From f774364461b2ac937ce57ae73cff0a2dbc927b02 Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Fri, 13 Sep 2019 20:05:25 +0200 Subject: [PATCH] Working unit tests --- .../assignments/AssignmentEndpointTest.java | 2 +- .../BypassRestrictionsFieldRestrictions.java | 23 ++--- .../BypassRestrictionsFrontendValidation.java | 94 +++++++++---------- .../plugin/challenge1/Assignment1.java | 12 +-- .../{challenge6 => }/Assignment5.java | 32 +++++-- .../webgoat/plugin/challenge5/Challenge5.java | 61 ++++++++++++ .../challenge5/challenge6/Challenge5.java | 39 -------- .../plugin/challenge6/Assignment6.java | 11 +-- .../plugin/challenge7/Assignment7.java | 8 +- .../plugin/challenge8/Assignment8.java | 10 +- .../owasp/webgoat/plugin/NetworkDummy.java | 33 +++---- .../owasp/webgoat/plugin/NetworkLesson.java | 38 ++++---- .../ChromeDevToolsTest.java | 0 .../org/owasp/webgoat/plugin/CIAQuiz.java | 17 ++-- .../plugin/ClientSideFilteringAssignment.java | 12 +-- .../ClientSideFilteringFreeAssignment.java | 12 +-- .../plugin/CrossSiteScriptingLesson1.java | 48 +++++----- .../plugin/CrossSiteScriptingLesson3.java | 11 +-- .../plugin/CrossSiteScriptingLesson4.java | 21 ++--- .../plugin/CrossSiteScriptingLesson5a.java | 84 ++++++++--------- .../plugin/CrossSiteScriptingLesson6a.java | 33 +++---- .../plugin/CrossSiteScriptingQuiz.java | 18 ++-- .../webgoat/plugin/DOMCrossSiteScripting.java | 21 ++--- .../plugin/DOMCrossSiteScriptingVerifier.java | 13 +-- .../StoredCrossSiteScriptingVerifier.java | 13 +-- .../webgoat/plugin/StoredXssComments.java | 17 ++-- .../plugin/DOMCrossSiteScriptingTest.java | 9 +- .../webgoat/plugin/CSRFConfirmFlag1.java | 11 +-- .../owasp/webgoat/plugin/CSRFFeedback.java | 11 +-- .../org/owasp/webgoat/plugin/CSRFLogin.java | 5 +- .../owasp/webgoat/plugin/ForgedReviews.java | 18 ++-- .../webgoat/plugin/HtmlTamperingTask.java | 38 ++++---- .../org/owasp/webgoat/plugin/HttpBasics.java | 51 +++++----- .../HttpBasicsInterceptRequestTest.java | 2 +- 34 files changed, 389 insertions(+), 439 deletions(-) rename 
webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/{challenge6 => }/Assignment5.java (76%) create mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java delete mode 100644 webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java rename webgoat-lessons/chrome-dev-tools/src/{Test => test}/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java (100%) diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java index dc0c7a481..8edbd1264 100644 --- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java +++ b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java @@ -38,6 +38,7 @@ import org.springframework.web.servlet.i18n.FixedLocaleResolver; import java.util.Locale; +import static org.mockito.ArgumentMatchers.any; import static org.mockito.Matchers.anyString; import static org.mockito.Mockito.when; @@ -62,7 +63,6 @@ public class AssignmentEndpointTest { public void init(AssignmentEndpoint a) { messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels"); - when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker); ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository); ReflectionTestUtils.setField(a, "userSessionData", userSessionData); ReflectionTestUtils.setField(a, "webSession", webSession); diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java index b916019f8..f5b4afaca 100755 
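Review bot: The added `import static org.mockito.ArgumentMatchers.any;` has no visible use in either hunk — the only matcher call in view, `anyString()`, is on the line being removed — so unless `any(...)` is used elsewhere in the file the import is dead, and the surviving `org.mockito.Matchers.anyString` import still points at the deprecated `Matchers` class; both belong on `ArgumentMatchers` or should go. Dropping the `findByUser(anyString())` stub from `init` means the mocked `userTrackerRepository` now answers `null` to every test that does not stub it itself, so each test class that drives `trackProgress` presumably re-stubs it and that is worth confirming. `init` continues past the hunk.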
--- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java +++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java @@ -1,15 +1,11 @@ package org.owasp.webgoat.plugin; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; - -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; +import org.springframework.web.bind.annotation.RestController; /** * ************************************************************************************************* 
@@ -44,23 +40,22 @@ import java.io.IOException; * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ -@AssignmentPath("/BypassRestrictions/FieldRestrictions") +@RestController public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public + @PostMapping("/BypassRestrictions/FieldRestrictions") @ResponseBody - AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) throws IOException { - if (select.toString().equals("option1") || select.toString().equals("option2")) { + public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) { + if (select.equals("option1") || select.equals("option2")) { return trackProgress(failed().build()); } - if (radio.toString().equals("option1") || radio.toString().equals("option2")) { + if (radio.equals("option1") || radio.equals("option2")) { return trackProgress(failed().build()); } - if (checkbox.toString().equals("on") || checkbox.toString().equals("off")) { + if (checkbox.equals("on") || checkbox.equals("off")) { return trackProgress(failed().build()); } - if (shortInput.toString().length() <= 5) { + if (shortInput.length() <= 5) { return trackProgress(failed().build()); } /*if (disabled == null) { diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java index 7eaefb129..a6c5aa95e 100644 --- a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java +++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java 
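Review bot: `@ResponseBody` on `completed` is redundant now that the class carries `@RestController`, which already implies `@ResponseBody` for every handler; the same pair appears in the hunks at L25, L26, L28, L31, L32, L36, L38, L41, L42 and L43, so either drop the method-level annotation everywhere or keep plain `@Controller` semantics deliberately. The hunk also ends on the commented-out block starting `/*if (disabled == null) {`, which the rewrite carried over unchanged; dead code in comments should be deleted rather than preserved across a refactor. `completed` continues past the hunk.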
@@ -3,85 +3,81 @@ package org.owasp.webgoat.plugin; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; import java.io.IOException; /** * ************************************************************************************************* - * - * + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. - * + *

* You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. - * + *

* For details, please see http://webgoat.github.io * * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ -@AssignmentPath("/BypassRestrictions/frontendValidation") +@RestController public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public + @PostMapping("/BypassRestrictions/frontendValidation") @ResponseBody - AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) throws IOException { - String regex1="^[a-z]{3}$"; - String regex2="^[0-9]{3}$"; - String regex3="^[a-zA-Z0-9 ]*$"; - String regex4="^(one|two|three|four|five|six|seven|eight|nine)$"; - String regex5="^\\d{5}$"; - String regex6="^\\d{5}(-\\d{4})?$"; - String regex7="^[2-9]\\d{2}-?\\d{3}-?\\d{4}$"; - if (error>0) { - return trackProgress(failed().build()); - } - if (field1.matches(regex1)) { - return trackProgress(failed().build()); - } - if (field2.matches(regex2)) { - return trackProgress(failed().build()); - } - if (field3.matches(regex3)) { - return trackProgress(failed().build()); - } - if (field4.matches(regex4)) { - return trackProgress(failed().build()); - } - if (field5.matches(regex5)) { - return trackProgress(failed().build()); - } - if (field6.matches(regex6)) { - return trackProgress(failed().build()); - } - if (field7.matches(regex7)) { - return trackProgress(failed().build()); - } - return trackProgress(success().build()); + public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) { + String regex1 = "^[a-z]{3}$"; + String regex2 = "^[0-9]{3}$"; + String regex3 = "^[a-zA-Z0-9 ]*$"; + String regex4 = 
"^(one|two|three|four|five|six|seven|eight|nine)$"; + String regex5 = "^\\d{5}$"; + String regex6 = "^\\d{5}(-\\d{4})?$"; + String regex7 = "^[2-9]\\d{2}-?\\d{3}-?\\d{4}$"; + if (error > 0) { + return trackProgress(failed().build()); + } + if (field1.matches(regex1)) { + return trackProgress(failed().build()); + } + if (field2.matches(regex2)) { + return trackProgress(failed().build()); + } + if (field3.matches(regex3)) { + return trackProgress(failed().build()); + } + if (field4.matches(regex4)) { + return trackProgress(failed().build()); + } + if (field5.matches(regex5)) { + return trackProgress(failed().build()); + } + if (field6.matches(regex6)) { + return trackProgress(failed().build()); + } + if (field7.matches(regex7)) { + return trackProgress(failed().build()); + } + return trackProgress(success().build()); } } diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java index 932aca8d8..ef09f2451 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge1/Assignment1.java @@ -5,10 +5,7 @@ import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.plugin.Flag; import org.springframework.util.StringUtils; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; import java.io.IOException; 
@@ -44,13 +41,12 @@ import static org.owasp.webgoat.plugin.SolutionConstants.PASSWORD; * @version $Id: $Id * @since August 11, 2016 */ -@AssignmentPath("/challenge/1") +@RestController public class Assignment1 extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public + @PostMapping("/challenge/1") @ResponseBody - AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) throws IOException { + public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) { boolean ipAddressKnown = true; boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password); if (passwordCorrect && ipAddressKnown) { diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java similarity index 76% rename from webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java rename to webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java index bdb663ec2..f97a90e8b 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Assignment5.java 
@@ -1,4 +1,26 @@ -package org.owasp.webgoat.plugin.challenge5.challenge6; +/* + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2019 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. + */ + +package org.owasp.webgoat.plugin.challenge5; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.RandomStringUtils; @@ -10,9 +32,7 @@ import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.StringUtils; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import java.sql.*; 
@@ -23,7 +43,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; * @author nbaars * @since 4/8/17. */ -@AssignmentPath("/challenge/5") +@RestController @Slf4j public class Assignment5 extends AssignmentEndpoint { @@ -33,7 +53,7 @@ public class Assignment5 extends AssignmentEndpoint { @Autowired private WebSession webSession; - @RequestMapping(method = POST) + @PostMapping("/challenge/5") @ResponseBody public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { Connection connection = DatabaseUtilities.getConnection(webSession); diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java new file mode 100644 index 000000000..3b7345eaa --- /dev/null +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/Challenge5.java 
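Review bot: `@RequestMapping(method = POST)` becomes `@PostMapping("/challenge/5")`, but the hunk header still shows `import static org.springframework.web.bind.annotation.RequestMethod.POST;` as surrounding context, so that static import is now unused; the Assignment6 (L31) and Assignment7 (L32) hunks leave the same `POST`/`GET` static imports behind. `login` continues past the hunk; it declares `throws Exception` and opens `DatabaseUtilities.getConnection(webSession)` on its first line, so whether that connection is released on the non-visible paths is worth checking while the file is being touched.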
@@ -0,0 +1,61 @@ +/* + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 2019 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. + */ + +package org.owasp.webgoat.plugin.challenge5; + +import com.google.common.collect.Lists; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.NewLesson; + +import java.util.List; + +/** + * @author nbaars + * @since 3/21/17. + */ +public class Challenge5 extends NewLesson { + + @Override + public Category getDefaultCategory() { + return Category.CHALLENGE; + } + + @Override + public List getHints() { + return Lists.newArrayList(); + } + + @Override + public Integer getDefaultRanking() { + return 10; + } + + @Override + public String getTitle() { + return "challenge5.title"; + } + + @Override + public String getId() { + return "Challenge5"; + } +} 
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java deleted file mode 100644 index 140162828..000000000 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Challenge5.java +++ /dev/null @@ -1,39 +0,0 @@ -package org.owasp.webgoat.plugin.challenge5.challenge6; - -import com.google.common.collect.Lists; -import org.owasp.webgoat.lessons.Category; -import org.owasp.webgoat.lessons.NewLesson; - -import java.util.List; - -/** - * @author nbaars - * @since 3/21/17. - */ -public class Challenge5 extends NewLesson { - - @Override - public Category getDefaultCategory() { - return Category.CHALLENGE; - } - - @Override - public List getHints() { - return Lists.newArrayList(); - } - - @Override - public Integer getDefaultRanking() { - return 10; - } - - @Override - public String getTitle() { - return "challenge5.title"; - } - - @Override - public String getId() { - return "Challenge5"; - } -} diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java index 743e5036f..b3822b9ce 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java 
@@ -10,10 +10,7 @@ import org.owasp.webgoat.session.DatabaseUtilities; import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.util.StringUtils; -import org.springframework.web.bind.annotation.PutMapping; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import java.sql.*; @@ -24,7 +21,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; * @author nbaars * @since 4/8/17. */ -@AssignmentPath("/challenge/6") +@RestController @Slf4j public class Assignment6 extends AssignmentEndpoint { @@ -38,7 +35,7 @@ public class Assignment6 extends AssignmentEndpoint { log.info("Challenge 6 tablename is: {}", USERS_TABLE_NAME); } - @PutMapping //assignment path is bounded to class so we use different http method :-) + @PutMapping("/challenge/6") //assignment path is bounded to class so we use different http method :-) @ResponseBody public AttackResult registerNewUser(@RequestParam String username_reg, @RequestParam String email_reg, @RequestParam String password_reg) throws Exception { AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg); @@ -75,7 +72,7 @@ public class Assignment6 extends AssignmentEndpoint { return null; } - @RequestMapping(method = POST) + @PostMapping("/challenge/6") @ResponseBody public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception { Connection connection = DatabaseUtilities.getConnection(webSession); diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java index 2e12e14cc..23dc6bda1 100644 
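Review bot: The comment on the `@PutMapping("/challenge/6")` line, `//assignment path is bounded to class so we use different http method :-)`, is stale after this change: the path is no longer bound at class level by `@AssignmentPath`, each mapping names `/challenge/6` itself, and the PUT/POST split is now a design choice rather than a workaround. Replace it with something that states the current intent, e.g. `// registration (PUT) and login (POST) share /challenge/6 and are told apart by HTTP method`. Both `registerNewUser` and `login` continue past their hunks.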
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java @@ -30,7 +30,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST; * @author nbaars * @since 4/8/17. */ -@AssignmentPath("/challenge/7") +@RestController @Slf4j public class Assignment7 extends AssignmentEndpoint { @@ -48,7 +48,7 @@ public class Assignment7 extends AssignmentEndpoint { @Value("${webwolf.url.mail}") private String webWolfMailURL; - @GetMapping("/reset-password/{link}") + @GetMapping("/challenge/7/reset-password/{link}") public ResponseEntity resetPassword(@PathVariable(value = "link") String link) { if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) { return ResponseEntity.accepted().body("

Success!!

" + @@ -58,7 +58,7 @@ public class Assignment7 extends AssignmentEndpoint { return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT).body("That is not the reset link for admin"); } - @RequestMapping(method = POST) + @PostMapping("/challenge/7") @ResponseBody public AttackResult sendPasswordResetLink(@RequestParam String email, HttpServletRequest request) throws URISyntaxException { if (StringUtils.hasText(email)) { @@ -77,7 +77,7 @@ public class Assignment7 extends AssignmentEndpoint { return success().feedback("email.send").feedbackArgs(email).build(); } - @RequestMapping(method = GET, value = "/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE) + @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE) @ResponseBody @SneakyThrows public ClassPathResource git() { diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java index 5a38aaf4e..0dff250b6 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge8/Assignment8.java @@ -10,6 +10,7 @@ import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PathVariable; import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.RestController; import javax.servlet.http.HttpServletRequest; import java.util.HashMap; @@ -20,7 +21,7 @@ import java.util.stream.Collectors; * @author nbaars * @since 4/8/17. */ -@AssignmentPath("/challenge/8") +@RestController @Slf4j public class Assignment8 extends AssignmentEndpoint { 
@@ -34,7 +35,7 @@ public class Assignment8 extends AssignmentEndpoint { votes.put(5, 300); } - @GetMapping(value = "/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE) + @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE) @ResponseBody public ResponseEntity vote(@PathVariable(value = "stars") int nrOfStars, HttpServletRequest request) { //Simple implementation of VERB Based Authentication @@ -50,12 +51,12 @@ public class Assignment8 extends AssignmentEndpoint { return ResponseEntity.ok().header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8)).build(); } - @GetMapping("/votes/") + @GetMapping("/challenge/8/votes/") public ResponseEntity getVotes() { return ResponseEntity.ok(votes.entrySet().stream().collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue()))); } - @GetMapping("/votes/average") + @GetMapping("/challenge/8/votes/average") public ResponseEntity> average() { int totalNumberOfVotes = votes.values().stream().mapToInt(i -> i.intValue()).sum(); int categories = votes.entrySet().stream().mapToInt(e -> e.getKey() * e.getValue()).reduce(0, (a, b) -> a + b); @@ -63,6 +64,5 @@ public class Assignment8 extends AssignmentEndpoint { json.put("average", (int) Math.ceil((double) categories / totalNumberOfVotes)); return ResponseEntity.ok(json); } - } diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java index e5efd285d..f8f425ee1 100644 --- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java +++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkDummy.java 
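Review bot: Within the same class, `vote` keeps `@ResponseBody` while `getVotes` and `average`, whose mappings are rewritten in this hunk too, do not; under `@RestController` all three are body-returning handlers, so the lone annotation on `vote` only reads as if that method were special. The `votes` map is an instance field populated in the initializer above (`votes.put(5, 300);`) and read by all three endpoints, so as a singleton controller it is one map for every user; that is presumably the intended lesson fixture, but a one-line comment on the field such as `// shared across all users by design` would make it explicit.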
@@ -4,34 +4,29 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 
 import java.io.IOException;
 
 /**
  * This is just a class used to make the the HTTP request.
+ *
  * @author TMelzer
  * @since 30.11.18
  */
-@AssignmentPath("/ChromeDevTools/dummy")
+@RestController
 public class NetworkDummy extends AssignmentEndpoint {
 
-    @RequestMapping(method = RequestMethod.POST)
-    public
-    @ResponseBody
-    AttackResult completed(@RequestParam String successMessage) throws IOException {
-
-        UserSessionData userSessionData = getUserSessionData();
-        String answer = (String) userSessionData.getValue("randValue");
+    @PostMapping("/ChromeDevTools/dummy")
+    @ResponseBody
+    public AttackResult completed(@RequestParam String successMessage) {
+        UserSessionData userSessionData = getUserSessionData();
+        String answer = (String) userSessionData.getValue("randValue");
 
-        if (successMessage!=null && successMessage.equals(answer)) {
-            return trackProgress(success().feedback("xss-dom-message-success").build());
-        } else {
-            return trackProgress(failed().feedback("xss-dom-message-failure").build());
-        }
-
-    }
+        if (successMessage != null && successMessage.equals(answer)) {
+            return trackProgress(success().feedback("xss-dom-message-success").build());
+        } else {
+            return trackProgress(failed().feedback("xss-dom-message-failure").build());
+        }
+    }
 }
\ No newline at end of file
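Review bot: The rewritten `completed` keeps `successMessage != null` although `@RequestParam String successMessage` is required by default, so a request without the parameter is rejected with 400 before the handler runs and the null branch is unreachable; either drop the check or declare `@RequestParam(required = false)` if the lenient behaviour is what the lesson wants. The file still ends with `\ No newline at end of file`, and the Javadoc line the hunk touches keeps the doubled word in `make the the HTTP request`; both are cheap to fix in the same commit.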
diff --git a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java index 1969e53e9..8e02f537d 100644 --- a/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java +++ b/webgoat-lessons/chrome-dev-tools/src/main/java/org/owasp/webgoat/plugin/NetworkLesson.java 
@@ -5,38 +5,34 @@ import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 
 import java.io.IOException;
 
 /**
  * Assignment where the user has to look through an HTTP Request
  * using the Developer Tools and find a specific number.
+ *
  * @author TMelzer
  * @since 30.11.18
  */
-@AssignmentPath("/ChromeDevTools/network")
+@RestController
 @AssignmentHints({"networkHint1", "networkHint2"})
 public class NetworkLesson extends AssignmentEndpoint {
 
-    @RequestMapping(method = RequestMethod.POST, params= {"network_num","number"})
-    public
-    @ResponseBody
-    AttackResult completed(@RequestParam String network_num, @RequestParam String number) throws IOException {
-        if(network_num.equals(number)) {
-            return trackProgress(success().feedback("network.success").output("").build());
-        } else {
-            return trackProgress(failed().feedback("network.failed").build());
+    @PostMapping(value = "/ChromeDevTools/network", params = {"network_num", "number"})
+    @ResponseBody
+    public AttackResult completed(@RequestParam String network_num, @RequestParam String number) {
+        if (network_num.equals(number)) {
+            return trackProgress(success().feedback("network.success").output("").build());
+        } else {
+            return trackProgress(failed().feedback("network.failed").build());
+        }
+    }
+
+    @PostMapping(path = "/ChromeDevTools/network", params = "networkNum")
+    @ResponseBody
+    public ResponseEntity ok(@RequestParam String networkNum) {
+        return ResponseEntity.ok().build();
     }
-    }
-
-    @RequestMapping(method = RequestMethod.POST, params="networkNum")
-    public
-    @ResponseBody
-    ResponseEntity ok(@RequestParam String networkNum) throws IOException {
-        return ResponseEntity.ok().build();
-    }
 }
diff --git a/webgoat-lessons/chrome-dev-tools/src/Test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java b/webgoat-lessons/chrome-dev-tools/src/test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
similarity index 100%
rename from webgoat-lessons/chrome-dev-tools/src/Test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
rename to webgoat-lessons/chrome-dev-tools/src/test/java/org.owasp.webgoat.plugin/ChromeDevToolsTest.java
diff --git a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
index 28f3a2f5b..9df73ee36 100644
--- a/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
+++ b/webgoat-lessons/cia/src/main/java/org/owasp/webgoat/plugin/CIAQuiz.java
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 
 import java.io.IOException;
 import java.sql.Connection;
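Review bot: The two new mappings name the same attribute differently — `@PostMapping(value = "/ChromeDevTools/network", ...)` on `completed` and `@PostMapping(path = "/ChromeDevTools/network", ...)` on `ok`; `value` and `path` are aliases, so pick one for both. In `ok`, `networkNum` is declared as a required `@RequestParam` but never read, while the `params = "networkNum"` condition already selects this handler; a comment such as `// declared only so the request shape matches the params condition; the value is not used` would stop the next reader from removing it and changing the 400 behaviour for requests that omit it.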
@@ -15,20 +12,20 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -@AssignmentPath("/cia/quiz") +@RestController public class CIAQuiz extends AssignmentEndpoint { String[] solutions = {"Solution 3", "Solution 1", "Solution 4", "Solution 2"}; boolean[] guesses = new boolean[solutions.length]; - @RequestMapping(method = RequestMethod.POST) + @PostMapping("/cia/quiz") @ResponseBody - public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) throws IOException { + public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution) { int correctAnswers = 0; String[] givenAnswers = {question_0_solution[0], question_1_solution[0], question_2_solution[0], question_3_solution[0]}; - for(int i = 0; i < solutions.length; i++) { + for (int i = 0; i < solutions.length; i++) { if (givenAnswers[i].contains(solutions[i])) { // answer correct correctAnswers++; @@ -39,14 +36,14 @@ public class CIAQuiz extends AssignmentEndpoint { } } - if(correctAnswers == solutions.length) { + if (correctAnswers == solutions.length) { return trackProgress(success().build()); } else { return trackProgress(failed().build()); } } - @RequestMapping(method = RequestMethod.GET) + @GetMapping("/cia/quiz") @ResponseBody public boolean[] getResults() { return this.guesses; diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java index e21f5c77d..e1368221b 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java 
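Review bot: `guesses` and `solutions` are package-private mutable instance fields on what is now a singleton `@RestController`, so the array `getResults` returns is shared by every user and every request rather than being per learner, and the lines elided between the two hunks after `// answer correct` presumably write into `guesses`, which would also race under concurrent submissions. `solutions` should at least become `private static final String[] SOLUTIONS`, and `getResults` should not hand out the internal array (`return guesses.clone();`), but the proper fix is to keep the guesses in per-user state (the `UserSessionData` that the CrossSiteScriptingLesson5a hunk autowires may be the intended place; confirm its scope). `givenAnswers` indexes `question_N_solution[0]` without checking length, so a request that binds one of those parameters to an empty array would likely end in an `ArrayIndexOutOfBoundsException` rather than a failed result; a length guard returning `failed().build()` would be safer.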
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringAssignment.java @@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import java.io.IOException; @@ -40,14 +37,13 @@ import java.io.IOException; * @version $Id: $Id * @since August 11, 2016 */ -@AssignmentPath("/clientSideFiltering/attack1") +@RestController @AssignmentHints({"ClientSideFilteringHint1", "ClientSideFilteringHint2", "ClientSideFilteringHint3", "ClientSideFilteringHint4"}) public class ClientSideFilteringAssignment extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public + @PostMapping("/clientSideFiltering/attack1") @ResponseBody - AttackResult completed(@RequestParam String answer) throws IOException { + public AttackResult completed(@RequestParam String answer) { return trackProgress("450000".equals(answer) ? success().feedback("assignment.solved").build() : failed().feedback("ClientSideFiltering.incorrect").build()); diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java index d27e67c86..78923ad57 100644 --- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java +++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java 
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import java.io.IOException; @@ -15,16 +12,15 @@ import java.io.IOException; * @author nbaars * @since 4/6/17. */ -@AssignmentPath("/clientSideFiltering/getItForFree") +@RestController @AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"}) public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint { public static final String SUPER_COUPON_CODE = "get_it_for_free"; - @RequestMapping(method = RequestMethod.POST) - public + @PostMapping("/clientSideFiltering/getItForFree") @ResponseBody - AttackResult completed(@RequestParam String checkoutCode) { + public AttackResult completed(@RequestParam String checkoutCode) { if (SUPER_COUPON_CODE.equals(checkoutCode)) { return trackProgress(success().build()); } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java index 084cff5c6..41de6c257 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson1.java 
@@ -2,57 +2,53 @@ package org.owasp.webgoat.plugin; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; - -import javax.servlet.http.HttpServletRequest; -import java.io.IOException; - +import org.springframework.web.bind.annotation.RestController; /*************************************************************************************************** - * - * + * + * * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ - * + * * Copyright (c) 2002 - 20014 Bruce Mayhew - * + * * This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. - * + * * You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. - * + * * Getting Source ============== - * + * * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. 
- * + * * For details, please see http://webgoat.github.io - * + * * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ -@AssignmentPath("/CrossSiteScripting/attack1") +@RestController public class CrossSiteScriptingLesson1 extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) - public @ResponseBody AttackResult completed(@RequestParam String answer_xss_1, HttpServletRequest request) throws IOException { - if (answer_xss_1.toString().toLowerCase().equals("yes")) { - return trackProgress(success().build()); - } else { - return trackProgress(failed().feedback("xss.lesson1.failure").build()); - } - } + @PostMapping("/CrossSiteScripting/attack1") + @ResponseBody + public AttackResult completed(@RequestParam String answer_xss_1) { + if (answer_xss_1.toString().toLowerCase().equals("yes")) { + return trackProgress(success().build()); + } else { + return trackProgress(failed().feedback("xss.lesson1.failure").build()); + } + } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java index b8d6c672a..91eba4ae2 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java 
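Review bot: `answer_xss_1.toString().toLowerCase().equals("yes")` in the rewritten `completed` calls `toString()` on a `String` and lower-cases with the JVM default locale; `"yes".equalsIgnoreCase(answer_xss_1)` is shorter and locale-independent. The snake_case parameter `answer_xss_1` is presumably kept because it doubles as the request parameter name; `@RequestParam("answer_xss_1") String answer` preserves the wire name while letting the Java identifier follow convention.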
@@ -7,16 +7,13 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; -@AssignmentPath("CrossSiteScripting/attack3") +@RestController @AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"}) public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) + @PostMapping("CrossSiteScripting/attack3") @ResponseBody public AttackResult completed(@RequestParam String editor) { String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true); @@ -49,7 +46,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { } else { return trackProgress(failed().feedback("xss-mitigation-3-failure").build()); } - }catch(Exception e) { + } catch (Exception e) { return trackProgress(failed().output(e.getMessage()).build()); } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java index 2c7b5857e..0331b58b7 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java 
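Review bot: `@PostMapping("CrossSiteScripting/attack3")` has no leading slash, unlike `/CrossSiteScripting/attack1`, `/cia/quiz` and the other converted mappings in this commit; Spring tolerates it, but `@PostMapping("/CrossSiteScripting/attack3")` keeps the mappings uniform (the same applies to the CrossSiteScriptingLesson4 hunk). The reformatted `catch (Exception e)` block returns `e.getMessage()` straight to the client as lesson output; catching the narrowest type the parsing code can actually throw and returning a fixed feedback key would avoid exposing parser or runtime details, and a debug-level log of the exception would keep the diagnostic. The enclosing `try` begins outside this hunk.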
@@ -4,10 +4,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import javax.tools.*; import java.io.IOException; @@ -17,28 +14,26 @@ import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; -@AssignmentPath("CrossSiteScripting/attack4") +@RestController @AssignmentHints(value = {"xss-mitigation-4-hint1"}) public class CrossSiteScriptingLesson4 extends AssignmentEndpoint { - @RequestMapping(method = RequestMethod.POST) + @PostMapping("CrossSiteScripting/attack4") @ResponseBody public AttackResult completed(@RequestParam String editor2) { - String editor = editor2.replaceAll("\\<.*?>",""); + String editor = editor2.replaceAll("\\<.*?>", ""); System.out.println(editor); if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) && - editor.contains("new AntiSamy();")&& + editor.contains("new AntiSamy();") && editor.contains(".scan(newComment,") && editor.contains("CleanResults") && - editor.contains("MyCommentDAO.addComment(threadID, userID")&& - editor.contains(".getCleanHTML());")) - { + editor.contains("MyCommentDAO.addComment(threadID, userID") && + editor.contains(".getCleanHTML());")) { System.out.println("true"); return trackProgress(success().feedback("xss-mitigation-4-success").build()); - } - else { + } else { System.out.println("false"); return trackProgress(failed().feedback("xss-mitigation-4-failed").build()); } 
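Review bot: The reformatted `completed` still has `System.out.println(editor)` plus the `System.out.println("true")`/`System.out.println("false")` calls, which write the learner's submitted code and debug markers to stdout on every request; either drop them or route them through a logger at debug level. The regex in `editor2.replaceAll("\\<.*?>", "")` escapes `<`, which is not a regex metacharacter, so `editor2.replaceAll("<.*?>", "")` is equivalent and clearer. The `javax.tools.*` wildcard import now sits beside the new `org.springframework.web.bind.annotation.*`; nothing from `javax.tools` appears in the visible lines, so check whether that import is needed at all.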
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java index 18946e22c..d9b955192 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java @@ -7,16 +7,12 @@ import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.session.UserSessionData; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; -import org.springframework.web.bind.annotation.RequestParam; -import org.springframework.web.bind.annotation.ResponseBody; +import org.springframework.web.bind.annotation.*; import javax.servlet.http.HttpServletRequest; import java.io.IOException; - /*************************************************************************************************** * * 
@@ -47,52 +43,52 @@ import java.io.IOException; * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ -@AssignmentPath("/CrossSiteScripting/attack5a") +@RestController @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"}) public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { - @Autowired - UserSessionData userSessionData; + @Autowired + UserSessionData userSessionData; - @RequestMapping(method = RequestMethod.GET) - public @ResponseBody AttackResult completed(@RequestParam Integer QTY1, - @RequestParam Integer QTY2, @RequestParam Integer QTY3, - @RequestParam Integer QTY4, @RequestParam String field1, - @RequestParam String field2, HttpServletRequest request) - throws IOException { + @GetMapping("/CrossSiteScripting/attack5a") + @ResponseBody + public AttackResult completed(@RequestParam Integer QTY1, + @RequestParam Integer QTY2, @RequestParam Integer QTY3, + @RequestParam Integer QTY4, @RequestParam String field1, + @RequestParam String field2) { - if (field2.toLowerCase().matches("