WIP

Bumps [com.nulab-inc:zxcvbn](https://github.com/nulab/zxcvbn4j) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/nulab/zxcvbn4j/releases)
- [Changelog](https://github.com/nulab/zxcvbn4j/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nulab/zxcvbn4j/compare/1.7.0...1.8.0)

---
updated-dependencies:
- dependency-name: com.nulab-inc:zxcvbn
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yml

@@ -1,7 +1,15 @@
 version: 2
 updates:
-  # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
+    -   package-ecosystem: "github-actions"
+        directory: "/"
+        schedule:
+            interval: "weekly"
+    -   package-ecosystem: "maven"
+        directory: "/"
+        schedule:
+            interval: "weekly"
+    -   package-ecosystem: "docker"
+        directory: "/"
+        schedule:
+            interval: "weekly"
+

.github/workflows/build.yml

@@ -27,7 +27,7 @@ jobs:
                     java-version: 17
                     architecture: x64
             -   name: Cache Maven packages
-                uses: actions/cache@v3.2.5
+                uses: actions/cache@v3.3.1
                 with:
                     path: ~/.m2
                     key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -36,13 +36,13 @@ jobs:
                 run: mvn --no-transfer-progress verify
             -   name: "Set up QEMU"
                 if: runner.os == 'Linux'
-                uses: docker/setup-qemu-action@v2.1.0
+                uses: docker/setup-qemu-action@v2.2.0
             -   name: "Set up Docker Buildx"
                 if: runner.os == 'Linux'
                 uses: docker/setup-buildx-action@v2
             -   name: "Verify Docker WebGoat build"
                 if: runner.os == 'Linux'
-                uses: docker/build-push-action@v4.0.0
+                uses: docker/build-push-action@v4.1.1
                 with:
                     context: ./
                     file: ./Dockerfile
@@ -50,7 +50,7 @@ jobs:
                     build-args: |
                         webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
             -   name: "Verify Docker WebGoat desktop build"
-                uses: docker/build-push-action@v4.0.0
+                uses: docker/build-push-action@v4.1.1
                 if: runner.os == 'Linux'
                 with:
                     context: ./

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.2.5
+        uses: actions/cache@v3.3.1
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -44,7 +44,7 @@ jobs:
           files: |
             target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
           body: |
-            ## Version ${{ steps.tag.outputs.tag }}
+           ## Version ${{ github.ref_name }} 
 
             ### New functionality
 
@@ -54,7 +54,7 @@ jobs:
 
             - [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
               
-            Full change log: https://github.com/WebGoat/WebGoat/compare/${{ steps.tag.outputs.tag }}...${{ steps.tag.outputs.tag }}  
+            Full change log: https://github.com/WebGoat/WebGoat/compare/${{ github.ref_name }}...${{ github.ref_name }}  
 
 
             ## Contributors
@@ -72,7 +72,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v2.2.0
         with:
           platforms: all
 
@@ -80,13 +80,13 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v4.1.1
         with:
           context: ./
           file: ./Dockerfile
@@ -99,12 +99,12 @@ jobs:
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
       - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v4.1.1
         with:
           context: ./
           file: ./Dockerfile_desktop
           push: true
-          platforms: linux/amd64, linux/arm64, linux/arm/v7
+          platforms: linux/amd64, linux/arm64
           tags: |
             webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }}
             webgoat/webgoat-desktop:latest
@@ -123,6 +123,7 @@ jobs:
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
+          distribution: 'temurin'
           java-version: 17
           architecture: x64
 

.github/workflows/test.yml

@@ -37,7 +37,7 @@ jobs:
                     architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             -   name: Cache Maven packages
-                uses: actions/cache@v3.2.5
+                uses: actions/cache@v3.3.1
                 with:
                     path: ~/.m2
                     key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@@ -48,6 +48,8 @@ jobs:
                         robotframework
                         robotframework-SeleniumLibrary
                         webdriver-manager
+                        selenium==4.9.1
+                    # TODO https://github.com/robotframework/SeleniumLibrary/issues/1835
             -   name: Run with Maven
                 run: mvn --no-transfer-progress spring-boot:run &
             -   name: Wait to start
@@ -59,7 +61,7 @@ jobs:
             # send report to forks only due to limits on permission tokens
             -   name: Send report to commit
                 if: github.repository != 'WebGoat/WebGoat' && github.event_name == 'push'
-                uses: joonvena/robotframework-reporter-action@v2.1
+                uses: joonvena/robotframework-reporter-action@v2.2
                 with:
                     gh_access_token: ${{ secrets.GITHUB_TOKEN }}
                     report_path: 'robotreport'

CONTRIBUTING.md

@@ -3,6 +3,7 @@
 [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
 ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
+[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 This document describes how you can contribute to WebGoat. Please read it carefully.
 
@@ -41,6 +42,19 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 
 ### Write a good commit message
 
+* We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and use the following types:
+
+  - fix:
+  - feat:
+  - build:
+  - chore:
+  - ci:
+  - docs:
+  - refactor:
+  - test:
+
+  Using this style of commits makes it possible to create our release notes automatically.
+
 * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 
 * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.

CREATE_RELEASE.md

@@ -13,6 +13,7 @@ committers.
 ```
 mvn versions:set 
 << update release notes >>
+mvn verify
 git commit ....
 git tag v2023.01 
 git push --tags

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:17-jre-focal
+FROM docker.io/eclipse-temurin:19-jre-focal
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 MAINTAINER "WebGoat team"
 
@@ -27,6 +27,8 @@ ENTRYPOINT [ "java", \
    "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
    "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "--add-opens", "java.base/java.util=ALL-UNNAMED", \
+   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
+   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "-Drunning.in.docker=true", \
    "-Dwebgoat.host=0.0.0.0", \
    "-Dwebwolf.host=0.0.0.0", \

Dockerfile_desktop

@@ -10,12 +10,17 @@ COPY config/desktop/start_zap.sh /config/start_zap.sh
 COPY config/desktop/WebGoat.txt /config/Desktop/
 
 RUN \
+ case $(uname -m) in \
+  x86_64) ARCH=x64;; \
+  aarch64) ARCH=aarch64;; \
+  *) ARCH=unknown;; \
+ esac && \
  curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
  tar zfxv ZAP_2.12.0_Linux.tar.gz && \
  rm -rf ZAP_2.12.0_Linux.tar.gz && \
- curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
- tar zfxv OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
- rm -rf OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
+ curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
  chmod +x /config/start_webgoat.sh && \
  chmod +x /config/start_zap.sh && \
  apt-get update &&  \

FAQ.md

@@ -0,0 +1,8 @@
+# FAQ for development
+
+## Introduction
+
+### Integration tests fail
+
+Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.
+

README.md

@@ -6,6 +6,7 @@
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
+[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 # Introduction
 

RELEASE_NOTES.md

@@ -1,5 +1,18 @@
 # WebGoat release notes
 
+## Version 2023.4
+
+### New functionality
+
+- [#1422 Add Docker Linux Desktop variant with all tools installed](https://github.com/WebGoat/WebGoat/issues/1422). Thanks to the [OWASP WrongSecrets project](https://owasp.org/www-project-wrongsecrets/) we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it.
+- [#1411 JWT: looks that buy as Tom also works with alg:none](https://github.com/WebGoat/WebGoat/issues/1411).
+
+### Bug fixes
+
+- [#1410 WebWolf: JWT decode is broken](https://github.com/WebGoat/WebGoat/issues/1410).
+- [#1396 password_reset return 500 Error](https://github.com/WebGoat/WebGoat/issues/1396).
+- [#1379 Move XXE to A05:2021-Security Misconfiguration](https://github.com/WebGoat/WebGoat/issues/1379).
+
 ## Version 2023.3
 
 With great pleasure, we present you with a new release of WebGoat **2023.3**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).

pom.xml

@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.7.1</version>
+    <version>3.1.0</version>
   </parent>
+
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2023.4-SNAPSHOT</version>
+  <version>2023.5-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>
@@ -27,6 +27,7 @@
       <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
     </license>
   </licenses>
+
   <developers>
     <developer>
       <id>mayhew64</id>
@@ -94,7 +95,6 @@
       <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
     </mailingList>
   </mailingLists>
-
   <scm>
     <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
     <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@@ -108,44 +108,46 @@
   </issueManagement>
 
   <properties>
-
     <!-- Shared properties with plugins and version numbers across submodules-->
-    <asciidoctorj.version>2.5.3</asciidoctorj.version>
+    <asciidoctorj.version>2.5.10</asciidoctorj.version>
+    <!-- Upgrading needs UI work in WebWolf -->
     <bootstrap.version>3.3.7</bootstrap.version>
-    <cglib.version>2.2</cglib.version>
+    <cglib.version>3.3.0</cglib.version>
     <!-- do not update necessary for lesson -->
-    <checkstyle.version>3.1.2</checkstyle.version>
+    <checkstyle.version>3.3.0</checkstyle.version>
     <commons-collections.version>3.2.1</commons-collections.version>
-    <commons-io.version>2.6</commons-io.version>
+    <commons-io.version>2.11.0</commons-io.version>
     <commons-lang3.version>3.12.0</commons-lang3.version>
-    <commons-text.version>1.9</commons-text.version>
-    <guava.version>30.1-jre</guava.version>
+    <commons-text.version>1.10.0</commons-text.version>
+    <guava.version>32.1.1-jre</guava.version>
+    <jacoco.version>0.8.10</jacoco.version>
     <java.version>17</java.version>
+    <jaxb.version>2.3.1</jaxb.version>
     <jjwt.version>0.9.1</jjwt.version>
-    <jose4j.version>0.7.6</jose4j.version>
-    <jquery.version>3.5.1</jquery.version>
-    <jsoup.version>1.14.3</jsoup.version>
+    <jose4j.version>0.9.3</jose4j.version>
+    <jquery.version>3.6.4</jquery.version>
+    <jsoup.version>1.16.1</jsoup.version>
     <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
     <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
     <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
     <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
     <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-    <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.1.2</maven-surefire-plugin.version>
     <maven.compiler.source>17</maven.compiler.source>
     <maven.compiler.target>17</maven.compiler.target>
     <pmd.version>3.15.0</pmd.version>
     <!-- Use UTF-8 Encoding -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
-    <webdriver.version>4.3.1</webdriver.version>
+    <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
+    <webdriver.version>5.3.2</webdriver.version>
     <webgoat.port>8080</webgoat.port>
     <webwolf.port>9090</webwolf.port>
     <wiremock.version>2.27.2</wiremock.version>
     <xml-resolver.version>1.2</xml-resolver.version>
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
-    <zxcvbn.version>1.5.2</zxcvbn.version>
+    <zxcvbn.version>1.8.0</zxcvbn.version>
   </properties>
 
   <dependencyManagement>
@@ -154,7 +156,7 @@
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
-        <version>9.1</version>
+        <version>9.5</version>
       </dependency>
 
       <dependency>
@@ -241,16 +243,15 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-compress</artifactId>
-        <version>1.21</version>
+        <version>1.23.0</version>
       </dependency>
       <dependency>
         <groupId>org.jruby</groupId>
         <artifactId>jruby</artifactId>
-        <version>9.3.6.0</version>
+        <version>9.4.2.0</version>
       </dependency>
     </dependencies>
   </dependencyManagement>
-
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -269,6 +270,7 @@
     <dependency>
       <groupId>javax.xml.bind</groupId>
       <artifactId>jaxb-api</artifactId>
+      <version>${jaxb.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -310,7 +312,11 @@
     </dependency>
     <dependency>
       <groupId>org.thymeleaf.extras</groupId>
-      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
+      <artifactId>thymeleaf-extras-springsecurity6</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.hsqldb</groupId>
@@ -369,8 +375,13 @@
       <artifactId>jquery</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.glassfish.jaxb</groupId>
-      <artifactId>jaxb-runtime</artifactId>
+      <groupId>jakarta.xml.bind</groupId>
+      <artifactId>jakarta.xml.bind-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.sun.xml.bind</groupId>
+      <artifactId>jaxb-impl</artifactId>
+      <scope>runtime</scope>
     </dependency>
 
     <dependency>
@@ -386,6 +397,7 @@
     <dependency>
       <groupId>com.github.tomakehurst</groupId>
       <artifactId>wiremock</artifactId>
+      <version>3.0.0-beta-2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -393,6 +405,11 @@
       <artifactId>rest-assured</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-properties-migrator</artifactId>
+      <scope>runtime</scope>
+    </dependency>
   </dependencies>
 
   <repositories>
@@ -488,9 +505,10 @@
         <version>${maven-surefire-plugin.version}</version>
         <configuration>
           <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-                        --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-                        --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
+          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
+          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
+          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+          --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
           <excludes>
             <exclude>**/*IntegrationTest.java</exclude>
             <exclude>src/it/java</exclude>
@@ -514,7 +532,7 @@
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>
-        <version>2.29.0</version>
+        <version>2.38.0</version>
         <configuration>
           <formats>
             <format>
@@ -575,7 +593,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.3.0</version>
         <executions>
           <execution>
             <id>restrict-log4j-versions</id>
@@ -678,6 +696,10 @@
                     <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.util=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
+                    <argument>--add-opens</argument>
+                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                   </arguments>
                   <waitForInterrupt>false</waitForInterrupt>
@@ -727,6 +749,82 @@
         </plugins>
       </build>
     </profile>
+    <profile>
+      <!-- run with: mvn test -Pcoverage -->
+      <id>coverage</id>
+      <activation>
+        <activeByDefault>false</activeByDefault>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-surefire-plugin</artifactId>
+            <version>${maven-surefire-plugin.version}</version>
+            <configuration>
+              <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
+          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
+          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
+          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+          ${surefire.jacoco.args}</argLine>
+              <excludes>
+                <exclude>**/*IntegrationTest.java</exclude>
+                <exclude>src/it/java</exclude>
+                <exclude>org/owasp/webgoat/*Test</exclude>
+              </excludes>
+            </configuration>
+          </plugin>
+          <plugin>
+            <groupId>org.jacoco</groupId>
+            <artifactId>jacoco-maven-plugin</artifactId>
+            <version>${jacoco.version}</version>
+            <executions>
+              <execution>
+                <id>before-unit-test</id>
+                <goals>
+                  <goal>prepare-agent</goal>
+                </goals>
+                <configuration>
+                  <destFile>${project.build.directory}/jacoco/jacoco-ut.exec</destFile>
+                  <propertyName>surefire.jacoco.args</propertyName>
+                </configuration>
+              </execution>
+              <execution>
+                <id>check</id>
+                <goals>
+                  <goal>check</goal>
+                </goals>
+                <configuration>
+                  <rules>
+                    <rule>
+                      <element>BUNDLE</element>
+                      <limits>
+                        <limit>
+                          <counter>CLASS</counter>
+                          <value>COVEREDCOUNT</value>
+                          <minimum>0.6</minimum>
+                        </limit>
+                      </limits>
+                    </rule>
+                  </rules>
+                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
+                </configuration>
+              </execution>
+              <execution>
+                <id>after-unit-test</id>
+                <goals>
+                  <goal>report</goal>
+                </goals>
+                <phase>test</phase>
+                <configuration>
+                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
+                  <outputDirectory>${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report</outputDirectory>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
-
 </project>

src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java

@@ -7,12 +7,14 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpStatus;
 
 public class ChallengeIntegrationTest extends IntegrationTest {
 
   @Test
-  public void testChallenge1() {
+  void testChallenge1() {
     startLesson("Challenge1");
 
     byte[] resultBytes =
@@ -67,7 +69,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
   }
 
   @Test
-  public void testChallenge5() {
+  void testChallenge5() {
     startLesson("Challenge5");
 
     Map<String, Object> params = new HashMap<>();
@@ -107,4 +109,62 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
     assertTrue(capturefFlags.contains("Without password"));
   }
+
+  @Test
+  void testChallenge7() {
+    startLesson("Challenge7");
+    cleanMailbox();
+
+    // One should first be able to download git.zip from WebGoat
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("JSESSIONID", getWebGoatCookie())
+        .get(url("/WebGoat/challenge/7/.git"))
+        .then()
+        .statusCode(200)
+        .extract()
+        .asString();
+
+    // Should send an email to WebWolf inbox this should give a hint to the link being static
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("JSESSIONID", getWebGoatCookie())
+        .formParams("email", getUser() + "@webgoat.org")
+        .post(url("/WebGoat/challenge/7"))
+        .then()
+        .statusCode(200)
+        .extract()
+        .asString();
+
+    // Check whether email has been received
+    var responseBody =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("WEBWOLFSESSION", getWebWolfCookie())
+            .get(webWolfUrl("/mail"))
+            .then()
+            .extract()
+            .response()
+            .getBody()
+            .asString();
+    Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
+
+    // Call reset link with admin link
+    String result =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
+            .then()
+            .statusCode(HttpStatus.ACCEPTED.value())
+            .extract()
+            .asString();
+
+    String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
+    checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
+  }
 }

src/it/java/org/owasp/webgoat/IntegrationTest.java

@@ -11,6 +11,7 @@ import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.springframework.http.HttpStatus;
 
 public abstract class IntegrationTest {
 
@@ -252,4 +253,14 @@ public abstract class IntegrationTest {
         .getBody()
         .asString();
   }
+
+  public void cleanMailbox() {
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("WEBWOLFSESSION", getWebWolfCookie())
+        .delete(webWolfUrl("/mail"))
+        .then()
+        .statusCode(HttpStatus.ACCEPTED.value());
+  }
 }

src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java

@@ -5,7 +5,6 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import io.restassured.RestAssured;
 import java.util.Arrays;
 import java.util.Map;
-import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterEach;
@@ -16,7 +15,6 @@ import org.junit.jupiter.api.TestFactory;
 public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
   @BeforeEach
-  @SneakyThrows
   public void init() {
     startLesson("/PasswordReset");
   }

src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java

@@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
               .relaxedHTTPSValidation()
               .cookie("JSESSIONID", getWebGoatCookie())
               .formParams(Map.of("flag", "test"))
-              .post(url("/challenge/flag/"));
+              .post(url("/challenge/flag"));
         };
-    ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
+    ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
     List<? extends Callable<Response>> flagCalls =
         IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
     var responses = executorService.invokeAll(flagCalls);

src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java

@@ -27,10 +27,10 @@
  */
 package org.owasp.webgoat.container;
 
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 

src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java

@@ -33,6 +33,7 @@ package org.owasp.webgoat.container;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 import io.undertow.util.Headers;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -41,7 +42,6 @@ import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
@@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
  * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
  *
  * <p><code>
- * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
+ * <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div>
  * </code>
  */
 @Slf4j

src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java

@@ -50,12 +50,13 @@ public class DatabaseConfiguration {
   }
 
   @Bean
-  public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
+  public Function<String, Flyway> flywayLessons() {
     return schema ->
         Flyway.configure()
             .configuration(Map.of("driver", properties.getDriverClassName()))
             .schemas(schema)
-            .dataSource(lessonDataSource)
+            .cleanDisabled(false)
+            .dataSource(dataSource())
             .locations("lessons")
             .load();
   }

src/main/java/org/owasp/webgoat/container/MvcConfiguration.java

@@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
-import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring5.SpringTemplateEngine;
-import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.spring5.view.ThymeleafViewResolver;
+import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
+import org.thymeleaf.spring6.SpringTemplateEngine;
+import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.spring6.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresolver.ITemplateResolver;

src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java

@@ -37,50 +37,49 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 
 /** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
   private final UserService userDetailsService;
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-        http.authorizeRequests()
-            .antMatchers(
-                "/css/**",
-                "/images/**",
-                "/js/**",
-                "fonts/**",
-                "/plugins/**",
-                "/registration",
-                "/register.mvc",
-                "/actuator/**")
-            .permitAll()
-            .anyRequest()
-            .authenticated();
-    security
-        .and()
-        .formLogin()
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(
+        auth ->
+            auth.requestMatchers(
+                    "/css/**",
+                    "/images/**",
+                    "/js/**",
+                    "fonts/**",
+                    "/plugins/**",
+                    "/registration",
+                    "/register.mvc",
+                    "/actuator/**")
+                .permitAll()
+                .anyRequest()
+                .authenticated());
+    http.formLogin()
         .loginPage("/login")
         .defaultSuccessUrl("/welcome.mvc", true)
         .usernameParameter("username")
         .passwordParameter("password")
         .permitAll();
-    security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-    security.and().csrf().disable();
+    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+    http.csrf().disable();
 
     http.headers().cacheControl().disable();
     http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
+    return http.build();
   }
 
   @Autowired
@@ -89,15 +88,14 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   }
 
   @Bean
-  @Override
-  public UserDetailsService userDetailsServiceBean() throws Exception {
+  public UserDetailsService userDetailsServiceBean() {
     return userDetailsService;
   }
 
-  @Override
   @Bean
-  protected AuthenticationManager authenticationManager() throws Exception {
-    return super.authenticationManager();
+  public AuthenticationManager authenticationManager(
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
+    return authenticationConfiguration.getAuthenticationManager();
   }
 
   @SuppressWarnings("deprecation")

src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java

@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.asciidoc;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.web.context.request.RequestContextHolder;

src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java

@@ -75,7 +75,8 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
     } else {
       userTracker.assignmentFailed(webSession.getCurrentLesson());
     }
-    userTrackerRepository.saveAndFlush(userTracker);
+    userTrackerRepository.save(userTracker);
+
     return attackResult;
   }
 }

src/main/java/org/owasp/webgoat/container/controller/StartLesson.java

@@ -31,7 +31,7 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.session.Course;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;

src/main/java/org/owasp/webgoat/container/controller/Welcome.java

@@ -29,8 +29,8 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
@@ -49,7 +49,7 @@ public class Welcome {
   /**
    * welcome.
    *
-   * @param request a {@link javax.servlet.http.HttpServletRequest} object.
+   * @param request a {@link jakarta.servlet.http.HttpServletRequest} object.
    * @return a {@link org.springframework.web.servlet.ModelAndView} object.
    */
   @GetMapping(path = {"welcome.mvc"})

src/main/java/org/owasp/webgoat/container/lessons/Assignment.java

@@ -1,9 +1,14 @@
 package org.owasp.webgoat.container.lessons;
 
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.Transient;
 import java.util.ArrayList;
 import java.util.List;
-import javax.persistence.*;
-import lombok.*;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
 
 /**
  * ************************************************************************************************
@@ -41,7 +46,7 @@ import lombok.*;
 public class Assignment {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
   private String name;

src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java

@@ -4,15 +4,13 @@ import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.sql.Connection;
-import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
  * Handler which sets the correct schema for the currently bounded user. This way users are not
- * seeing each other data and we can reset data for just one particular user.
+ * seeing each other data, and we can reset data for just one particular user.
  */
-@Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
 
   private final Connection targetConnection;

src/main/java/org/owasp/webgoat/container/users/LessonTracker.java

@@ -1,8 +1,20 @@
 package org.owasp.webgoat.container.users;
 
-import java.util.*;
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Version;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
 import lombok.Getter;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -39,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
  * @since October 29, 2003
  */
 @Entity
+@EqualsAndHashCode
 public class LessonTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
   @Getter private String lessonName;

src/main/java/org/owasp/webgoat/container/users/RegistrationController.java

@@ -1,11 +1,10 @@
 package org.owasp.webgoat.container.users;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.validation.Valid;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.validation.Valid;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -23,7 +22,6 @@ public class RegistrationController {
 
   private UserValidator userValidator;
   private UserService userService;
-  private AuthenticationManager authenticationManager;
 
   @GetMapping("/registration")
   public String showForm(UserForm userForm) {

src/main/java/org/owasp/webgoat/container/users/UserForm.java

@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;
 
-import javax.validation.constraints.NotNull;
-import javax.validation.constraints.Pattern;
-import javax.validation.constraints.Size;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 

src/main/java/org/owasp/webgoat/container/users/UserTracker.java

@@ -1,11 +1,19 @@
 package org.owasp.webgoat.container.users;
 
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -43,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
  */
 @Slf4j
 @Entity
+@EqualsAndHashCode
 public class UserTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
   @Column(name = "username")

src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java

@@ -1,10 +1,10 @@
 package org.owasp.webgoat.container.users;
 
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
-import javax.persistence.Entity;
-import javax.persistence.Id;
-import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;

src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java

@@ -42,6 +42,7 @@ public class AccountVerificationHelper {
   static {
     secQuestionStore.put(verifyUserId, userSecQuestions);
   }
+
   // end 'data store set up'
 
   // this is to aid feedback in the attack process and is not intended to be part of the
@@ -68,6 +69,7 @@ public class AccountVerificationHelper {
 
     return likely;
   }
+
   // end of cheating check ... the method below is the one of real interest. Can you find the flaw?
 
   public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {

src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java

@@ -22,13 +22,13 @@
 
 package org.owasp.webgoat.lessons.authbypass;
 
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java

@@ -1,89 +1,13 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
 package org.owasp.webgoat.lessons.challenges;
 
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-import java.util.stream.IntStream;
-import javax.annotation.PostConstruct;
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.container.session.WebSession;
-import org.owasp.webgoat.container.users.UserTracker;
-import org.owasp.webgoat.container.users.UserTrackerRepository;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
+public record Flag(int number, String answer) {
 
-/**
- * @author nbaars
- * @since 3/23/17.
- */
-@RestController
-public class Flag extends AssignmentEndpoint {
-
-  public static final Map<Integer, String> FLAGS = new HashMap<>();
-  @Autowired private UserTrackerRepository userTrackerRepository;
-  @Autowired private WebSession webSession;
-
-  @AllArgsConstructor
-  private class FlagPosted {
-    @Getter private boolean lessonCompleted;
+  public boolean isCorrect(String flag) {
+    return answer.equals(flag);
   }
 
-  @PostConstruct
-  public void initFlags() {
-    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
-  }
-
-  @RequestMapping(
-      path = "/challenge/flag",
-      method = RequestMethod.POST,
-      produces = MediaType.APPLICATION_JSON_VALUE)
-  @ResponseBody
-  public AttackResult postFlag(@RequestParam String flag) {
-    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-    String currentChallenge = webSession.getCurrentLesson().getName();
-    int challengeNumber =
-        Integer.valueOf(
-            currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
-    String expectedFlag = FLAGS.get(challengeNumber);
-    final AttackResult attackResult;
-    if (expectedFlag.equals(flag)) {
-      userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
-      attackResult = success(this).feedback("challenge.flag.correct").build();
-    } else {
-      userTracker.assignmentFailed(webSession.getCurrentLesson());
-      attackResult = failed(this).feedback("challenge.flag.incorrect").build();
-    }
-    userTrackerRepository.save(userTracker);
-    return attackResult;
+  @Override
+  public String toString() {
+    return answer;
   }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java

@@ -0,0 +1,52 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.challenges;
+
+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AllArgsConstructor
+public class FlagController extends AssignmentEndpoint {
+
+  private final WebSession webSession;
+  private final Flags flags;
+
+  @PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult postFlag(@RequestParam String flag) {
+    Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
+    if (expectedFlag.isCorrect(flag)) {
+      return success(this).feedback("challenge.flag.correct").build();
+    } else {
+      return failed(this).feedback("challenge.flag.incorrect").build();
+    }
+  }
+}

src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java

@@ -0,0 +1,27 @@
+package org.owasp.webgoat.lessons.challenges;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class Flags {
+  private final Map<Integer, Flag> FLAGS = new HashMap<>();
+
+  public Flags() {
+    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, new Flag(i, UUID.randomUUID().toString())));
+  }
+
+  public Flag getFlag(Lesson forLesson) {
+    String lessonName = forLesson.getName();
+    int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
+    return FLAGS.get(challengeNumber);
+  }
+
+  public Flag getFlag(int flagNumber) {
+    return FLAGS.get(flagNumber);
+  }
+}

src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java

@@ -32,6 +32,4 @@ public interface SolutionConstants {
 
   // TODO should be random generated when starting the server
   String PASSWORD = "!!webgoat_admin_1234!!";
-  String PASSWORD_TOM = "thisisasecretfortomonly";
-  String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java

@@ -2,11 +2,10 @@ package org.owasp.webgoat.lessons.challenges.challenge1;
 
 import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
 
-import javax.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flag;
-import org.springframework.util.StringUtils;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -43,12 +42,14 @@ import org.springframework.web.bind.annotation.RestController;
  * @since August 11, 2016
  */
 @RestController
+@RequiredArgsConstructor
 public class Assignment1 extends AssignmentEndpoint {
 
+  private final Flags flags;
+
   @PostMapping("/challenge/1")
   @ResponseBody
-  public AttackResult completed(
-      @RequestParam String username, @RequestParam String password, HttpServletRequest request) {
+  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
     boolean ipAddressKnown = true;
     boolean passwordCorrect =
         "admin".equals(username)
@@ -56,14 +57,10 @@ public class Assignment1 extends AssignmentEndpoint {
                 .replace("1234", String.format("%04d", ImageServlet.PINCODE))
                 .equals(password);
     if (passwordCorrect && ipAddressKnown) {
-      return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+      return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(1)).build();
     } else if (passwordCorrect) {
       return failed(this).feedback("ip.address.unknown").build();
     }
     return failed(this).build();
   }
-
-  public static boolean containsHeader(HttpServletRequest request) {
-    return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
-  }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java

@@ -4,8 +4,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
 import java.io.IOException;
-import java.security.SecureRandom;
-import javax.servlet.http.HttpServlet;
+import java.util.Random;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -13,10 +12,9 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-public class ImageServlet extends HttpServlet {
+public class ImageServlet {
 
-  private static final long serialVersionUID = 9132775506936676850L;
-  public static final int PINCODE = new SecureRandom().nextInt(10000);
+  public static final int PINCODE = new Random().nextInt(10000);
 
   @RequestMapping(
       method = {GET, POST},

src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java

@@ -24,11 +24,12 @@ package org.owasp.webgoat.lessons.challenges.challenge5;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -37,13 +38,11 @@ import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @Slf4j
+@RequiredArgsConstructor
 public class Assignment5 extends AssignmentEndpoint {
 
   private final LessonDataSource dataSource;
-
-  public Assignment5(LessonDataSource dataSource) {
-    this.dataSource = dataSource;
-  }
+  private final Flags flags;
 
   @PostMapping("/challenge/5")
   @ResponseBody
@@ -66,7 +65,7 @@ public class Assignment5 extends AssignmentEndpoint {
       ResultSet resultSet = statement.executeQuery();
 
       if (resultSet.next()) {
-        return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
+        return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(5)).build();
       } else {
         return failed(this).feedback("challenge.close").build();
       }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java

@@ -1,16 +1,14 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.LocalDateTime;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Email;
-import org.owasp.webgoat.lessons.challenges.Flag;
-import org.owasp.webgoat.lessons.challenges.SolutionConstants;
-import org.springframework.beans.factory.annotation.Autowired;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
@@ -33,6 +31,8 @@ import org.springframework.web.client.RestTemplate;
 @Slf4j
 public class Assignment7 extends AssignmentEndpoint {
 
+  public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
+
   private static final String TEMPLATE =
       "Hi, you requested a password reset link, please use this <a target='_blank'"
           + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
@@ -44,22 +44,26 @@ public class Assignment7 extends AssignmentEndpoint {
           + "Kind regards, \n"
           + "Team WebGoat";
 
-  @Autowired private RestTemplate restTemplate;
+  private final Flags flags;
+  private final RestTemplate restTemplate;
+  private final String webWolfMailURL;
 
-  @Value("${webwolf.mail.url}")
-  private String webWolfMailURL;
+  public Assignment7(
+      Flags flags, RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfMailURL) {
+    this.flags = flags;
+    this.restTemplate = restTemplate;
+    this.webWolfMailURL = webWolfMailURL;
+  }
 
   @GetMapping("/challenge/7/reset-password/{link}")
   public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
-    if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
+    if (link.equals(ADMIN_PASSWORD_LINK)) {
       return ResponseEntity.accepted()
           .body(
               "<h1>Success!!</h1>"
                   + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
                   + "<br/><br/>Here is your flag: "
-                  + "<b>"
-                  + Flag.FLAGS.get(7)
-                  + "</b>");
+                  + flags.getFlag(7));
     }
     return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
         .body("That is not the reset link for admin");
@@ -94,6 +98,6 @@ public class Assignment7 extends AssignmentEndpoint {
   @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
   @ResponseBody
   public ClassPathResource git() {
-    return new ClassPathResource("challenge7/git.zip");
+    return new ClassPathResource("lessons/challenges/challenge7/git.zip");
   }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java

@@ -1,13 +1,14 @@
 package org.owasp.webgoat.lessons.challenges.challenge8;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
-import javax.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -15,12 +16,9 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * @author nbaars
- * @since 4/8/17.
- */
 @RestController
 @Slf4j
+@RequiredArgsConstructor
 public class Assignment8 extends AssignmentEndpoint {
 
   private static final Map<Integer, Integer> votes = new HashMap<>();
@@ -33,6 +31,8 @@ public class Assignment8 extends AssignmentEndpoint {
     votes.put(5, 300);
   }
 
+  private final Flags flags;
+
   @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
   @ResponseBody
   public ResponseEntity<?> vote(
@@ -47,7 +47,7 @@ public class Assignment8 extends AssignmentEndpoint {
     Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
     votes.put(nrOfStars, allVotesForStar + 1);
     return ResponseEntity.ok()
-        .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
+        .header("X-FlagController", "Thanks for voting, your flag is: " + flags.getFlag(8))
         .build();
   }
 

src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java

@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
+import jakarta.annotation.PostConstruct;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -31,7 +32,6 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.annotation.PostConstruct;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;

src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.Base64;
 import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;

src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPublicKey;
-import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java

@@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Map;
 import java.util.UUID;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java

@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java

@@ -25,6 +25,7 @@ package org.owasp.webgoat.lessons.csrf;
 import static org.springframework.http.MediaType.ALL_VALUE;
 
 import com.google.common.collect.Lists;
+import jakarta.servlet.http.HttpServletRequest;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
@@ -32,7 +33,6 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.hijacksession;
 
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java

@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.httpproxies;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;

src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -45,7 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
   "idor.hints.otherProfile8",
   "idor.hints.otherProfile9"
 })
-public class IDOREditOtherProfiile extends AssignmentEndpoint {
+public class IDOREditOtherProfile extends AssignmentEndpoint {
 
   @Autowired private UserSessionData userSessionData;
 
@@ -69,7 +70,7 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       // we will persist in the session object for now in case we want to refer back or use it later
       userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
       if (currentUserProfile.getRole() <= 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
         return success(this)
             .feedback("idor.edit.profile.success1")
             .output(currentUserProfile.profileToMap().toString())
@@ -77,16 +78,16 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
       }
 
       if (currentUserProfile.getRole() > 1
-          && currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return success(this)
+          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
+        return failed(this)
             .feedback("idor.edit.profile.failure1")
             .output(currentUserProfile.profileToMap().toString())
             .build();
       }
 
       if (currentUserProfile.getRole() <= 1
-          && !currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return success(this)
+          && !currentUserProfile.getColor().equalsIgnoreCase("red")) {
+        return failed(this)
             .feedback("idor.edit.profile.failure2")
             .output(currentUserProfile.profileToMap().toString())
             .build();
@@ -97,7 +98,8 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
           .feedback("idor.edit.profile.failure3")
           .output(currentUserProfile.profileToMap().toString())
           .build();
-    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+    } else if (userSubmittedProfile.getUserId() != null
+        && userSubmittedProfile.getUserId().equals(authUserId)) {
       return failed(this).feedback("idor.edit.profile.failure4").build();
     }
 

src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java

@@ -15,16 +15,15 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
 package org.owasp.webgoat.lessons.idor;
 
-import java.util.HashMap;
-import java.util.Map;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -56,7 +55,6 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
       produces = {"application/json"})
   @ResponseBody
   public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
-    Map<String, Object> details = new HashMap<>();
 
     if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
       // going to use session auth to view this one
@@ -66,7 +64,8 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
         UserProfile requestedProfile = new UserProfile(userId);
         // secure code would ensure there was a horizontal access control check prior to dishing up
         // the requested profile
-        if (requestedProfile.getUserId().equals("2342388")) {
+        if (requestedProfile.getUserId() != null
+            && requestedProfile.getUserId().equals("2342388")) {
           return success(this)
               .feedback("idor.view.profile.success")
               .output(requestedProfile.profileToMap().toString())

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -68,7 +69,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
         return failed(this).feedback("idor.view.own.profile.failure2").build();
       }
     } catch (Exception ex) {
-      return failed(this).feedback("an error occurred with your request").build();
+      return failed(this).output("an error occurred with your request").build();
     }
   }
 }

src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java

@@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
+import jakarta.annotation.PostConstruct;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
-import javax.annotation.PostConstruct;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.logging;
 
+import jakarta.annotation.PostConstruct;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.UUID;
-import javax.annotation.PostConstruct;
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;

src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java

@@ -1,7 +1,7 @@
 package org.owasp.webgoat.lessons.passwordreset.resetlink;
 
-import javax.validation.constraints.NotNull;
-import javax.validation.constraints.Size;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 

src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java

@@ -1,5 +1,7 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
+import jakarta.annotation.PostConstruct;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -8,8 +10,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.util.Base64;
-import javax.annotation.PostConstruct;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java

@@ -15,7 +15,8 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java

@@ -15,18 +15,20 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source ==============
+ * Getting Source
+ * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
 package org.owasp.webgoat.lessons.spoofcookie;
 
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
@@ -44,6 +46,7 @@ import org.springframework.web.bind.annotation.RestController;
  *
  */
 
+@AssignmentHints({"spoofcookie.hint1", "spoofcookie.hint2", "spoofcookie.hint3"})
 @RestController
 public class SpoofCookieAssignment extends AssignmentEndpoint {
 

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import jakarta.annotation.PostConstruct;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import javax.annotation.PostConstruct;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.*;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java

@@ -44,12 +44,12 @@ public class SSRFTask1 extends AssignmentEndpoint {
     try {
       StringBuilder html = new StringBuilder();
 
-      if (url.matches("images/tom.png")) {
+      if (url.matches("images/tom\\.png")) {
         html.append(
             "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
                 + " height=\"25%\">");
         return failed(this).feedback("ssrf.tom").output(html.toString()).build();
-      } else if (url.matches("images/jerry.png")) {
+      } else if (url.matches("images/jerry\\.png")) {
         html.append(
             "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
                 + " height=\"25%\">");

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java

@@ -46,7 +46,7 @@ public class SSRFTask2 extends AssignmentEndpoint {
   }
 
   protected AttackResult furBall(String url) {
-    if (url.matches("http://ifconfig.pro")) {
+    if (url.matches("http://ifconfig\\.pro")) {
       String html;
       try (InputStream in = new URL(url).openStream()) {
         html =

src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.webwolfintroduction;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
-import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.xss;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.security.SecureRandom;
-import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.UserSessionData;

src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java

@@ -22,7 +22,8 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
-import javax.xml.bind.annotation.XmlRootElement;
+import jakarta.xml.bind.annotation.XmlRootElement;
+import jakarta.xml.bind.annotation.XmlType;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -37,7 +38,8 @@ import lombok.ToString;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
-@XmlRootElement
+@XmlRootElement(name = "comment")
+@XmlType
 @ToString
 public class Comment {
   private String user;

src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java

@@ -26,6 +26,8 @@ import static java.util.Optional.empty;
 import static java.util.Optional.of;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.xml.bind.JAXBContext;
+import jakarta.xml.bind.JAXBException;
 import java.io.IOException;
 import java.io.StringReader;
 import java.time.LocalDateTime;
@@ -36,8 +38,6 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import javax.xml.XMLConstants;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBException;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import org.owasp.webgoat.container.session.WebSession;
@@ -93,7 +93,7 @@ public class CommentsCache {
    * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
    * Comment class can be directly used in the controller method (instead of a String)
    */
-  protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
+  protected Comment parseXml(String xml) throws XMLStreamException, JAXBException {
     var jc = JAXBContext.newInstance(Comment.class);
     var xif = XMLInputFactory.newInstance();
 

src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java

@@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
 
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -60,8 +60,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
   public AttackResult createNewUser(
       HttpServletRequest request,
       @RequestBody String commentStr,
-      @RequestHeader("Content-Type") String contentType)
-      throws Exception {
+      @RequestHeader("Content-Type") String contentType) {
     AttackResult attackResult = failed(this).build();
 
     if (APPLICATION_JSON_VALUE.equals(contentType)) {

src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java

@@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/webwolf/FileServer.java

@@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
-import javax.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;

src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf;
 
+import jakarta.annotation.PostConstruct;
 import java.io.File;
-import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;

src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java

@@ -29,54 +29,49 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
 
-/** Security configuration for WebGoat. */
+/** Security configuration for WebWolf. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
   private final UserService userDetailsService;
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
-    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-        http.authorizeRequests()
-            .antMatchers(HttpMethod.POST, "/fileupload")
-            .authenticated()
-            .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
-            .authenticated()
-            .and()
-            .authorizeRequests()
-            .anyRequest()
-            .permitAll();
-
-    security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
-    security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
-    security.and().logout().permitAll();
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.authorizeHttpRequests(
+        auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
+    http.authorizeHttpRequests(
+        auth ->
+            auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
+    http.authorizeHttpRequests().anyRequest().permitAll();
+    http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+    http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
+    http.logout().permitAll();
+    return http.build();
   }
 
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-    auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
+    auth.userDetailsService(userDetailsService);
   }
 
   @Bean
-  @Override
-  public UserDetailsService userDetailsServiceBean() throws Exception {
+  public UserDetailsService userDetailsServiceBean() {
     return userDetailsService;
   }
 
-  @Override
   @Bean
-  protected AuthenticationManager authenticationManager() throws Exception {
-    return super.authenticationManager();
+  public AuthenticationManager authenticationManager(
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
+    return authenticationConfiguration.getAuthenticationManager();
   }
 
   @Bean

src/main/java/org/owasp/webgoat/webwolf/WebWolf.java

@@ -23,7 +23,7 @@
 package org.owasp.webgoat.webwolf;
 
 import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
 public class WebWolf {
 
   @Bean
-  public HttpTraceRepository traceRepository() {
+  public HttpExchangeRepository traceRepository() {
     return new WebWolfTraceRepository();
   }
 }

src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java

@@ -23,10 +23,14 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
-import javax.persistence.*;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;

src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java

@@ -23,26 +23,25 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import java.util.List;
-import lombok.AllArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
+import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
 @RestController
-@AllArgsConstructor
-@Slf4j
+@RequiredArgsConstructor
 public class MailboxController {
 
   private final MailboxRepository mailboxRepository;
 
-  @GetMapping(value = "/mail")
+  @GetMapping("/mail")
   public ModelAndView mail() {
     UserDetails user =
         (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@@ -56,9 +55,15 @@ public class MailboxController {
     return modelAndView;
   }
 
-  @PostMapping(value = "/mail")
-  public ResponseEntity<?> sendEmail(@RequestBody Email email) {
+  @PostMapping("/mail")
+  @ResponseStatus(HttpStatus.CREATED)
+  public void sendEmail(@RequestBody Email email) {
     mailboxRepository.save(email);
-    return ResponseEntity.status(HttpStatus.CREATED).build();
+  }
+
+  @DeleteMapping("/mail")
+  @ResponseStatus(HttpStatus.ACCEPTED)
+  public void deleteAllMail() {
+    mailboxRepository.deleteAll();
   }
 }

src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf.requests;
 
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.concurrent.Callable;
-import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;

src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java

@@ -32,8 +32,7 @@ import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.boot.actuate.trace.http.HttpTrace;
-import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
+import org.springframework.boot.actuate.web.exchanges.HttpExchange;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@@ -78,8 +77,8 @@ public class Requests {
     return model;
   }
 
-  private boolean allowedTrace(HttpTrace t, UserDetails user) {
-    Request req = t.getRequest();
+  private boolean allowedTrace(HttpExchange t, UserDetails user) {
+    HttpExchange.Request req = t.getRequest();
     boolean allowed = true;
     /* do not show certain traces to other users in a classroom setup */
     if (req.getUri().getPath().contains("/files")
@@ -95,11 +94,11 @@ public class Requests {
     return allowed;
   }
 
-  private String path(HttpTrace t) {
+  private String path(HttpExchange t) {
     return (String) t.getRequest().getUri().getPath();
   }
 
-  private String toJsonString(HttpTrace t) {
+  private String toJsonString(HttpExchange t) {
     try {
       return objectMapper.writeValueAsString(t);
     } catch (JsonProcessingException e) {

src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java

@@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.boot.actuate.trace.http.HttpTrace;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.actuate.web.exchanges.HttpExchange;
+import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
 
 /**
  * Keep track of all the incoming requests, we are only keeping track of request originating from
@@ -37,9 +37,9 @@ import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
  * @since 8/13/17.
  */
 @Slf4j
-public class WebWolfTraceRepository implements HttpTraceRepository {
+public class WebWolfTraceRepository implements HttpExchangeRepository {
 
-  private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
+  private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
   private final List<String> exclusionList =
       List.of(
           "/tmpdir",
@@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
           "/mail");
 
   @Override
-  public List<HttpTrace> findAll() {
+  public List<HttpExchange> findAll() {
     return List.of();
   }
 
-  public List<HttpTrace> findAllTraces() {
+  public List<HttpExchange> findAllTraces() {
     return new ArrayList<>(traces);
   }
 
@@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
   }
 
   @Override
-  public void add(HttpTrace httpTrace) {
+  public void add(HttpExchange httpTrace) {
     var path = httpTrace.getRequest().getUri().getPath();
     if (!isInExclusionList(path)) {
       traces.add(httpTrace);

src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.webwolf.user;
 
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
-import javax.persistence.Entity;
-import javax.persistence.Id;
-import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;

src/main/resources/application-webgoat.properties

@@ -13,11 +13,12 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
 server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 
-spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
-spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
-spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
-spring.jpa.properties.hibernate.default_schema=CONTAINER
 spring.banner.location=classpath:banner.txt
+spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
+spring.jpa.open-in-view=false
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
+spring.jpa.properties.hibernate.default_schema=CONTAINER
 
 logging.level.org.thymeleaf=INFO
 logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@@ -28,6 +29,7 @@ logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=DEBUG
+logging.level.org.hidbernate.SQL=DEBUG
 
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@@ -51,11 +53,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
 
-exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 #exclude based on the enum of the Category
+exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 
-exclude.lessons=${EXCLUDE_LESSONS:none,none}
 #exclude based on the class name of a lesson e.g.: LessonTemplate
+exclude.lessons=${EXCLUDE_LESSONS:none,none}
 
 management.health.db.enabled=true
 management.endpoint.health.show-details=always

src/main/resources/application-webwolf.properties

@@ -18,6 +18,7 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.jpa.open-in-view=false
 spring.messages.basename=i18n/messages
 spring.jmx.enabled=false
 
@@ -26,7 +27,7 @@ logging.level.org.springframework.boot.devtools=WARN
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webwolf=TRACE
 
-management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
+management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
 management.endpoint.httptrace.enabled=true
 
 spring.thymeleaf.cache=false

src/main/resources/db/container/V3__id.sql

@@ -0,0 +1,4 @@
+ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
+ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
+ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
+

src/main/resources/lessons/authbypass/html/AuthBypass.html

@@ -4,14 +4,14 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -72,9 +72,9 @@
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>-->
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>-->
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
 

src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html

@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -59,7 +59,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 

src/main/resources/lessons/challenges/html/Challenge.html

@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
 </div>
 
 </html>

src/main/resources/lessons/challenges/html/Challenge1.html

@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
     <div class="attack-container">

src/main/resources/lessons/challenges/html/Challenge5.html

@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>

src/main/resources/lessons/challenges/html/Challenge6.html

@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
     <div class="attack-container">

src/main/resources/lessons/challenges/html/Challenge7.html

@@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">

src/main/resources/lessons/challenges/html/Challenge8.html

@@ -3,7 +3,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
     <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
 

src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html

@@ -4,22 +4,22 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div>
 </div>
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -35,12 +35,12 @@
 
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div>
 </div>
 
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"

src/main/resources/lessons/cia/html/CIA.html

@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div>
 </div>
 
 <div class="lesson-page-wrapper">
@@ -23,7 +23,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">