implemented xss-quiz

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html

@@ -170,4 +170,26 @@
 		<div class="attack-output"></div>
 	</div>
 </div>
+
+<div class="lesson-page-wrapper">
+	<span id="quiz_id" data-quiz_id="cross_site_scripting"></span>
+	<script th:src="@{/js/quiz.js}" language="JavaScript"></script>
+	<link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_quiz.adoc"></div>
+	<div class="attack-container">
+		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+		<div class="container-fluid">
+			<form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
+				  method="POST" name="form"
+				  action="/WebGoat/cross-site-scripting/quiz"
+				  enctype="application/json;charset=UTF-8" role="form">
+				<div id="q_container"></div>
+				<br />
+				<input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>
+			</form>
+		</div>
+		<div class="attack-feedback"></div>
+		<div class="attack-output"></div>
+	</div>
+</div>
 </html>

webgoat-lessons/cross-site-scripting/src/main/resources/js/questions_cross_site_scripting.json

@@ -0,0 +1,43 @@
+{
+  "questions": [{
+    "text": "Are trusted websites immune to XSS attacks?",
+    "solutions": {
+      "1": "Yes, they're safe because the browser checks the code before executing.",
+      "2": "Yes, because Google has got an algorithm that blocks malicious code.",
+      "3": "No, because the script that's executed will break through the browser's defense algorithm.",
+      "4": "No, because the browser trusts the website if it's acknowledged trusted, then the browser doesn't know that the script is malicious."
+    }
+  }, {
+    "text": "When do XSS attacks occur?",
+    "solutions": {
+      "1": "Data enters a web application through a trusted source.",
+      "2": "Data enters a browser application through the website.",
+      "3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.",
+      "4": "The data is excluded in static content, that way it is sent without being validated."
+    }
+  }, {
+    "text": "What are Stored XSS attacks?",
+    "solutions": {
+      "1": "The script is permanently stored on the server and the victim gets the malicious script when requesting information from the server.",
+      "2": "The script stores itself on the victim's computer and executes locally the malicious code.",
+      "3": "The script stores a virus on the victim's computer. The attacker can perform various actions now.",
+      "4": "The script is stored in the browser and sends information to the attacker."
+    }
+  }, {
+    "text": "What are Reflected XSS attacks?",
+    "solutions": {
+      "1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.",
+      "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.",
+      "3": "Reflected attacks reflect from the server's firewall off to the database where the user requests information from.",
+      "4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user."
+    }
+  }, {
+    "text": "Is Javascript the only way to perform XSS attacks?",
+    "solutions": {
+      "1": "Yes, you can only make use of tags through Javascript.",
+      "2": "Yes, otherwise you can't steal cookies.",
+      "3": "No, there's ECMAScript too.",
+      "4": "No, there're many other ways. Like HTML, Flash or any other type of code that the browser executes."
+    }
+  }]
+}

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_quiz.adoc

@@ -0,0 +1 @@
+Now it's time for a quiz! It's recommended to check the OWASP Cross Site Scripting explanations https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Answer all questions correctly to complete the assignment.