From 97f66545e0bb322abbf14422564f5bf96c6f5791 Mon Sep 17 00:00:00 2001
From: Matthias Grundmann <matthias.grundmann@kit.edu>
Date: Fri, 12 Jul 2019 17:25:05 +0200
Subject: [PATCH] In CSRF-3 use POST instead of GET to prevent solving the
 assignment just by opening the URL in a new tab

---
 .../src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java     | 2 +-
 webgoat-lessons/csrf/src/main/resources/html/CSRF.html          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
index ecc486b7f..6ca21cbe5 100644
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java
@@ -27,7 +27,7 @@ public class CSRFGetFlag extends Endpoint {
     @Autowired
     private PluginMessages pluginMessages;
 
-    @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
+    @RequestMapping(produces = {"application/json"}, method = RequestMethod.POST)
     @ResponseBody
     public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 
diff --git a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
index 71d08a816..9b9d79f02 100644
--- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
+++ b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
@@ -14,7 +14,7 @@
     <div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
-          method="GET" name="form1"
+          method="POST" name="form1"
           target="_blank"
           successCallback=""
           action="/WebGoat/csrf/basic-get-flag"