flag submission fixed (#812)

webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java

@@ -38,6 +38,10 @@ public class Scoreboard {
         List<WebGoatUser> allUsers = userRepository.findAll();
         List<Ranking> rankings = new ArrayList<>();
         for (WebGoatUser user : allUsers) {
+        	if (user.getUsername().startsWith("csrf-")) {
+        		//the csrf- assignment specific users do not need to be in the overview
+        		continue;
+        	}
             UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
             rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
         }

webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java

@@ -0,0 +1,59 @@
+package org.owasp.webgoat;
+
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import io.restassured.RestAssured;
+
+public class ChallengeTest extends IntegrationTest {
+	
+	@Test
+    public void testChallenge1() {
+    	startLesson("Challenge1");      
+    	
+    	Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("username", "admin");
+        params.put("password", "!!webgoat_admin_1234!!");
+       
+    	
+        checkAssignment(url("/WebGoat/challenge/1"), params, true);
+        String result = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .formParams(params)
+                .post(url("/WebGoat/challenge/1"))
+                .then()
+                .statusCode(200)
+                .extract().asString();
+        
+        String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
+    	params.clear();
+       	params.put("flag", flag);
+        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+         
+  
+        checkResults("/challenge/1");      
+        
+        List<String> capturefFlags = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/scoreboard-data"))
+                .then()
+                .statusCode(200)
+                .extract().jsonPath()
+                .get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
+        assertTrue(capturefFlags.contains("Admin lost password"));
+    }
+    
+}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/Flag.java

@@ -22,11 +22,15 @@
 
 package org.owasp.webgoat.challenges;
 
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.extern.slf4j.Slf4j;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+
+import javax.annotation.PostConstruct;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
@@ -38,27 +42,21 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-import javax.annotation.PostConstruct;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-import java.util.stream.IntStream;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
 
 /**
  * @author nbaars
  * @since 3/23/17.
  */
-@Slf4j
 @RestController
-public class Flag {
+public class Flag extends AssignmentEndpoint {
 
     public static final Map<Integer, String> FLAGS = new HashMap<>();
     @Autowired
     private UserTrackerRepository userTrackerRepository;
     @Autowired
     private WebSession webSession;
-    @Autowired
-    private PluginMessages pluginMessages;
 
     @AllArgsConstructor
     private class FlagPosted {
@@ -81,10 +79,10 @@ public class Flag {
         final AttackResult attackResult;
         if (expectedFlag.equals(flag)) {
             userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
-            attackResult = new AttackResult.AttackResultBuilder(pluginMessages).lessonCompleted(true, "challenge.flag.correct").build();
+            attackResult = success(this).feedback("challenge.flag.correct").build();
         } else {
             userTracker.assignmentFailed(webSession.getCurrentLesson());
-            attackResult = new AttackResult.AttackResultBuilder(pluginMessages).feedback("challenge.flag.incorrect").build();
+            attackResult = failed(this).feedback("challenge.flag.incorrect").build();
         }
         userTrackerRepository.save(userTracker);
         return attackResult;