="@{/IDOR/login}">
            <table>
                <tr>
                    <td>user/pass</td>
@ -57,7 +57,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN"
              method="GET" name="form"
-              action="IDOR/profile">
+              th:action="@{/IDOR/profile}">
            <script th:src="@{/lesson_js/idor.js}" />
            <input name="View Profile" value="View Profile" type="button" onclick="onViewProfile();" />
@ -80,7 +80,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form"
              method="POST" name="diff-form"
-              action="IDOR/diff-attributes">
+              th:action="@{/IDOR/diff-attributes}">
            <input name="attributes" type="text" />
            <input name="Submit Diffs" value="Submit Diffs" type="submit" />
        </form>
@ -107,7 +107,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="IDOR/profile/alt-path">
+              th:action="@{/IDOR/profile/alt-path}">
            <div class="adoc-content" th:replace="~{doc:lessons/idor/documentation/IDOR_inputAltPath.adoc}"></div>
            <input name="url" value="WebGoat/" type="text"/>
            <input name="submit" value="Submit" type="SUBMIT"/>
@ -134,7 +134,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN" id="view-other"
              method="GET" name="view-other-profile"
-              action="IDOR/profile/{userId}">
+              th:action="@{/IDOR/profile/{userId}}">
            <script th:src="@{/lesson_js/idor.js}" />
            <input name="View Profile" value="View Profile" type="submit" />
@ -158,7 +158,7 @@
        <!-- modify the action to point to the intended endpoint -->
        <form class="attack-form" accept-charset="UNKNOWN" id="edit-other"
              method="GET" name="edit-other-profile"
-              action="IDOR/profile/{userId}">
+              th:action="@{/IDOR/profile/{userId}}">
            <script th:src="@{/lesson_js/idor.js}" />
            <input name="View Profile" value="View Profile" type="submit" />
--- a/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
+++ b/src/main/resources/lessons/insecurelogin/html/InsecureLogin.html
@ -17,7 +17,7 @@
            <script th:src="@{/lesson_js/credentials.js}"></script>
            <form class="attack-form" accept-charset="UNKNOWN" name="task"
                  method="POST"
-                  action="InsecureLogin/task">
+                  th:action="@{/InsecureLogin/task}">
                <button onclick="javascript:submit_secret_credentials();return false;">Log in</button>
@ -25,7 +25,7 @@
            <br></br>
            <form class="attack-form" accept-charset="UNKNOWN" name="task"
                  method="POST"
-                  action="InsecureLogin/task">
+                  th:action="@{/InsecureLogin/task}">
                <input type="text" value="" name="username" placeholder="username"/>
                <input type="password" value="" name="password" placeholder="password" />
--- a/src/main/resources/lessons/jwt/html/JWT.html
+++ b/src/main/resources/lessons/jwt/html/JWT.html
@ -17,7 +17,7 @@
    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_decode.adoc}"></div>
    <div class="attack-container">
        <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
-        <form id="decode" class="attack-form" method="POST" name="form" action="JWT/decode">
+        <form id="decode" class="attack-form" method="POST" name="form" th:action="@{/JWT/decode}">
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <br>
            <div class="row">
@ -53,7 +53,7 @@
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST"
              successCallback="jwtSigningCallback"
-              action="JWT/votings">
+              th:action="@{/JWT/votings}">
            <div class="container-fluid">
                <div class="row">
@ -124,7 +124,7 @@
        <div class="container-fluid">
            <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                  method="POST" name="form"
-                  action="JWT/quiz"
+                  th:action="@{/JWT/quiz}"
                  role="form">
                <div id="q_container"></div>
                <br/>
@ -155,7 +155,7 @@
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" method="POST" name="form" action="JWT/secret">
+        <form class="attack-form" method="POST" name="form" th:action="@{/JWT/secret}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
@ -192,7 +192,7 @@
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST"
              additionalHeaders="addBearerToken"
-              action="JWT/refresh/checkout">
+              th:action="@{/JWT/refresh/checkout}">
            <div class="container-fluid">
                <div class="row">
                    <div class="col-sm-12 col-md-10 col-md-offset-1">
@ -314,12 +314,13 @@
    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_claim_misuse_jku_assignment.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/jwt-jku.js}"></script>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST"
-              action="JWT/final/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_wOGlg-BYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ">
+              th:action="@{/JWT/jku/delete?token=eyJ0eXAiOiJKV1QiLCJqa3UiOiJodHRwczovL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tL3dlYmdvYXQvLndlbGwta25vd24vandrcy5qc29uIiwiYWxnIjoiUlMyNTYifQ.ewogICJpc3MiOiAiV2ViR29hdCBUb2tlbiBCdWlsZGVyIiwKICAiaWF0IjogMTUyNDIxMDkwNCwKICAiZXhwIjogMTYxODkwNTMwNCwKICAiYXVkIjogIndlYmdvYXQub3JnIiwKICAic3ViIjogImplcnJ5QHdlYmdvYXQuY29tIiwKICAidXNlcm5hbWUiOiAiSmVycnkiLAogICJFbWFpbCI6ICJqZXJyeUB3ZWJnb2F0LmNvbSIsCiAgIlJvbGUiOiBbCiAgICAiQ2F0IgogIF0KfQ.SabvRaYSCW7xI0ueca19TL1e66cJIJaxRiydK2G5lgFMIbL5gQQjE6022HEha9HcprqFXyHbtXrQWRXAp6Gjaf5zs8LUMBMARWjEr8TS43ihguarmLLmvBCoqjiZY39o4EcEjEH9xAoyIYR_Trh7kXn6JVU-8MM76l9IOcYIJ9c8LqT1ERNmbCqtI4PP0tdqCy99nHhqlxSCVXaGDF0jMHV5kjCDSHNYib9riy9xZ63Sztify-bwPqRvxmaShPYtG4BBM_WOGlg-bYTTuws-6yISMfTB5U1WBDwLr6dLU123TGO26wCVBgTKbA0KKG94-ToOcneWLOTEacEfQQOlIQ}">
            <div class="container-fluid">
                <div id="toast"></div>
                <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
@ -380,12 +381,12 @@
    <div class="adoc-content" th:replace="~{doc:lessons/jwt/documentation/JWT_claim_misuse_kid_assignment.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/jwt.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
+    <script th:src="@{/lesson_js/jwt-kid.js}"></script>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST"
-              action="JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJqZXJyeUB3ZWJnb2F0LmNvbSIsInVzZXJuYW1lIjoiSmVycnkiLCJFbWFpbCI6ImplcnJ5QHdlYmdvYXQuY29tIiwiUm9sZSI6WyJDYXQiXX0.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8">
+              th:action="@{/JWT/kid/delete?token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3ZWJnb2F0X2tleSIsImFsZyI6IkhTMjU2In0.ewogICJpc3MiOiAiV2ViR29hdCBUb2tlbiBCdWlsZGVyIiwKICAiaWF0IjogMTUyNDIxMDkwNCwKICAiZXhwIjogMTYxODkwNTMwNCwKICAiYXVkIjogIndlYmdvYXQub3JnIiwKICAic3ViIjogImplcnJ5QHdlYmdvYXQuY29tIiwKICAidXNlcm5hbWUiOiAiSmVycnkiLAogICJFbWFpbCI6ICJqZXJyeUB3ZWJnb2F0LmNvbSIsCiAgIlJvbGUiOiBbCiAgICAiQ2F0IgogIF0KfQ.CgZ27DzgVW8gzc0n6izOU638uUCi6UhiOJKYzoEZGE8}">
            <div class="container-fluid">
                <div id="toast"></div>
                <div class="col-sm-6 col-md-4 col-lg-3 mt-4">
@ -421,7 +422,7 @@
                        <div class="card-footer">
                            <small>Last updated 12 days ago</small>
                            <button type="button" class="btn btn-info float-right btn-sm"
-                                    onclick="javascript:follow('Tom')">Follow
+                                    onclick="javascript:startFollowing('Tom')">Follow
                            </button>
                            <button class="btn btn-info float-right btn-sm">Delete</button>
                        </div>
--- a/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/jwt/i18n/WebGoatLabels.properties
@ -26,15 +26,15 @@ jwt-refresh-alg-none=Nicely found! You solved the assignment with 'alg: none' ca
 jwt-final-jerry-account=Yikes, you are removing Jerry's account, try to delete the account of Tom
 jwt-final-not-tom=Username is not Tom try to pass a token for Tom
-jwt-jku-hint1=Take a look at the token and specifically and the header
+jwt-jku-hint1=Take a look at the token and specifically at the headers
-jwt-jku-hint2=The 'jku' (key ID) header parameter is a hint indicating which key is used to verify the JWS
+jwt-jku-hint2=The 'jku' header parameter hints a URL pointing to a set of keys used by the server to sign the JWT.
 jwt-jku-hint3=Could you use WebWolf to host the public key as a JWKS?
 jwt-jku-hint4=Create a key pair and sign the token with the private key
-jwt-jku-hint5=Change the JKU header claim and point it to a URL which hosts the public key in JWKS format.
+jwt-jku-hint5=Change the JKU header claim and point it to a URL that hosts the public key in JWKS format.
-jwt-kid-hint1=Take a look at the token and specifically and the header
+jwt-kid-hint1=Take a look at the token and specifically at the headers
-jwt-kid-hint2=The 'kid' (key ID) header parameter is a hint indicating which key was used to secure the JWS
+jwt-kid-hint2=The 'kid' (key ID) header parameter hints at the key was used to secure the JWS
-jwt-kid-hint3=The key can be located on the filesystem in memory or even reside in the database
+jwt-kid-hint3=The key resides can for example, either in the filesystem in memory or the database.
 jwt-kid-hint4=The key is stored in the database and loaded while verifying a token
-jwt-kid-hint5=Using a SQL injection you might be able to manipulate the key to something you know and create a new token.
+jwt-kid-hint5=Using an SQL injection, you might be able to manipulate the key to a known object and create a new token.
-jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header and change the contents of the token to Tom and hit the endpoint with the new token
+jwt-kid-hint6=Use: hacked' UNION select 'deletingTom' from INFORMATION_SCHEMA.SYSTEM_USERS --  as the kid in the header change the contents of the token to Tom and hit the endpoint with the new token
--- a/src/main/resources/lessons/jwt/js/jwt-final.js
+++ b/src/main/resources/lessons/jwt/js/jwt-final.js
@ -1,7 +1,7 @@
 function follow(user) {
    $.ajax({
        type: 'POST',
-        url: 'JWT/final/follow/' + user
+        url: 'JWT/kid/follow/' + user
    }).then(function (result) {
        $("#toast").append(result);
    })
--- a/src/main/resources/lessons/jwt/js/jwt-kid.js
+++ b/src/main/resources/lessons/jwt/js/jwt-kid.js
@ -0,0 +1,8 @@
 function startFollowing(user) {
    $.ajax({
        type: 'POST',
        url: 'JWT/kid/follow/' + user
    }).then(function (result) {
        $("#toast").append(result);
    })
 }
--- a/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
+++ b/src/main/resources/lessons/lessontemplate/html/LessonTemplate.html
@ -47,7 +47,7 @@
            <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
            <form class="attack-form" accept-charset="UNKNOWN"
                  method="POST" name="form"
-                  action="lesson-template/sample-attack">
+                  th:action="@{/lesson-template/sample-attack}">
                <table>
                    <tr>
                        <td>two random params</td>
--- a/src/main/resources/lessons/logging/html/LogSpoofing.html
+++ b/src/main/resources/lessons/logging/html/LogSpoofing.html
@ -16,7 +16,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN" name="task"
              method="POST"
-              action="LogSpoofing/log-spoofing">
+              th:action="@{/LogSpoofing/log-spoofing}">
            <input type="text" value="" name="username" placeholder="username"/>
            <input type="password" value="" name="password" placeholder="password"/>
@ -38,7 +38,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN" name="task"
              method="POST"
-              action="LogSpoofing/log-bleeding">
+              th:action="@{/LogSpoofing/log-bleeding}">
            <input type="text" value="" name="username" placeholder="username"/>
            <input type="password" value="" name="password" placeholder="password"/>
--- a/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
+++ b/src/main/resources/lessons/missingac/html/MissingFunctionAC.html
@ -52,7 +52,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="access-control/hidden-menu">
+              th:action="@{/access-control/hidden-menu}">
            <p>Hidden item 1 <input name="hiddenMenu1" value="" type="TEXT"/></p>
            <p>Hidden item 2 <input name="hiddenMenu2" value="" type="TEXT"/></p>
@ -75,7 +75,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="access-control/user-hash">
+              th:action="@{/access-control/user-hash}">
            <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
            <br/>
@ -97,7 +97,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="access-control/user-hash-fix">
+              th:action="@{/access-control/user-hash-fix}">
            <p>Your Hash: <input name="userHash" value="" type="TEXT"/></p>
            <br/>
--- a/src/main/resources/lessons/passwordreset/html/PasswordReset.html
+++ b/src/main/resources/lessons/passwordreset/html/PasswordReset.html
@ -23,7 +23,7 @@
                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
                          method="POST"
-                          action="PasswordReset/simple-mail/reset">
+                          th:action="@{/PasswordReset/simple-mail/reset}">
                        <div style="display: none;" id="password-reset-2">
                            <h4 class="">Forgot your password?</h4>
@ -47,7 +47,7 @@
                    </form>
                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
                          method="POST"
-                          action="PasswordReset/simple-mail">
+                          th:action="@{/PasswordReset/simple-mail}">
                        <div style="padding: 20px;" id="password-login-2">
                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
                                Account
--- a/src/main/resources/lessons/passwordreset/templates/password_reset.html
+++ b/src/main/resources/lessons/passwordreset/templates/password_reset.html
@ -9,7 +9,7 @@
 <div class="container">
    <div class="row">
        <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
-            <form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
+            <form role="form" method="POST" th:action="@{/PasswordReset/reset/change-password}" th:object="${form}" novalidate="novalidate">
                <h2 class="sign_up_title">Reset your password</h2>
                    <div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
                        <input type="hidden" name="resetLink" th:field="*{resetLink}" />
--- a/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
+++ b/src/main/resources/lessons/pathtraversal/html/PathTraversal.html
@ -22,7 +22,7 @@
                  informationalCallback="profileUploadCallback"
                  prepareData="profileUpload"
                  enctype="multipart/form-data"
-                  action="PathTraversal/profile-upload">
+                  th:action="@{/PathTraversal/profile-upload}">
                <div class="preview text-center">
                    <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                         height="200" id="preview"/>
@ -76,7 +76,7 @@
                  informationalCallback="profileUploadCallbackFix"
                  prepareData="profileUploadFix"
                  enctype="multipart/form-data"
-                  action="PathTraversal/profile-upload-fix">
+                  th:action="@{/PathTraversal/profile-upload-fix}">
                <div class="preview text-center">
                    <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                         height="200" id="previewFix"/>
@ -131,7 +131,7 @@
                  informationalCallback="profileUploadCallbackRemoveUserInput"
                  prepareData="profileUploadRemoveUserInput"
                  enctype="multipart/form-data"
-                  action="PathTraversal/profile-upload-remove-user-input">
+                  th:action="@{/PathTraversal/profile-upload-remove-user-input}">
                <div class="preview text-center">
                    <img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
                         height="200" id="previewRemoveUserInput"/>
--- a/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
+++ b/src/main/resources/lessons/securepasswords/html/SecurePasswords.html
@ -20,7 +20,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SecurePasswords/assignment"
+              th:action="@{/SecurePasswords/assignment}"
              autocomplete="off">
            <div class="input-group input-group">
--- a/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
+++ b/src/main/resources/lessons/spoofcookie/templates/spoofcookieform.html
@ -1,7 +1,7 @@
 <div class="row">
 	<div class="col-md-4">
 		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-			action="SpoofCookie/login">
+			th:action="@{/SpoofCookie/login}">
 			<div style="padding: 20px;" id="password-login">
 				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
 				<fieldset>
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjection.html
@ -15,7 +15,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack2"
+              th:action="@{/SqlInjection/attack2}"
              autocomplete="off">
            <table>
                <tr>
@ -39,7 +39,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack3"
+              th:action="@{/SqlInjection/attack3}"
              autocomplete="off">
            <table>
                <tr>
@ -63,7 +63,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack4"
+              th:action="@{/SqlInjection/attack4}"
              autocomplete="off">
            <table>
                <tr>
@ -87,7 +87,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack5"
+              th:action="@{/SqlInjection/attack5}"
              autocomplete="off">
            <table>
                <tr>
@ -143,7 +143,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/assignment5a">
+              th:action="@{/SqlInjection/assignment5a}">
            <table>
                <tr>
                    <td>SELECT * FROM user_data WHERE first_name = 'John' AND last_name = '</td>
@ -188,7 +188,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/assignment5b">
+              th:action="@{/SqlInjection/assignment5b}">
            <table>
                <tr>
                    <td>Login_Count:</td>
@ -216,7 +216,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack8"
+              th:action="@{/SqlInjection/attack8}"
              autocomplete="off">
            <table>
                <tr>
@ -244,7 +244,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack9"
+              th:action="@{/SqlInjection/attack9}"
              autocomplete="off">
            <table>
                <tr>
@ -273,7 +273,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjection/attack10"
+              th:action="@{/SqlInjection/attack10}"
              autocomplete="off">
            <table>
                <tr>
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html
@ -20,7 +20,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjectionAdvanced/attack6a">
+              th:action="@{/SqlInjectionAdvanced/attack6a}">
            <table>
                <tr>
                    <td>Name:</td>
@ -33,7 +33,7 @@
        </form>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjectionAdvanced/attack6b">
+              th:action="@{/SqlInjectionAdvanced/attack6b}">
            <table>
                <tr>
                    <td>Password:</td>
@ -79,7 +79,7 @@
                                <div class="col-lg-12">
                                    <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="POST" name="form"
-                                          action="SqlInjectionAdvanced/challenge_Login"
+                                          th:action="@{/SqlInjectionAdvanced/Challenge_Login}"
                                          role="form">
                                        <div class="form-group">
                                            <input type="text" name="username_login" id="username4" tabindex="1"
@ -115,7 +115,7 @@
                                    </form>
                                    <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                          method="PUT" name="form"
-                                          action="SqlInjectionAdvanced/challenge"
+                                          th:action="@{/SqlInjectionAdvanced/challenge}"
                                          style="display: none;" role="form">
                                        <div class="form-group">
                                            <input type="text" name="username_reg" id="username" tabindex="1"
@ -168,7 +168,7 @@
            <div class="container-fluid">
                <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                      method="POST" name="form"
-                      action="SqlInjectionAdvanced/quiz"
+                      th:action="@{/SqlInjectionAdvanced/quiz}"
                      role="form">
                    <div id="q_container"></div>
                    <br />
--- a/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
+++ b/src/main/resources/lessons/sqlinjection/html/SqlInjectionMitigations.html
@ -23,7 +23,7 @@
    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_completion.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10a">
+        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack10a}">
            <div>
                <p>Connection conn = DriverManager.<input type="text" name="field1" id="field1" />(DBURL, DBUSER, DBPW);</p>
                <p><input type="text" name="field2" id="field2" /> = conn.<input type="text" name="field3" id="field3" />("SELECT status FROM users WHERE name=<input type="text" name="field4" id="field4" /> AND mail=<input type="text" name="field5" id="field5" />");</p>
@ -42,7 +42,7 @@
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="~{doc:lessons/sqlinjection/documentation/SqlInjection_jdbc_newcode.adoc}"></div>
    <div class="attack-container" style="border: none !important; height: 100%; min-height: 300px;">
-        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="SqlInjectionMitigations/attack10b">
+        <form id="codesubmit" style="height: 100%; min-height: 300px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack10b}">
            <div>
                <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 300px;" name="editor"></div>
                <script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
@ -72,7 +72,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlOnlyInputValidation/attack"
+              th:action="@{/SqlInjectionMitigations/attack}"
              enctype="application/json;charset=UTF-8">
            <table>
                <tr>
@ -95,7 +95,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlOnlyInputValidationOnKeywords/attack"
+              th:action="@{/SqlInjectionMitigations/attack}"
              enctype="application/json;charset=UTF-8">
            <table>
                <tr>
@ -124,7 +124,7 @@
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="SqlInjectionMitigations/attack12a">
+              th:action="@{/SqlInjectionMitigations/attack12a}">
            <div class="container-fluid">
                <div class="row">
                    <div class="panel panel-primary">
@ -173,7 +173,7 @@
                <br/>
            </div>
        </form>
-        <form class="attack-form" method="POST" name="form" action="SqlInjectionMitigations/attack12a">
+        <form class="attack-form" method="POST" name="form" th:action="@{/SqlInjectionMitigations/attack12a}">
            <div class="form-group">
                <div class="input-group">
                    <div class="input-group-addon">IP address webgoat-prd server:</div>
--- a/src/main/resources/lessons/ssrf/html/SSRF.html
+++ b/src/main/resources/lessons/ssrf/html/SSRF.html
@ -12,7 +12,7 @@
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <form class="attack-form" accept-charset="UNKNOWN"
                  method="POST" name="form"
-                  action="SSRF/task1">
+                  th:action="@{/SSRF/task1}">
                <table>
                    <tr>
                        <td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
@ -34,7 +34,7 @@
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <form class="attack-form" accept-charset="UNKNOWN"
                  method="POST" name="form"
-                  action="SSRF/task2">
+                  th:action="@{/SSRF/task2}">
                <table>
                    <tr>
                        <td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
--- a/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
+++ b/src/main/resources/lessons/webwolfintroduction/html/WebWolfIntroduction.html
@ -18,7 +18,7 @@
        <form class="attack-form" accept-charset="UNKNOWN"  style="position:relative;top:150px"
              method="POST" name="form"
-              action="WebWolf/mail">
+              th:action="@{/WebWolf/mail}">
            <div class="container-fluid">
                <div class="row">
                    <div class="col-md-4">
@ -39,7 +39,7 @@
        <!-- <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
        <form class="attack-form" accept-charset="UNKNOWN"  style="position:relative;top:-50px"
              method="POST" name="secondform"
-              action="WebWolf/mail/send">
+              th:action="@{/WebWolf/mail/send}">
            <div class="container-fluid">
                <div class="row">
                    <div class="col-md-4">
--- a/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
+++ b/src/main/resources/lessons/xss/documentation/CrossSiteScripting_content5b.adoc
@ -7,4 +7,4 @@ Why is that?
 That is because no link triggers that XSS.
 You can try it yourself to see what happens ... go to:
-link:/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111["/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111",window=_blank]
+link:CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111["CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111",window=_blank]
--- a/src/main/resources/lessons/xss/html/CrossSiteScripting.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScripting.html
@ -12,7 +12,7 @@
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
 				  method="POST" name="form"
-				  action="CrossSiteScripting/attack1">
+				  th:action="@{/CrossSiteScripting/attack1}">
 				<table>
 					<tr>
 						<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
@ -46,7 +46,7 @@
 		<div id="lessonContent">
 			<form class="attack-form" accept-charset="UNKNOWN"
 				  method="GET" name="xss-5a"
-				  action="CrossSiteScripting/attack5a">
+				  th:action="@{/CrossSiteScripting/attack5a}">
 				<center>
 					<h4>Shopping Cart</h4>
 				</center>
@ -133,7 +133,7 @@
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMTestRoute"
-			  action="CrossSiteScripting/attack6a">
+			  th:action="@{/CrossSiteScripting/attack6a}">
 			<input name="DOMTestRoute" value="" type="TEXT" />
 			<input name="SubmitTestRoute" value="Submit" type="SUBMIT"/>
 		</form>
@ -148,7 +148,7 @@
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMFollowUp"
-			  action="CrossSiteScripting/dom-follow-up">
+			  th:action="@{/CrossSiteScripting/dom-follow-up}">
 			<input name="successMessage" value="" type="TEXT" />
 			<input name="submitMessage" value="Submit" type="SUBMIT"/>
 		</form>
@ -168,7 +168,7 @@
 		<div class="container-fluid">
 			<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
 				  method="POST" name="form"
-				  action="CrossSiteScripting/quiz" role="form">
+				  th:action="@{/CrossSiteScripting/quiz}" role="form">
 				<div id="q_container"></div>
 				<br />
 				<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingMitigation.html
@ -21,7 +21,7 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8b.adoc}"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
-		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="CrossSiteScripting/attack3">
+		<form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/CrossSiteScripting/attack3}">
 			<div>
 				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor"></div>
 				<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
@ -41,7 +41,7 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="~{doc:lessons/xss/documentation/CrossSiteScripting_content8c.adoc}"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
-		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="CrossSiteScripting/attack4">
+		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" th:action="@{/CrossSiteScripting/attack4}">
 			<div>
 				<div id="editor2" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor2"></div>
 				<script th:src="@{/js/libs/ace.js}" type="text/javascript" charset="utf-8"></script>
--- a/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
+++ b/src/main/resources/lessons/xss/html/CrossSiteScriptingStored.html
@ -67,7 +67,7 @@
 		<form class="attack-form" accept-charset="UNKNOWN"
 			  method="POST" name="DOMFollowUp"
-			  action="CrossSiteScriptingStored/stored-xss-follow-up">
+			  th:action="@{/CrossSiteScriptingStored/stored-xss-follow-up}">
 			<input name="successMessage" value="" type="TEXT" />
 			<input name="submitMessage" value="Submit" type="SUBMIT"/>
 		</form>
--- a/src/main/resources/lessons/xxe/html/XXE.html
+++ b/src/main/resources/lessons/xxe/html/XXE.html
@ -28,7 +28,7 @@
              successCallback="simpleXXECallback"
              failureCallback="simpleXXECallback"
              contentType="application/xml"
-              action="xxe/simple">
+              th:action="@{/xxe/simple}">
            <div class="container-fluid">
                <div class="panel post">
                    <div class="post-heading">
@ -94,7 +94,7 @@
              prepareData="contentTypeXXE"
              successCallback="contentTypeXXECallback"
              failureCallback="contentTypeXXECallback"
-              action="xxe/content-type"
+              th:action="@{/xxe/content-type}"
              contentType="application/json">
            <div class="container-fluid">
                <div class="panel post">
@ -166,7 +166,7 @@
              prepareData="blindXXE"
              successCallback="blindXXECallback"
              failureCallback="blindXXECallback"
-              action="xxe/blind"
+              th:action="@{/xxe/blind}"
              contentType="application/xml">
            <div class="container-fluid">
                <div class="panel post">