WIP

Bumps [com.nulab-inc:zxcvbn](https://github.com/nulab/zxcvbn4j) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/nulab/zxcvbn4j/releases)
- [Changelog](https://github.com/nulab/zxcvbn4j/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nulab/zxcvbn4j/compare/1.7.0...1.8.0)

---
updated-dependencies:
- dependency-name: com.nulab-inc:zxcvbn
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/build.yml

@@ -36,13 +36,13 @@ jobs:
                 run: mvn --no-transfer-progress verify
             -   name: "Set up QEMU"
                 if: runner.os == 'Linux'
-                uses: docker/setup-qemu-action@v2.1.0
+                uses: docker/setup-qemu-action@v2.2.0
             -   name: "Set up Docker Buildx"
                 if: runner.os == 'Linux'
                 uses: docker/setup-buildx-action@v2
             -   name: "Verify Docker WebGoat build"
                 if: runner.os == 'Linux'
-                uses: docker/build-push-action@v4.1.0
+                uses: docker/build-push-action@v4.1.1
                 with:
                     context: ./
                     file: ./Dockerfile
@@ -50,7 +50,7 @@ jobs:
                     build-args: |
                         webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
             -   name: "Verify Docker WebGoat desktop build"
-                uses: docker/build-push-action@v4.1.0
+                uses: docker/build-push-action@v4.1.1
                 if: runner.os == 'Linux'
                 with:
                     context: ./

.github/workflows/release.yml

@@ -44,7 +44,7 @@ jobs:
           files: |
             target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
           body: |
-            ## Version ${{ steps.tag.outputs.tag }}
+           ## Version ${{ github.ref_name }} 
 
             ### New functionality
 
@@ -54,7 +54,7 @@ jobs:
 
             - [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
               
-            Full change log: https://github.com/WebGoat/WebGoat/compare/${{ steps.tag.outputs.tag }}...${{ steps.tag.outputs.tag }}  
+            Full change log: https://github.com/WebGoat/WebGoat/compare/${{ github.ref_name }}...${{ github.ref_name }}  
 
 
             ## Contributors
@@ -72,7 +72,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v2.2.0
         with:
           platforms: all
 
@@ -86,7 +86,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v4.1.0
+        uses: docker/build-push-action@v4.1.1
         with:
           context: ./
           file: ./Dockerfile
@@ -99,7 +99,7 @@ jobs:
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
       - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v4.1.0
+        uses: docker/build-push-action@v4.1.1
         with:
           context: ./
           file: ./Dockerfile_desktop

.github/workflows/test.yml

@@ -61,7 +61,7 @@ jobs:
             # send report to forks only due to limits on permission tokens
             -   name: Send report to commit
                 if: github.repository != 'WebGoat/WebGoat' && github.event_name == 'push'
-                uses: joonvena/robotframework-reporter-action@v2.1
+                uses: joonvena/robotframework-reporter-action@v2.2
                 with:
                     gh_access_token: ${{ secrets.GITHUB_TOKEN }}
                     report_path: 'robotreport'

pom.xml

@@ -109,7 +109,7 @@
 
   <properties>
     <!-- Shared properties with plugins and version numbers across submodules-->
-    <asciidoctorj.version>2.5.3</asciidoctorj.version>
+    <asciidoctorj.version>2.5.10</asciidoctorj.version>
     <!-- Upgrading needs UI work in WebWolf -->
     <bootstrap.version>3.3.7</bootstrap.version>
     <cglib.version>3.3.0</cglib.version>
@@ -119,20 +119,20 @@
     <commons-io.version>2.11.0</commons-io.version>
     <commons-lang3.version>3.12.0</commons-lang3.version>
     <commons-text.version>1.10.0</commons-text.version>
-    <guava.version>31.1-jre</guava.version>
+    <guava.version>32.1.1-jre</guava.version>
     <jacoco.version>0.8.10</jacoco.version>
     <java.version>17</java.version>
     <jaxb.version>2.3.1</jaxb.version>
     <jjwt.version>0.9.1</jjwt.version>
     <jose4j.version>0.9.3</jose4j.version>
-    <jquery.version>3.5.1</jquery.version>
+    <jquery.version>3.6.4</jquery.version>
     <jsoup.version>1.16.1</jsoup.version>
     <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
     <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
     <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
     <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
     <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-    <maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.1.2</maven-surefire-plugin.version>
     <maven.compiler.source>17</maven.compiler.source>
     <maven.compiler.target>17</maven.compiler.target>
     <pmd.version>3.15.0</pmd.version>
@@ -147,7 +147,7 @@
     <xml-resolver.version>1.2</xml-resolver.version>
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
-    <zxcvbn.version>1.7.0</zxcvbn.version>
+    <zxcvbn.version>1.8.0</zxcvbn.version>
   </properties>
 
   <dependencyManagement>
@@ -243,7 +243,7 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-compress</artifactId>
-        <version>1.22</version>
+        <version>1.23.0</version>
       </dependency>
       <dependency>
         <groupId>org.jruby</groupId>
@@ -532,7 +532,7 @@
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>
-        <version>2.33.0</version>
+        <version>2.38.0</version>
         <configuration>
           <formats>
             <format>

src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java

@@ -42,6 +42,7 @@ public class AccountVerificationHelper {
   static {
     secQuestionStore.put(verifyUserId, userSecQuestions);
   }
+
   // end 'data store set up'
 
   // this is to aid feedback in the attack process and is not intended to be part of the
@@ -68,6 +69,7 @@ public class AccountVerificationHelper {
 
     return likely;
   }
+
   // end of cheating check ... the method below is the one of real interest. Can you find the flaw?
 
   public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {

src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -45,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
   "idor.hints.otherProfile8",
   "idor.hints.otherProfile9"
 })
-public class IDOREditOtherProfiile extends AssignmentEndpoint {
+public class IDOREditOtherProfile extends AssignmentEndpoint {
 
   @Autowired private UserSessionData userSessionData;
 
@@ -69,7 +70,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       // we will persist in the session object for now in case we want to refer back or use it later
       userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
       if (currentUserProfile.getRole() <= 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
         return success(this)
             .feedback("idor.edit.profile.success1")
             .output(currentUserProfile.profileToMap().toString())
@@ -77,16 +78,16 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       }
 
       if (currentUserProfile.getRole() > 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return success(this)
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
+        return failed(this)
             .feedback("idor.edit.profile.failure1")
             .output(currentUserProfile.profileToMap().toString())
             .build();
       }
 
       if (currentUserProfile.getRole() <= 1
-          && !currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return success(this)
+          && !currentUserProfile.getColor().equalsIgnoreCase("red")) {
+        return failed(this)
             .feedback("idor.edit.profile.failure2")
             .output(currentUserProfile.profileToMap().toString())
             .build();
@@ -97,7 +98,8 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
           .feedback("idor.edit.profile.failure3")
           .output(currentUserProfile.profileToMap().toString())
           .build();
-    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+    } else if (userSubmittedProfile.getUserId() != null
+        && userSubmittedProfile.getUserId().equals(authUserId)) {
       return failed(this).feedback("idor.edit.profile.failure4").build();
     }
 

src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -23,8 +24,6 @@
 package org.owasp.webgoat.lessons.idor;
 
 import jakarta.servlet.http.HttpServletResponse;
-import java.util.HashMap;
-import java.util.Map;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -56,7 +55,6 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
       produces = {"application/json"})
   @ResponseBody
   public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
-    Map<String, Object> details = new HashMap<>();
 
     if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
       // going to use session auth to view this one
@@ -66,7 +64,8 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
         UserProfile requestedProfile = new UserProfile(userId);
         // secure code would ensure there was a horizontal access control check prior to dishing up
         // the requested profile
-        if (requestedProfile.getUserId().equals("2342388")) {
+        if (requestedProfile.getUserId() != null
+            && requestedProfile.getUserId().equals("2342388")) {
           return success(this)
               .feedback("idor.view.profile.success")
               .output(requestedProfile.profileToMap().toString())

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -68,7 +69,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
         return failed(this).feedback("idor.view.own.profile.failure2").build();
       }
     } catch (Exception ex) {
-      return failed(this).feedback("an error occurred with your request").build();
+      return failed(this).output("an error occurred with your request").build();
     }
   }
 }

src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -27,6 +28,7 @@ import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
@@ -44,6 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
  *
  */
 
+@AssignmentHints({"spoofcookie.hint1", "spoofcookie.hint2", "spoofcookie.hint3"})
 @RestController
 public class SpoofCookieAssignment extends AssignmentEndpoint {
 

src/main/resources/lessons/idor/i18n/WebGoatLabels.properties

@@ -27,7 +27,7 @@ idor.diff.failure=Try again. Look in your browser dev tools or Proxy and compare
 idor.edit.profile.success1=Well done, you have modified someone else's profile (as displayed below)
 idor.edit.profile.success2=Good work! View the updated profile below
 idor.edit.profile.failure1=Close ... you've got the technique. Now try for a lower role number
-idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.)
+idor.edit.profile.failure2=Close ... you've got the technique. Now change the color in their profile to red.
 idor.edit.profile.failure3=Try again. Use the hints if you need to.
 idor.edit.profile.failure4=Modifying your own profile is good, but we want to do this to Buffalo Bill's profile.
 

src/main/resources/lessons/session_fixation/documentation/SessionFixation_1.adoc

@@ -0,0 +1,30 @@
+==== Introduction
+
+Session fixation is a security vulnerability that occurs when an attacker forces a user's session identifier (usually stored in a cookie) to be set to a value chosen by the attacker.
+This attack can result in the attacker being able to impersonate the victim's session and gain unauthorized access to their account.
+
+==== How session fixation works
+
+The following steps outline the process of a session fixation attack:
+
+- The attacker obtains a session identifier (SID) from a valid session, either by generating one or through some other means.
+
+- The attacker tricks the victim into clicking on a malicious link that includes the obtained SID.
+This link might be sent via email, social engineering, or another method.
+
+- When the victim clicks the malicious link, their browser uses the provided SID to identify the session.
+The attacker can then use the same SID to access the victim's session after they log in.
+
+- The attacker now has unauthorized access to the victim's account, effectively taking over their session.
+
+
+====  Implications and risks
+
+A successful session fixation attack can have serious consequences, including:
+
+- Unauthorized access to the victim's account and sensitive information.
+- Ability to perform actions on behalf of the victim.
+- Compromise of confidential data.
+- Damage to the victim's reputation and trust in the web application.
+
+

src/main/resources/lessons/session_fixation/documentation/SessionFixation_2.adoc

@@ -0,0 +1,15 @@
+==== Preventing session fixation attacks
+
+Most modern web frameworks do a pretty decent job fixing the problem automatically.
+Please read up on your framework before.
+
+To defend against session fixation attacks, web developers can implement the following countermeasures:
+
+- Never trust an url parameter: Never pass session identifiers via URLs, as these can be easily manipulated.
+- Session regeneration: always change the session identifier upon significant events, such as login or privilege level change.
+- Session timeout: Implement a session timeout mechanism that automatically logs out inactive users after a specified period.
+This will help when an attacker sends an email to a victim with a link.
+This way the link containing the session-id is already timed out.
+- Random session identifiers: Generate session identifiers using a strong random number generator to make them difficult to guess or predict.
+- Cookie attributes: Set `secure` and `HttpOnly` attributes for cookies to prevent manipulation and unauthorized access.
+

src/main/resources/lessons/session_fixation/documentation/SessionFixation_3.adoc

@@ -0,0 +1,17 @@
+==== Let's try
+
+Maybe WebGoat is vulnerable to a session fixation attack?
+Create a new account, for example `attacker` and login to WebGoat. Email yourself with the link and click the link and login to WebGoat.
+
+
+- Endpoint for logging in (POST)
+- Goal is to get /users/..../profile this one checks session id cookie
+- Email send to a specfic user should immediately login
+- XSS should set cookie and endpoint should pick it up.
+-
+
+Screen 1 is send email
+
+
+
+

src/main/resources/lessons/session_fixation/documentation/SessionFixation_4.adoc

@@ -0,0 +1,3 @@
+=== No longer hackable?
+
+Someone submitted a bug report and the developers made some improvements. Can you still hack them?

src/main/resources/lessons/session_fixation/documentation/SessionFixation_intro.adoc

@@ -0,0 +1,10 @@
+In this lesson, you will learn about a common web application vulnerability called "Session Fixation." Session fixation is an attack that allows an attacker to set a victim's session identifier, potentially giving them unauthorized access to the victim's account.
+We will explore how this attack works, its implications, and how to defend against it.
+
+Goals:
+
+By the end of this lesson, you will be able to:
+
+- Explain what a session fixation attack is and how it works.
+- Understand the potential risks and consequences of a successful session fixation attack.
+- Implement countermeasures to defend against session fixation attacks in a web application.

src/main/resources/lessons/spoofcookie/documentation/SpoofCookie_content0.adoc

@@ -1,16 +1,16 @@
 = Spoofing an Authentication Cookie
 
-Bypass the authentication mechanism by spoofing an authentication cookie.
+Attempt to bypass the authentication mechanism by spoofing an authentication cookie.
 
 *Notes about the login system*
 
-When an authentication cookie is sent, the system will log in the user directly if the cookie is valid.
+When a valid authentication cookie is received, the system will automatically log in the user.
 
-When a cookie is not sent, but credentials provided are correct, the system will create an authentication cookie.
+If a cookie is not sent, but the provided credentials are correct, the system will generate an authentication cookie.
 
-The login will be denied on any other cases.
+Login attempts will be denied under any other circumstances.
 
-Pay attention to the feedback message that you will get during the attacks.
+Please pay close attention to the feedback messages you receive during the attacks.
 
 Known credentials:
 
@@ -27,4 +27,4 @@ Known credentials:
 
 *Goal*
 
-When you understand how the authentication cookie is generated, try to _spoof_ the cookie and login as Tom.
+Once you have a clear understanding of how the authentication cookie is generated, attempt to _spoof_ the cookie and log in as Tom.

src/main/resources/lessons/spoofcookie/documentation/SpoofCookie_plan.adoc

@@ -2,17 +2,26 @@
 
 == Concept
 
-Authentication Cookies are used for services that require authentication, when the user logs in with a personal user name and password, the server validates the provided credentials and if those are valid, it creates a session.
+Authentication cookies are used for services that require authentication. When a user logs in with a personal username and password, the server verifies the provided credentials. If they are valid, it creates a session.
 
-Every session usually has a unique ID that identifies the user's session; when the server returns the response to the user, it includes a Set-Cookie header that contains, among other things, the cookie name and value.
+Typically, each session is assigned a unique ID that identifies the user's session. When the server sends a response back to the user, it includes a "Set-Cookie" header that contains, among other things, the cookie name and value.
 
-The authentication cookie is typically stored on the client and server side.
+The authentication cookie is usually stored on both the client and server sides.
 
-On the one hand, having the cookie stored on the client side implies that can be stolen by exploiting certain vulnerabilities or intercepted using man in the middle attacks or XSS. On the other, cookie values can be guessed if the algorithm for generating the cookie can be obtained.
-
-Many applications will automatically login a user if the right authentication cookie is provided.
+On one hand, storing the cookie on the client side means it can be susceptible to theft through exploiting certain vulnerabilities or interception via man-in-the-middle attacks or XSS. On the other hand, the cookie values can be guessed if the algorithm used to generate the cookie is obtained.
 
+Many applications will automatically log in a user if the correct authentication cookie is provided.
 
 == Goals
 
-The user should be able to guess the cookie generation algorithm and bypass the authentication mechanism by logging in as a different user.
+The user should not be able to guess the cookie generation algorithm and bypass the authentication mechanism by logging in as a different user.
+
+== Rationale
+
+It is crucial for the security of the authentication system that the cookie generation algorithm remains secure and not easily guessable. If an attacker can predict or determine the algorithm, they may be able to generate valid authentication cookies for different users, thereby bypassing the authentication mechanism and impersonating other users.
+
+To mitigate this risk, it is essential to employ robust and cryptographically secure algorithms for generating authentication cookies. These algorithms should use strong randomization and hashing techniques to ensure the uniqueness and unpredictability of the generated cookies.
+
+Additionally, implementing measures such as session expiration and regular rotation of authentication cookies can further enhance security. By frequently changing the cookie values and enforcing session timeouts, the window of opportunity for attackers to exploit any potential vulnerabilities is significantly reduced.
+
+Overall, protecting the confidentiality and integrity of the authentication cookie generation algorithm is paramount to prevent unauthorized access and maintain the integrity of the authentication mechanism.

src/main/resources/lessons/spoofcookie/i18n/WebGoatLabels.properties

@@ -5,3 +5,7 @@ spoofcookie.login=Logged in using credentials. Cookie created, see below.
 spoofcookie.cookie-login=Logged in using cookie.
 spoofcookie.wrong-cookie=Wrong cookie sent.
 spoofcookie.cheating=Don't cheat!
+
+spoofcookie.hint1=Investigate thoroughly how the cookie in this lesson is structured and try to draw conclusions about its encoding and content.
+spoofcookie.hint2=We need to deduce how the cookie value is formed. Can we deduce it? Is it possible to create a non-legitimate cookie?
+spoofcookie.hint3=Build a non-legitimate cookie and load it into the browser.

src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7Test.java

@@ -0,0 +1,99 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.challenges.challenge7;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.lessons.challenges.Flags;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultActions;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.web.client.RestTemplate;
+
+@ExtendWith(MockitoExtension.class)
+public class Assignment7Test extends AssignmentEndpointTest {
+  private MockMvc mockMvc;
+
+  private static final String CHALLENGE_PATH = "/challenge/7";
+  private static final String RESET_PASSWORD_PATH = CHALLENGE_PATH + "/reset-password";
+  private static final String GIT_PATH = CHALLENGE_PATH + "/.git";
+
+  @Mock private RestTemplate restTemplate;
+
+  @Value("${webwolf.mail.url}")
+  String webWolfMailURL;
+
+  @BeforeEach
+  void setup() {
+    Assignment7 assignment7 = new Assignment7(new Flags(), restTemplate, webWolfMailURL);
+    init(assignment7);
+    mockMvc = standaloneSetup(assignment7).build();
+  }
+
+  @Test
+  @DisplayName("Reset password test")
+  void resetPasswordTest() throws Exception {
+    ResultActions result =
+        mockMvc.perform(MockMvcRequestBuilders.get(RESET_PASSWORD_PATH + "/any"));
+    result.andExpect(status().is(equalTo(HttpStatus.I_AM_A_TEAPOT.value())));
+
+    result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.get(
+                RESET_PASSWORD_PATH + "/" + Assignment7.ADMIN_PASSWORD_LINK));
+    result.andExpect(status().is(equalTo(HttpStatus.ACCEPTED.value())));
+  }
+
+  @Test
+  @DisplayName("Send password reset link test")
+  void sendPasswordResetLinkTest() throws Exception {
+    ResultActions result =
+        mockMvc.perform(
+            MockMvcRequestBuilders.post(CHALLENGE_PATH)
+                .param("email", "webgoat@webgoat-cloud.net"));
+    result.andExpect(status().isOk());
+    result.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+  }
+
+  @Test
+  @DisplayName("git test")
+  void gitTest() throws Exception {
+    ResultActions result = mockMvc.perform(MockMvcRequestBuilders.get(GIT_PATH));
+    result.andExpect(content().contentType("application/zip"));
+  }
+}

src/test/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5Test.java

@@ -0,0 +1,48 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.challenges.challenge7;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.stream.Stream;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
+
+public class MD5Test {
+
+  @ParameterizedTest
+  @DisplayName("MD5 test")
+  @MethodSource("providedForMD5Values")
+  void testMD5(String in, String out) {
+    assertEquals(MD5.getHashString(in.getBytes()), out);
+  }
+
+  private static Stream<Arguments> providedForMD5Values() {
+    return Stream.of(
+        Arguments.of("", "d41d8cd98f00b204e9800998ecf8427e"),
+        Arguments.of("a string", "3a315533c0f34762e0c45e3d4e9d525c"));
+  }
+}