fix: SQL advanced assignment 5 (#2047)

- Add and show correct hints
- Fix solving the lesson immediately when you register as tom. Now uses `informationMessage` to display a message in the UI
- Add Playwright test

Closes: gh-2045

src/main/resources/i18n/messages.properties

@@ -1,4 +1,3 @@
-lesson.completed=Congratulations. You have successfully completed this lesson.
 assignment.solved=Congratulations. You have successfully completed the assignment.
 assignment.not.solved=Sorry the solution is not correct, please try again.
 RestartLesson=Restart this Lesson

src/main/resources/i18n/messages_de.properties

@@ -1,5 +1,4 @@
 #General
-lesson.completed=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
 assignment.solved=Herzlichen Gl\u00fcckwunsch! Sie haben diesen Auftrag erfolgreich abgeschlossen.
 assignment.not.solved=Die L\u00f6sung ist nicht korrekt, versuchen Sie es erneut.
 

src/main/resources/i18n/messages_fr.properties

@@ -1,5 +1,4 @@
 #General
-lesson.completed=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
 RestartLesson=Recommencer cette le\u00e7on
 SolutionVideos=Solution vid\u00e9os
 ErrorGenerating=Error generating

src/main/resources/i18n/messages_nl.properties

@@ -1,4 +1,3 @@
-lesson.completed=Gefeliciteerd, je hebt deze les succesvol afgerond.
 assignment.solved=Gefeliciteerd, je hebt deze opdracht succesvol afgerond.
 assignment.not.solved=Sorry de oplossing is niet correct, probeer het nog eens.
 RestartLesson=Herstart de les

src/main/resources/lessons/challenges/i18n/WebGoatLabels.properties

@@ -10,7 +10,7 @@ challenge9.title=Changing password
 challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
 challenge.close=This is not the correct password for Larry, please try again.
 
-email.send=An e-mail has been send to {0}
+email.send=An e-mail has been sent to {0}
 
 user.exists=User {0} already exists please try to register with a different username.
 user.created=User {0} created, please proceed to the login page.

src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_ru.properties

@@ -1,2 +0,0 @@
-EnterYourName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0435 \u0438\u043c\u044f
-Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html

@@ -79,7 +79,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          th:action="@{/SqlInjectionAdvanced/Challenge_Login}"
+                                          th:action="@{/SqlInjectionAdvanced/login}"
                                           role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
@@ -115,7 +115,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          th:action="@{/SqlInjectionAdvanced/challenge}"
+                                          th:action="@{/SqlInjectionAdvanced/register}"
                                           style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels.properties

@@ -3,12 +3,8 @@
 2.sql.advanced.title=SQL Injection (advanced)
 3.sql.mitigation.title=SQL Injection (mitigation)
 
-
-SqlInjectionChallenge1=Look at the different response you receive from the server
-SqlInjectionChallenge2=The vulnerability is on the register form
-SqlInjectionChallenge3=Use tooling to automate this attack
-NoResultsMatched=No results matched, try again.
-ResultsButNotTom=Try To login as Tom!
+NoResultsMatched=Wrong username or password. Try again.
+ResultsButNotTom=Try to log in as Tom!
 
 sql-injection.2.success=You have succeeded!
 sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above.
@@ -100,10 +96,13 @@ SqlStringInjectionHint-mitigation-13-2=Intercept the request and try to specify
 SqlStringInjectionHint-mitigation-13-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 SqlStringInjectionHint-mitigation-13-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 
-SqlInjectionChallengeHint1=The table name is randomized at each start of WebGoat, try to figure out the name first.
-SqlInjectionChallengeHint2=Find the field which is vulnerable to SQL injection use that to change the password.
-SqlInjectionChallengeHint3=Change the password through an UPDATE Statement.
-SqlInjectionChallengeHint4=The vulnerable field is the username field of the register form.
+SqlInjectionChallenge1=Look at the different response you receive from the server when you try different entries
+SqlInjectionChallenge2=Does the register form give you any indication a user already exists?
+SqlInjectionChallenge3=Try to guess the password of the user 'tom' one character at a time
+SqlInjectionChallenge4=Use substring(column, start, length) to get the password of the user 'tom' one character at a time
+SqlInjectionChallenge5=Use tom' AND substring(password,1,1)='a for the guess of the first character of the password
+SqlInjectionChallenge6=It is important to look at the different responses you receive from the server when you try different entries
+SqlInjectionChallenge7=You can use tooling to automate this attack
 
 SqlOnlyInputValidation-failed=Using spaces is not allowed!
 SqlOnlyInputValidation-1=Spaces are rejected, try to find a way around this restriction

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_de.properties

@@ -1,7 +1,7 @@
 #StringSqlInjection.java
 StringSqlInjectionSecondStage=Da sie nun erfolgreich eine SQL Injection durchgef\u00fchrt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. Starten Sie Diese Lektion neu, wenn Sie zur verwundbaren SQL Anfrage gelangen m\u00f6chten.
     EnterLastName=Geben Sie Ihren Nachnamen ein:
-NoResultsMatched=Keine Resultate gefunden, versuchen Sie es erneut
+NoResultsMatched=Falscher Benutzername oder falsches Passwort. Versuchen Sie es erneut.
 SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
 SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_fr.properties

@@ -1,7 +1,7 @@
 #StringSqlInjection.java
 StringSqlInjectionSecondStage=Maintenant que vous avez r\u00e9alis\u00e9 une injection SQL avec succ\u00e8s, essayer le m\u00eame type d'attaque sur une requ\u00eate param\u00e9tr\u00e9e. Red\u00e9marrez la le\u00e7on si vous souhaitez revenir \u00e0 la requ\u00eate injectable.
 EnterLastName=Entrez votre nom :
-NoResultsMatched=Aucun r\u00e9sultat correspondant. Essayez encore.
+NoResultsMatched=Aucun nom d'utilisateur ou mot de passe incorrect. Essayez encore.
 SqlStringInjectionHint1=L'application r\u00e9cup\u00e8re votre saisie et l'ins\u00e8re \u00e0 la fin d'une commande SQL pr\u00e9-form\u00e9e.
 SqlStringInjectionHint2=Voici le code de la requ\u00eate assembl\u00e9e et ex\u00e9cut\u00e9e par WebGoat :<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Les commandes SQL compos\u00e9es peuvent \u00eatre assembl\u00e9es en associant de multiples conditions au moyen de mots-cl\u00e9 tels que AND et OR. Essayez d'assembler une condition qui sera toujours r\u00e9solue \u00e0 vrai.

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_ru.properties

@@ -1,8 +0,0 @@
-#StringSqlInjection.java
-StringSqlInjectionSecondStage=\u0422\u0435\u043f\u0435\u0440\u044c, \u043a\u043e\u0433\u0434\u0430 \u0432\u0430\u043c \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u0443\u0434\u0430\u0447\u043d\u043e \u043f\u0440\u043e\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c SQL-\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e, \u043f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c \u044d\u0442\u043e \u0441 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u043c. \u041d\u0430\u0447\u043d\u0438\u0442\u0435 \u0443\u0440\u043e\u043a \u0437\u0430\u043d\u043e\u0432\u043e \u0435\u0441\u043b\u0438 \u0432\u044b \u0445\u043e\u0442\u0438\u0442\u0435 \u0432\u043d\u043e\u0432\u044c \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0435 \u043f\u043e\u043b\u0435.
-EnterLastName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0443 \u0444\u0430\u043c\u0438\u043b\u0438\u044e:
-NoResultsMatched=\u041d\u0435\u0442 \u0441\u043e\u0432\u043f\u0430\u0434\u0435\u043d\u0438\u0439. \u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0441\u043d\u043e\u0432\u0430.
-SqlStringInjectionHint1=\u041f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0431\u0435\u0440\u0451\u0442 \u0442\u043e \u0447\u0442\u043e \u0432\u044b \u0432\u0432\u043e\u0434\u0438\u0442\u0435 \u0438 \u0432\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0432 \u043a\u043e\u043d\u0435\u0446 \u0437\u0430\u0440\u0430\u043d\u0435\u0435 \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430.
-SqlStringInjectionHint2=\u0412\u043e\u0442 \u043a\u043e\u0434 \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f WebGoat`\u043e\u043c:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
-SqlStringInjectionHint3=\u0426\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u043c\u043e\u0436\u043d\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u043f\u0440\u043e\u0432\u0435\u0434\u044f \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u043e\u043a \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0442\u0430\u043a\u0438\u0445 \u043a\u043b\u044e\u0447\u0435\u0432\u044b\u0445 \u0441\u043b\u043e\u0432 \u043a\u0430\u043a AND \u0438 OR. \u041f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0441\u043e\u0441\u0442\u0430\u0432\u0438\u0442\u044c \u0442\u0430\u043a\u043e\u0435 SQL-\u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u0435, \u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u0432\u0441\u0435\u0433\u0434\u0430 \u0431\u0443\u0434\u0435\u0442 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0442\u044c \u0438\u0441\u0442\u0438\u043d\u0443.
-SqlStringInjectionHint4=\u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0432\u0432\u0435\u0441\u0442\u0438 [ smith' OR '1' = '1 ].