chore: release version 2023.4

.github/dependabot.yml

@@ -1,15 +1,7 @@
 version: 2
 updates:
-    -   package-ecosystem: "github-actions"
-        directory: "/"
-        schedule:
-            interval: "weekly"
-    -   package-ecosystem: "maven"
-        directory: "/"
-        schedule:
-            interval: "weekly"
-    -   package-ecosystem: "docker"
-        directory: "/"
-        schedule:
-            interval: "weekly"
-
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/build.yml

@@ -27,7 +27,7 @@ jobs:
                     java-version: 17
                     architecture: x64
             -   name: Cache Maven packages
-                uses: actions/cache@v3.3.1
+                uses: actions/cache@v3.2.5
                 with:
                     path: ~/.m2
                     key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -42,7 +42,7 @@ jobs:
                 uses: docker/setup-buildx-action@v2
             -   name: "Verify Docker WebGoat build"
                 if: runner.os == 'Linux'
-                uses: docker/build-push-action@v4.1.0
+                uses: docker/build-push-action@v4.0.0
                 with:
                     context: ./
                     file: ./Dockerfile
@@ -50,7 +50,7 @@ jobs:
                     build-args: |
                         webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
             -   name: "Verify Docker WebGoat desktop build"
-                uses: docker/build-push-action@v4.1.0
+                uses: docker/build-push-action@v4.0.0
                 if: runner.os == 'Linux'
                 with:
                     context: ./

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.3.1
+        uses: actions/cache@v3.2.5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -80,13 +80,13 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v2.2.0
+        uses: docker/login-action@v2.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v4.1.0
+        uses: docker/build-push-action@v4.0.0
         with:
           context: ./
           file: ./Dockerfile
@@ -99,12 +99,12 @@ jobs:
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
       - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v4.1.0
+        uses: docker/build-push-action@v4.0.0
         with:
           context: ./
           file: ./Dockerfile_desktop
           push: true
-          platforms: linux/amd64, linux/arm64
+          platforms: linux/amd64, linux/arm64, linux/arm/v7
           tags: |
             webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }}
             webgoat/webgoat-desktop:latest
@@ -123,7 +123,6 @@ jobs:
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
           java-version: 17
           architecture: x64
 

.github/workflows/test.yml

@@ -37,7 +37,7 @@ jobs:
                     architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             -   name: Cache Maven packages
-                uses: actions/cache@v3.3.1
+                uses: actions/cache@v3.2.5
                 with:
                     path: ~/.m2
                     key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@@ -48,8 +48,6 @@ jobs:
                         robotframework
                         robotframework-SeleniumLibrary
                         webdriver-manager
-                        selenium==4.9.1
-                    # TODO https://github.com/robotframework/SeleniumLibrary/issues/1835
             -   name: Run with Maven
                 run: mvn --no-transfer-progress spring-boot:run &
             -   name: Wait to start

CONTRIBUTING.md

@@ -3,7 +3,6 @@
 [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
 ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
-[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 This document describes how you can contribute to WebGoat. Please read it carefully.
 
@@ -42,19 +41,6 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 
 ### Write a good commit message
 
-* We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and use the following types:
-
-  - fix:
-  - feat:
-  - build:
-  - chore:
-  - ci:
-  - docs:
-  - refactor:
-  - test:
-
-  Using this style of commits makes it possible to create our release notes automatically.
-
 * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 
 * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.

CREATE_RELEASE.md

@@ -13,7 +13,6 @@ committers.
 ```
 mvn versions:set 
 << update release notes >>
-mvn verify
 git commit ....
 git tag v2023.01 
 git push --tags

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:19-jre-focal
+FROM docker.io/eclipse-temurin:17-jre-focal
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 MAINTAINER "WebGoat team"
 
@@ -27,8 +27,6 @@ ENTRYPOINT [ "java", \
    "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
    "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "--add-opens", "java.base/java.util=ALL-UNNAMED", \
-   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "-Drunning.in.docker=true", \
    "-Dwebgoat.host=0.0.0.0", \
    "-Dwebwolf.host=0.0.0.0", \

Dockerfile_desktop

@@ -10,17 +10,12 @@ COPY config/desktop/start_zap.sh /config/start_zap.sh
 COPY config/desktop/WebGoat.txt /config/Desktop/
 
 RUN \
- case $(uname -m) in \
-  x86_64) ARCH=x64;; \
-  aarch64) ARCH=aarch64;; \
-  *) ARCH=unknown;; \
- esac && \
  curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
  tar zfxv ZAP_2.12.0_Linux.tar.gz && \
  rm -rf ZAP_2.12.0_Linux.tar.gz && \
- curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
- tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
- rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
+ tar zfxv OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
+ rm -rf OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
  chmod +x /config/start_webgoat.sh && \
  chmod +x /config/start_zap.sh && \
  apt-get update &&  \

FAQ.md

@@ -1,8 +0,0 @@
-# FAQ for development
-
-## Introduction
-
-### Integration tests fail
-
-Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.
-

README.md

@@ -6,7 +6,6 @@
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
-[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 # Introduction
 

RELEASE_NOTES.md

@@ -4,7 +4,7 @@
 
 ### New functionality
 
-- [#1422 Add Docker Linux Desktop variant with all tools installed](https://github.com/WebGoat/WebGoat/issues/1422). Thanks to the [OWASP WrongSecrets project](https://owasp.org/www-project-wrongsecrets/) we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it.
+- [#1422 Add Docker Linux Desktop variant with all tools installed ](https://github.com/WebGoat/WebGoat/issues/1422). Thanks to the [OWASP WrongSecrets project](https://owasp.org/www-project-wrongsecrets/) we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it.
 - [#1411 JWT: looks that buy as Tom also works with alg:none](https://github.com/WebGoat/WebGoat/issues/1411).
 
 ### Bug fixes

pom.xml

@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.1.0</version>
+    <version>2.7.1</version>
   </parent>
-
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2023.5-SNAPSHOT</version>
+  <version>2023.4</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>
@@ -27,7 +27,6 @@
       <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
     </license>
   </licenses>
-
   <developers>
     <developer>
       <id>mayhew64</id>
@@ -95,6 +94,7 @@
       <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
     </mailingList>
   </mailingLists>
+
   <scm>
     <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
     <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@@ -108,46 +108,44 @@
   </issueManagement>
 
   <properties>
+
     <!-- Shared properties with plugins and version numbers across submodules-->
     <asciidoctorj.version>2.5.3</asciidoctorj.version>
-    <!-- Upgrading needs UI work in WebWolf -->
     <bootstrap.version>3.3.7</bootstrap.version>
-    <cglib.version>3.3.0</cglib.version>
+    <cglib.version>2.2</cglib.version>
     <!-- do not update necessary for lesson -->
-    <checkstyle.version>3.3.0</checkstyle.version>
+    <checkstyle.version>3.1.2</checkstyle.version>
     <commons-collections.version>3.2.1</commons-collections.version>
-    <commons-io.version>2.11.0</commons-io.version>
+    <commons-io.version>2.6</commons-io.version>
     <commons-lang3.version>3.12.0</commons-lang3.version>
-    <commons-text.version>1.10.0</commons-text.version>
-    <guava.version>31.1-jre</guava.version>
-    <jacoco.version>0.8.10</jacoco.version>
+    <commons-text.version>1.9</commons-text.version>
+    <guava.version>30.1-jre</guava.version>
     <java.version>17</java.version>
-    <jaxb.version>2.3.1</jaxb.version>
     <jjwt.version>0.9.1</jjwt.version>
-    <jose4j.version>0.9.3</jose4j.version>
+    <jose4j.version>0.7.6</jose4j.version>
     <jquery.version>3.5.1</jquery.version>
-    <jsoup.version>1.16.1</jsoup.version>
+    <jsoup.version>1.14.3</jsoup.version>
     <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
     <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
     <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
     <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
     <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-    <maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
     <maven.compiler.source>17</maven.compiler.source>
     <maven.compiler.target>17</maven.compiler.target>
     <pmd.version>3.15.0</pmd.version>
     <!-- Use UTF-8 Encoding -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
-    <webdriver.version>5.3.2</webdriver.version>
+    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
+    <webdriver.version>4.3.1</webdriver.version>
     <webgoat.port>8080</webgoat.port>
     <webwolf.port>9090</webwolf.port>
     <wiremock.version>2.27.2</wiremock.version>
     <xml-resolver.version>1.2</xml-resolver.version>
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
-    <zxcvbn.version>1.7.0</zxcvbn.version>
+    <zxcvbn.version>1.5.2</zxcvbn.version>
   </properties>
 
   <dependencyManagement>
@@ -156,7 +154,7 @@
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
-        <version>9.5</version>
+        <version>9.1</version>
       </dependency>
 
       <dependency>
@@ -243,15 +241,16 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-compress</artifactId>
-        <version>1.22</version>
+        <version>1.21</version>
       </dependency>
       <dependency>
         <groupId>org.jruby</groupId>
         <artifactId>jruby</artifactId>
-        <version>9.4.2.0</version>
+        <version>9.3.6.0</version>
       </dependency>
     </dependencies>
   </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -270,7 +269,6 @@
     <dependency>
       <groupId>javax.xml.bind</groupId>
       <artifactId>jaxb-api</artifactId>
-      <version>${jaxb.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -312,11 +310,7 @@
     </dependency>
     <dependency>
       <groupId>org.thymeleaf.extras</groupId>
-      <artifactId>thymeleaf-extras-springsecurity6</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>jakarta.servlet</groupId>
-      <artifactId>jakarta.servlet-api</artifactId>
+      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
     </dependency>
     <dependency>
       <groupId>org.hsqldb</groupId>
@@ -375,13 +369,8 @@
       <artifactId>jquery</artifactId>
     </dependency>
     <dependency>
-      <groupId>jakarta.xml.bind</groupId>
-      <artifactId>jakarta.xml.bind-api</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.sun.xml.bind</groupId>
-      <artifactId>jaxb-impl</artifactId>
-      <scope>runtime</scope>
+      <groupId>org.glassfish.jaxb</groupId>
+      <artifactId>jaxb-runtime</artifactId>
     </dependency>
 
     <dependency>
@@ -397,7 +386,6 @@
     <dependency>
       <groupId>com.github.tomakehurst</groupId>
       <artifactId>wiremock</artifactId>
-      <version>3.0.0-beta-2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -405,11 +393,6 @@
       <artifactId>rest-assured</artifactId>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-properties-migrator</artifactId>
-      <scope>runtime</scope>
-    </dependency>
   </dependencies>
 
   <repositories>
@@ -505,10 +488,9 @@
         <version>${maven-surefire-plugin.version}</version>
         <configuration>
           <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
-          --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
+                        --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
+                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
+                        --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
           <excludes>
             <exclude>**/*IntegrationTest.java</exclude>
             <exclude>src/it/java</exclude>
@@ -532,7 +514,7 @@
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>
-        <version>2.33.0</version>
+        <version>2.29.0</version>
         <configuration>
           <formats>
             <format>
@@ -593,7 +575,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.3.0</version>
+        <version>3.0.0</version>
         <executions>
           <execution>
             <id>restrict-log4j-versions</id>
@@ -696,10 +678,6 @@
                     <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.util=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
-                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
-                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                   </arguments>
                   <waitForInterrupt>false</waitForInterrupt>
@@ -749,82 +727,6 @@
         </plugins>
       </build>
     </profile>
-    <profile>
-      <!-- run with: mvn test -Pcoverage -->
-      <id>coverage</id>
-      <activation>
-        <activeByDefault>false</activeByDefault>
-      </activation>
-      <build>
-        <plugins>
-          <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-surefire-plugin</artifactId>
-            <version>${maven-surefire-plugin.version}</version>
-            <configuration>
-              <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
-          ${surefire.jacoco.args}</argLine>
-              <excludes>
-                <exclude>**/*IntegrationTest.java</exclude>
-                <exclude>src/it/java</exclude>
-                <exclude>org/owasp/webgoat/*Test</exclude>
-              </excludes>
-            </configuration>
-          </plugin>
-          <plugin>
-            <groupId>org.jacoco</groupId>
-            <artifactId>jacoco-maven-plugin</artifactId>
-            <version>${jacoco.version}</version>
-            <executions>
-              <execution>
-                <id>before-unit-test</id>
-                <goals>
-                  <goal>prepare-agent</goal>
-                </goals>
-                <configuration>
-                  <destFile>${project.build.directory}/jacoco/jacoco-ut.exec</destFile>
-                  <propertyName>surefire.jacoco.args</propertyName>
-                </configuration>
-              </execution>
-              <execution>
-                <id>check</id>
-                <goals>
-                  <goal>check</goal>
-                </goals>
-                <configuration>
-                  <rules>
-                    <rule>
-                      <element>BUNDLE</element>
-                      <limits>
-                        <limit>
-                          <counter>CLASS</counter>
-                          <value>COVEREDCOUNT</value>
-                          <minimum>0.6</minimum>
-                        </limit>
-                      </limits>
-                    </rule>
-                  </rules>
-                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
-                </configuration>
-              </execution>
-              <execution>
-                <id>after-unit-test</id>
-                <goals>
-                  <goal>report</goal>
-                </goals>
-                <phase>test</phase>
-                <configuration>
-                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
-                  <outputDirectory>${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report</outputDirectory>
-                </configuration>
-              </execution>
-            </executions>
-          </plugin>
-        </plugins>
-      </build>
-    </profile>
   </profiles>
+
 </project>

src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java

@@ -7,14 +7,12 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.springframework.http.HttpStatus;
 
 public class ChallengeIntegrationTest extends IntegrationTest {
 
   @Test
-  void testChallenge1() {
+  public void testChallenge1() {
     startLesson("Challenge1");
 
     byte[] resultBytes =
@@ -69,7 +67,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
   }
 
   @Test
-  void testChallenge5() {
+  public void testChallenge5() {
     startLesson("Challenge5");
 
     Map<String, Object> params = new HashMap<>();
@@ -109,62 +107,4 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
     assertTrue(capturefFlags.contains("Without password"));
   }
-
-  @Test
-  void testChallenge7() {
-    startLesson("Challenge7");
-    cleanMailbox();
-
-    // One should first be able to download git.zip from WebGoat
-    RestAssured.given()
-        .when()
-        .relaxedHTTPSValidation()
-        .cookie("JSESSIONID", getWebGoatCookie())
-        .get(url("/WebGoat/challenge/7/.git"))
-        .then()
-        .statusCode(200)
-        .extract()
-        .asString();
-
-    // Should send an email to WebWolf inbox this should give a hint to the link being static
-    RestAssured.given()
-        .when()
-        .relaxedHTTPSValidation()
-        .cookie("JSESSIONID", getWebGoatCookie())
-        .formParams("email", getUser() + "@webgoat.org")
-        .post(url("/WebGoat/challenge/7"))
-        .then()
-        .statusCode(200)
-        .extract()
-        .asString();
-
-    // Check whether email has been received
-    var responseBody =
-        RestAssured.given()
-            .when()
-            .relaxedHTTPSValidation()
-            .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(webWolfUrl("/mail"))
-            .then()
-            .extract()
-            .response()
-            .getBody()
-            .asString();
-    Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
-
-    // Call reset link with admin link
-    String result =
-        RestAssured.given()
-            .when()
-            .relaxedHTTPSValidation()
-            .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
-            .then()
-            .statusCode(HttpStatus.ACCEPTED.value())
-            .extract()
-            .asString();
-
-    String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
-    checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
-  }
 }

src/it/java/org/owasp/webgoat/IntegrationTest.java

@@ -11,7 +11,6 @@ import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
-import org.springframework.http.HttpStatus;
 
 public abstract class IntegrationTest {
 
@@ -253,14 +252,4 @@ public abstract class IntegrationTest {
         .getBody()
         .asString();
   }
-
-  public void cleanMailbox() {
-    RestAssured.given()
-        .when()
-        .relaxedHTTPSValidation()
-        .cookie("WEBWOLFSESSION", getWebWolfCookie())
-        .delete(webWolfUrl("/mail"))
-        .then()
-        .statusCode(HttpStatus.ACCEPTED.value());
-  }
 }

src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java

@@ -5,6 +5,7 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import io.restassured.RestAssured;
 import java.util.Arrays;
 import java.util.Map;
+import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterEach;
@@ -15,6 +16,7 @@ import org.junit.jupiter.api.TestFactory;
 public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
   @BeforeEach
+  @SneakyThrows
   public void init() {
     startLesson("/PasswordReset");
   }

src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java

@@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
               .relaxedHTTPSValidation()
               .cookie("JSESSIONID", getWebGoatCookie())
               .formParams(Map.of("flag", "test"))
-              .post(url("/challenge/flag"));
+              .post(url("/challenge/flag/"));
         };
-    ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
+    ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
     List<? extends Callable<Response>> flagCalls =
         IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
     var responses = executorService.invokeAll(flagCalls);

src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java

@@ -27,10 +27,10 @@
  */
 package org.owasp.webgoat.container;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 

src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java

@@ -33,7 +33,6 @@ package org.owasp.webgoat.container;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 import io.undertow.util.Headers;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -42,6 +41,7 @@ import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
@@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
  * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
  *
  * <p><code>
- * <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div>
+ * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
  * </code>
  */
 @Slf4j

src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java

@@ -50,13 +50,12 @@ public class DatabaseConfiguration {
   }
 
   @Bean
-  public Function<String, Flyway> flywayLessons() {
+  public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
     return schema ->
         Flyway.configure()
             .configuration(Map.of("driver", properties.getDriverClassName()))
             .schemas(schema)
-            .cleanDisabled(false)
-            .dataSource(dataSource())
+            .dataSource(lessonDataSource)
             .locations("lessons")
             .load();
   }

src/main/java/org/owasp/webgoat/container/MvcConfiguration.java

@@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
-import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring6.SpringTemplateEngine;
-import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.spring6.view.ThymeleafViewResolver;
+import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
+import org.thymeleaf.spring5.SpringTemplateEngine;
+import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.spring5.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresolver.ITemplateResolver;

src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java

@@ -37,49 +37,50 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
-import org.springframework.security.web.SecurityFilterChain;
 
 /** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig {
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
   private final UserService userDetailsService;
 
-  @Bean
-  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
-        auth ->
-            auth.requestMatchers(
-                    "/css/**",
-                    "/images/**",
-                    "/js/**",
-                    "fonts/**",
-                    "/plugins/**",
-                    "/registration",
-                    "/register.mvc",
-                    "/actuator/**")
-                .permitAll()
-                .anyRequest()
-                .authenticated());
-    http.formLogin()
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+        http.authorizeRequests()
+            .antMatchers(
+                "/css/**",
+                "/images/**",
+                "/js/**",
+                "fonts/**",
+                "/plugins/**",
+                "/registration",
+                "/register.mvc",
+                "/actuator/**")
+            .permitAll()
+            .anyRequest()
+            .authenticated();
+    security
+        .and()
+        .formLogin()
         .loginPage("/login")
         .defaultSuccessUrl("/welcome.mvc", true)
         .usernameParameter("username")
         .passwordParameter("password")
         .permitAll();
-    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-    http.csrf().disable();
+    security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+    security.and().csrf().disable();
 
     http.headers().cacheControl().disable();
     http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
-    return http.build();
   }
 
   @Autowired
@@ -88,14 +89,15 @@ public class WebSecurityConfig {
   }
 
   @Bean
-  public UserDetailsService userDetailsServiceBean() {
+  @Override
+  public UserDetailsService userDetailsServiceBean() throws Exception {
     return userDetailsService;
   }
 
+  @Override
   @Bean
-  public AuthenticationManager authenticationManager(
-      AuthenticationConfiguration authenticationConfiguration) throws Exception {
-    return authenticationConfiguration.getAuthenticationManager();
+  protected AuthenticationManager authenticationManager() throws Exception {
+    return super.authenticationManager();
   }
 
   @SuppressWarnings("deprecation")

src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java

@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.asciidoc;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.web.context.request.RequestContextHolder;

src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java

@@ -75,8 +75,7 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
     } else {
       userTracker.assignmentFailed(webSession.getCurrentLesson());
     }
-    userTrackerRepository.save(userTracker);
-
+    userTrackerRepository.saveAndFlush(userTracker);
     return attackResult;
   }
 }

src/main/java/org/owasp/webgoat/container/controller/StartLesson.java

@@ -31,7 +31,7 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.session.Course;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;

src/main/java/org/owasp/webgoat/container/controller/Welcome.java

@@ -29,8 +29,8 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpSession;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
@@ -49,7 +49,7 @@ public class Welcome {
   /**
    * welcome.
    *
-   * @param request a {@link jakarta.servlet.http.HttpServletRequest} object.
+   * @param request a {@link javax.servlet.http.HttpServletRequest} object.
    * @return a {@link org.springframework.web.servlet.ModelAndView} object.
    */
   @GetMapping(path = {"welcome.mvc"})

src/main/java/org/owasp/webgoat/container/lessons/Assignment.java

@@ -1,14 +1,9 @@
 package org.owasp.webgoat.container.lessons;
 
-import jakarta.persistence.Entity;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.Transient;
 import java.util.ArrayList;
 import java.util.List;
-import lombok.EqualsAndHashCode;
-import lombok.Getter;
+import javax.persistence.*;
+import lombok.*;
 
 /**
  * ************************************************************************************************
@@ -46,7 +41,7 @@ import lombok.Getter;
 public class Assignment {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @GeneratedValue(strategy = GenerationType.AUTO)
   private Long id;
 
   private String name;

src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java

@@ -4,13 +4,15 @@ import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.sql.Connection;
+import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
  * Handler which sets the correct schema for the currently bounded user. This way users are not
- * seeing each other data, and we can reset data for just one particular user.
+ * seeing each other data and we can reset data for just one particular user.
  */
+@Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
 
   private final Connection targetConnection;

src/main/java/org/owasp/webgoat/container/users/LessonTracker.java

@@ -1,20 +1,8 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.persistence.CascadeType;
-import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.OneToMany;
-import jakarta.persistence.Version;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
 import java.util.stream.Collectors;
-import lombok.EqualsAndHashCode;
+import javax.persistence.*;
 import lombok.Getter;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -51,11 +39,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
  * @since October 29, 2003
  */
 @Entity
-@EqualsAndHashCode
 public class LessonTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @GeneratedValue(strategy = GenerationType.AUTO)
   private Long id;
 
   @Getter private String lessonName;

src/main/java/org/owasp/webgoat/container/users/RegistrationController.java

@@ -1,10 +1,11 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.validation.Valid;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.validation.Valid;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -22,6 +23,7 @@ public class RegistrationController {
 
   private UserValidator userValidator;
   private UserService userService;
+  private AuthenticationManager authenticationManager;
 
   @GetMapping("/registration")
   public String showForm(UserForm userForm) {

src/main/java/org/owasp/webgoat/container/users/UserForm.java

@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.validation.constraints.NotNull;
-import jakarta.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
+import javax.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 

src/main/java/org/owasp/webgoat/container/users/UserTracker.java

@@ -1,19 +1,11 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.persistence.CascadeType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.OneToMany;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import lombok.EqualsAndHashCode;
+import javax.persistence.*;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -51,11 +43,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
  */
 @Slf4j
 @Entity
-@EqualsAndHashCode
 public class UserTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @GeneratedValue(strategy = GenerationType.AUTO)
   private Long id;
 
   @Column(name = "username")

src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java

@@ -1,10 +1,10 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.persistence.Entity;
-import jakarta.persistence.Id;
-import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;

src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java

@@ -22,13 +22,13 @@
 
 package org.owasp.webgoat.lessons.authbypass;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java

@@ -1,13 +1,89 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
 package org.owasp.webgoat.lessons.challenges;
 
-public record Flag(int number, String answer) {
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+import javax.annotation.PostConstruct;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
-  public boolean isCorrect(String flag) {
-    return answer.equals(flag);
+/**
+ * @author nbaars
+ * @since 3/23/17.
+ */
+@RestController
+public class Flag extends AssignmentEndpoint {
+
+  public static final Map<Integer, String> FLAGS = new HashMap<>();
+  @Autowired private UserTrackerRepository userTrackerRepository;
+  @Autowired private WebSession webSession;
+
+  @AllArgsConstructor
+  private class FlagPosted {
+    @Getter private boolean lessonCompleted;
   }
 
-  @Override
-  public String toString() {
-    return answer;
+  @PostConstruct
+  public void initFlags() {
+    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+  }
+
+  @RequestMapping(
+      path = "/challenge/flag",
+      method = RequestMethod.POST,
+      produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult postFlag(@RequestParam String flag) {
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    String currentChallenge = webSession.getCurrentLesson().getName();
+    int challengeNumber =
+        Integer.valueOf(
+            currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
+    String expectedFlag = FLAGS.get(challengeNumber);
+    final AttackResult attackResult;
+    if (expectedFlag.equals(flag)) {
+      userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
+      attackResult = success(this).feedback("challenge.flag.correct").build();
+    } else {
+      userTracker.assignmentFailed(webSession.getCurrentLesson());
+      attackResult = failed(this).feedback("challenge.flag.incorrect").build();
+    }
+    userTrackerRepository.save(userTracker);
+    return attackResult;
   }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java

@@ -1,52 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webgoat.lessons.challenges;
-
-import lombok.AllArgsConstructor;
-import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.container.session.WebSession;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-@AllArgsConstructor
-public class FlagController extends AssignmentEndpoint {
-
-  private final WebSession webSession;
-  private final Flags flags;
-
-  @PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
-  @ResponseBody
-  public AttackResult postFlag(@RequestParam String flag) {
-    Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
-    if (expectedFlag.isCorrect(flag)) {
-      return success(this).feedback("challenge.flag.correct").build();
-    } else {
-      return failed(this).feedback("challenge.flag.incorrect").build();
-    }
-  }
-}

src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java

@@ -1,27 +0,0 @@
-package org.owasp.webgoat.lessons.challenges;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-import java.util.stream.IntStream;
-import org.owasp.webgoat.container.lessons.Lesson;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class Flags {
-  private final Map<Integer, Flag> FLAGS = new HashMap<>();
-
-  public Flags() {
-    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, new Flag(i, UUID.randomUUID().toString())));
-  }
-
-  public Flag getFlag(Lesson forLesson) {
-    String lessonName = forLesson.getName();
-    int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
-    return FLAGS.get(challengeNumber);
-  }
-
-  public Flag getFlag(int flagNumber) {
-    return FLAGS.get(flagNumber);
-  }
-}

src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java

@@ -32,4 +32,6 @@ public interface SolutionConstants {
 
   // TODO should be random generated when starting the server
   String PASSWORD = "!!webgoat_admin_1234!!";
+  String PASSWORD_TOM = "thisisasecretfortomonly";
+  String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java

@@ -2,10 +2,11 @@ package org.owasp.webgoat.lessons.challenges.challenge1;
 
 import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
 
-import lombok.RequiredArgsConstructor;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
+import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -42,14 +43,12 @@ import org.springframework.web.bind.annotation.RestController;
  * @since August 11, 2016
  */
 @RestController
-@RequiredArgsConstructor
 public class Assignment1 extends AssignmentEndpoint {
 
-  private final Flags flags;
-
   @PostMapping("/challenge/1")
   @ResponseBody
-  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+  public AttackResult completed(
+      @RequestParam String username, @RequestParam String password, HttpServletRequest request) {
     boolean ipAddressKnown = true;
     boolean passwordCorrect =
         "admin".equals(username)
@@ -57,10 +56,14 @@ public class Assignment1 extends AssignmentEndpoint {
                 .replace("1234", String.format("%04d", ImageServlet.PINCODE))
                 .equals(password);
     if (passwordCorrect && ipAddressKnown) {
-      return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(1)).build();
+      return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
     } else if (passwordCorrect) {
       return failed(this).feedback("ip.address.unknown").build();
     }
     return failed(this).build();
   }
+
+  public static boolean containsHeader(HttpServletRequest request) {
+    return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
+  }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java

@@ -4,7 +4,8 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
 import java.io.IOException;
-import java.util.Random;
+import java.security.SecureRandom;
+import javax.servlet.http.HttpServlet;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -12,9 +13,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-public class ImageServlet {
+public class ImageServlet extends HttpServlet {
 
-  public static final int PINCODE = new Random().nextInt(10000);
+  private static final long serialVersionUID = 9132775506936676850L;
+  public static final int PINCODE = new SecureRandom().nextInt(10000);
 
   @RequestMapping(
       method = {GET, POST},

src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java

@@ -24,12 +24,11 @@ package org.owasp.webgoat.lessons.challenges.challenge5;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -38,11 +37,13 @@ import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @Slf4j
-@RequiredArgsConstructor
 public class Assignment5 extends AssignmentEndpoint {
 
   private final LessonDataSource dataSource;
-  private final Flags flags;
+
+  public Assignment5(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
   @PostMapping("/challenge/5")
   @ResponseBody
@@ -65,7 +66,7 @@ public class Assignment5 extends AssignmentEndpoint {
       ResultSet resultSet = statement.executeQuery();
 
       if (resultSet.next()) {
-        return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(5)).build();
+        return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
       } else {
         return failed(this).feedback("challenge.close").build();
       }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java

@@ -1,14 +1,16 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.LocalDateTime;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Email;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.SolutionConstants;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
@@ -31,8 +33,6 @@ import org.springframework.web.client.RestTemplate;
 @Slf4j
 public class Assignment7 extends AssignmentEndpoint {
 
-  public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
-
   private static final String TEMPLATE =
       "Hi, you requested a password reset link, please use this <a target='_blank'"
           + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
@@ -44,26 +44,22 @@ public class Assignment7 extends AssignmentEndpoint {
           + "Kind regards, \n"
           + "Team WebGoat";
 
-  private final Flags flags;
-  private final RestTemplate restTemplate;
-  private final String webWolfMailURL;
+  @Autowired private RestTemplate restTemplate;
 
-  public Assignment7(
-      Flags flags, RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfMailURL) {
-    this.flags = flags;
-    this.restTemplate = restTemplate;
-    this.webWolfMailURL = webWolfMailURL;
-  }
+  @Value("${webwolf.mail.url}")
+  private String webWolfMailURL;
 
   @GetMapping("/challenge/7/reset-password/{link}")
   public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
-    if (link.equals(ADMIN_PASSWORD_LINK)) {
+    if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
       return ResponseEntity.accepted()
           .body(
               "<h1>Success!!</h1>"
                   + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
                   + "<br/><br/>Here is your flag: "
-                  + flags.getFlag(7));
+                  + "<b>"
+                  + Flag.FLAGS.get(7)
+                  + "</b>");
     }
     return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
         .body("That is not the reset link for admin");
@@ -98,6 +94,6 @@ public class Assignment7 extends AssignmentEndpoint {
   @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
   @ResponseBody
   public ClassPathResource git() {
-    return new ClassPathResource("lessons/challenges/challenge7/git.zip");
+    return new ClassPathResource("challenge7/git.zip");
   }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java

@@ -1,14 +1,13 @@
 package org.owasp.webgoat.lessons.challenges.challenge8;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
-import lombok.RequiredArgsConstructor;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -16,9 +15,12 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
 @RestController
 @Slf4j
-@RequiredArgsConstructor
 public class Assignment8 extends AssignmentEndpoint {
 
   private static final Map<Integer, Integer> votes = new HashMap<>();
@@ -31,8 +33,6 @@ public class Assignment8 extends AssignmentEndpoint {
     votes.put(5, 300);
   }
 
-  private final Flags flags;
-
   @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
   @ResponseBody
   public ResponseEntity<?> vote(
@@ -47,7 +47,7 @@ public class Assignment8 extends AssignmentEndpoint {
     Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
     votes.put(nrOfStars, allVotesForStar + 1);
     return ResponseEntity.ok()
-        .header("X-FlagController", "Thanks for voting, your flag is: " + flags.getFlag(8))
+        .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
         .build();
   }
 

src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java

@@ -22,7 +22,6 @@
 
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
-import jakarta.annotation.PostConstruct;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -32,6 +31,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.annotation.PostConstruct;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;

src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.Base64;
 import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;

src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPublicKey;
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java

@@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Map;
 import java.util.UUID;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java

@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java

@@ -25,7 +25,6 @@ package org.owasp.webgoat.lessons.csrf;
 import static org.springframework.http.MediaType.ALL_VALUE;
 
 import com.google.common.collect.Lists;
-import jakarta.servlet.http.HttpServletRequest;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
@@ -33,6 +32,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.hijacksession;
 
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java

@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.httpproxies;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;

src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java

@@ -97,8 +97,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
           .feedback("idor.edit.profile.failure3")
           .output(currentUserProfile.profileToMap().toString())
           .build();
-    } else if (userSubmittedProfile.getUserId() != null
-        && userSubmittedProfile.getUserId().equals(authUserId)) {
+    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
       return failed(this).feedback("idor.edit.profile.failure4").build();
     }
 

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.idor;
 
-import jakarta.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.Map;
+import javax.servlet.http.HttpServletResponse;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java

@@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
-import jakarta.annotation.PostConstruct;
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletResponse;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.logging;
 
-import jakarta.annotation.PostConstruct;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.UUID;
+import javax.annotation.PostConstruct;
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;

src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java

@@ -1,7 +1,7 @@
 package org.owasp.webgoat.lessons.passwordreset.resetlink;
 
-import jakarta.validation.constraints.NotNull;
-import jakarta.validation.constraints.Size;
+import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 

src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java

@@ -1,7 +1,5 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import jakarta.annotation.PostConstruct;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -10,6 +8,8 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.util.Base64;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.spoofcookie;
 
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import jakarta.annotation.PostConstruct;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import javax.annotation.PostConstruct;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.*;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java

@@ -44,12 +44,12 @@ public class SSRFTask1 extends AssignmentEndpoint {
     try {
       StringBuilder html = new StringBuilder();
 
-      if (url.matches("images/tom\\.png")) {
+      if (url.matches("images/tom.png")) {
         html.append(
             "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
                 + " height=\"25%\">");
         return failed(this).feedback("ssrf.tom").output(html.toString()).build();
-      } else if (url.matches("images/jerry\\.png")) {
+      } else if (url.matches("images/jerry.png")) {
         html.append(
             "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
                 + " height=\"25%\">");

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java

@@ -46,7 +46,7 @@ public class SSRFTask2 extends AssignmentEndpoint {
   }
 
   protected AttackResult furBall(String url) {
-    if (url.matches("http://ifconfig\\.pro")) {
+    if (url.matches("http://ifconfig.pro")) {
       String html;
       try (InputStream in = new URL(url).openStream()) {
         html =

src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.webwolfintroduction;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.xss;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.security.SecureRandom;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.UserSessionData;

src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java

@@ -22,8 +22,7 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
-import jakarta.xml.bind.annotation.XmlRootElement;
-import jakarta.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.XmlRootElement;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -38,8 +37,7 @@ import lombok.ToString;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
-@XmlRootElement(name = "comment")
-@XmlType
+@XmlRootElement
 @ToString
 public class Comment {
   private String user;

src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java

@@ -26,8 +26,6 @@ import static java.util.Optional.empty;
 import static java.util.Optional.of;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import jakarta.xml.bind.JAXBContext;
-import jakarta.xml.bind.JAXBException;
 import java.io.IOException;
 import java.io.StringReader;
 import java.time.LocalDateTime;
@@ -38,6 +36,8 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import org.owasp.webgoat.container.session.WebSession;
@@ -93,7 +93,7 @@ public class CommentsCache {
    * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
    * Comment class can be directly used in the controller method (instead of a String)
    */
-  protected Comment parseXml(String xml) throws XMLStreamException, JAXBException {
+  protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
     var jc = JAXBContext.newInstance(Comment.class);
     var xif = XMLInputFactory.newInstance();
 

src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java

@@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
 
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -60,7 +60,8 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
   public AttackResult createNewUser(
       HttpServletRequest request,
       @RequestBody String commentStr,
-      @RequestHeader("Content-Type") String contentType) {
+      @RequestHeader("Content-Type") String contentType)
+      throws Exception {
     AttackResult attackResult = failed(this).build();
 
     if (APPLICATION_JSON_VALUE.equals(contentType)) {

src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java

@@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/webwolf/FileServer.java

@@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
+import javax.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;

src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf;
 
-import jakarta.annotation.PostConstruct;
 import java.io.File;
+import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;

src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java

@@ -29,49 +29,54 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
-import org.springframework.security.web.SecurityFilterChain;
 
-/** Security configuration for WebWolf. */
+/** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig {
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
   private final UserService userDetailsService;
 
-  @Bean
-  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
-        auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
-    http.authorizeHttpRequests(
-        auth ->
-            auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
-    http.authorizeHttpRequests().anyRequest().permitAll();
-    http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
-    http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
-    http.logout().permitAll();
-    return http.build();
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+        http.authorizeRequests()
+            .antMatchers(HttpMethod.POST, "/fileupload")
+            .authenticated()
+            .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
+            .authenticated()
+            .and()
+            .authorizeRequests()
+            .anyRequest()
+            .permitAll();
+
+    security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+    security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
+    security.and().logout().permitAll();
   }
 
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-    auth.userDetailsService(userDetailsService);
+    auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
   }
 
   @Bean
-  public UserDetailsService userDetailsServiceBean() {
+  @Override
+  public UserDetailsService userDetailsServiceBean() throws Exception {
     return userDetailsService;
   }
 
+  @Override
   @Bean
-  public AuthenticationManager authenticationManager(
-      AuthenticationConfiguration authenticationConfiguration) throws Exception {
-    return authenticationConfiguration.getAuthenticationManager();
+  protected AuthenticationManager authenticationManager() throws Exception {
+    return super.authenticationManager();
   }
 
   @Bean

src/main/java/org/owasp/webgoat/webwolf/WebWolf.java

@@ -23,7 +23,7 @@
 package org.owasp.webgoat.webwolf;
 
 import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
 public class WebWolf {
 
   @Bean
-  public HttpExchangeRepository traceRepository() {
+  public HttpTraceRepository traceRepository() {
     return new WebWolfTraceRepository();
   }
 }

src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java

@@ -23,14 +23,10 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
+import javax.persistence.*;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;

src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java

@@ -23,25 +23,26 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import java.util.List;
-import lombok.RequiredArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
 @RestController
-@RequiredArgsConstructor
+@AllArgsConstructor
+@Slf4j
 public class MailboxController {
 
   private final MailboxRepository mailboxRepository;
 
-  @GetMapping("/mail")
+  @GetMapping(value = "/mail")
   public ModelAndView mail() {
     UserDetails user =
         (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@@ -55,15 +56,9 @@ public class MailboxController {
     return modelAndView;
   }
 
-  @PostMapping("/mail")
-  @ResponseStatus(HttpStatus.CREATED)
-  public void sendEmail(@RequestBody Email email) {
+  @PostMapping(value = "/mail")
+  public ResponseEntity<?> sendEmail(@RequestBody Email email) {
     mailboxRepository.save(email);
-  }
-
-  @DeleteMapping("/mail")
-  @ResponseStatus(HttpStatus.ACCEPTED)
-  public void deleteAllMail() {
-    mailboxRepository.deleteAll();
+    return ResponseEntity.status(HttpStatus.CREATED).build();
   }
 }

src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf.requests;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.concurrent.Callable;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;

src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java

@@ -32,7 +32,8 @@ import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.boot.actuate.web.exchanges.HttpExchange;
+import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@@ -77,8 +78,8 @@ public class Requests {
     return model;
   }
 
-  private boolean allowedTrace(HttpExchange t, UserDetails user) {
-    HttpExchange.Request req = t.getRequest();
+  private boolean allowedTrace(HttpTrace t, UserDetails user) {
+    Request req = t.getRequest();
     boolean allowed = true;
     /* do not show certain traces to other users in a classroom setup */
     if (req.getUri().getPath().contains("/files")
@@ -94,11 +95,11 @@ public class Requests {
     return allowed;
   }
 
-  private String path(HttpExchange t) {
+  private String path(HttpTrace t) {
     return (String) t.getRequest().getUri().getPath();
   }
 
-  private String toJsonString(HttpExchange t) {
+  private String toJsonString(HttpTrace t) {
     try {
       return objectMapper.writeValueAsString(t);
     } catch (JsonProcessingException e) {

src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java

@@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.boot.actuate.web.exchanges.HttpExchange;
-import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
+import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 
 /**
  * Keep track of all the incoming requests, we are only keeping track of request originating from
@@ -37,9 +37,9 @@ import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
  * @since 8/13/17.
  */
 @Slf4j
-public class WebWolfTraceRepository implements HttpExchangeRepository {
+public class WebWolfTraceRepository implements HttpTraceRepository {
 
-  private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
+  private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
   private final List<String> exclusionList =
       List.of(
           "/tmpdir",
@@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
           "/mail");
 
   @Override
-  public List<HttpExchange> findAll() {
+  public List<HttpTrace> findAll() {
     return List.of();
   }
 
-  public List<HttpExchange> findAllTraces() {
+  public List<HttpTrace> findAllTraces() {
     return new ArrayList<>(traces);
   }
 
@@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
   }
 
   @Override
-  public void add(HttpExchange httpTrace) {
+  public void add(HttpTrace httpTrace) {
     var path = httpTrace.getRequest().getUri().getPath();
     if (!isInExclusionList(path)) {
       traces.add(httpTrace);

src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.webwolf.user;
 
-import jakarta.persistence.Entity;
-import jakarta.persistence.Id;
-import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;

src/main/resources/application-webgoat.properties

@@ -13,12 +13,11 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
 server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 
-spring.banner.location=classpath:banner.txt
 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
-spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
-spring.jpa.open-in-view=false
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.banner.location=classpath:banner.txt
 
 logging.level.org.thymeleaf=INFO
 logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@@ -29,7 +28,6 @@ logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=DEBUG
-logging.level.org.hidbernate.SQL=DEBUG
 
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@@ -53,11 +51,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
 
-#exclude based on the enum of the Category
 exclude.categories=${EXCLUDE_CATEGORIES:none,none}
+#exclude based on the enum of the Category
 
-#exclude based on the class name of a lesson e.g.: LessonTemplate
 exclude.lessons=${EXCLUDE_LESSONS:none,none}
+#exclude based on the class name of a lesson e.g.: LessonTemplate
 
 management.health.db.enabled=true
 management.endpoint.health.show-details=always

src/main/resources/application-webwolf.properties

@@ -18,7 +18,6 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
-spring.jpa.open-in-view=false
 spring.messages.basename=i18n/messages
 spring.jmx.enabled=false
 
@@ -27,7 +26,7 @@ logging.level.org.springframework.boot.devtools=WARN
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webwolf=TRACE
 
-management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
+management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
 management.endpoint.httptrace.enabled=true
 
 spring.thymeleaf.cache=false

src/main/resources/db/container/V3__id.sql

@@ -1,4 +0,0 @@
-ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
-ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
-ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
-

src/main/resources/lessons/authbypass/html/AuthBypass.html

@@ -4,14 +4,14 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -72,9 +72,9 @@
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
 

src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html

@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -59,7 +59,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 

src/main/resources/lessons/challenges/html/Challenge.html

@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
 </div>
 
 </html>

src/main/resources/lessons/challenges/html/Challenge1.html

@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
     <div class="attack-container">

src/main/resources/lessons/challenges/html/Challenge5.html

@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>

src/main/resources/lessons/challenges/html/Challenge6.html

@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
     <div class="attack-container">

src/main/resources/lessons/challenges/html/Challenge7.html

@@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">

src/main/resources/lessons/challenges/html/Challenge8.html

@@ -3,7 +3,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
     <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
 

src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html

@@ -4,22 +4,22 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
 </div>
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -35,12 +35,12 @@
 
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
 </div>
 
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"

src/main/resources/lessons/cia/html/CIA.html

@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
@@ -23,7 +23,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">

src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html

@@ -2,10 +2,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
 
     <br/>
 
@@ -74,7 +74,7 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
     <div class="attack-container">

src/main/resources/lessons/cryptography/html/Cryptography.html

@@ -18,11 +18,11 @@ $(document).ready(initialise);
 <body>
 	<!-- 1. overview -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
 	</div>
 	<!-- 2. encoding -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
 		<!-- 2. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -41,7 +41,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 3. encoding xor -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -58,7 +58,7 @@ $(document).ready(initialise);
 
 	<!-- 4. hashing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -76,12 +76,12 @@ $(document).ready(initialise);
 	
 	<!-- 5. encryption -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
 	</div>
 
 	<!-- 6. signing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
 		<!-- 6. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -101,12 +101,12 @@ $(document).ready(initialise);
 	
 	<!-- 7. keystores -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
 	</div>
 	
 	<!-- 8. security defaults -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -123,7 +123,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 9. postquantum -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
 	</div>
 </body>
 </html>

src/main/resources/lessons/csrf/html/CSRF.html

@@ -3,15 +3,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_GET.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
           method="POST" name="form1"
@@ -23,7 +23,7 @@
 
     </form>
 
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
 
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@@ -54,7 +54,7 @@
 
 <div class="lesson-page-wrapper">
 
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Reviews.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
 
     <!-- comment area -->
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@@ -121,15 +121,15 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Frameworks.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_JSON.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_ContentType.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
 
     <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
     <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@@ -227,7 +227,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Login.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
 
     <div class="attack-container">
         <div class="assignment-success">
@@ -251,7 +251,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
 </div>
 
 

src/main/resources/lessons/deserialization/html/InsecureDeserialization.html

@@ -3,24 +3,24 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"

src/main/resources/lessons/hijacksession/documentation/HijackSession_content0.adoc

@@ -1,4 +1,4 @@
 = Hijack a Session
 
-In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
+In this lesson we are trying to predict the 'hijack_cookie' value. THe 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
 

src/main/resources/lessons/hijacksession/html/HijackSession.html

@@ -7,12 +7,12 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_plan.adoc}"></div>
+	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_content0.adoc}"></div>
+	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
 	<div class="attack-container">
 		<div class="assignment-success">
 			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>

src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html

@@ -7,7 +7,7 @@
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
 		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="~{doc:HijackSession_solution.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
 	</div>