[maven-release-plugin] prepare release 7.1

Signed-off-by: Doug Morato <dm@corp.io>

.travis.yml

@@ -4,19 +4,24 @@ jdk:
   - oraclejdk8
 install: "/bin/true"
 script:
-  - mvn clean install
+  - mvn clean install -q
-  - git clone https://github.com/WebGoat/WebGoat-Lessons.git
+  - git clone -b develop https://github.com/WebGoat/WebGoat-Lessons.git
-  - mvn -file ./WebGoat-Lessons/pom.xml clean package
+  - mvn -file ./WebGoat-Lessons/pom.xml clean package -q
   - cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./webgoat-container/src/main/webapp/plugin_lessons/
-  - if [[ $TRAVIS_PULL_REQUEST == "false" ]]; then mvn "-Dbuild.number=$TRAVIS_BUILD_NUMBER" -Prun-integration-tests clean install; else mvn clean install; fi
+  # Start the container this will make sure we do not see the debug logging of the Tomcat 7 Maven plugin
+  # which seems to always be set to DEBUG this will fail the build because we generate too much logging
+  - nohup bash -c "java -jar ./webgoat-standalone/target/webgoat-standalone-7.1-SNAPSHOT-exec.jar --port 8888 2>&1 &"
+  - if [[ $TRAVIS_PULL_REQUEST == "false" ]]; then mvn "-Dbuild.number=$TRAVIS_BUILD_NUMBER" -q clean install failsafe:integration-test; else mvn -q failsafe:integration-test; fi
 cache:
   directories:
   - $HOME/.m2
 before_deploy:
   - export WEBGOAT_CONTAINTER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-container/target
+  - export WEBGOAT_STANDALONE_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-standalone/target
   - export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/
   - mkdir $WEBGOAT_ARTIFACTS_FOLDER
   - cp -fa $WEBGOAT_CONTAINTER_TARGET_DIR/* $WEBGOAT_ARTIFACTS_FOLDER/
+  - cp -fa $WEBGOAT_STANDALONE_TARGET_DIR/* $WEBGOAT_ARTIFACTS_FOLDER/
   - echo "Contents of artifcts folder:"
   - ls $WEBGOAT_ARTIFACTS_FOLDER
 deploy:
@@ -30,11 +35,11 @@ deploy:
   local_dir: "$WEBGOAT_ARTIFACTS_FOLDER"
   on:
     repo: WebGoat/WebGoat
-    branch: master
+    branch: develop
     jdk: oraclejdk8
 after_success:
-  - mvn versioneye:update
+  - mvn versioneye:update -q
-  - mvn cobertura:cobertura coveralls:report
+  - mvn cobertura:cobertura coveralls:report -q
 notifications:
   slack:
     secure: S9VFew5NSE8WDzYD1VDBUULKKT0fzgblQACznwQ85699b2yeX9TX58N3RZvRS1JVagVP1wu2xOrwN2g+AWx4Ro3UBZD5XG86uTJWpCLD4cRWHBoGMH2TfvI7/IzsWmgxH4MBxFRvZr/eEhlVAux+N9H4EoEdS4CKsJXEqV37PlA=

README.MD

@@ -1,9 +1,10 @@
 # WebGoat: A deliberately insecure Web Application
 
-[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg)](https://travis-ci.org/WebGoat/WebGoat)
+[![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=master&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
+[![OWASP Labs](https://img.shields.io/badge/owasp-labs-orange.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 
 # Important Information
 
@@ -22,7 +23,7 @@ penetration testing techniques.
 * [Home Page](http://webgoat.github.io)
 * [OWASP Project Home Page](http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)
 * [Source Code](https://github.com/WebGoat/WebGoat)
-* [Easy-Run Download](https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar)
+* [Easy-Run Download](https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0.1-war-exec.jar)
 * [Wiki](https://github.com/WebGoat/WebGoat/wiki)
 * [FAQ (old info):](http://code.google.com/p/webgoat/wiki/FAQ)
 * [Project Leader - Direct to Bruce Mayhew](mailto:webgoat@owasp.org)
@@ -52,37 +53,60 @@ The "Easy Run" JAR file offers a no hassle approach to testing and running WebGo
 wish to simply try/test/run the current development version of WebGoat
 
 ### Prerequisites:
-* Java VM >= 1.6 installed ( JDK 1.7 recommended)
+* Java VM 1.8
 
-## Easy Run Instructions:
+## Standalone
 
 #### 1. Download the easy run executable jar file which contains all the lessons and a embedded Tomcat server:
 
-https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar
+https://s3.amazonaws.com/webgoat-war/webgoat-standalone-7.1-SNAPSHOT-exec.jar
 
 #### 2. Run it using java:
 
 Open a command shell/window, browse to where you downloaded the easy run jar and type:
 
 ```Shell
-java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar
+java -jar webgoat-standalone-7.0.1-exec.jar [-p | --p <port>] [-a | --address <address>]
 ```
 
-#### 3. Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
+Using the `--help` option will show the allowed command line arguments.
 
-#### (Optional) If you would like to change the port or other options, use the help command for guidance:
+#### 3. Browse to the url shown in the console and happy hacking !
 
-```Shell
+## Vagrant
-java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar --help
+
+To run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
+
+```shell
+   $ cd WebGoat/webgoat-images/vagrant-users
+   $ vagrant up
 ```
 
+Once you see the message 'Browse to http://localhost:9999/WebGoat and happy hacking! you can open a
+browser.
+
+
 # For Developers
 
+## Vagrant
+
+For an easy development experience you can use Vagrant. Note you should have Vagrant and Virtualbox installed on your system.
+
+```shell
+   $ cd WebGoat/webgoat-images/vagrant-developers
+   $ vagrant up
+```
+
+Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
+The source code will be available in the home directory.
+
+## Set up manual
+
 Follow these instructions if you wish to run Webgoat and modify the source code as well.
 
 ### Prerequisites:
 
-* Java >= 1.6 ( JDK 1.7 recommended )
+* Java 1.8
 * Maven > 2.0.9
 * Your favorite IDE, with Maven awareness: Netbeans/IntelliJ/Eclipse with m2e installed.
 * Git, or Git support in your IDE
@@ -95,7 +119,7 @@ launch Tomcat listening on localhost:8080
 mkdir WebGoat-Workspace
 cd WebGoat-Workspace
 curl -o webgoat_developer_bootstrap.sh https://raw.githubusercontent.com/WebGoat/WebGoat/master/webgoat_developer_bootstrap.sh
-sh webgoat_developer_bootstrap.sh
+./webgoat_developer_bootstrap.sh
 ```
 
 ## The Manual Way: Developer Edition!
@@ -113,6 +137,7 @@ git clone https://github.com/WebGoat/WebGoat-Lessons.git
 
 ```Shell
 cd WebGoat
+git checkout develop
 mvn clean compile install
 cd ..
 ```
@@ -122,8 +147,10 @@ cd ..
 
 ```Shell
 cd WebGoat-Lessons
+git checkout develop
 mvn package
-cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
+(linux)   cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
+(windows) xcopy "target\plugins\*.jar" "..\WebGoat\webgoat-container\src\main\webapp\plugin_lessons\"
 cd ..
 ```
 
@@ -147,19 +174,19 @@ The __maven package__ goal generates an executable .jar file:
 ```Shell
 cd WebGoat
 mvn package
-cd webgoat-container/target
+cd webgoat-standalone/target
-java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar http://localhost:8080/WebGoat
+java -jar webgoat-standalone-7.1-SNAPSHOT-exec.jar [-p | --p <port>] [-a | --address <address>]
 ```
 
-Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
+Browse to url shown in the console and happy hacking !
 
-#### Option #3: Deploy the WebGoat WAR file in your local Tomcat or other Application Serve:
+#### Option #3: Deploy the WebGoat WAR file in your local Tomcat or other Application Server:
 The __maven package__ goal generates a .war file that can deployed into an Application Server, such as Tomcat
 
 ```Shell
 cd WebGoat
 mvn package
-cp webgoat-container/target/webgoat-container-7.0-SNAPSHOT.war <your_tomcat_directory>/webapps/
+cp webgoat-container/target/webgoat-container-7.1-SNAPSHOT.war <your_tomcat_directory>/webapps/
 ```
 
 Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !

pom.xml

@@ -5,7 +5,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>7.0.1</version>
+    <version>7.1</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -86,7 +86,7 @@
         <url>https://github.com/WebGoat/WebGoat</url>
         <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
         <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
-      <tag>HEAD</tag>
+      <tag>7.1</tag>
   </scm>
 
     <issueManagement>
@@ -142,12 +142,12 @@
         <maven-failsafe-plugin.version>2.19</maven-failsafe-plugin.version>
         <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
         <maven-jar-plugin.version>2.6</maven-jar-plugin.version>
-        <maven-javadoc-plugin.version>2.10.3</maven-javadoc-plugin.version>
+        <maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version>
         <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
-        <maven-source-plugin.version>2.4</maven-source-plugin.version>
+        <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
         <maven-surefire-plugin.version>2.19</maven-surefire-plugin.version>
         <maven-war-plugin.version>2.6</maven-war-plugin.version>
-        <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
+        <nexus-staging-maven-plugin.version>1.6.7</nexus-staging-maven-plugin.version>
         <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
         <sauce_junit.version>2.1.20</sauce_junit.version>
         <selenium-java.version>2.48.2</selenium-java.version>
@@ -164,6 +164,7 @@
 
     <modules>
         <module>webgoat-container</module>
+        <module>webgoat-standalone</module>
     </modules>
 
     <distributionManagement>
@@ -195,9 +196,37 @@
     <profiles>
         <profile>
             <id>release</id>
+			<dependencies>
+                <dependency>
+                    <groupId>org.owasp.webgoat.lesson</groupId>
+                    <artifactId>dist</artifactId>
+                    <version>1.0</version>
+                    <type>zip</type>
+                    <scope>provided</scope>
+                    <classifier>plugins</classifier>
+                </dependency>
+            </dependencies>
             <build>
                 <plugins>
 				    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-dependency-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <id>unpack-lesson</id>
+                                <goals>
+                                    <goal>unpack-dependencies</goal>
+                                </goals>
+                                <phase>generate-resources</phase>
+                                <configuration>
+                                    <outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory>
+                                    <includeArtifactIds>dist</includeArtifactIds>
+                                    <includes>*.jar</includes>
+                                </configuration>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
                         <groupId>org.sonatype.plugins</groupId>
                         <artifactId>nexus-staging-maven-plugin</artifactId>
                         <version>${nexus-staging-maven-plugin.version}</version>
@@ -205,7 +234,7 @@
                         <configuration>
                             <serverId>ossrh</serverId>
                             <nexusUrl>https://oss.sonatype.org/</nexusUrl>
-                            <autoReleaseAfterClose>true</autoReleaseAfterClose>
+                            <autoReleaseAfterClose>false</autoReleaseAfterClose>
                         </configuration>
                     </plugin>
                     <plugin>

webgoat-container/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>7.0.1</version>
+        <version>7.1</version>
     </parent>
 
     <profiles>
@@ -77,6 +77,11 @@
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-failsafe-plugin</artifactId>
                         <version>${maven-failsafe-plugin.version}</version>
+                        <configuration>
+                            <systemPropertyVariables>
+                                <log4j.configuration>file:${project.basedir}/src/test/resources/log4j-silent.properties</log4j.configuration>
+                            </systemPropertyVariables>
+                        </configuration>
                         <executions>
                             <execution>
                                 <goals>
@@ -206,6 +211,28 @@
                     </excludes>
                 </configuration>
             </plugin>
+            <!--<plugin>-->
+                <!--<groupId>com.github.webdriverextensions</groupId>-->
+                <!--<artifactId>webdriverextensions-maven-plugin</artifactId>-->
+                <!--<version>3.0.2</version>-->
+                <!--<executions>-->
+                    <!--<execution>-->
+                        <!--<goals>-->
+                            <!--<goal>install-drivers</goal>-->
+                        <!--</goals>-->
+                    <!--</execution>-->
+                <!--</executions>-->
+                <!--<configuration>-->
+                    <!--<drivers>-->
+                        <!--<driver>-->
+                            <!--<name>chromedriver</name>-->
+                            <!--<platform>windows</platform>-->
+                            <!--<bit>64</bit>-->
+                        <!--</driver>-->
+                    <!--</drivers>-->
+                    <!--<keepDownloadedWebdrivers>true</keepDownloadedWebdrivers>-->
+                <!--</configuration>-->
+            <!--</plugin>-->
         </plugins>
     </build>
 
@@ -465,6 +492,11 @@
             <version>${sauce_junit.version}</version>
             <scope>test</scope>
         </dependency>
+        <!--<dependency>-->
+            <!--<groupId>com.github.webdriverextensions</groupId>-->
+            <!--<artifactId>webdriverextensions</artifactId>-->
+            <!--<version>2.8.0</version>-->
+        <!--</dependency>-->
         <!-- ************* END: Dependencies for Unit and Integration Testing ************** -->
         <!-- ************* END: <dependencies> ************** -->
     </dependencies>

webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java

@@ -96,7 +96,7 @@ public class Catcher extends HammerHead
 			// property file. No other control parameters are supported at this time.
 			if (!property.equals(EMPTY_STRING))
 			{
-				Enumeration e = session.getParser().getParameterNames();
+				Enumeration<String> e = session.getParser().getParameterNames();
 
 				while (e.hasMoreElements())
 				{

webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java

@@ -20,6 +20,7 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.net.URL;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
@@ -63,7 +64,6 @@ public class HammerHead extends HttpServlet {
 
     final Logger logger = LoggerFactory.getLogger(HammerHead.class);
 
-    private static final String WELCOMED = "welcomed";
 
     /**
      *
@@ -244,6 +244,10 @@ public class HammerHead extends HttpServlet {
         httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
         propertiesPath = getServletContext().getRealPath("/WEB-INF/webgoat.properties");
         webgoatContext = new WebgoatContext(this);
+        URL runningStandalone = Thread.currentThread().getContextClassLoader().getResource("standalone.properties");
+        if (runningStandalone == null) {
+            logger.info("Browse to http://localhost:8080/WebGoat and happy hacking!");
+        }
     }
 
     /**

webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java

@@ -5,7 +5,22 @@
  */
 package org.owasp.webgoat.application;
 
-import com.google.common.collect.Maps;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Paths;
+import java.sql.Driver;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+import java.util.Enumeration;
+import java.util.Set;
+import java.util.jar.Attributes;
+import java.util.jar.Manifest;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import javax.servlet.ServletRegistration;
+
 import org.owasp.webgoat.HammerHead;
 import org.owasp.webgoat.lessons.LessonServletMapping;
 import org.owasp.webgoat.plugins.PluginsLoader;
@@ -15,22 +30,6 @@ import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
 import org.springframework.core.type.filter.AnnotationTypeFilter;
 
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-import javax.servlet.ServletRegistration;
-import java.io.IOException;
-import java.io.InputStream;
-import java.nio.file.Paths;
-import java.sql.Driver;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-import java.util.Enumeration;
-import java.util.Map;
-import java.util.Set;
-import java.util.jar.Attributes;
-import java.util.jar.Manifest;
-
 /**
  * Web application lifecycle listener.
  *
@@ -55,7 +54,6 @@ public class WebGoatServletListener implements ServletContextListener {
 
     private void loadServlets(ServletContextEvent sce) {
         final ServletContext servletContext = sce.getServletContext();
-        Map<String, Class> controllers = Maps.newHashMap();
         ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(
                 false);
         provider.addIncludeFilter(new AnnotationTypeFilter(LessonServletMapping.class));

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -35,35 +35,36 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
+import static java.lang.Math.abs;
+
 /**
  * ************************************************************************************************
- *
+ * <p>
- *
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @since October 28, 2003
  * @version $Id: $Id
+ * @since October 28, 2003
  */
 public abstract class AbstractLesson extends Screen implements Comparable<Object> {
 
@@ -74,7 +75,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      */
     public final static String ADMIN_ROLE = "admin";
 
-    /** Constant <code>CHALLENGE_ROLE="challenge"</code> */
+    /**
+     * Constant <code>CHALLENGE_ROLE="challenge"</code>
+     */
     public final static String CHALLENGE_ROLE = "challenge";
 
     /**
@@ -120,7 +123,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      * Constructor for the Lesson object
      */
     public AbstractLesson() {
-        id = new Integer(++count);
+        //based on the class name derive an id so the screenId is fixed, should not give clashes based on
+        //the fact we use the classname and the size is limited
+        id = abs(this.getClass().getSimpleName().hashCode());
     }
 
     /**
@@ -185,7 +190,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * {@inheritDoc}
-     *
+     * <p>
      * Description of the Method
      */
     public int compareTo(Object obj) {
@@ -194,7 +199,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * {@inheritDoc}
-     *
+     * <p>
      * Description of the Method
      */
     public boolean equals(Object obj) {
@@ -368,6 +373,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     // @TODO we need to restrict access at the service layer
     // rather than passing session object around
+
     /**
      * <p>getHintsPublic.</p>
      *
@@ -384,8 +390,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      * stuck on somthing silly.
      *
      * @param s          The users WebSession
-     * @return The hint1 value
      * @param hintNumber a int.
+     * @return The hint1 value
      */
     public String getHint(WebSession s, int hintNumber) {
         return "Hint: " + getHints(s).get(hintNumber);
@@ -394,8 +400,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
     /**
      * Gets the instructions attribute of the AbstractLesson object
      *
-     * @return The instructions value
      * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+     * @return The instructions value
      */
     public abstract String getInstructions(WebSession s);
 
@@ -613,12 +619,11 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * <p>Returns the default "path" portion of a lesson's URL.</p>
-     *
+     * <p>
-     *
      * Legacy webgoat lesson links are of the form
      * "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of
      * the url, i.e., "attack" in the string above.
-     *
+     * <p>
      * Newer, Spring-Controller-based classes will override this method to
      * return "*.do"-styled paths.
      *
@@ -630,7 +635,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * Get the link that can be used to request this screen.
-     *
+     * <p>
      * Rendering the link in the browser may result in Javascript sending
      * additional requests to perform necessary actions or to obtain data
      * relevant to the lesson or the element of the lesson selected by the
@@ -651,7 +656,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * Get the link to the target servlet.
-     *
+     * <p>
      * Unlike getLink() this method does not require rendering the output of
      * the request to the link in order to execute the servlet's method with
      * conventional HTTP query parameters.
@@ -999,6 +1004,4 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
     }
 
 
-
-
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java

@@ -70,10 +70,15 @@ public abstract class LessonAdapter extends AbstractLesson {
         ec
                 .addElement(new StringElement(
                         "Lesson are simple to create and very little coding is required.   "
-                                + "In fact, most lessons can be created by following the easy to use instructions in the "
+                                + "In fact, most lessons can be created by following the easy to use instructions by going to the WebGoat wiki page "
-                                + "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
+                                + "<A HREF=https://github.com/WebGoat/WebGoat/wiki>WebGoat Wiki Page</A>&nbsp;&nbsp;"
-                                + "If you would prefer, send your lesson ideas to "
+                                + "If you would prefer, send your lesson ideas to&nbsp;"
-                                + getWebgoatContext().getFeedbackAddressHTML()));
+                                + getWebgoatContext().getFeedbackAddressHTML())
+                                + " Note: you will need to register at "
+                                + "the following link to use the feedback tool:&nbsp;"
+                                + "<A HREF=https://lists.owasp.org/mailman/listinfo/owasp-webgoat>List Registration</A>&nbsp;&nbsp;"
+                                + "Finally, OWASP has a slack channel. You can register at the following link:&nbsp;"
+                                + "<A HREF=https://owasp.slack.com/>OWASP Slack Channel</A>");
         
         try (InputStream is = Thread.currentThread().getContextClassLoader()
                 .getResourceAsStream("New Lesson Instructions.txt")) {
@@ -250,7 +255,7 @@ public abstract class LessonAdapter extends AbstractLesson {
     protected Element makeSuccess(WebSession s) {
         getLessonTracker(s).setCompleted(true);
 
-        s.setMessage(getLabelManager().get("LessonCompleted"));
+        //s.setMessage(getLabelManager().get("LessonCompleted"));
 
         return (null);
     }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/RandomLessonAdapter.java

@@ -1,14 +1,15 @@
 
 package org.owasp.webgoat.lessons;
 
-import java.sql.Connection;
-import java.sql.SQLException;
 import org.owasp.webgoat.session.CreateDB;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.LessonTracker;
 import org.owasp.webgoat.session.RandomLessonTracker;
 import org.owasp.webgoat.session.WebSession;
 
+import java.sql.Connection;
+import java.sql.SQLException;
+
 
 /**
  * <p>Abstract RandomLessonAdapter class.</p>
@@ -75,7 +76,7 @@ public abstract class RandomLessonAdapter extends LessonAdapter
         lt.setStageComplete(stage, true);
         if (lt.getCompleted())
         {
-            s.setMessage("Congratulations, you have completed this lab");
+            //s.setMessage("Congratulations, you have completed this lab");
         }
         else
         {

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java

@@ -55,7 +55,6 @@ public class PluginsLoader {
         try {
             if (!alreadyLoaded) {
                 WebappClassLoader cl = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
-                cl.setAntiJARLocking(true);
                 List<URL> jars = listJars();
                 for (URL jar : jars) {
                     cl.addRepository(jar.toString());

webgoat-container/src/main/java/org/owasp/webgoat/service/DummyService.java

@@ -1,57 +0,0 @@
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- */
-package org.owasp.webgoat.service;
-
-import java.util.ArrayList;
-import java.util.List;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-/**
- * <p>DummyService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class DummyService extends BaseService{
-
-    /**
-     * <p>firstNames.</p>
-     *
-     * @return a {@link java.util.List} object.
-     */
-    @RequestMapping(value = "/first.mvc", produces = "application/json")
-    public @ResponseBody
-    List<String> firstNames() {
-        List<String> test = new ArrayList<String>();
-        test.add("one");
-        test.add("two)");
-        return test;
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java

@@ -29,18 +29,23 @@
  */
 package org.owasp.webgoat.service;
 
+import java.util.HashMap;
+import java.util.Map;
+
 import org.owasp.webgoat.session.LabelDebugger;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
- * <p>PluginReloadService class.</p>
+ * <p>LabelDebugService class.</p>
  *
  * @author nbaars
  * @version $Id: $Id
@@ -48,21 +53,52 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @Controller
 public class LabelDebugService extends BaseService {
 
+    private static final String URL_DEBUG_LABELS_MVC = "/debug/labels.mvc";
+    private static final String KEY_ENABLED = "enabled";
+    private static final String KEY_SUCCESS = "success";
+
     private static final Logger logger = LoggerFactory.getLogger(LabelDebugService.class);
 
     @Autowired
     private LabelDebugger labelDebugger;
 
+
     /**
-     * Reload all the plugins
+     * Checks if debugging of labels is enabled or disabled
      *
      * @return a {@link org.springframework.http.ResponseEntity} object.
      */
-    @RequestMapping(value = "/debug/labels.mvc")
+    @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
     public @ResponseBody
-    //todo parse params to add enable / disable
+    ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
-    ResponseEntity<String> reloadPlugins() {
+        logger.debug("Checking label debugging, it is " + labelDebugger.isEnabled()); // FIXME parameterize
-        labelDebugger.enable();
+        Map<String, Object> result = createResponse(labelDebugger.isEnabled());
-        return new ResponseEntity("Label debugger enabled refresh the WebGoat page!",HttpStatus.OK);
+        return new ResponseEntity<Map<String, Object>>(result, HttpStatus.OK);
+    }
+
+      /**
+      * Sets the enabled flag on the label debugger to the given parameter
+      * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+      * @throws Exception unhandled exception
+      * @return a {@link org.springframework.http.ResponseEntity} object.
+      */
+     @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
+     public @ResponseBody
+     ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
+         logger.debug("Setting label debugging to " + labelDebugger.isEnabled()); // FIXME parameterize
+         Map<String, Object> result = createResponse(enabled);
+         labelDebugger.setEnabled(enabled);
+         return new ResponseEntity<Map<String, Object>>(result, HttpStatus.OK);
+     }
+
+    /**
+     * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+     * @return a {@link java.util.Map} object.
+     */
+    private Map<String, Object> createResponse(Boolean enabled) {
+        Map<String, Object> result = new HashMap<String, Object>();
+        result.put(KEY_SUCCESS, Boolean.TRUE);
+        result.put(KEY_ENABLED, enabled);
+        return result;
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java

@@ -29,17 +29,15 @@
  */
 package org.owasp.webgoat.service;
 
-import javax.servlet.http.HttpSession;
-import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
-import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
 import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.model.SourceListing;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpSession;
+
 /**
  * <p>LessonPlanService class.</p>
  *
@@ -61,9 +59,6 @@ public class LessonPlanService extends BaseService {
         WebSession ws = getWebSession(session);
         String plan = getPlan(ws);
         return plan;
-        //SourceListing sl = new SourceListing();
-        //sl.setSource(source);
-        //return sl;
     }
 
     /**
@@ -73,15 +68,12 @@ public class LessonPlanService extends BaseService {
      * @return Description of the Return Value
      */
     protected String getPlan(WebSession s) {
-
         String plan = null;
         int scr = s.getCurrentScreen();
         Course course = s.getCourse();
 
-        if (s.isUser() || s.isChallenge()) {
+        if (s.isUser() || s.isAdmin()) {
-
             AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
             if (lesson != null) {
                 plan = lesson.getLessonPlan(s);
             }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java

@@ -0,0 +1,54 @@
+package org.owasp.webgoat.service;
+
+import com.google.common.collect.Maps;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.RandomLessonAdapter;
+import org.owasp.webgoat.lessons.model.LessonInfoModel;
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.LabelManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpSession;
+import java.util.Map;
+
+@Controller
+/**
+ * <p>LessonProgressService class.</p>
+ *
+ * @author webgoat
+ */
+public class LessonProgressService extends BaseService {
+
+    private static final Logger logger = LoggerFactory.getLogger(LessonMenuService.class);
+    private LabelManager labelManager;
+
+    @Autowired
+    public LessonProgressService(final LabelManager labelManager) {
+        this.labelManager = labelManager;
+    }
+
+    /**
+     * <p>LessonProgressService.</p>
+     *
+     * @param session a {@link HttpSession} object.
+     * @return a {@link LessonInfoModel} object.
+     */
+    @RequestMapping(value = "/lessonprogress.mvc", produces = "application/json")
+    @ResponseBody
+    public Map getLessonInfo(HttpSession session) {
+        WebSession webSession = getWebSession(session);
+        AbstractLesson lesson = webSession.getCurrentLesson();
+        boolean lessonCompleted = lesson.isCompleted(webSession);
+        String successMessage = lesson instanceof RandomLessonAdapter ? "Congratulations, you have completed this lab" : labelManager
+                .get("LessonCompleted");
+        Map json = Maps.newHashMap();
+        json.put("lessonCompleted", lessonCompleted);
+        json.put("successMessage", successMessage);
+        return json;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java

@@ -29,19 +29,23 @@
  */
 package org.owasp.webgoat.service;
 
+import java.nio.file.Paths;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpSession;
+
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.owasp.webgoat.session.WebSession;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.servlet.http.HttpSession;
-import java.nio.file.Paths;
-
 /**
  * <p>PluginReloadService class.</p>
  *
@@ -59,16 +63,20 @@ public class PluginReloadService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link org.springframework.http.ResponseEntity} object.
      */
-    @RequestMapping(value = "/reloadplugins.mvc")
+    @RequestMapping(value = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
     public @ResponseBody
-    ResponseEntity<String> reloadPlugins(HttpSession session) {
+    ResponseEntity<Map<String, Object>> reloadPlugins(HttpSession session) {
         WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
+
         logger.debug("Loading plugins into cache");
         String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
         String targetPath = session.getServletContext().getRealPath("plugin_extracted");
         new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
-
         webSession.getCourse().loadLessonFromPlugin(session.getServletContext());
-        return new ResponseEntity("Plugins reload refresh the WebGoat page!",HttpStatus.OK);
+
+        Map<String, Object> result = new HashMap<String, Object>();
+        result.put("success", true);
+        result.put("message", "Plugins reloaded");
+        return new ResponseEntity<Map<String, Object>>(result, HttpStatus.OK);
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java

@@ -26,11 +26,13 @@
  */
 package org.owasp.webgoat.service;
 
-import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.session.WebSession;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+import javax.servlet.http.HttpSession;
 
 /**
  * <p>RestartLessonService class.</p>
@@ -45,16 +47,14 @@ public class RestartLessonService extends BaseService {
      * Returns current lesson
      *
      * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/restartlesson.mvc", produces = "text/text")
+    @RequestMapping(value = "/restartlesson.mvc")
-    public @ResponseBody
+    @ResponseStatus(value = HttpStatus.OK)
-    String restartLesson(HttpSession session) {
+    public void restartLesson(HttpSession session) {
         WebSession ws = getWebSession(session);
         int currentScreen = ws.getCurrentScreen();
         if(currentScreen > 0){
             ws.restartLesson(currentScreen);
         }
-        return ws.getCurrentLesson().getLink();
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java

@@ -29,7 +29,6 @@
  */
 package org.owasp.webgoat.service;
 
-import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
@@ -37,6 +36,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpSession;
+
 /**
  * <p>SolutionService class.</p>
  *
@@ -67,23 +68,19 @@ public class SolutionService extends BaseService {
      * @return a {@link java.lang.String} object.
      */
     protected String getSolution(WebSession s) {
-
         String source = null;
         int scr = s.getCurrentScreen();
         Course course = s.getCourse();
 
-        if (s.isUser() || s.isChallenge()) {
+        if (s.isUser() || s.isAdmin()) {
-
             AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
             if (lesson != null) {
                 source = lesson.getSolution(s);
             }
         }
         if (source == null) {
-            return "Solution  is not available. Contact "
+            return "Solution  is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();
-                    + s.getWebgoatContext().getFeedbackAddressHTML();
         }
-        return (source);
+        return source;
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java

@@ -75,15 +75,12 @@ public class SourceService extends BaseService {
      * @return Description of the Return Value
      */
     protected String getSource(WebSession s) {
-
         String source = null;
         int scr = s.getCurrentScreen();
         Course course = s.getCourse();
 
-        if (s.isUser() || s.isChallenge()) {
+        if (s.isUser() || s.isAdmin()) {
-
             AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
             if (lesson != null) {
                 source = lesson.getRawSource(s);
             }
@@ -91,7 +88,7 @@ public class SourceService extends BaseService {
         if (source == null) {
             return "Source code is not available for this lesson.";
         }
-        return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
+        return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
-                "Code Section Deliberately Omitted"));
+                "Code Section Deliberately Omitted");
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/session/LabelDebugger.java

@@ -10,7 +10,7 @@ import java.io.Serializable;
  */
 public class LabelDebugger implements Serializable {
 
-    private boolean isEnabled = false;
+    private boolean enabled = false;
 
     /**
      * <p>isEnabled.</p>
@@ -18,14 +18,29 @@ public class LabelDebugger implements Serializable {
      * @return a boolean.
      */
     public boolean isEnabled() {
-        return isEnabled;
+        return enabled;
     }
 
     /**
-     * <p>enable.</p>
+     * <p>Enables label debugging</p>
      */
     public void enable() {
-        this.isEnabled = true;
+        this.enabled = true;
+    }
+
+    /**
+     * <p>Disables label debugging</p>
+     */
+    public void disable() {
+        this.enabled = false;
+    }
+
+    /**
+     * <p>Sets the status to enabled</p>
+     * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+     */
+    public void setEnabled(boolean enabled)  {
+        this.enabled = enabled;
     }
 
 }

webgoat-container/src/main/java/org/owasp/webgoat/session/ParameterParser.java

@@ -467,7 +467,7 @@ public class ParameterParser {
      *
      * @return The parameterNames value
      */
-    public Enumeration getParameterNames() {
+    public Enumeration<String> getParameterNames() {
         if (request == null) {
             return (null);
         }

webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java

@@ -33,32 +33,27 @@ import org.slf4j.LoggerFactory;
  * *************************************************************************************************
  *
  *
- * This file is part of WebGoat, an Open Web Application Security Project
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
- * utility. For details, please see http://www.owasp.org/
+ * http://www.owasp.org/
  *
  * Copyright (c) 2002 - 20014 Bruce Mayhew
  *
- * This program is free software; you can redistribute it and/or modify it under
+ * This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
- * the terms of the GNU General Public License as published by the Free Software
+ * License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
- * Foundation; either version 2 of the License, or (at your option) any later
  * version.
  *
- * This program is distributed in the hope that it will be useful, but WITHOUT
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
  *
- * You should have received a copy of the GNU General Public License along with
+ * You should have received a copy of the GNU General Public License along with this program; if not, write to the Free
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- * Place - Suite 330, Boston, MA 02111-1307, USA.
  *
  * Getting Source ==============
  *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * for free software projects.
+ * projects.
  *
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
+ * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * Security</a>
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
  * @since October 28, 2003
  * @version $Id: $Id
@@ -96,7 +91,7 @@ public class WebSession {
     public final static String COURSE = "course";
 
     /**
-     * Description of the Field
+     * Error screen number
      */
     public final static int ERROR = 0;
 
@@ -104,27 +99,27 @@ public class WebSession {
     public static final String STAGE = "stage";
 
     /**
-     * Description of the Field
+     * session id string
      */
     public final static String JSESSION_ID = "jsessionid";
 
     /**
-     * Description of the Field
+     * Logout parameter name
      */
     public final static String LOGOUT = "Logout";
 
     /**
-     * Description of the Field
+     * Restart parameter name
      */
     public final static String RESTART = "Restart";
 
     /**
-     * Description of the Field
+     * menu parameter name
      */
     public final static String MENU = "menu";
 
     /**
-     * Description of the Field
+     * Screen parameter name
      */
     public final static String SCREEN = "Screen";
 
@@ -184,6 +179,8 @@ public class WebSession {
 
     private int previousScreen = ERROR;
 
+    private int previousStage = -1;
+
     private int hintNum = -1;
 
     private boolean isAdmin = false;
@@ -289,7 +286,7 @@ public class WebSession {
     }
 
     /**
-     * Description of the Method
+     * Marks all cookies but the JSESSIONID for deletion and adds them to the response.
      */
     public void eatCookies() {
         Cookie[] cookies = request.getCookies();
@@ -338,11 +335,9 @@ public class WebSession {
     }
 
     /**
-     * Sets the admin flag - this routine is ONLY here to allow someone a
+     * Sets the admin flag - this routine is ONLY here to allow someone a backdoor to setting the user up as an admin.
-     * backdoor to setting the user up as an admin.
      *
-     * This is also used by the WebSession to set the admin, but the method
+     * This is also used by the WebSession to set the admin, but the method should be private
-     * should be private
      *
      * @param state a boolean.
      */
@@ -539,11 +534,10 @@ public class WebSession {
         }
 
         /*
-         * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies
+         * List cookies = new Vector(); HttpServletRequest request = getRequest(); Cookie[] cookies =
-         * = request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI(
+         * request.getCookies(); if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); } for ( int i =
-         * "No Cookies" ) ); } for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie =
+         * 0; i < cookies.length; i++ ) { Cookie cookie = cookies[i]; cookies.add(cookie); //list.addElement( new LI(
-         * cookies[i]; cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
+         * cookie.getName() + " -> " + cookie.getValue() ) ); }
-         * cookie.getValue() ) ); }
          */
         return cookies;
     }
@@ -918,8 +912,8 @@ public class WebSession {
     }
 
     /**
-     * Parse parameters from the given request, handle any servlet commands, and
+     * Parse parameters from the given request, handle any servlet commands, and update this session based on the
-     * update this session based on the parameters.
+     * parameters.
      *
      * @param request Description of the Parameter
      * @param response Description of the Parameter
@@ -929,22 +923,12 @@ public class WebSession {
     public void update(HttpServletRequest request, HttpServletResponse response, String name) throws IOException {
         String content = null;
 
-        clearMessage();
         this.request = request;
         this.response = response;
         this.servletName = name;
 
-        if (myParser == null) {
+        clearMessage();
-            myParser = new ParameterParser(request);
+        updateParser(request);
-        } else {
-            myParser.update(request);
-        }
-
-        Locale locale = request.getLocale();
-        if(locale != null) {
-        	LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
-        	labelManager.setLocale(locale);
-        }
 
         // System.out.println("Current Screen 1: " + currentScreen );
         // System.out.println("Previous Screen 1: " + previousScreen );
@@ -952,78 +936,72 @@ public class WebSession {
         // FIXME: doesn't work right -- no reauthentication
         // REMOVED - we have explicit logout now via spriing security
         /*
-        if (myParser.getRawParameter(LOGOUT, null) != null) {
+         * if (myParser.getRawParameter(LOGOUT, null) != null) { System.out.println("Logout " +
-            System.out.println("Logout " + request.getUserPrincipal());
+         * request.getUserPrincipal()); eatCookies(); request.getSession().invalidate(); currentScreen = WELCOME;
-            eatCookies();
+         * previousScreen = ERROR; }
-            request.getSession().invalidate();
-            currentScreen = WELCOME;
-            previousScreen = ERROR;
-        }
          */
 
-        // There are several scenarios where we want the first lesson to be loaded
+        updateScreenProperties(request);
-        // 1) Previous screen is Welcome - Start of the course
-        // 2) After a logout and after the session has been reinitialized
-        if ((this.getPreviousScreen() == WebSession.WELCOME) || (getRequest().getSession(false) != null
-                && // getRequest().getSession(false).isNew() &&
-                this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR)) {
-            currentScreen = course.getFirstLesson().getScreenId();
-            hintNum = -1;
-        }
 
-        // System.out.println("Current Screen 2: " + currentScreen );
-        // System.out.println("Previous Screen 2: " + previousScreen );
-        // update the screen variables
-        previousScreen = currentScreen;
-
-        try {
-            // If the request is new there should be no parameters.
-            // This can occur from a session timeout or a the starting of a new course.
-            if (!request.getSession().isNew()) {
-                currentScreen = myParser.getIntParameter(SCREEN, currentScreen);
-            } else {
-                if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) {
-                    this.setMessage("Session Timeout - Starting new Session.");
-                }
-            }
-        } catch (Exception e) {
-        }
-
-        // clear variables when switching screens
         if (this.getCurrentScreen() != this.getPreviousScreen()) {
-            if (webgoatContext.isDebug()) {
+            clearScreenProperties();
-                setMessage("Changed to a new screen, clearing cookies and hints");
-            }
-            eatCookies();
-            hintNum = -1;
         } else if (myParser.getRawParameter(STAGE, null) != null) {
-            AbstractLesson al = getCurrentLesson();
+            updateCurrentScreenStage();
-            if (al instanceof SequentialLessonAdapter) {
-                SequentialLessonAdapter sla = (SequentialLessonAdapter) al;
-                int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
-                if (stage > 0 && stage <= sla.getStageCount()) {
-                    sla.setStage(this, stage);
-                }
-            } else if (al instanceof RandomLessonAdapter) {
-                try {
-                    RandomLessonAdapter rla = (RandomLessonAdapter) al;
-                    if (!myParser.getRawParameter(STAGE).equals("null")) {
-                        int stage = myParser.getIntParameter(STAGE) - 1;
-                        String[] stages = rla.getStages();
-                        if (stages == null) {
-                            stages = new String[0];
-                        }
-                        if (stage >= 0 && stage < stages.length) {
-                            rla.setStage(this, stages[stage]);
-                        }
         } else {
-                        rla.setStage(this, null);
+            content = updateCurrentScreen(content);
         }
-                } catch (ParameterNotFoundException pnfe) {
+
+        updateParameters(request);
+        updateContent(response, content);
+    }
+
+    /**
+     * Updates parameters isAdmin, isHackedAdmin, hasHackedHackableAdmin, isColor and isDebug
+     *
+     * @param request
+     */
+    private void updateParameters(HttpServletRequest request) {
+        isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
+        isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
+        if (isHackedAdmin) {
+            System.out.println("Hacked admin");
+            hasHackedHackableAdmin = true;
+        }
+        isColor = myParser.getBooleanParameter(COLOR, isColor);
+        isDebug = myParser.getBooleanParameter(DEBUG, isDebug);
+    }
+
+    /**
+     * If the content is not already set we get the response and sends it on its way
+     *
+     * @param response
+     * @param content to send
+     * @throws IOException
+     */
+    private void updateContent(HttpServletResponse response, String content) throws IOException {
+        // System.out.println( "showParams:" + showParams );
+        // System.out.println( "showSource:" + showSource );
+        // System.out.println( "showSolution:" + showSolution );
+        // System.out.println( "showCookies:" + showCookies );
+        // System.out.println( "showRequest:" + showRequest );
+        if (content != null) {
+            response.setContentType("text/html");
+            PrintWriter out = new PrintWriter(response.getOutputStream());
+            out.print(content);
+            out.flush();
+            out.close();
         }
     }
-        } // else update global variables for the current screen
+
-        else {
+    /**
+     * Checks to see if the lesson should be restarted. Also handles parsing of "show" commands for getting hints,
+     * params, cookies, source and solution.
+     *
+     * @param content
+     * @return the updated content
+     */
+    private String updateCurrentScreen(String content) {
+        // else update global variables for the current screen
         // Handle "restart" commands
         int lessonId = myParser.getIntParameter(RESTART, -1);
         if (lessonId != -1) {
@@ -1054,29 +1032,134 @@ public class WebSession {
                 getPreviousHint();
             }
         }
-
+        return content;
     }
 
-        isAdmin = request.isUserInRole(WEBGOAT_ADMIN);
+    /**
-        isHackedAdmin = myParser.getBooleanParameter(ADMIN, isAdmin);
+     * Checks to see what kind of lesson we are viewing and parses the "stage" parameter accordingly. Sets the stage for
-        if (isHackedAdmin) {
+     * the lesson using setStage on the lesson object.
-            System.out.println("Hacked admin");
+     */
-            hasHackedHackableAdmin = true;
+    private void updateCurrentScreenStage() {
+        AbstractLesson al = getCurrentLesson();
+        if (al instanceof SequentialLessonAdapter) {
+            updateSlaStage((SequentialLessonAdapter) al);
+        } else if (al instanceof RandomLessonAdapter) {
+            updateRlaStage((RandomLessonAdapter) al);
+        }
     }
-        isColor = myParser.getBooleanParameter(COLOR, isColor);
-        isDebug = myParser.getBooleanParameter(DEBUG, isDebug);
 
-        // System.out.println( "showParams:" + showParams );
+    /**
-        // System.out.println( "showSource:" + showSource );
+     * Updates the stage for a RandomLessonAdapter
-        // System.out.println( "showSolution:" + showSolution );
+     *
-        // System.out.println( "showCookies:" + showCookies );
+     * @param al
-        // System.out.println( "showRequest:" + showRequest );
+     */
-        if (content != null) {
+    private void updateRlaStage(RandomLessonAdapter rla) {
-            response.setContentType("text/html");
+        try {
-            PrintWriter out = new PrintWriter(response.getOutputStream());
+            if (!myParser.getRawParameter(STAGE).equals("null")) {
-            out.print(content);
+                int currentStage = myParser.getIntParameter(STAGE) - 1;
-            out.flush();
+                if (previousStage != currentStage) {
-            out.close();
+                    previousStage = currentStage;
+                    String[] stages = rla.getStages();
+                    if (stages == null) {
+                        stages = new String[0];
+                    }
+                    if (currentStage >= 0 && currentStage < stages.length) {
+                        rla.setStage(this, stages[currentStage]);
+                    }
+                }
+            } else {
+                rla.setStage(this, null);
+            }
+        } catch (ParameterNotFoundException pnfe) {
+            logger.warn("ParameterNotFoundException when updating stage for RandomLessonAdapter: " + pnfe.getMessage() + " " + pnfe.getCause());
+        }
+    }
+
+    /**
+     * Updates the stage for a SequentialLessonAdapter
+     *
+     * @param al
+     */
+    private void updateSlaStage(SequentialLessonAdapter sla) {
+        int stage = myParser.getIntParameter(STAGE, sla.getStage(this));
+        if (stage > 0 && stage <= sla.getStageCount()) {
+            sla.setStage(this, stage);
+        }
+    }
+
+    /**
+     * Eats all the cookies and resets hintNum and previousStage
+     */
+    private void clearScreenProperties() {
+        if (webgoatContext.isDebug()) {
+            setMessage("Changed to a new screen, clearing cookies and hints");
+        }
+        eatCookies();
+        hintNum = -1;
+        previousStage = -1;
+    }
+
+    /**
+     * Updates the properties currentScreen, previousScreen and hintNum depending on which scenario is being handled.
+     *
+     * @param request
+     */
+    private void updateScreenProperties(HttpServletRequest request) {
+        // There are several scenarios where we want the first lesson to be loaded
+        // 1) Previous screen is Welcome - Start of the course
+        // 2) After a logout and after the session has been reinitialized
+        if ((this.getPreviousScreen() == WebSession.WELCOME) || 
+                (getRequest().getSession(false) != null &&
+                // getRequest().getSession(false).isNew() &&
+                this.getCurrentScreen() == WebSession.WELCOME && 
+                this.getPreviousScreen() == WebSession.ERROR)) {
+            currentScreen = course.getFirstLesson().getScreenId();
+            hintNum = -1;
+        }
+
+        // System.out.println("Current Screen 2: " + currentScreen );
+        // System.out.println("Previous Screen 2: " + previousScreen );
+        // update the screen variables
+        previousScreen = currentScreen;
+
+        try {
+            // If the request is new there should be no parameters.
+            // This can occur from a session timeout or a the starting of a new course.
+            if (!request.getSession().isNew()) {
+                currentScreen = myParser.getIntParameter(SCREEN, currentScreen);
+            } else {
+                if (!myParser.getRawParameter(SCREEN, "NULL").equals("NULL")) {
+                    this.setMessage("Session Timeout - Starting new Session.");
+                }
+            }
+        } catch (Exception e) {
+            logger.warn("Exception when updating properties in updateScreenProperties: " + e.getMessage() + " " + e.getCause());
+        }
+    }
+
+    /**
+     * Updates the labelmanager local based on the labelManager bean
+     *
+     * @param request
+     */
+    private void updateLocale(HttpServletRequest request) {
+        Locale locale = request.getLocale();
+        if (locale != null) {
+            LabelManager labelManager = BeanProvider.getBean("labelManager", LabelManager.class);
+            labelManager.setLocale(locale);
+        }
+    }
+
+    /**
+     * Creates a new parser if not created yet. Sets the request on the parser for later use.
+     *
+     * @param request
+     */
+    private void updateParser(HttpServletRequest request) {
+        if (myParser == null) {
+            myParser = new ParameterParser(request);
+        } else {
+            myParser.update(request);
         }
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java

@@ -51,9 +51,6 @@ public class WebgoatContext {
     /** Constant <code>SHOWHINTS="ShowHints"</code> */
     public final static String SHOWHINTS = "ShowHints";
 
-    /** Constant <code>DEFUSEOSCOMMANDS="DefuseOSCommands"</code> */
-    public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
-
     /** Constant <code>FEEDBACK_ADDRESS_HTML="FeedbackAddressHTML"</code> */
     public final static String FEEDBACK_ADDRESS_HTML = "FeedbackAddressHTML";
 
@@ -86,15 +83,13 @@ public class WebgoatContext {
 
     private boolean showSolution = false;
 
-    private boolean defuseOSCommands = false;
-
     private boolean enterprise = false;
 
     private boolean codingExercises = false;
 
-    private String feedbackAddress = "webgoat@owasp.org";
+    private String feedbackAddress = "owasp-webgoat@list.owasp.org";
 
-    private String feedbackAddressHTML = "<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>";
+    private String feedbackAddressHTML = "<A HREF=mailto:owasp-webgoat@list.owasp.org>owasp-webgoat@list.owasp.org</A>";
 
     private boolean isDebug = false;
 
@@ -123,7 +118,6 @@ public class WebgoatContext {
         showCookies = "true".equals(getParameter(servlet, SHOWCOOKIES));
         showSource = "true".equals(getParameter(servlet, SHOWSOURCE));
         showSolution = "true".equals(getParameter(servlet, SHOWSOLUTION));
-        defuseOSCommands = "true".equals(getParameter(servlet, DEFUSEOSCOMMANDS));
         enterprise = "true".equals(getParameter(servlet, ENTERPRISE));
         codingExercises = "true".equals(getParameter(servlet, CODING_EXERCISES));
         feedbackAddressHTML = getParameter(servlet, FEEDBACK_ADDRESS_HTML) != null ? getParameter(servlet,
@@ -192,15 +186,6 @@ public class WebgoatContext {
         return (databasePassword);
     }
     
-    /**
-     * <p>isDefuseOSCommands.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isDefuseOSCommands() {
-        return defuseOSCommands;
-    }
-
     /**
      * <p>isEnterprise.</p>
      *

webgoat-container/src/main/java/org/owasp/webgoat/util/HtmlEncoder.java

@@ -119,10 +119,9 @@ public class HtmlEncoder
 	};
 
 	/**
-	 * <p>Constructor for HtmlEncoder.</p>
+	 * Initialises the mappings between entities and characters
 	 */
-	public HtmlEncoder()
+	static {
-	{
 	    for (int i = 0; i < entities.length; i++)
             e2i.put((String) entities[i][0], (Integer) entities[i][1]);
         for (int i = 0; i < entities.length; i++)

webgoat-container/src/main/resources/log4j.properties

@@ -18,6 +18,7 @@ log4j.appender.CONSOLE.layout.conversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p
 
 # a little less spring output
 log4j.category.org.springframework = INFO
+log4j.category.org.apache=INFO
 
 log4j.appender.default.out=org.apache.log4j.ConsoleAppender
 log4j.appender.default.out.threeshold=DEBUG

webgoat-container/src/main/webapp/META-INF/context.xml

@@ -1,4 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiJARLocking="true" path="/WebGoat">
+<Context path="/WebGoat">
 
 </Context>

webgoat-container/src/main/webapp/WEB-INF/context.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiJARLocking="true" path="/WebGoat"/>
+<Context path="/WebGoat"/>

webgoat-container/src/main/webapp/WEB-INF/pages/main_new.jsp

@@ -50,7 +50,7 @@
             <header id="header">
                 <!--logo start-->
                 <div class="brand">
-                    <a href="${pageContext.request.contextPath}/start.mvc" class="logo"><span>Web</span>Goat</a>
+                    <a href="${pageContext.request.contextPath}/welcome.mvc" class="logo"><span>Web</span>Goat</a>
                 </div>
                 <!--logo end-->
                 <div class="toggle-navigation toggle-left">
@@ -72,9 +72,9 @@
                             <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">User: ${user}</a></li>
                             <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Role: ${role}</a></li>
                             <li role="presentation" class="divider"></li>
+                            <li role="presentation"><a role="menuitem" tabindex="-1" href="#developer-controls">Show developer controls</a></li>      
                             <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">${version}</a></li>
                             <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">Build: ${build}</a></li>
-
                         </ul>
                     </div>
                     <button type="button" id="about-button"  class="btn btn-default right_nav_button" title="About WebGoat" data-toggle="modal" data-target="#about-modal"> 
@@ -102,6 +102,11 @@
                         <div class="col-md-8">
                             <div class="col-md-12" align="left">
                                 <div class="panel" id="help-controls">
+                                    <button class="btn btn-primary btn-xs help-button" id="show-source-button">Show Source</button>
+                                    <button class="btn btn-primary btn-xs help-button" id="show-solution-button">Show Solution</button>
+                                    <button class="btn btn-primary btn-xs help-button" id="show-plan-button">Show Plan</button>
+                                    <button class="btn btn-primary btn-xs help-button" id="show-hints-button">Show Hints</button>
+                                    <button class="btn btn-xs help-button" id="restart-lesson-button">Restart Lesson</button>
                                 </div>
                                 <div class="lesson-hint" id="lesson-hint-container">
                                     <h4>Hints</h4>
@@ -116,6 +121,7 @@
                                 </div>
                             </div>
                             <div class="col-md-12" align="left">
+                                <div id="lesson-progress" class="info"></div>
                                 <div id="lesson-content-wrapper" class="panel">
 
                                 </div>
@@ -137,6 +143,15 @@
                                                 <h4>Params</h4>
                                             </div>
                                         </div>
+                                        <div id="developer-control-container">
+	                                        <div align="left">
+	                                            <h3>Developer controls</h3>
+	                                        </div>
+	                                        <hr />
+	                                        <div id="developer-controls">
+	                                        
+	                                        </div>
+                                        </div>
                                     </div>
                                 </div>
                             </div>

webgoat-container/src/main/webapp/WEB-INF/server-config.wsdd

@@ -29,11 +29,11 @@
  <handler name="Authenticate" type="java:org.apache.axis.handlers.SimpleAuthenticationHandler"/>
  <service name="WSDLScanning" provider="java:RPC">
   <parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
-  <parameter name="className" value="org.owasp.webgoat.lessons.WSDLScanning"/>
+  <parameter name="className" value="org.owasp.webgoat.plugin.WSDLScanning"/>
  </service>
  <service name="SoapRequest" provider="java:RPC">
   <parameter name="allowedMethods" value="getFirstName, getLastName, getCreditCard, getLoginCount"/>
-  <parameter name="className" value="org.owasp.webgoat.lessons.SoapRequest"/>
+  <parameter name="className" value="org.owasp.webgoat.plugin.SoapRequest"/>
  </service>
  <service name="AdminService" provider="java:MSG">
   <parameter name="allowedMethods" value="AdminService"/>
@@ -47,7 +47,7 @@
  </service>
  <service name="WsSqlInjection" provider="java:RPC">
   <parameter name="allowedMethods" value="getCreditCard"/>
-  <parameter name="className" value="org.owasp.webgoat.lessons.WsSqlInjection"/>
+  <parameter name="className" value="org.owasp.webgoat.plugin.WsSqlInjection"/>
  </service>
  <transport name="http">
   <requestFlow>

webgoat-container/src/main/webapp/WEB-INF/web.xml

@@ -126,10 +126,6 @@
             <param-name>CookieDebug</param-name>
             <param-value>true</param-value>
         </init-param>
-        <init-param>
-            <param-name>DefuseOSCommands</param-name>
-            <param-value>false</param-value>
-        </init-param>
         <init-param>
             <param-name>Enterprise</param-name>
             <param-value>true</param-value>

webgoat-container/src/main/webapp/WEB-INF/webgoat.properties

@@ -10,13 +10,7 @@ lesson.BasicAuthentication.hidden=true
 lesson.BlindScript.hidden=true
 lesson.RemoteAdminFlaw.hidden=true
 lesson.HttpSplitting.hidden=true
-lesson.BasicAuthentication.hidden=true
-lesson.SameOriginPolicyProtection.hidden=true
-lesson.SilentTransactions.hidden=true
-lesson.WeakAuthenticationCookie.hidden=true
 lesson.TraceXSS.hidden=true
 lesson.DBSQLInjection.hidden=true
-lesson.CrossSiteScripting.hidden=true
 lesson.DBCrossSiteScripting.hidden=true
-lesson.XPATHInjection.hidden=true
 lesson.ForcedBrowsing.hidden=true

webgoat-container/src/main/webapp/css/main.css

@@ -765,6 +765,27 @@ cookie-container {
   padding-left:3px;
 }
 
+.developer-controls-table {
+	width: 100%;
+}
+
+.developer-controls-table td {
+    text-align: right;
+}
+
+.developer-controls-table a {
+    color: #e84c3d
+}
+
+#developer-control-container {
+	display: none;
+}
+
+#menu-container a,
+.developer-controls-table a {
+    cursor: pointer;	
+}
+
 /* ==========================================================================
    MENU / Sidebar
    ========================================================================== */

webgoat-container/src/main/webapp/js/goatApp/controller/LessonController.js

@@ -15,7 +15,9 @@ define(['jquery',
     'goatApp/view/UserAndInfoView',
     'goatApp/view/MenuButtonView',
     'goatApp/model/LessonInfoModel',
-    'goatApp/view/TitleView'
+    'goatApp/view/TitleView',
+    'goatApp/model/LessonProgressModel',
+    'goatApp/view/LessonProgressView'
     ], 
     function($,
         _,
@@ -34,13 +36,18 @@ define(['jquery',
         UserAndInfoView,
         MenuButtonView,
         LessonInfoModel,
-        TitleView
+        TitleView,
+        LessonProgressModel,
+        LessonProgressView
+
     ) {
         'use strict'
         
         
         var Controller = function(options) {
             this.lessonContent = new LessonContentModel();
+            this.lessonProgressModel = new LessonProgressModel();
+            this.lessonProgressView = new LessonProgressView(this.lessonProgressModel);
             this.lessonView = options.lessonView;
 
             _.extend(Controller.prototype,Backbone.Events);
@@ -116,6 +123,7 @@ define(['jquery',
                     this.sourceView = new SourceView();
                     this.lessonHintView = new HintView();
                     this.cookieView = new CookieView();
+
                     //TODO: instantiate model with values (not sure why was not working before)
                     var paramModel = new ParamModel({});
                     paramModel.set('scrParam',this.lessonContent.get('scrParam'));
@@ -127,6 +135,7 @@ define(['jquery',
                     $('.lesson-help').hide();
                 }
                 this.trigger('menu:reload');
+                this.lessonProgressModel.completed();
             };
 
             this.addCurHelpState = function (curHelp) {
@@ -179,8 +188,9 @@ define(['jquery',
                 $.ajax({
                     url:'service/restartlesson.mvc',
                     method:'GET'
-                }).done(function(text) {
+                }).done(function() {
-                    console.log("Received a response from the restart servlet: '" + text + "'");
+                    //Log shows warning, see https://bugzilla.mozilla.org/show_bug.cgi?id=884693
+
                     // Explicitly loading the lesson instead of triggering an
                     // event in goatRouter.navigate().
                     self.loadLesson(self.scr,self.menu);

webgoat-container/src/main/webapp/js/goatApp/model/LabelDebugModel.js

@@ -0,0 +1,39 @@
+define([
+	'backbone'],
+	function(
+		Backbone) {
+	return Backbone.Model.extend({
+		id: 'label-status',
+		url: 'service/debug/labels.mvc',
+		
+		label: '',
+		labels: {
+			enable: 'Enable label debugging',
+			disable: 'Disable label debugging'
+		},
+		
+		initialize: function() {
+			this.load();
+		},
+		
+		fetch: function(options) {
+            options || (options = {});
+            var data = (options.data || {});
+            if(this.enabled != undefined) {
+            	options.data = { enabled: !this.enabled };
+            }
+            return Backbone.Collection.prototype.fetch.call(this, options);
+		},
+		
+		load: function () {
+			this.fetch().then(this.labelStatusLoaded.bind(this));
+		},
+
+		labelStatusLoaded: function(data) {
+			this.enabled = data.enabled;
+			this.label = this.enabled ? this.labels['disable'] : this.labels['enable'];
+			this.trigger('plugins:loaded', this, data);
+		}
+
+	});
+});

webgoat-container/src/main/webapp/js/goatApp/model/LessonProgressModel.js

@@ -0,0 +1,13 @@
+define(['jquery',
+        'underscore',
+        'backbone'],
+    function ($,
+              _,
+              Backbone) {
+        return Backbone.Model.extend({
+            url: 'service/lessonprogress.mvc',
+            completed: function () {
+                this.fetch();
+            }
+        });
+    });

webgoat-container/src/main/webapp/js/goatApp/model/PluginReloadModel.js

@@ -0,0 +1,19 @@
+define([
+	'backbone'],
+	function(
+		Backbone) {
+	return Backbone.Model.extend({
+		url: 'service/reloadplugins.mvc',
+		id: 'reload-plugins',
+		label: 'Reload plugins',
+		
+		load: function () {
+			this.fetch().then(this.pluginsLoaded.bind(this));
+		},
+
+		pluginsLoaded: function(data) {
+			this.trigger('plugins:loaded', this, data);
+		}
+
+	});
+});

webgoat-container/src/main/webapp/js/goatApp/view/DeveloperControlsView.js

@@ -0,0 +1,77 @@
+define(['jquery',
+	'underscore',
+	'backbone',
+	'goatApp/model/PluginReloadModel',
+	'goatApp/model/LabelDebugModel'],
+function(
+	$,
+	_,
+	Backbone,
+	PluginReloadModel,
+	LabelDebugModel) {
+	return Backbone.View.extend({
+		el: '#developer-controls',
+	    
+	    onControlClick: function(model) {
+	    	$('#' + model.id).find('td').text('Loading...');
+	    	model.load();
+	    },
+	    
+	    onPluginsLoaded: function(model) {
+	    	window.location.href = 'welcome.mvc';
+	    },
+	    
+	    onLabelsLoaded: function(model) {
+	    	this.models[1] = model;
+	    	this.render();
+	        Backbone.history.loadUrl(Backbone.history.getFragment());
+	    },
+
+		initialize: function(options) {
+			this.addMenuListener();
+			this.models = [new PluginReloadModel(), new LabelDebugModel()];
+			this.listenTo(this.models[0], 'plugins:loaded', this.onPluginsLoaded);
+			this.listenTo(this.models[1], 'plugins:loaded', this.onLabelsLoaded);
+			this.render();
+		},
+		
+		addMenuListener: function() {
+			var showHandler = function(e) {
+				e.preventDefault();
+				$('#developer-control-container').show();
+				$(this).text('Hide developer controls').off().on('click', hideHandler);
+			};
+			
+			var hideHandler = function(e) {
+				e.preventDefault();
+				$('#developer-control-container').hide();
+				$(this).text('Show developer controls').off().on('click', showHandler);
+			};
+			
+			$('a[href="#developer-controls"]').click(showHandler);
+		},
+
+		render: function() {
+			this.$el.html('');
+			var table = $('<table>',{'class':'developer-controls-table table-nonfluid'});
+			var self = this;
+			_.each(this.models, function(model) {
+				var newRow = $('<tr>', { id: model.id });
+				var headerCell = $('<th>')
+				var statusCell = $('<td>')
+				
+				var link = $('<a>', {
+					'text': model.label,
+					'title': model.label
+				});
+				link.click(_.bind(self.onControlClick, self, model));
+				
+				newRow.append(headerCell.append(link));
+				newRow.append(statusCell);
+				table.append(newRow);
+			});
+			
+			this.$el.append(table);
+		}
+	});
+});

webgoat-container/src/main/webapp/js/goatApp/view/GoatRouter.js

@@ -4,17 +4,20 @@ define(['jquery',
     'goatApp/controller/LessonController',
     'goatApp/controller/MenuController',
     'goatApp/view/LessonContentView',
-    'goatApp/view/MenuView'
+    'goatApp/view/MenuView',
+    'goatApp/view/DeveloperControlsView'
     ], function ($,
     _,
     Backbone,
     LessonController,
     MenuController,
     LessonContentView,
-    MenuView) {
+    MenuView,
+    DeveloperControlsView) {
     
     var lessonView = new LessonContentView();
     var menuView = new MenuView();
+    var developerControlsView = new DeveloperControlsView();
 
     var GoatAppRouter = Backbone.Router.extend({
         routes: {

webgoat-container/src/main/webapp/js/goatApp/view/HelpControlsView.js

@@ -4,14 +4,7 @@ define(['jquery',
 function($,_,Backbone) {
 	return Backbone.View.extend({
 		el:'#help-controls', //Check this
-		helpButtons: {
+
-			//TODO: move this into a template
-			showSource:$('<button>',{id:'show-source-button','class':'btn btn-primary btn-xs help-button',type:'button',text:'Java Source'}),
-			showSolution:$('<button>',{id:'show-solution-button','class':'btn btn-primary btn-xs help-button',type:'button',text:'Solution'}),
-			showPlan:$('<button>',{id:'show-plan-button','class':'btn btn-primary btn-xs help-button',type:'button',text:'Lesson Plan'}),
-			showHints:$('<button>',{id:'show-hints-button','class':'btn btn-primary btn-xs help-button',type:'button',text:'Hints'}),
-			restartLesson:$('<button>',{id:'restart-lesson-button','class':'btn btn-xs help-button',type:'button',text:'Restart Lesson'})
-		},
 		initialize: function (options) {
 			if (!options) {
 				return;
@@ -21,28 +14,30 @@ function($,_,Backbone) {
 			this.hasSource = options.hasSource;
 			this.hasHints = options.hasHints;
 		},
+		    
 		render:function(title) {
-			this.$el.html();
+			//this.$el.html();
+			// if still showing, hide
+			$('#show-source-button').hide();
+			$('#show-solution-button').hide();
+			$('#show-plan-button').hide();
+			$('#show-hints-button').hide();
 
 			if (this.hasSource) {
-				this.helpButtons.showSource.unbind().on('click',_.bind(this.showSource,this));
+				this.$el.find('#show-source-button').unbind().on('click',_.bind(this.showSource,this)).show();
-				this.$el.append(this.helpButtons.showSource);
 			}
 			if (this.hasSolution) {
-				this.helpButtons.showSolution.unbind().on('click',_.bind(this.showSolution,this));
+				this.$el.find('#show-solution-button').unbind().on('click',_.bind(this.showSolution,this)).show();
-				this.$el.append(this.helpButtons.showSolution);
 			}
 			if (this.hasPlan) {
-				this.helpButtons.showPlan.unbind().on('click',_.bind(this.showPlan,this));
+				this.$el.find('#show-plan-button').unbind().on('click',_.bind(this.showPlan,this)).show();
-				this.$el.append(this.helpButtons.showPlan);
 			}
 			if (this.hasHints) {
-				this.helpButtons.showHints.unbind().on('click',_.bind(this.showHints,this));
+				this.$el.find('#show-hints-button').unbind().on('click',_.bind(this.showHints,this)).show();
-				this.$el.append(this.helpButtons.showHints);
 			}
 			
-			this.helpButtons.restartLesson.unbind().on('click',_.bind(this.restartLesson,this));
+			this.$el.find('#restart-lesson-button').unbind().on('click',_.bind(this.restartLesson,this)).show();
-			this.$el.append(this.helpButtons.restartLesson);
+			//this.$el.append(this.helpButtons.restartLesson);
 		},
 
 		showSource: function() {

webgoat-container/src/main/webapp/js/goatApp/view/LessonContentView.js

@@ -24,15 +24,16 @@ define(['jquery',
         
         //TODO: reimplement this in custom fashion maybe?
         makeFormsAjax: function () {
+            var $form = $('form');
             var options = {
                 success:this.reLoadView.bind(this),
                 url: this.model.urlRoot,
-                type:'GET'
+                type: $form.attr('method')
                 // $.ajax options can be used here too, for example: 
                 //timeout:   3000 
             };
             //hook forms //TODO: clarify form selectors later
-            $("form").ajaxForm(options);
+            $form.ajaxForm(options);
         },
 
         ajaxifyAttackHref: function() {  // rewrite any links with hrefs point to relative attack URLs             
@@ -46,10 +47,10 @@ define(['jquery',
                 $(el).click(function(event) {
                     event.preventDefault();
                     var _url = $(el).attr('link');
-                    console.log("About to GET " + _url);
+                    console.log("About to POST " + _url);
-                    $.get(_url)
+                    $.post(_url)
                         .done(self.reLoadView.bind(self))
-                        .fail(function() { alert("failed to GET " + _url); });
+                        .fail(function() { alert("failed to POST " + _url); });
                 });
             });
         },

webgoat-container/src/main/webapp/js/goatApp/view/LessonProgressView.js

@@ -0,0 +1,26 @@
+define(['jquery',
+        'underscore',
+        'backbone',
+        'goatApp/model/LessonProgressModel'],
+    function ($,
+              _,
+              Backbone,
+              LessonProgressModel) {
+        return Backbone.View.extend({
+            el: '#lesson-progress',
+            initialize: function (lessonProgressModel) {
+                this.model = lessonProgressModel;
+
+                if (this.model) {
+                    this.listenTo(this.model, 'change', this.render);
+                }
+            },
+            render: function () {
+                if (this.model.get("lessonCompleted")) {
+                    this.$el.html(this.model.get('successMessage'));
+                } else {
+                    this.$el.html("");
+                }
+            }
+        });
+    });

webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestUtils.java

@@ -0,0 +1,57 @@
+package org.owasp.webgoat.plugins;
+
+import org.openqa.selenium.By;
+import org.openqa.selenium.NoSuchElementException;
+import org.openqa.selenium.StaleElementReferenceException;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.support.ui.ExpectedConditions;
+import org.openqa.selenium.support.ui.FluentWait;
+import org.openqa.selenium.support.ui.WebDriverWait;
+
+import static java.util.concurrent.TimeUnit.SECONDS;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since September 22, 2016
+ */
+public class TestUtils {
+
+    public static void assertTitlePresent(WebDriver webDriver, String title) {
+        FluentWait<WebDriver> wait = new WebDriverWait(webDriver, 15); // wait for a maximum of 15 seconds
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), title));
+    }
+
+    public static  FluentWait createDefaultWait(WebDriver webDriver) {
+        return new FluentWait(webDriver)
+                .withTimeout(10, SECONDS)
+                .pollingEvery(2, SECONDS)
+                .ignoring(NoSuchElementException.class)
+                .ignoring(StaleElementReferenceException.class);
+
+    }
+}

webgoat-container/src/test/java/org/owasp/webgoat/plugins/WebGoatIT.java

@@ -1,5 +1,6 @@
 package org.owasp.webgoat.plugins;
 
+import com.google.common.base.Predicate;
 import com.saucelabs.common.SauceOnDemandAuthentication;
 import com.saucelabs.common.SauceOnDemandSessionIdProvider;
 import com.saucelabs.junit.ConcurrentParameterized;
@@ -11,31 +12,39 @@ import org.junit.Test;
 import org.junit.rules.TestName;
 import org.junit.runner.RunWith;
 import org.openqa.selenium.By;
+import org.openqa.selenium.JavascriptExecutor;
+import org.openqa.selenium.NoSuchElementException;
 import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.remote.CapabilityType;
 import org.openqa.selenium.remote.DesiredCapabilities;
 import org.openqa.selenium.remote.RemoteWebDriver;
 import org.openqa.selenium.support.ui.ExpectedConditions;
+import org.openqa.selenium.support.ui.FluentWait;
 import org.openqa.selenium.support.ui.WebDriverWait;
 
+import java.io.IOException;
 import java.net.URL;
 import java.util.LinkedList;
+import java.util.concurrent.TimeUnit;
 
+import static java.util.concurrent.TimeUnit.SECONDS;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.owasp.webgoat.plugins.TestUtils.assertTitlePresent;
+import static org.owasp.webgoat.plugins.TestUtils.createDefaultWait;
 
 
 /**
  * Created by Doug Morato <dm@corp.io> on 8/21/15.
- *
  */
 @RunWith(ConcurrentParameterized.class)
 public class WebGoatIT implements SauceOnDemandSessionIdProvider {
 
     // Since most Tomcat deployments run on port 8080, let's set the automated integration tests to
     // spawn tomcat on port 8888 so that we don't interfere with local Tomcat's
-    private String baseWebGoatUrl = "http://localhost:8888/WebGoat";
+    protected String baseWebGoatUrl = "http://localhost:8888/WebGoat";
     private String loginUser = "webgoat";
     private String loginPassword = "webgoat";
 
@@ -82,21 +91,16 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
      * Represents the device-orientation of mobile device
      */
     private String deviceOrientation;
-    /**
-     * Instance variable which contains the Sauce Job Id.
-     */
-    private String sessionId;
 
-    /**
+    protected ThreadLocal<WebDriver> _webDriver = new ThreadLocal<>();
-     * The {@link WebDriver} instance which is used to perform browser interactions with.
+    protected ThreadLocal<String> sessionId = new ThreadLocal<>();
-     */
-    private WebDriver driver;
 
 
     /**
      * Constructs a new instance of the test.  The constructor requires three string parameters, which represent the operating
      * system, version and browser to be used when launching a Sauce VM.  The order of the parameters should be the same
      * as that of the elements within the {@link #browsersStrings()} method.
+     *
      * @param os
      * @param version
      * @param browser
@@ -113,6 +117,15 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
         this.deviceOrientation = deviceOrientation;
     }
 
+    public WebDriver getWebDriver() {
+        return _webDriver.get();
+    }
+
+    public String getSessionId() {
+        return sessionId.get();
+    }
+
+
     /**
      * @return a LinkedList containing String arrays representing the browser combinations the test should be run against. The values
      * in the String array are used as part of the invocation of the test constructor
@@ -121,32 +134,23 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
     public static LinkedList browsersStrings() {
         LinkedList browsers = new LinkedList();
 
-        // windows 7, Chrome 45
+        // windows 7, Chrome latest
-        browsers.add(new String[]{"Windows 7", "45", "chrome", null, null});
+        //browsers.add(new String[]{"Windows 7", "", "chrome", null, null});
 
-        // windows 7, IE 9
+        // windows 10, Chrome latest
-        //browsers.add(new String[]{"Windows 7", "9", "internet explorer", null, null});
+        browsers.add(new String[]{"Windows 10", "", "chrome", null, null});
 
-        // windows 8, IE 10
+        // Linux, Firefox latest
-        //browsers.add(new String[]{"Windows 8", "10", "internet explorer", null, null});
+        browsers.add(new String[]{"Linux", "", "firefox", null, null});
 
-        // windows 8.1, IE 11
+        // windows 10, IE latest
-        //browsers.add(new String[]{"Windows 8.1", "11", "internet explorer", null, null});
+        //browsers.add(new String[]{"Windows 10", "", "internetExplorer", null, null});
 
-        // windows 10, Microsoft Edge Browser
+        // windows 10, Microsoft Edge Browser latest
-        //browsers.add(new String[]{"Windows 10", "20.10240", "microsoftedge", null, null});
+        //browsers.add(new String[]{"Windows 10", "", "edge", null, null});
 
-        // OS X 10.9, Safari 7
+        // OS X 10.11 El Capitan, Safari
-        //browsers.add(new String[]{"OSX 10.9", "7", "safari", null, null});
+        //browsers.add(new String[]{"OSX 10.11", "", "safari", null, null});
-
-        // OS X 10.10, Safari
-        //browsers.add(new String[]{"OSX 10.10", "8", "safari", null, null});
-
-        // OS X 10.11, Safari
-        //browsers.add(new String[]{"OSX 10.11", "8.1", "safari", null, null});
-
-        // Linux, Firefox 37
-        browsers.add(new String[]{"Linux", "37", "firefox", null, null});
 
         return browsers;
     }
@@ -169,7 +173,7 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
 
         // Additional settings to help debugging and improve job perf
         capabilities.setCapability("public", "share");
-        capabilities.setCapability("wwebdriverRemoteQuietExceptions", false);
+        capabilities.setCapability("wwebgetWebDriver()RemoteQuietExceptions", false);
         capabilities.setCapability("captureHtml", true);
 
         if (System.getenv("CI") != null && System.getenv("TRAVIS").equals("true")) {
@@ -183,11 +187,12 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
         String methodName = name.getMethodName();
         capabilities.setCapability("name", methodName);
 
-        this.driver = new RemoteWebDriver(
+        this._webDriver.set(new RemoteWebDriver(
                 new URL("http://" + authentication.getUsername() + ":" + authentication.getAccessKey() +
                         "@ondemand.saucelabs.com:80/wd/hub"),
-                capabilities);
+                capabilities));
-        this.sessionId = (((RemoteWebDriver) driver).getSessionId()).toString();
+        this.getWebDriver().manage().timeouts().implicitlyWait(4, SECONDS);
+        this.sessionId.set((((RemoteWebDriver) getWebDriver()).getSessionId()).toString());
 
         String message = String.format("SauceOnDemandSessionID=%1$s job-name=%2$s", this.sessionId, methodName);
         System.out.println(message);
@@ -195,36 +200,37 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
 
     public void doLoginWebgoatUser() {
 
-        driver.get(baseWebGoatUrl + "/login.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/login.mvc");
-        driver.navigate().refresh();
+        getWebDriver().navigate().refresh();
 
-        WebDriverWait wait = new WebDriverWait(driver, 15); // wait for a maximum of 15 seconds
+        WebDriverWait wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
         wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputEmail1")));
         wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputPassword1")));
 
-        WebElement usernameElement     = driver.findElement(By.name("username"));
+        WebElement usernameElement = getWebDriver().findElement(By.name("username"));
-        WebElement passwordElement     = driver.findElement(By.name("password"));
+        WebElement passwordElement = getWebDriver().findElement(By.name("password"));
         usernameElement.sendKeys(loginUser);
         passwordElement.sendKeys(loginPassword);
         passwordElement.submit();
-        driver.get(baseWebGoatUrl + "/start.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc");
     }
 
     /**
      * Runs a simple test verifying the UI and title of the WebGoat home page.
+     *
      * @throws Exception
      */
     @Test
     public void verifyWebGoatLoginPage() throws Exception {
-        driver.get(baseWebGoatUrl + "/login.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/login.mvc");
-        WebDriverWait wait = new WebDriverWait(driver, 15); // wait for a maximum of 15 seconds
+        WebDriverWait wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
         wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputEmail1")));
         wait.until(ExpectedConditions.presenceOfElementLocated(By.id("exampleInputPassword1")));
 
-        assertTrue(driver.getTitle().equals("Login Page"));
+        assertTrue(getWebDriver().getTitle().equals("Login Page"));
 
-        WebElement usernameElement     = driver.findElement(By.name("username"));
+        WebElement usernameElement = getWebDriver().findElement(By.name("username"));
-        WebElement passwordElement     = driver.findElement(By.name("password"));
+        WebElement passwordElement = getWebDriver().findElement(By.name("password"));
         assertNotNull(usernameElement);
         assertNotNull(passwordElement);
     }
@@ -232,9 +238,9 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
 
     @Test
     public void testStartMvc() {
-        driver.get(baseWebGoatUrl + "/start.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc");
 
-        WebDriverWait wait = new WebDriverWait(driver, 15); // wait for a maximum of 15 seconds
+        WebDriverWait wait = new WebDriverWait(getWebDriver(), 15); // wait for a maximum of 15 seconds
         wait.until(ExpectedConditions.presenceOfElementLocated(By.name("username")));
         wait.until(ExpectedConditions.presenceOfElementLocated(By.name("password")));
     }
@@ -244,11 +250,11 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
 
         doLoginWebgoatUser();
 
-        driver.get(baseWebGoatUrl + "/start.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc");
-        String pageSource = driver.getPageSource();
+        String pageSource = getWebDriver().getPageSource();
 
         assertTrue("user: webgoat is not in the page source", pageSource.contains("Role: webgoat_admin"));
-        WebElement cookieParameters = driver.findElement(By.id("cookies-and-params"));
+        WebElement cookieParameters = getWebDriver().findElement(By.id("cookies-and-params"));
         assertNotNull("element id=cookieParameters should be displayed to user upon successful login", cookieParameters);
     }
 
@@ -257,25 +263,294 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
 
         doLoginWebgoatUser();
 
-        driver.get(baseWebGoatUrl + "/service/lessonmenu.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/service/lessonmenu.mvc");
 
-        String pageSource = driver.getPageSource();
+        String pageSource = getWebDriver().getPageSource();
 
         assertTrue("Page source should contain lessons: Test 1", pageSource.contains("Reflected XSS"));
         assertTrue("Page source should contain lessons: Test 2", pageSource.contains("Access Control Flaws"));
-        assertTrue("Page source should contain lessons: Test 3", pageSource.contains("Improper Error Handling"));
         assertTrue("Page source should contain lessons: Test 34", pageSource.contains("Fail Open Authentication Scheme"));
     }
 
+    @Test
+    public void testAccessControlFlaws() {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1708534694/200");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1708534694/200");
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Using an Access Control Matrix"));
+
+        WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("User")));
+        user.click();
+        user.sendKeys("L");
+
+        WebElement resource = getWebDriver().findElement(By.name("Resource"));
+        resource.click();
+        resource.sendKeys("A");
+
+        WebElement submit = getWebDriver().findElement(By.name("SUBMIT"));
+        submit.click();
+
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Congratulations");
+            }
+        });
+    }
+
+    @Test
+    public void testRoleBasedAccessConrol() throws IOException {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/160587164/200");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/160587164/200");
+
+        assertTitlePresent(getWebDriver(), "LAB: Role Based Access Control");
+        this.getWebDriver().manage().timeouts().implicitlyWait(4, SECONDS);
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("employee_id")));
+        user.click();
+        user.sendKeys("T");
+
+        WebElement resource = getWebDriver().findElement(By.name("password"));
+        resource.click();
+        resource.sendKeys("tom");
+
+        WebElement submit = getWebDriver().findElement(By.name("action"));
+        submit.click();
+
+
+        wait = createDefaultWait(getWebDriver());
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Welcome Back");
+            }
+        });
+
+        JavascriptExecutor javascript = (JavascriptExecutor) getWebDriver();
+        String value = "document.getElementsByName('action')[0].value='DeleteProfile';";
+        javascript.executeScript(value);
+
+        WebElement viewProfile = getWebDriver().findElements(By.name("action")).get(0);
+        viewProfile.click();
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Stage 2");
+            }
+        });
+
+        //
+        // Stage 3
+        //
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/160587164/200/3");
+        assertTitlePresent(getWebDriver(), "LAB: Role Based Access Control");
+
+        user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("employee_id")));
+        user.click();
+        user.sendKeys("T");
+
+        resource = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("password")));
+        resource.click();
+        resource.sendKeys("tom");
+
+        submit =  wait.until(ExpectedConditions.presenceOfElementLocated(By.name("action")));
+        submit.click();
+
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Welcome Back");
+            }
+        });
+
+        javascript = (JavascriptExecutor) getWebDriver();
+        value = "var select = document.getElementsByName('employee_id')[0]; select.options[0].value='106'; ";
+        javascript.executeScript(value);
+
+        viewProfile = wait.until(ExpectedConditions.presenceOfAllElementsLocatedBy(By.name("action"))).get(0);
+        viewProfile.click();
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Stage 4");
+            }
+        });
+    }
+
+    @Test
+    public void testFailOpenAuthenticationScheme() throws IOException {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1075773632/200");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1075773632/200");
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Fail Open Authentication Scheme"));
+
+        WebElement user = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("Username")));
+        user.click();
+        user.sendKeys("Larry");
+
+        JavascriptExecutor javascript = (JavascriptExecutor) getWebDriver();
+        String todisable = "document.getElementsByName('Password')[0].setAttribute('disabled', '');";
+        javascript.executeScript(todisable);
+        assertFalse(getWebDriver().findElement(By.name("Password")).isEnabled());
+
+        WebElement submit = getWebDriver().findElement(By.name("SUBMIT"));
+        submit.click();
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Congratulations");
+            }
+        });
+    }
+
+    @Test
+    public void testSqlInjectionLabLessonPlanShouldBePresent() throws IOException {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1537271095/200");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1537271095/200");
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "LAB: SQL Injection"));
+
+        assertFalse(getWebDriver().getPageSource().contains("Lesson Plan Title: How to Perform a SQL Injection"));
+        WebElement user = getWebDriver().findElement(By.id("show-plan-button"));
+        user.click();
+
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-plan-content"), "Lesson Plan Title: How to Perform a SQL Injection"));
+    }
+
+    //@Test
+    public void testClientSideValidation() throws IOException {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1129417221/200");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1129417221/200");
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Insecure Client Storage"));
+
+        getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
+
+        //Stage 1
+        WebElement user = getWebDriver().findElement(By.name("field1"));
+        user.click();
+        user.sendKeys("PLATINUM");
+
+        WebElement submit = getWebDriver().findElement(By.name("SUBMIT"));
+        submit.click();
+        wait.until(new Predicate<WebDriver>() {
+            @Override
+            public boolean apply(WebDriver input) {
+                return getWebDriver().getPageSource().contains("Stage 2");
+            }
+        });
+
+        //Stage 2
+        WebElement qty = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("QTY1")));
+        qty.click();
+        qty.sendKeys("8");
+        qty = getWebDriver().findElement(By.name("QTY1"));
+        qty.click();
+        qty.sendKeys("8");
+        getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
+
+
+        JavascriptExecutor javascript = (JavascriptExecutor) getWebDriver();
+        String cmd = "document.getElementsByName('GRANDTOT')[0].value = '$0.00';";
+        javascript.executeScript(cmd);
+
+        getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
+
+        submit = getWebDriver().findElement(By.name("SUBMIT"));
+        submit.click();
+        wait = new FluentWait(getWebDriver())
+                .withTimeout(10, SECONDS)
+                .pollingEvery(2, SECONDS)
+                .ignoring(NoSuchElementException.class);
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Congratulations");
+            }
+        });
+    }
+
+    @Test
+    public void testJavaScriptValidation() throws IOException {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1574219258/1700");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1574219258/1700");
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "Bypass Client Side JavaScript Validation"));
+
+        getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
+
+        for (int i = 1; i <= 7; i++) {
+
+            WebElement field = wait.until(ExpectedConditions.presenceOfElementLocated(By.name("field" + i)));
+            field.click();
+            field.sendKeys("@#@{@#{");
+        }
+
+        JavascriptExecutor javascript = (JavascriptExecutor) getWebDriver();
+        String cmd = "document.getElementById('submit_btn').onclick=''";
+        javascript.executeScript(cmd);
+
+        WebElement submit = getWebDriver().findElement(By.id("submit_btn"));
+        submit.click();
+
+        getWebDriver().manage().timeouts().implicitlyWait(10, TimeUnit.SECONDS);
+
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Congratulations");
+            }
+        });
+    }
+
+    @Test
+    public void testSqlInjectionLabLessonSolutionAreNotAvailable() throws IOException {
+        doLoginWebgoatUser();
+
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1537271095/200");
+        getWebDriver().get(baseWebGoatUrl + "/service/restartlesson.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/start.mvc#attack/1537271095/200");
+
+        FluentWait<WebDriver> wait = createDefaultWait(getWebDriver());
+        wait.until(ExpectedConditions.textToBePresentInElementLocated(By.id("lesson-title"), "LAB: SQL Injection"));
+        this.getWebDriver().manage().timeouts().implicitlyWait(4, SECONDS);
+
+        WebElement user =  wait.until(ExpectedConditions.presenceOfElementLocated(By.id("show-solution-button")));
+        user.click();
+
+        wait.until(new Predicate<WebDriver>() {
+            public boolean apply(WebDriver webDriver) {
+                return webDriver.getPageSource().contains("Could not find the solution file");
+            }
+        });
+    }
+
     @Test
     public void testLogoutMvc() {
 
         doLoginWebgoatUser();
 
-        driver.get(baseWebGoatUrl + "/logout.mvc");
+        getWebDriver().get(baseWebGoatUrl + "/logout.mvc");
 
-        assertTrue("Page title should be Logout Page", driver.getTitle().contains("Logout Page"));
+        assertTrue("Page title should be Logout Page", getWebDriver().getTitle().contains("Logout Page"));
-        assertTrue("Logout message should be displayed to user when successful logout", driver.getPageSource().contains("You have logged out successfully"));
+        assertTrue("Logout message should be displayed to user when successful logout",
+                getWebDriver().getPageSource().contains("You have logged out successfully"));
     }
 
     /**
@@ -285,15 +560,7 @@ public class WebGoatIT implements SauceOnDemandSessionIdProvider {
      */
     @After
     public void tearDown() throws Exception {
-        driver.quit();
+        getWebDriver().quit();
     }
 
-    /**
-     *
-     * @return the value of the Sauce Job id.
-     */
-    @Override
-    public String getSessionId() {
-        return sessionId;
-    }
 }

webgoat-container/src/test/java/org/owasp/webgoat/session/LabelDebuggerTest.java

@@ -0,0 +1,47 @@
+package org.owasp.webgoat.session;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class LabelDebuggerTest {
+
+    @Test
+    public void testSetEnabledTrue() throws Exception {
+        LabelDebugger ld = new LabelDebugger();
+        ld.setEnabled(true);
+        assertTrue(ld.isEnabled());
+    }
+
+    @Test
+    public void testSetEnabledFalse() throws Exception {
+        LabelDebugger ld = new LabelDebugger();
+        ld.setEnabled(false);
+        assertFalse(ld.isEnabled());
+    }
+
+    @Test
+    public void testSetEnabledNullThrowsException() {
+        LabelDebugger ld = new LabelDebugger();
+        ld.setEnabled(true);
+        assertTrue(ld.isEnabled());
+    }
+
+    @Test
+    public void testEnableIsTrue() {
+        LabelDebugger ld = new LabelDebugger();
+        ld.enable();
+        assertTrue(ld.isEnabled());
+    }
+
+    @Test
+    public void testDisableIsFalse() {
+        LabelDebugger ld = new LabelDebugger();
+        ld.disable();
+        assertFalse(ld.isEnabled());
+    }
+
+
+
+}

webgoat-container/src/test/resources/log4j-silent.properties

@@ -0,0 +1 @@
+log4j.rootLogger=INFO

webgoat-container/src/test/resources/log4j.properties

@@ -1,4 +1,4 @@
-log4j.rootLogger=DEBUG, CONSOLE
+log4j.rootLogger=ERROR, CONSOLE
 
 log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
 log4j.appender.CONSOLE.Target=System.out

webgoat-images/vagrant-developers/Vagrantfile

@@ -0,0 +1,31 @@
+Vagrant.configure(2) do |config|
+  config.vm.box = "boxcutter/ubuntu1604-desktop"
+
+
+  config.vm.provider "virtualbox" do |vb|
+  	vb.gui = true
+  	vb.memory = "4096"
+  	vb.cpus = 2
+  	vb.name = "WebGoat-Development"
+	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
+  end
+
+  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
+
+  config.vm.provision 'shell' do |s|
+    s.path = '../vagrant_provision.sh'
+    s.privileged = true
+  end
+
+  config.vm.provision :shell, privileged:false, inline: <<-SHELL
+    echo -e "Cloning the WebGoat container repository"
+    git clone https://github.com/WebGoat/WebGoat.git
+    echo -e "Cloning the WebGoat Lessons repository"
+    git clone https://github.com/WebGoat/WebGoat-Lessons.git
+    SHELL
+
+  config.vm.provision 'shell' do |s|
+    s.inline = "echo Finished provisioning, login with user vagrant pass vagrant"
+  end
+
+end

webgoat-images/vagrant-users/Vagrantfile

@@ -0,0 +1,47 @@
+#For now use the same as for developers but start WebGoat
+#In the future we can add Docker as well and then Vagrant can start the
+#Docker container or Chef which setups the Tomcat
+
+Vagrant.configure(2) do |config|
+  config.vm.box = "boxcutter/ubuntu1604-desktop"
+  config.vm.network :forwarded_port, guest: 8080, host: 9999
+  config.vm.provider "virtualbox" do |vb|
+  	vb.gui = false
+  	vb.memory = "2048"
+  	vb.cpus = 2
+  	vb.name = "WebGoat-Users"
+	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
+  end
+  config.vm.provider "vmware_fusion" do |vf|
+    vf.gui = false
+    vf.vmx["memsize"] = 4096
+    vf.vmx["numvcpus"] = 2
+    vf.vmx["displayname"] = "WebGoat-Users"
+  end
+
+  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
+
+  config.vm.provision 'shell' do |s|
+    s.path = '../vagrant_provision.sh'
+    s.privileged = true
+  end
+
+  config.vm.provision :shell, inline: <<-SHELL
+    echo -e "Cloning the WebGoat container repository"
+    git clone https://github.com/WebGoat/WebGoat.git
+    echo -e "Cloning the WebGoat Lessons repository"
+    git clone https://github.com/WebGoat/WebGoat-Lessons.git
+    echo -e "Compiling and installing the WebGoat Container lesson server....."
+    mvn -q -DskipTests -file WebGoat/pom.xml clean compile install
+    echo -e "Compiling and installing the WebGoat Lessons $COL_RESET"
+    mvn -q -DskipTests -file WebGoat-Lessons/pom.xml package
+    echo -e "Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons"
+    cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
+    nohup mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war 0<&- &>/dev/null &
+    SHELL
+
+  config.vm.provision 'shell' do |s|
+    s.inline = "echo Finished provisioning, open a browser and browse to http://localhost:9999/WebGoat/"
+  end
+
+end

webgoat-images/vagrant_provision.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+set -e
+
+echo "Setting locale..."
+sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
+
+sudo kill -9 $(lsof -t /var/lib/dpkg/lock) || true
+sudo apt-get update
+sudo apt-get install -y git
+
+echo "Installing required packages..."
+sudo apt-get install -y -q build-essential autotools-dev automake pkg-config expect
+
+
+## Chrome
+wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
+sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
+sudo apt-get update
+sudo apt-get install -y google-chrome-stable
+
+## Java 8
+echo "Provisioning Java 8..."
+mkdir -p /home/vagrant/java
+cd /home/vagrant/java
+test -f /tmp/jdk-8-linux-x64.tar.gz || curl -q -L --cookie "oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u101-b13/jdk-8u101-linux-x64.tar.gz -o /tmp/jdk-8-linux-x64.tar.gz
+
+sudo mkdir -p /usr/lib/jvm
+sudo tar zxf /tmp/jdk-8-linux-x64.tar.gz -C /usr/lib/jvm
+
+sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_101/bin/java" 1
+sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_101/bin/javac" 1
+sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_101/bin/javaws" 1
+
+sudo chmod a+x /usr/bin/java
+sudo chmod a+x /usr/bin/javac
+sudo chmod a+x /usr/bin/javaws
+sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_101
+
+echo "export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_101" >> /home/vagrant/.bashrc
+
+## Maven
+echo "Installing Maven.."
+sudo apt-get install -y maven
+
+## ZAP
+echo "Provisioning ZAP..."
+cd /home/vagrant
+mkdir tools
+cd tools
+wget https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAP_2.5.0_Linux.tar.gz
+tar xvfx ZAP_2.5.0_Linux.tar.gz
+rm -rf ZAP_2.5.0_Linux.tar.gz
+
+## IntelliJ
+cd /home/vagrant/tools
+wget https://download.jetbrains.com/idea/ideaIC-2016.2.4.tar.gz
+tar xvfz ideaIC-2016.2.4.tar.gz
+rm -rf ideaIC-2016.2.4.tar.gz
+
+## Eclipse
+sudo apt-get -y install eclipse

webgoat-standalone/.gitignore

@@ -0,0 +1,8 @@
+target/
+.idea/
+*.iml
+/src/main/webapp/plugin_lessons/*.jar
+/src/main/webapp/plugin_extracted/*
+dependency-reduced-pom.xml
+src/main/webapp/users/guest.org.owasp.webgoat.lessons.BackDoors.props
+/src/main/webapp/WEB-INF/lib/*.jar

webgoat-standalone/README.MD

@@ -0,0 +1,31 @@
+# WebGoat standalone runner
+
+## Introduction
+This project is aimed to be the replacement for the exec-war, it contains
+a simple Main.class which will start an embedded Tomcat server.
+This makes it easier to change the server address and the portnumber for example.
+It kind of works in the same way Spring Boot starts an embedded Tomcat server.
+
+## Usage
+
+For the first time make sure you run a complete build:
+
+```Shell
+mvn clean install
+```
+
+Open up your favourite IDE and run the Main.class which will start the
+embedded Tomcat server.
+
+Or in a shell:
+
+```Shell
+java -jar webgoat-standalone-<<version>>-exec.jar
+```
+
+The following command line options are available:
+
+```
+-a, --address Specify the server address, like 192.168.0.1 (default localhost)
+-p, --port    Specify on which port the server should run (default 6047)
+```

webgoat-standalone/pom.xml

@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <name>webgoat-standalone</name>
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webgoat-standalone</artifactId>
+
+    <parent>
+        <groupId>org.owasp.webgoat</groupId>
+        <artifactId>webgoat-parent</artifactId>
+        <version>7.1</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.github.ryenus</groupId>
+            <artifactId>rop</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webgoat-container</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <!--************* Tomcat dependencies **************-->
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-core</artifactId>
+            <version>${tomcat-catalina.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-logging-juli</artifactId>
+            <version>${tomcat-catalina.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-jasper</artifactId>
+            <version>${tomcat-catalina.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jasper</artifactId>
+            <version>${tomcat-catalina.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jasper-el</artifactId>
+            <version>${tomcat-catalina.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>tomcat-jsp-api</artifactId>
+            <version>${tomcat-catalina.version}</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>1.7</source>
+                    <target>1.7</target>
+                    <encoding>ISO-8859-1</encoding>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>2.3</version>
+                <executions>
+                    <!-- Run shade goal on package phase -->
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <transformers>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                                    <resource>META-INF/spring.handlers</resource>
+                                </transformer>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                                    <resource>META-INF/spring.schemas</resource>
+                                </transformer>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                                    <mainClass>org.owasp.webgoat.Main</mainClass>
+                                </transformer>
+                            </transformers>
+                            <shadedArtifactAttached>true</shadedArtifactAttached>
+                            <shadedClassifierName>exec</shadedClassifierName>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java

@@ -0,0 +1,80 @@
+package org.owasp.webgoat;
+
+import com.github.ryenus.rop.OptionParser;
+import com.github.ryenus.rop.OptionParser.Option;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.coyote.AbstractProtocol;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.net.InetAddress;
+
+import static com.github.ryenus.rop.OptionParser.Command;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ *
+ * @author WebGoat
+ * @version $Id: $Id
+ * @since July 24, 2016
+ */
+@Command(name = "webgoat", descriptions = "Starting WebGoat")
+public class Main {
+
+    private final Logger logger = LoggerFactory.getLogger(Main.class);
+
+    @Option(opt = {"-p", "--port"}, description = "HTTP port to use")
+    int port = 6047;
+
+    @Option(opt = {"-a", "--address"}, description = "Server address to use")
+    String address = "localhost";
+
+    void run() throws Exception {
+        String webappDirLocation = "webgoat-container/src/main/webapp/";
+        Tomcat tomcat = new Tomcat();
+        StandardContext ctx = (StandardContext) tomcat.addWebapp("/WebGoat", new File(webappDirLocation).getAbsolutePath());
+
+        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
+        connector.setPort(port);
+
+        if (connector.getProtocolHandler() instanceof AbstractProtocol) {
+            AbstractProtocol<?> protocol = (AbstractProtocol<?>) connector.getProtocolHandler();
+            protocol.setAddress(InetAddress.getByName(address));
+            protocol.setPort(port);
+        }
+        tomcat.getService().addConnector(connector);
+        tomcat.start();
+        logger.info("Browse to http://{}:{}/WebGoat and happy hacking!", address, port);
+        tomcat.getServer().await();
+    }
+
+    public static void main(String[] args) throws Exception {
+        OptionParser parser = new OptionParser(Main.class);
+        parser.parse(args);
+    }
+}

webgoat-standalone/src/main/standalone.properties

@@ -0,0 +1 @@
+# Dummy property file to figure out whether we started as a war or as a standalone jar

webgoat_developer_bootstrap.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Bootstrap the setup of WebGoat for developer use in Linux and Mac machines
 # This script will clone the necessary git repositories, call the maven goals
@@ -40,14 +40,14 @@ hr() {
             LINE="$LINE$WORD"
         done
 
-        echo "${LINE:0:$COLS}"
+        echo -e "${LINE:0:$COLS}"
     fi
 }
 
 ## test if command exists
 ftest() {
-  echo "$COL_CYAN  info: Checking if ${1} is installed $COL_RESET"
+  echo -e "$COL_CYAN  info: Checking if ${1} is installed $COL_RESET"
-  if ! type -f "${1}" > /dev/null 2>&1; then
+  if ! type "${1}" > /dev/null 2>&1; then
     return 1
   else
     return 0
@@ -59,7 +59,7 @@ ftest() {
 features() {
   for f in "${@}"; do
     ftest "${f}" || {
-      echo >&2 "***$COL_RED ERROR: Missing \`${f}'! Make sure it exists and try again. $COL_RESET"
+      echo -e >&2 "***$COL_RED ERROR: Missing \`${f}'! Make sure it exists and try again. $COL_RESET"
       return 1
     }
   done
@@ -69,13 +69,13 @@ features() {
 tomcat_started () {
     STAT=`netstat -na | grep 8080 | awk '{print $6}'`
     if [ "$STAT" = "LISTEN" ]; then
-        echo "$COL_GREEN WebGoat has started successfully! Browse to the following address. $COL_RESET"
+        echo -e "$COL_GREEN WebGoat has started successfully! Browse to the following address. $COL_RESET"
-        echo "$COL_CYAN Happy Hacking! $COL_RESET"
+        echo -e "$COL_CYAN Happy Hacking! $COL_RESET"
         return 0
 
     elif [ "$STAT" = "" ]; then
-        echo "$COL_RED WebGoat failed to start up.... please wait run the following command for debugging : $COL_RESET"
+        echo -e "$COL_RED WebGoat failed to start up.... please wait run the following command for debugging : $COL_RESET"
-        echo "$COL_MAGENTA  mvn -q -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war"
+        echo -e "$COL_MAGENTA  mvn -q -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war"
     fi
     return 1
 }
@@ -84,7 +84,7 @@ tomcat_started () {
 ## main setup
 developer_bootstrap() {
     horizontal_rule
-    echo "$COL_RED
+    echo -e "$COL_RED
     ██╗    ██╗███████╗██████╗  ██████╗  ██████╗  █████╗ ████████╗
     ██║    ██║██╔════╝██╔══██╗██╔════╝ ██╔═══██╗██╔══██╗╚══██╔══╝
     ██║ █╗ ██║█████╗  ██████╔╝██║  ███╗██║   ██║███████║   ██║
@@ -93,89 +93,91 @@ developer_bootstrap() {
      ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝  ╚═════╝ ╚═╝  ╚═╝   ╚═╝
     $COL_RESET"
     horizontal_rule
-    echo "Welcome to the WebGoat Developer Bootstrap script for Linux/Mac."
+    echo -e "Welcome to the WebGoat Developer Bootstrap script for Linux/Mac."
-    echo "Now checking if all the required software to run WebGoat is already installed."
+    echo -e "Now checking if all the required software to run WebGoat is already installed."
-    echo "FYI: This Developer Bootstrap Script for WebGoat requires: Git, Java JDK and Maven accessible on the path"
+    echo -e "FYI: This Developer Bootstrap Script for WebGoat requires: Git, Java JDK and Maven accessible on the path"
 
     ## test for require features
-    features git mvn java || return $?
+    features git mvn java 
+
+    return $1
 
     # Clone WebGoat from github
     if [ ! -d "WebGoat" ]; then
-        echo "Cloning the WebGoat container repository"
+        echo -e "Cloning the WebGoat container repository"
         git clone https://github.com/WebGoat/WebGoat.git
     else
         horizontal_rule
         (
-            echo "$COL_YELLOW The WebGoat container repo has already been clonned before, pulling upstream changes. $COL_RESET"
+            echo -e "$COL_YELLOW The WebGoat container repo has already been clonned before, pulling upstream changes. $COL_RESET"
             cd WebGoat || {
-                echo >&2 "$COL_RED *** ERROR: Could not cd into the WebGoat Directory. $COL_RESET"
+                echo -e >&2 "$COL_RED *** ERROR: Could not cd into the WebGoat Directory. $COL_RESET"
                 return 1
             }
-            git pull origin master
+            git pull origin develop
         )
     fi
 
     # Clone WebGoat-lessons from GitHub if they don't exist
     if [ ! -d "WebGoat-Lessons" ]; then
         horizontal_rule
-        echo -e  "$COL_CYAN Cloning the WebGoat Lessons repository $COL_RESET"
+        echo -e -e  "$COL_CYAN Cloning the WebGoat Lessons repository $COL_RESET"
         git clone https://github.com/WebGoat/WebGoat-Lessons.git
     else
         horizontal_rule
         (
-            echo "$COL_YELLOW The WebGoat Lesson repo has already been cloned before, pulling upstream changes. $COL_RESET"
+            echo -e "$COL_YELLOW The WebGoat Lesson repo has already been cloned before, pulling upstream changes. $COL_RESET"
             cd WebGoat-Lessons || {
-                echo >&2 "$COL_RED *** ERROR: Could not cd into the WebGoat-Lessons Directory $COL_RESET"
+                echo -e >&2 "$COL_RED *** ERROR: Could not cd into the WebGoat-Lessons Directory $COL_RESET"
                 return 1
             }
-            git pull origin master
+            git pull origin develop
         )
     fi
 
     # Compile and Install the WebGoat lesson server
     horizontal_rule
-    echo "$COL_BLUE Compiling and installing the WebGoat Container lesson server..... $COL_RESET"
+    echo -e "$COL_BLUE Compiling and installing the WebGoat Container lesson server..... $COL_RESET"
     mvn -q -DskipTests -file WebGoat/pom.xml clean compile install || {
-        echo >&2 "$COL_RED *** ERROR: Could not compile the WebGoat Container. $COL_RESET"
+        echo -e >&2 "$COL_RED *** ERROR: Could not compile the WebGoat Container. $COL_RESET"
         return 1
     }
-    echo "$COL_GREEN SUCCESS: Compiled the WebGoat Container successfully! $COL_RESET"
+    echo -e "$COL_GREEN SUCCESS: Compiled the WebGoat Container successfully! $COL_RESET"
 
     # Compile and package the WebGoat Lessons
     horizontal_rule
-    echo "$COL_BLUE Compiling and installing the WebGoat Lessons $COL_RESET"
+    echo -e "$COL_BLUE Compiling and installing the WebGoat Lessons $COL_RESET"
     mvn -q -DskipTests -file WebGoat-Lessons/pom.xml package || {
-        echo >&2 "$COL_RED *** ERROR: Could not compile the WebGoat Container. $COL_RESET"
+        echo -e >&2 "$COL_RED *** ERROR: Could not compile the WebGoat Container. $COL_RESET"
         return 1
     }
-    echo "$COL_GREEN SUCCESS: Compiled the WebGoat Lessons successfully! $COL_RESET"
+    echo -e "$COL_GREEN SUCCESS: Compiled the WebGoat Lessons successfully! $COL_RESET"
 
     # Copy the Lessons into the WebGoat-Container
     horizontal_rule
-    echo "$COL_BLUE Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons, $COL_RESET"
+    echo -e "$COL_BLUE Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons, $COL_RESET"
     cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
 
     # Start the embedded Tomcat server
-    echo "$COL_MAGENTA"
+    echo -e "$COL_MAGENTA"
     horizontal_rule
     horizontal_rule
     horizontal_rule
     horizontal_rule
-    echo "$COL_MAGENTA"
+    echo -e "$COL_MAGENTA"
-    echo "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET"
+    echo -e "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET"
-    echo " Please be patient.... The startup of the server can take from 30s to 3 minutes."
+    echo -e " Please be patient.... The startup of the server can take from 30s to 3 minutes."
-    echo " WebGoat will be ready for you when you see the following message on the command prompt:"
+    echo -e " WebGoat will be ready for you when you see the following message on the command prompt:"
-    echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"
+    echo -e "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"
-    echo "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET"
+    echo -e "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET"
-    echo " To stop the WebGoat and Tomcat Execution execution, press CTRL + C"
+    echo -e " To stop the WebGoat and Tomcat Execution execution, press CTRL + C"
-    echo "$COL_RED If you close this terminal window, Tomcat and WebGoat will stop running $COL_RESET"
+    echo -e "$COL_RED If you close this terminal window, Tomcat and WebGoat will stop running $COL_RESET"
-    echo "$COL_MAGENTA"
+    echo -e "$COL_MAGENTA"
     horizontal_rule
     horizontal_rule
     horizontal_rule
     horizontal_rule
-    echo "$COL_RESET"
+    echo -e "$COL_RESET"
     sleep 5
 
     # Starting WebGoat