fix: WIP

chore: bump docker/login-action from 2.1.0 to 2.2.0 (#1502 )
Bumps [docker/login-action](https://github.com/docker/login-action) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v2.1.0...v2.2.0) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-19 17:42:20 +02:00 · 2023-06-13 17:06:35 +02:00 · 2023-06-13 10:50:53 +02:00 · 2023-06-13 10:00:50 +02:00 · 2023-06-07 21:31:54 +02:00 · 2023-06-07 09:41:13 +02:00
149 changed files with 1024 additions and 670 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,7 +1,15 @@
 version: 2
 updates:
  # Maintain dependencies for GitHub Actions
    -   package-ecosystem: "github-actions"
        directory: "/"
        schedule:
-      interval: "daily"
+            interval: "weekly"
    -   package-ecosystem: "maven"
        directory: "/"
        schedule:
            interval: "weekly"
    -   package-ecosystem: "docker"
        directory: "/"
        schedule:
            interval: "weekly"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -27,7 +27,7 @@ jobs:
                    java-version: 17
                    architecture: x64
            -   name: Cache Maven packages
-                uses: actions/cache@v3.2.5
+                uses: actions/cache@v3.3.1
                with:
                    path: ~/.m2
                    key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -42,7 +42,7 @@ jobs:
                uses: docker/setup-buildx-action@v2
            -   name: "Verify Docker WebGoat build"
                if: runner.os == 'Linux'
-                uses: docker/build-push-action@v4.0.0
+                uses: docker/build-push-action@v4.1.0
                with:
                    context: ./
                    file: ./Dockerfile
@ -50,7 +50,7 @@ jobs:
                    build-args: |
                        webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
            -   name: "Verify Docker WebGoat desktop build"
-                uses: docker/build-push-action@v4.0.0
+                uses: docker/build-push-action@v4.1.0
                if: runner.os == 'Linux'
                with:
                    context: ./
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -21,7 +21,7 @@ jobs:
          architecture: x64
      - name: Cache Maven packages
-        uses: actions/cache@v3.2.5
+        uses: actions/cache@v3.3.1
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@ -80,13 +80,13 @@ jobs:
        uses: docker/setup-buildx-action@v2
      - name: "Login to dockerhub"
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v4.1.0
        with:
          context: ./
          file: ./Dockerfile
@ -99,12 +99,12 @@ jobs:
            webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
      - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v4.0.0
+        uses: docker/build-push-action@v4.1.0
        with:
          context: ./
          file: ./Dockerfile_desktop
          push: true
-          platforms: linux/amd64, linux/arm64, linux/arm/v7
+          platforms: linux/amd64, linux/arm64
          tags: |
            webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }}
            webgoat/webgoat-desktop:latest
@ -123,6 +123,7 @@ jobs:
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: 17
          architecture: x64
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -37,7 +37,7 @@ jobs:
                    architecture: x64
            #Uses an action to set up a cache using a certain key based on the hash of the dependencies
            -   name: Cache Maven packages
-                uses: actions/cache@v3.2.5
+                uses: actions/cache@v3.3.1
                with:
                    path: ~/.m2
                    key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@ -48,6 +48,8 @@ jobs:
                        robotframework
                        robotframework-SeleniumLibrary
                        webdriver-manager
                        selenium==4.9.1
                    # TODO https://github.com/robotframework/SeleniumLibrary/issues/1835
            -   name: Run with Maven
                run: mvn --no-transfer-progress spring-boot:run &
            -   name: Wait to start
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -3,6 +3,7 @@
 [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
 ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 This document describes how you can contribute to WebGoat. Please read it carefully.
@ -41,6 +42,19 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 ### Write a good commit message
 * We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and use the following types:
  - fix:
  - feat:
  - build:
  - chore:
  - ci:
  - docs:
  - refactor:
  - test:
  Using this style of commits makes it possible to create our release notes automatically.
 * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
--- a/CREATE_RELEASE.md
+++ b/CREATE_RELEASE.md
@ -13,6 +13,7 @@ committers.
 ```
 mvn versions:set 
 << update release notes >>
 mvn verify
 git commit ....
 git tag v2023.01 
 git push --tags
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:17-jre-focal
+FROM docker.io/eclipse-temurin:19-jre-focal
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 MAINTAINER "WebGoat team"
@ -27,6 +27,8 @@ ENTRYPOINT [ "java", \
   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
   "--add-opens", "java.base/java.util=ALL-UNNAMED", \
   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
   "-Drunning.in.docker=true", \
   "-Dwebgoat.host=0.0.0.0", \
   "-Dwebwolf.host=0.0.0.0", \
--- a/11
+++ b/11
@ -10,12 +10,17 @@ COPY config/desktop/start_zap.sh /config/start_zap.sh
 COPY config/desktop/WebGoat.txt /config/Desktop/
 RUN \
 case $(uname -m) in \
  x86_64) ARCH=x64;; \
  aarch64) ARCH=aarch64;; \
  *) ARCH=unknown;; \
 esac && \
 curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
 tar zfxv ZAP_2.12.0_Linux.tar.gz && \
 rm -rf ZAP_2.12.0_Linux.tar.gz && \
- curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
+ curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
- tar zfxv OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
+ tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
- rm -rf OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
+ rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
 chmod +x /config/start_webgoat.sh && \
 chmod +x /config/start_zap.sh && \
 apt-get update &&  \
--- a/FAQ.md
+++ b/FAQ.md
@ -0,0 +1,8 @@
 # FAQ for development
 ## Introduction
 ### Integration tests fail
 Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.
--- a/README.md
+++ b/README.md
@ -6,6 +6,7 @@
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
 [![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 # Introduction
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@ -1,5 +1,18 @@
 # WebGoat release notes
 ## Version 2023.4
 ### New functionality
 - [#1422 Add Docker Linux Desktop variant with all tools installed](https://github.com/WebGoat/WebGoat/issues/1422). Thanks to the [OWASP WrongSecrets project](https://owasp.org/www-project-wrongsecrets/) we now have a Docker Linux desktop image with all the tools installed. No need to install any tools locally only run the new Docker image. See README.md for details on how to start it.
 - [#1411 JWT: looks that buy as Tom also works with alg:none](https://github.com/WebGoat/WebGoat/issues/1411).
 ### Bug fixes
 - [#1410 WebWolf: JWT decode is broken](https://github.com/WebGoat/WebGoat/issues/1410).
 - [#1396 password_reset return 500 Error](https://github.com/WebGoat/WebGoat/issues/1396).
 - [#1379 Move XXE to A05:2021-Security Misconfiguration](https://github.com/WebGoat/WebGoat/issues/1379).
 ## Version 2023.3
 With great pleasure, we present you with a new release of WebGoat **2023.3**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
--- a/pom.xml
+++ b/pom.xml
@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.7.1</version>
+    <version>3.1.0</version>
  </parent>
  <groupId>org.owasp.webgoat</groupId>
  <artifactId>webgoat</artifactId>
-  <version>2023.4-SNAPSHOT</version>
+  <version>2023.5-SNAPSHOT</version>
  <packaging>jar</packaging>
  <name>WebGoat</name>
@ -27,6 +27,7 @@
      <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <id>mayhew64</id>
@ -94,7 +95,6 @@
      <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
    </mailingList>
  </mailingLists>
  <scm>
    <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
    <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@ -108,44 +108,46 @@
  </issueManagement>
  <properties>
    <!-- Shared properties with plugins and version numbers across submodules-->
    <asciidoctorj.version>2.5.3</asciidoctorj.version>
    <!-- Upgrading needs UI work in WebWolf -->
    <bootstrap.version>3.3.7</bootstrap.version>
-    <cglib.version>2.2</cglib.version>
+    <cglib.version>3.3.0</cglib.version>
    <!-- do not update necessary for lesson -->
-    <checkstyle.version>3.1.2</checkstyle.version>
+    <checkstyle.version>3.3.0</checkstyle.version>
    <commons-collections.version>3.2.1</commons-collections.version>
-    <commons-io.version>2.6</commons-io.version>
+    <commons-io.version>2.11.0</commons-io.version>
    <commons-lang3.version>3.12.0</commons-lang3.version>
-    <commons-text.version>1.9</commons-text.version>
+    <commons-text.version>1.10.0</commons-text.version>
-    <guava.version>30.1-jre</guava.version>
+    <guava.version>31.1-jre</guava.version>
    <jacoco.version>0.8.10</jacoco.version>
    <java.version>17</java.version>
    <jaxb.version>2.3.1</jaxb.version>
    <jjwt.version>0.9.1</jjwt.version>
-    <jose4j.version>0.7.6</jose4j.version>
+    <jose4j.version>0.9.3</jose4j.version>
    <jquery.version>3.5.1</jquery.version>
-    <jsoup.version>1.14.3</jsoup.version>
+    <jsoup.version>1.16.1</jsoup.version>
    <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
    <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
    <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
    <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
    <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-    <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.1.0</maven-surefire-plugin.version>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <pmd.version>3.15.0</pmd.version>
    <!-- Use UTF-8 Encoding -->
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
+    <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
-    <webdriver.version>4.3.1</webdriver.version>
+    <webdriver.version>5.3.2</webdriver.version>
    <webgoat.port>8080</webgoat.port>
    <webwolf.port>9090</webwolf.port>
    <wiremock.version>2.27.2</wiremock.version>
    <xml-resolver.version>1.2</xml-resolver.version>
    <xstream.version>1.4.5</xstream.version>
    <!-- do not update necessary for lesson -->
-    <zxcvbn.version>1.5.2</zxcvbn.version>
+    <zxcvbn.version>1.7.0</zxcvbn.version>
  </properties>
  <dependencyManagement>
@ -154,7 +156,7 @@
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm</artifactId>
-        <version>9.1</version>
+        <version>9.5</version>
      </dependency>
      <dependency>
@ -241,16 +243,15 @@
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
-        <version>1.21</version>
+        <version>1.22</version>
      </dependency>
      <dependency>
        <groupId>org.jruby</groupId>
        <artifactId>jruby</artifactId>
-        <version>9.3.6.0</version>
+        <version>9.4.2.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
@ -269,6 +270,7 @@
    <dependency>
      <groupId>javax.xml.bind</groupId>
      <artifactId>jaxb-api</artifactId>
      <version>${jaxb.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
@ -310,7 +312,11 @@
    </dependency>
    <dependency>
      <groupId>org.thymeleaf.extras</groupId>
-      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
+      <artifactId>thymeleaf-extras-springsecurity6</artifactId>
    </dependency>
    <dependency>
      <groupId>jakarta.servlet</groupId>
      <artifactId>jakarta.servlet-api</artifactId>
    </dependency>
    <dependency>
      <groupId>org.hsqldb</groupId>
@ -369,8 +375,13 @@
      <artifactId>jquery</artifactId>
    </dependency>
    <dependency>
-      <groupId>org.glassfish.jaxb</groupId>
+      <groupId>jakarta.xml.bind</groupId>
-      <artifactId>jaxb-runtime</artifactId>
+      <artifactId>jakarta.xml.bind-api</artifactId>
    </dependency>
    <dependency>
      <groupId>com.sun.xml.bind</groupId>
      <artifactId>jaxb-impl</artifactId>
      <scope>runtime</scope>
    </dependency>
    <dependency>
@ -386,6 +397,7 @@
    <dependency>
      <groupId>com.github.tomakehurst</groupId>
      <artifactId>wiremock</artifactId>
      <version>3.0.0-beta-2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
@ -393,6 +405,11 @@
      <artifactId>rest-assured</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-properties-migrator</artifactId>
      <scope>runtime</scope>
    </dependency>
  </dependencies>
  <repositories>
@ -490,7 +507,8 @@
          <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-                        --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
+          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
          --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
          <excludes>
            <exclude>**/*IntegrationTest.java</exclude>
            <exclude>src/it/java</exclude>
@ -514,7 +532,7 @@
      <plugin>
        <groupId>com.diffplug.spotless</groupId>
        <artifactId>spotless-maven-plugin</artifactId>
-        <version>2.29.0</version>
+        <version>2.33.0</version>
        <configuration>
          <formats>
            <format>
@ -575,7 +593,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.3.0</version>
        <executions>
          <execution>
            <id>restrict-log4j-versions</id>
@ -678,6 +696,10 @@
                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.util=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
                    <argument>--add-opens</argument>
                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                    <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                  </arguments>
                  <waitForInterrupt>false</waitForInterrupt>
@ -727,6 +749,82 @@
        </plugins>
      </build>
    </profile>
    <profile>
      <!-- run with: mvn test -Pcoverage -->
      <id>coverage</id>
      <activation>
        <activeByDefault>false</activeByDefault>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-surefire-plugin</artifactId>
            <version>${maven-surefire-plugin.version}</version>
            <configuration>
              <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
          ${surefire.jacoco.args}</argLine>
              <excludes>
                <exclude>**/*IntegrationTest.java</exclude>
                <exclude>src/it/java</exclude>
                <exclude>org/owasp/webgoat/*Test</exclude>
              </excludes>
            </configuration>
          </plugin>
          <plugin>
            <groupId>org.jacoco</groupId>
            <artifactId>jacoco-maven-plugin</artifactId>
            <version>${jacoco.version}</version>
            <executions>
              <execution>
                <id>before-unit-test</id>
                <goals>
                  <goal>prepare-agent</goal>
                </goals>
                <configuration>
                  <destFile>${project.build.directory}/jacoco/jacoco-ut.exec</destFile>
                  <propertyName>surefire.jacoco.args</propertyName>
                </configuration>
              </execution>
              <execution>
                <id>check</id>
                <goals>
                  <goal>check</goal>
                </goals>
                <configuration>
                  <rules>
                    <rule>
                      <element>BUNDLE</element>
                      <limits>
                        <limit>
                          <counter>CLASS</counter>
                          <value>COVEREDCOUNT</value>
                          <minimum>0.6</minimum>
                        </limit>
                      </limits>
                    </rule>
                  </rules>
                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
                </configuration>
              </execution>
              <execution>
                <id>after-unit-test</id>
                <goals>
                  <goal>report</goal>
                </goals>
                <phase>test</phase>
                <configuration>
                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
                  <outputDirectory>${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report</outputDirectory>
                </configuration>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
 </project>
--- a/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java
@ -7,12 +7,14 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpStatus;
 public class ChallengeIntegrationTest extends IntegrationTest {
  @Test
-  public void testChallenge1() {
+  void testChallenge1() {
    startLesson("Challenge1");
    byte[] resultBytes =
@ -67,7 +69,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
  }
  @Test
-  public void testChallenge5() {
+  void testChallenge5() {
    startLesson("Challenge5");
    Map<String, Object> params = new HashMap<>();
@ -107,4 +109,62 @@ public class ChallengeIntegrationTest extends IntegrationTest {
            .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
    assertTrue(capturefFlags.contains("Without password"));
  }
  @Test
  void testChallenge7() {
    startLesson("Challenge7");
    cleanMailbox();
    // One should first be able to download git.zip from WebGoat
    RestAssured.given()
        .when()
        .relaxedHTTPSValidation()
        .cookie("JSESSIONID", getWebGoatCookie())
        .get(url("/WebGoat/challenge/7/.git"))
        .then()
        .statusCode(200)
        .extract()
        .asString();
    // Should send an email to WebWolf inbox this should give a hint to the link being static
    RestAssured.given()
        .when()
        .relaxedHTTPSValidation()
        .cookie("JSESSIONID", getWebGoatCookie())
        .formParams("email", getUser() + "@webgoat.org")
        .post(url("/WebGoat/challenge/7"))
        .then()
        .statusCode(200)
        .extract()
        .asString();
    // Check whether email has been received
    var responseBody =
        RestAssured.given()
            .when()
            .relaxedHTTPSValidation()
            .cookie("WEBWOLFSESSION", getWebWolfCookie())
            .get(webWolfUrl("/mail"))
            .then()
            .extract()
            .response()
            .getBody()
            .asString();
    Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
    // Call reset link with admin link
    String result =
        RestAssured.given()
            .when()
            .relaxedHTTPSValidation()
            .cookie("JSESSIONID", getWebGoatCookie())
            .get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
            .then()
            .statusCode(HttpStatus.ACCEPTED.value())
            .extract()
            .asString();
    String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
    checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
  }
 }
--- a/src/it/java/org/owasp/webgoat/IntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/IntegrationTest.java
@ -11,6 +11,7 @@ import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.springframework.http.HttpStatus;
 public abstract class IntegrationTest {
@ -252,4 +253,14 @@ public abstract class IntegrationTest {
        .getBody()
        .asString();
  }
  public void cleanMailbox() {
    RestAssured.given()
        .when()
        .relaxedHTTPSValidation()
        .cookie("WEBWOLFSESSION", getWebWolfCookie())
        .delete(webWolfUrl("/mail"))
        .then()
        .statusCode(HttpStatus.ACCEPTED.value());
  }
 }
--- a/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
@ -5,7 +5,6 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import io.restassured.RestAssured;
 import java.util.Arrays;
 import java.util.Map;
 import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterEach;
@ -16,7 +15,6 @@ import org.junit.jupiter.api.TestFactory;
 public class PasswordResetLessonIntegrationTest extends IntegrationTest {
  @BeforeEach
  @SneakyThrows
  public void init() {
    startLesson("/PasswordReset");
  }
--- a/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java
@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
              .relaxedHTTPSValidation()
              .cookie("JSESSIONID", getWebGoatCookie())
              .formParams(Map.of("flag", "test"))
-              .post(url("/challenge/flag/"));
+              .post(url("/challenge/flag"));
        };
-    ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
+    ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
    List<? extends Callable<Response>> flagCalls =
        IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
    var responses = executorService.invokeAll(flagCalls);
--- a/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
+++ b/src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java
@ -27,10 +27,10 @@
 */
 package org.owasp.webgoat.container;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
--- a/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
+++ b/src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java
@ -33,6 +33,7 @@ package org.owasp.webgoat.container;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 import io.undertow.util.Headers;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@ -41,7 +42,6 @@ import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
 * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
 *
 * <p><code>
- * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
+ * <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div>
 * </code>
 */
@Slf4j
--- a/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java
@ -50,12 +50,13 @@ public class DatabaseConfiguration {
  }
  @Bean
-  public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
+  public Function<String, Flyway> flywayLessons() {
    return schema ->
        Flyway.configure()
            .configuration(Map.of("driver", properties.getDriverClassName()))
            .schemas(schema)
-            .dataSource(lessonDataSource)
+            .cleanDisabled(false)
            .dataSource(dataSource())
            .locations("lessons")
            .load();
  }
--- a/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/MvcConfiguration.java
@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
-import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
+import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring5.SpringTemplateEngine;
+import org.thymeleaf.spring6.SpringTemplateEngine;
-import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.spring5.view.ThymeleafViewResolver;
+import org.thymeleaf.spring6.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresolver.ITemplateResolver;
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@ -37,26 +37,26 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 /** Security configuration for WebGoat. */
@Configuration
@AllArgsConstructor
@EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
  private final UserService userDetailsService;
-  @Override
+  @Bean
-  protected void configure(HttpSecurity http) throws Exception {
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+    http.authorizeHttpRequests(
-        http.authorizeRequests()
+        auth ->
-            .antMatchers(
+            auth.requestMatchers(
                    "/css/**",
                    "/images/**",
                    "/js/**",
@ -67,20 +67,19 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                    "/actuator/**")
                .permitAll()
                .anyRequest()
-            .authenticated();
+                .authenticated());
-    security
+    http.formLogin()
        .and()
        .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/welcome.mvc", true)
        .usernameParameter("username")
        .passwordParameter("password")
        .permitAll();
-    security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-    security.and().csrf().disable();
+    http.csrf().disable();
    http.headers().cacheControl().disable();
    http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
    return http.build();
  }
  @Autowired
@ -89,15 +88,14 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  }
  @Bean
-  @Override
+  public UserDetailsService userDetailsServiceBean() {
  public UserDetailsService userDetailsServiceBean() throws Exception {
    return userDetailsService;
  }
  @Override
  @Bean
-  protected AuthenticationManager authenticationManager() throws Exception {
+  public AuthenticationManager authenticationManager(
-    return super.authenticationManager();
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
  }
  @SuppressWarnings("deprecation")
--- a/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
+++ b/src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.asciidoc;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.web.context.request.RequestContextHolder;
--- a/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
+++ b/src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java
@ -75,7 +75,8 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
    } else {
      userTracker.assignmentFailed(webSession.getCurrentLesson());
    }
-    userTrackerRepository.saveAndFlush(userTracker);
+    userTrackerRepository.save(userTracker);
    return attackResult;
  }
 }
--- a/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/StartLesson.java
@ -31,7 +31,7 @@
 */
 package org.owasp.webgoat.container.controller;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.session.Course;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;
--- a/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
+++ b/src/main/java/org/owasp/webgoat/container/controller/Welcome.java
@ -29,8 +29,8 @@
 */
 package org.owasp.webgoat.container.controller;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
@ -49,7 +49,7 @@ public class Welcome {
  /**
   * welcome.
   *
-   * @param request a {@link javax.servlet.http.HttpServletRequest} object.
+   * @param request a {@link jakarta.servlet.http.HttpServletRequest} object.
   * @return a {@link org.springframework.web.servlet.ModelAndView} object.
   */
  @GetMapping(path = {"welcome.mvc"})
--- a/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/Assignment.java
@ -1,9 +1,14 @@
 package org.owasp.webgoat.container.lessons;
 import jakarta.persistence.Entity;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
 import jakarta.persistence.Transient;
 import java.util.ArrayList;
 import java.util.List;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
-import lombok.*;
+import lombok.Getter;
 /**
 * ************************************************************************************************
@ -41,7 +46,7 @@ import lombok.*;
 public class Assignment {
  @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
  private Long id;
  private String name;
--- a/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java
@ -4,15 +4,13 @@ import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.sql.Connection;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 /**
 * Handler which sets the correct schema for the currently bounded user. This way users are not
- * seeing each other data and we can reset data for just one particular user.
+ * seeing each other data, and we can reset data for just one particular user.
 */
@Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
  private final Connection targetConnection;
--- a/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/LessonTracker.java
@ -1,8 +1,20 @@
 package org.owasp.webgoat.container.users;
-import java.util.*;
+import jakarta.persistence.CascadeType;
 import jakarta.persistence.Entity;
 import jakarta.persistence.FetchType;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
 import jakarta.persistence.OneToMany;
 import jakarta.persistence.Version;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
 import lombok.Getter;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@ -39,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
 * @since October 29, 2003
 */
@Entity
@EqualsAndHashCode
 public class LessonTracker {
  @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
  private Long id;
  @Getter private String lessonName;
--- a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
+++ b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
@ -1,11 +1,10 @@
 package org.owasp.webgoat.container.users;
-import javax.servlet.ServletException;
+import jakarta.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
-import javax.validation.Valid;
+import jakarta.validation.Valid;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@ -23,7 +22,6 @@ public class RegistrationController {
  private UserValidator userValidator;
  private UserService userService;
  private AuthenticationManager authenticationManager;
  @GetMapping("/registration")
  public String showForm(UserForm userForm) {
--- a/src/main/java/org/owasp/webgoat/container/users/UserForm.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserForm.java
@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
-import javax.validation.constraints.Pattern;
+import jakarta.validation.constraints.Pattern;
-import javax.validation.constraints.Size;
+import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
--- a/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
+++ b/src/main/java/org/owasp/webgoat/container/users/UserTracker.java
@ -1,11 +1,19 @@
 package org.owasp.webgoat.container.users;
 import jakarta.persistence.CascadeType;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.FetchType;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
 import jakarta.persistence.OneToMany;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import javax.persistence.*;
+import lombok.EqualsAndHashCode;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@ -43,10 +51,11 @@ import org.owasp.webgoat.container.lessons.Lesson;
 */
@Slf4j
@Entity
@EqualsAndHashCode
 public class UserTracker {
  @Id
-  @GeneratedValue(strategy = GenerationType.AUTO)
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
  private Long id;
  @Column(name = "username")
--- a/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java
@ -1,10 +1,10 @@
 package org.owasp.webgoat.container.users;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
 import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
 import javax.persistence.Entity;
 import javax.persistence.Id;
 import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
--- a/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
+++ b/src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java
@ -22,13 +22,13 @@
 package org.owasp.webgoat.lessons.authbypass;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java
@ -1,89 +1,13 @@
 /*
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2019 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
 */
 package org.owasp.webgoat.lessons.challenges;
-import java.util.HashMap;
+public record Flag(int number, String answer) {
 import java.util.Map;
 import java.util.UUID;
 import java.util.stream.IntStream;
 import javax.annotation.PostConstruct;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
 import org.owasp.webgoat.container.users.UserTracker;
 import org.owasp.webgoat.container.users.UserTrackerRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
-/**
+  public boolean isCorrect(String flag) {
- * @author nbaars
+    return answer.equals(flag);
 * @since 3/23/17.
 */
@RestController
 public class Flag extends AssignmentEndpoint {
  public static final Map<Integer, String> FLAGS = new HashMap<>();
  @Autowired private UserTrackerRepository userTrackerRepository;
  @Autowired private WebSession webSession;
  @AllArgsConstructor
  private class FlagPosted {
    @Getter private boolean lessonCompleted;
  }
-  @PostConstruct
+  @Override
-  public void initFlags() {
+  public String toString() {
-    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+    return answer;
  }
  @RequestMapping(
      path = "/challenge/flag",
      method = RequestMethod.POST,
      produces = MediaType.APPLICATION_JSON_VALUE)
  @ResponseBody
  public AttackResult postFlag(@RequestParam String flag) {
    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
    String currentChallenge = webSession.getCurrentLesson().getName();
    int challengeNumber =
        Integer.valueOf(
            currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
    String expectedFlag = FLAGS.get(challengeNumber);
    final AttackResult attackResult;
    if (expectedFlag.equals(flag)) {
      userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
      attackResult = success(this).feedback("challenge.flag.correct").build();
    } else {
      userTracker.assignmentFailed(webSession.getCurrentLesson());
      attackResult = failed(this).feedback("challenge.flag.incorrect").build();
    }
    userTrackerRepository.save(userTracker);
    return attackResult;
  }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java
@ -0,0 +1,52 @@
 /*
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
 *
 * Copyright (c) 2002 - 2019 Bruce Mayhew
 *
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
 * Getting Source ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
 */
 package org.owasp.webgoat.lessons.challenges;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
@RestController
@AllArgsConstructor
 public class FlagController extends AssignmentEndpoint {
  private final WebSession webSession;
  private final Flags flags;
  @PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
  @ResponseBody
  public AttackResult postFlag(@RequestParam String flag) {
    Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
    if (expectedFlag.isCorrect(flag)) {
      return success(this).feedback("challenge.flag.correct").build();
    } else {
      return failed(this).feedback("challenge.flag.incorrect").build();
    }
  }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java
@ -0,0 +1,27 @@
 package org.owasp.webgoat.lessons.challenges;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.UUID;
 import java.util.stream.IntStream;
 import org.owasp.webgoat.container.lessons.Lesson;
 import org.springframework.context.annotation.Configuration;
@Configuration
 public class Flags {
  private final Map<Integer, Flag> FLAGS = new HashMap<>();
  public Flags() {
    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, new Flag(i, UUID.randomUUID().toString())));
  }
  public Flag getFlag(Lesson forLesson) {
    String lessonName = forLesson.getName();
    int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
    return FLAGS.get(challengeNumber);
  }
  public Flag getFlag(int flagNumber) {
    return FLAGS.get(flagNumber);
  }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java
@ -32,6 +32,4 @@ public interface SolutionConstants {
  // TODO should be random generated when starting the server
  String PASSWORD = "!!webgoat_admin_1234!!";
  String PASSWORD_TOM = "thisisasecretfortomonly";
  String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java
@ -2,11 +2,10 @@ package org.owasp.webgoat.lessons.challenges.challenge1;
 import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
-import javax.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@ -43,12 +42,14 @@ import org.springframework.web.bind.annotation.RestController;
 * @since August 11, 2016
 */
@RestController
@RequiredArgsConstructor
 public class Assignment1 extends AssignmentEndpoint {
  private final Flags flags;
  @PostMapping("/challenge/1")
  @ResponseBody
-  public AttackResult completed(
+  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
      @RequestParam String username, @RequestParam String password, HttpServletRequest request) {
    boolean ipAddressKnown = true;
    boolean passwordCorrect =
        "admin".equals(username)
@ -56,14 +57,10 @@ public class Assignment1 extends AssignmentEndpoint {
                .replace("1234", String.format("%04d", ImageServlet.PINCODE))
                .equals(password);
    if (passwordCorrect && ipAddressKnown) {
-      return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
+      return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(1)).build();
    } else if (passwordCorrect) {
      return failed(this).feedback("ip.address.unknown").build();
    }
    return failed(this).build();
  }
  public static boolean containsHeader(HttpServletRequest request) {
    return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
  }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
@ -4,8 +4,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 import java.io.IOException;
-import java.security.SecureRandom;
+import java.util.Random;
 import javax.servlet.http.HttpServlet;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
@ -13,10 +12,9 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
@RestController
-public class ImageServlet extends HttpServlet {
+public class ImageServlet {
-  private static final long serialVersionUID = 9132775506936676850L;
+  public static final int PINCODE = new Random().nextInt(10000);
  public static final int PINCODE = new SecureRandom().nextInt(10000);
  @RequestMapping(
      method = {GET, POST},
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java
@ -24,11 +24,12 @@ package org.owasp.webgoat.lessons.challenges.challenge5;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@ -37,13 +38,11 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Slf4j
@RequiredArgsConstructor
 public class Assignment5 extends AssignmentEndpoint {
  private final LessonDataSource dataSource;
-
+  private final Flags flags;
  public Assignment5(LessonDataSource dataSource) {
    this.dataSource = dataSource;
  }
  @PostMapping("/challenge/5")
  @ResponseBody
@ -66,7 +65,7 @@ public class Assignment5 extends AssignmentEndpoint {
      ResultSet resultSet = statement.executeQuery();
      if (resultSet.next()) {
-        return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
+        return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(5)).build();
      } else {
        return failed(this).feedback("challenge.close").build();
      }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java
@ -1,16 +1,14 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.LocalDateTime;
 import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Email;
-import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.owasp.webgoat.lessons.challenges.SolutionConstants;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
@ -33,6 +31,8 @@ import org.springframework.web.client.RestTemplate;
@Slf4j
 public class Assignment7 extends AssignmentEndpoint {
  public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
  private static final String TEMPLATE =
      "Hi, you requested a password reset link, please use this <a target='_blank'"
          + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
@ -44,22 +44,26 @@ public class Assignment7 extends AssignmentEndpoint {
          + "Kind regards, \n"
          + "Team WebGoat";
-  @Autowired private RestTemplate restTemplate;
+  private final Flags flags;
  private final RestTemplate restTemplate;
  private final String webWolfMailURL;
-  @Value("${webwolf.mail.url}")
+  public Assignment7(
-  private String webWolfMailURL;
+      Flags flags, RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfMailURL) {
    this.flags = flags;
    this.restTemplate = restTemplate;
    this.webWolfMailURL = webWolfMailURL;
  }
  @GetMapping("/challenge/7/reset-password/{link}")
  public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
-    if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
+    if (link.equals(ADMIN_PASSWORD_LINK)) {
      return ResponseEntity.accepted()
          .body(
              "<h1>Success!!</h1>"
                  + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
                  + "<br/><br/>Here is your flag: "
-                  + "<b>"
+                  + flags.getFlag(7));
                  + Flag.FLAGS.get(7)
                  + "</b>");
    }
    return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
        .body("That is not the reset link for admin");
@ -94,6 +98,6 @@ public class Assignment7 extends AssignmentEndpoint {
  @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
  @ResponseBody
  public ClassPathResource git() {
-    return new ClassPathResource("challenge7/git.zip");
+    return new ClassPathResource("lessons/challenges/challenge7/git.zip");
  }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java
@ -1,13 +1,14 @@
 package org.owasp.webgoat.lessons.challenges.challenge8;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
-import javax.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.Flags;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@ -15,12 +16,9 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 /**
 * @author nbaars
 * @since 4/8/17.
 */
@RestController
@Slf4j
@RequiredArgsConstructor
 public class Assignment8 extends AssignmentEndpoint {
  private static final Map<Integer, Integer> votes = new HashMap<>();
@ -33,6 +31,8 @@ public class Assignment8 extends AssignmentEndpoint {
    votes.put(5, 300);
  }
  private final Flags flags;
  @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
  @ResponseBody
  public ResponseEntity<?> vote(
@ -47,7 +47,7 @@ public class Assignment8 extends AssignmentEndpoint {
    Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
    votes.put(nrOfStars, allVotesForStar + 1);
    return ResponseEntity.ok()
-        .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
+        .header("X-FlagController", "Thanks for voting, your flag is: " + flags.getFlag(8))
        .build();
  }
--- a/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java
@ -22,6 +22,7 @@
 package org.owasp.webgoat.lessons.clientsidefiltering;
 import jakarta.annotation.PostConstruct;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@ -31,7 +32,6 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import javax.annotation.PostConstruct;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
@ -22,9 +22,9 @@
 package org.owasp.webgoat.lessons.cryptography;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Base64;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@ -22,10 +22,10 @@
 package org.owasp.webgoat.lessons.cryptography;
 import jakarta.servlet.http.HttpServletRequest;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java
@ -22,11 +22,11 @@
 package org.owasp.webgoat.lessons.cryptography;
 import jakarta.servlet.http.HttpServletRequest;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPublicKey;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java
@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Map;
 import java.util.UUID;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
@ -22,10 +22,10 @@
 package org.owasp.webgoat.lessons.csrf;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java
@ -22,7 +22,7 @@
 package org.owasp.webgoat.lessons.csrf;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java
@ -25,6 +25,7 @@ package org.owasp.webgoat.lessons.csrf;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import com.google.common.collect.Lists;
 import jakarta.servlet.http.HttpServletRequest;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
@ -32,7 +33,6 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@ -22,8 +22,8 @@
 package org.owasp.webgoat.lessons.hijacksession;
-import javax.servlet.http.Cookie;
+import jakarta.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
--- a/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
+++ b/src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java
@ -22,7 +22,7 @@
 package org.owasp.webgoat.lessons.httpproxies;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java
@ -97,7 +97,8 @@ public class IDOREditOtherProfiile extends AssignmentEndpoint {
          .feedback("idor.edit.profile.failure3")
          .output(currentUserProfile.profileToMap().toString())
          .build();
-    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
+    } else if (userSubmittedProfile.getUserId() != null
        && userSubmittedProfile.getUserId().equals(authUserId)) {
      return failed(this).feedback("idor.edit.profile.failure4").build();
    }
--- a/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
+++ b/src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java
@ -22,9 +22,9 @@
 package org.owasp.webgoat.lessons.idor;
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.HashMap;
 import java.util.Map;
 import javax.servlet.http.HttpServletResponse;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
 import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 import javax.annotation.PostConstruct;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
--- a/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
+++ b/src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java
@ -22,10 +22,10 @@
 package org.owasp.webgoat.lessons.logging;
 import jakarta.annotation.PostConstruct;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.UUID;
 import javax.annotation.PostConstruct;
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java
@ -22,8 +22,8 @@
 package org.owasp.webgoat.lessons.passwordreset;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
--- a/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
+++ b/src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java
@ -1,7 +1,7 @@
 package org.owasp.webgoat.lessons.passwordreset.resetlink;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
-import javax.validation.constraints.Size;
+import jakarta.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
--- a/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
+++ b/src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java
@ -1,5 +1,7 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@ -8,8 +10,6 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.util.Base64;
 import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@ -22,9 +22,9 @@
 package org.owasp.webgoat.lessons.spoofcookie;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java
@ -22,11 +22,11 @@
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import jakarta.annotation.PostConstruct;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import javax.annotation.PostConstruct;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@ -22,9 +22,9 @@
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.*;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@ -44,12 +44,12 @@ public class SSRFTask1 extends AssignmentEndpoint {
    try {
      StringBuilder html = new StringBuilder();
-      if (url.matches("images/tom.png")) {
+      if (url.matches("images/tom\\.png")) {
        html.append(
            "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
                + " height=\"25%\">");
        return failed(this).feedback("ssrf.tom").output(html.toString()).build();
-      } else if (url.matches("images/jerry.png")) {
+      } else if (url.matches("images/jerry\\.png")) {
        html.append(
            "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
                + " height=\"25%\">");
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java
@ -46,7 +46,7 @@ public class SSRFTask2 extends AssignmentEndpoint {
  }
  protected AttackResult furBall(String url) {
-    if (url.matches("http://ifconfig.pro")) {
+    if (url.matches("http://ifconfig\\.pro")) {
      String html;
      try (InputStream in = new URL(url).openStream()) {
        html =
--- a/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java
@ -22,9 +22,9 @@
 package org.owasp.webgoat.lessons.webwolfintroduction;
 import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
--- a/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java
@ -22,8 +22,8 @@
 package org.owasp.webgoat.lessons.xss;
 import jakarta.servlet.http.HttpServletRequest;
 import java.security.SecureRandom;
 import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.UserSessionData;
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java
@ -22,7 +22,8 @@
 package org.owasp.webgoat.lessons.xxe;
-import javax.xml.bind.annotation.XmlRootElement;
+import jakarta.xml.bind.annotation.XmlRootElement;
 import jakarta.xml.bind.annotation.XmlType;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@ -37,7 +38,8 @@ import lombok.ToString;
@Setter
@AllArgsConstructor
@NoArgsConstructor
-@XmlRootElement
+@XmlRootElement(name = "comment")
@XmlType
@ToString
 public class Comment {
  private String user;
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java
@ -26,6 +26,8 @@ import static java.util.Optional.empty;
 import static java.util.Optional.of;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.JAXBException;
 import java.io.IOException;
 import java.io.StringReader;
 import java.time.LocalDateTime;
@ -36,8 +38,6 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import org.owasp.webgoat.container.session.WebSession;
@ -93,7 +93,7 @@ public class CommentsCache {
   * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
   * Comment class can be directly used in the controller method (instead of a String)
   */
-  protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
+  protected Comment parseXml(String xml) throws XMLStreamException, JAXBException {
    var jc = JAXBContext.newInstance(Comment.class);
    var xif = XMLInputFactory.newInstance();
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java
@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@ -60,8 +60,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
  public AttackResult createNewUser(
      HttpServletRequest request,
      @RequestBody String commentStr,
-      @RequestHeader("Content-Type") String contentType)
+      @RequestHeader("Content-Type") String contentType) {
      throws Exception {
    AttackResult attackResult = failed(this).build();
    if (APPLICATION_JSON_VALUE.equals(contentType)) {
--- a/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java
@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
--- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import javax.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
--- a/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java
@ -22,8 +22,8 @@
 package org.owasp.webgoat.webwolf;
 import jakarta.annotation.PostConstruct;
 import java.io.File;
 import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
--- a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
@ -29,54 +29,49 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
-/** Security configuration for WebGoat. */
+/** Security configuration for WebWolf. */
@Configuration
@AllArgsConstructor
@EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
  private final UserService userDetailsService;
-  @Override
+  @Bean
-  protected void configure(HttpSecurity http) throws Exception {
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+    http.authorizeHttpRequests(
-        http.authorizeRequests()
+        auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
-            .antMatchers(HttpMethod.POST, "/fileupload")
+    http.authorizeHttpRequests(
-            .authenticated()
+        auth ->
-            .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
+            auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
-            .authenticated()
+    http.authorizeHttpRequests().anyRequest().permitAll();
-            .and()
+    http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
-            .authorizeRequests()
+    http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
-            .anyRequest()
+    http.logout().permitAll();
-            .permitAll();
+    return http.build();
    security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
    security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
    security.and().logout().permitAll();
  }
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-    auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
+    auth.userDetailsService(userDetailsService);
  }
  @Bean
-  @Override
+  public UserDetailsService userDetailsServiceBean() {
  public UserDetailsService userDetailsServiceBean() throws Exception {
    return userDetailsService;
  }
  @Override
  @Bean
-  protected AuthenticationManager authenticationManager() throws Exception {
+  public AuthenticationManager authenticationManager(
-    return super.authenticationManager();
+      AuthenticationConfiguration authenticationConfiguration) throws Exception {
    return authenticationConfiguration.getAuthenticationManager();
  }
  @Bean
--- a/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebWolf.java
@ -23,7 +23,7 @@
 package org.owasp.webgoat.webwolf;
 import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
 public class WebWolf {
  @Bean
-  public HttpTraceRepository traceRepository() {
+  public HttpExchangeRepository traceRepository() {
    return new WebWolfTraceRepository();
  }
 }
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java
@ -23,10 +23,14 @@
 package org.owasp.webgoat.webwolf.mailbox;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import javax.persistence.*;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
--- a/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java
@ -23,26 +23,25 @@
 package org.owasp.webgoat.webwolf.mailbox;
 import java.util.List;
-import lombok.AllArgsConstructor;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
@RestController
-@AllArgsConstructor
+@RequiredArgsConstructor
@Slf4j
 public class MailboxController {
  private final MailboxRepository mailboxRepository;
-  @GetMapping(value = "/mail")
+  @GetMapping("/mail")
  public ModelAndView mail() {
    UserDetails user =
        (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@ -56,9 +55,15 @@ public class MailboxController {
    return modelAndView;
  }
-  @PostMapping(value = "/mail")
+  @PostMapping("/mail")
-  public ResponseEntity<?> sendEmail(@RequestBody Email email) {
+  @ResponseStatus(HttpStatus.CREATED)
  public void sendEmail(@RequestBody Email email) {
    mailboxRepository.save(email);
-    return ResponseEntity.status(HttpStatus.CREATED).build();
+  }
  @DeleteMapping("/mail")
  @ResponseStatus(HttpStatus.ACCEPTED)
  public void deleteAllMail() {
    mailboxRepository.deleteAll();
  }
 }
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java
@ -22,8 +22,8 @@
 package org.owasp.webgoat.webwolf.requests;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.concurrent.Callable;
 import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java
@ -32,8 +32,7 @@ import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.web.exchanges.HttpExchange;
 import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@ -78,8 +77,8 @@ public class Requests {
    return model;
  }
-  private boolean allowedTrace(HttpTrace t, UserDetails user) {
+  private boolean allowedTrace(HttpExchange t, UserDetails user) {
-    Request req = t.getRequest();
+    HttpExchange.Request req = t.getRequest();
    boolean allowed = true;
    /* do not show certain traces to other users in a classroom setup */
    if (req.getUri().getPath().contains("/files")
@ -95,11 +94,11 @@ public class Requests {
    return allowed;
  }
-  private String path(HttpTrace t) {
+  private String path(HttpExchange t) {
    return (String) t.getRequest().getUri().getPath();
  }
-  private String toJsonString(HttpTrace t) {
+  private String toJsonString(HttpExchange t) {
    try {
      return objectMapper.writeValueAsString(t);
    } catch (JsonProcessingException e) {
--- a/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java
@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.web.exchanges.HttpExchange;
-import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
+import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
 /**
 * Keep track of all the incoming requests, we are only keeping track of request originating from
@ -37,9 +37,9 @@ import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 * @since 8/13/17.
 */
@Slf4j
-public class WebWolfTraceRepository implements HttpTraceRepository {
+public class WebWolfTraceRepository implements HttpExchangeRepository {
-  private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
+  private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
  private final List<String> exclusionList =
      List.of(
          "/tmpdir",
@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
          "/mail");
  @Override
-  public List<HttpTrace> findAll() {
+  public List<HttpExchange> findAll() {
    return List.of();
  }
-  public List<HttpTrace> findAllTraces() {
+  public List<HttpExchange> findAllTraces() {
    return new ArrayList<>(traces);
  }
@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
  }
  @Override
-  public void add(HttpTrace httpTrace) {
+  public void add(HttpExchange httpTrace) {
    var path = httpTrace.getRequest().getUri().getPath();
    if (!isInExclusionList(path)) {
      traces.add(httpTrace);
--- a/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java
@ -22,11 +22,11 @@
 package org.owasp.webgoat.webwolf.user;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
 import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
 import javax.persistence.Entity;
 import javax.persistence.Id;
 import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;
--- a/src/main/resources/application-webgoat.properties
+++ b/src/main/resources/application-webgoat.properties
@ -13,11 +13,12 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
 server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
 spring.banner.location=classpath:banner.txt
 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.open-in-view=false
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.jpa.properties.hibernate.default_schema=CONTAINER
 logging.level.org.thymeleaf=INFO
 logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@ -28,6 +29,7 @@ logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=DEBUG
 logging.level.org.hidbernate.SQL=DEBUG
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@ -51,11 +53,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
 exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 #exclude based on the enum of the Category
 exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 exclude.lessons=${EXCLUDE_LESSONS:none,none}
 #exclude based on the class name of a lesson e.g.: LessonTemplate
 exclude.lessons=${EXCLUDE_LESSONS:none,none}
 management.health.db.enabled=true
 management.endpoint.health.show-details=always
--- a/src/main/resources/application-webwolf.properties
+++ b/src/main/resources/application-webwolf.properties
@ -18,6 +18,7 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
 spring.jpa.open-in-view=false
 spring.messages.basename=i18n/messages
 spring.jmx.enabled=false
@ -26,7 +27,7 @@ logging.level.org.springframework.boot.devtools=WARN
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webwolf=TRACE
-management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
+management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
 management.endpoint.httptrace.enabled=true
 spring.thymeleaf.cache=false
--- a/src/main/resources/db/container/V3__id.sql
+++ b/src/main/resources/db/container/V3__id.sql
@ -0,0 +1,4 @@
 ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
 ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
 ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
--- a/src/main/resources/lessons/authbypass/html/AuthBypass.html
+++ b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@ -4,14 +4,14 @@
        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div>
    </div>
    <div class="lesson-page-wrapper">
        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div>
        <div class="attack-container">
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@ -72,9 +72,9 @@
        <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>-->
        <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
+        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>-->
        <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
--- a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
+++ b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
@ -6,12 +6,12 @@
    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
    <!-- include content here. Content will be presented via asciidocs files,
    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
    <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -59,7 +59,7 @@
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
--- a/src/main/resources/lessons/challenges/html/Challenge.html
+++ b/src/main/resources/lessons/challenges/html/Challenge.html
@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
 </div>
 </html>
--- a/src/main/resources/lessons/challenges/html/Challenge1.html
+++ b/src/main/resources/lessons/challenges/html/Challenge1.html
@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
    <div class="attack-container">
--- a/src/main/resources/lessons/challenges/html/Challenge5.html
+++ b/src/main/resources/lessons/challenges/html/Challenge5.html
@ -4,7 +4,7 @@
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
--- a/src/main/resources/lessons/challenges/html/Challenge6.html
+++ b/src/main/resources/lessons/challenges/html/Challenge6.html
@ -4,7 +4,7 @@
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
    <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
    <div class="attack-container">
--- a/src/main/resources/lessons/challenges/html/Challenge7.html
+++ b/src/main/resources/lessons/challenges/html/Challenge7.html
@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <div class="container-fluid">
--- a/src/main/resources/lessons/challenges/html/Challenge8.html
+++ b/src/main/resources/lessons/challenges/html/Challenge8.html
@ -3,7 +3,7 @@
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
    <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
--- a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
+++ b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
@ -4,22 +4,22 @@
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div>
 </div>
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div>
 </div>
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div>
 </div>
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
@ -35,12 +35,12 @@
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div>
 </div>
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <form class="attack-form" accept-charset="UNKNOWN"
--- a/src/main/resources/lessons/cia/html/CIA.html
+++ b/src/main/resources/lessons/cia/html/CIA.html
@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
@ -23,7 +23,7 @@
    <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
    <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
    <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
        <div class="container-fluid">
--- a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
+++ b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
@ -2,10 +2,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div>
    <br/>
@ -74,7 +74,7 @@
    </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div>
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
    <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
    <div class="attack-container">
--- a/src/main/resources/lessons/cryptography/html/Cryptography.html
+++ b/src/main/resources/lessons/cryptography/html/Cryptography.html
@ -18,11 +18,11 @@ $(document).ready(initialise);
 <body>
 	<!-- 1. overview -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div>
 	</div>
 	<!-- 2. encoding -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div>
 		<!-- 2. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -41,7 +41,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 3. encoding xor -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div>
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -58,7 +58,7 @@ $(document).ready(initialise);
 	<!-- 4. hashing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div>
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -76,12 +76,12 @@ $(document).ready(initialise);
 	<!-- 5. encryption -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div>
 	</div>
 	<!-- 6. signing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div>
 		<!-- 6. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -101,12 +101,12 @@ $(document).ready(initialise);
 	<!-- 7. keystores -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div>
 	</div>
 	<!-- 8. security defaults -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div>
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@ -123,7 +123,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 9. postquantum -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div>
 	</div>
 </body>
 </html>
--- a/src/main/resources/lessons/csrf/html/CSRF.html
+++ b/src/main/resources/lessons/csrf/html/CSRF.html
@ -3,15 +3,15 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_intro.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_intro.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_GET.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_GET.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Get_Flag.adoc}"></div>
    <form accept-charset="UNKNOWN" id="basic-csrf-get"
          method="POST" name="form1"
@ -23,7 +23,7 @@
    </form>
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Basic_Get-1.adoc}"></div>
    <div class="attack-container">
        <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
@ -54,7 +54,7 @@
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Reviews.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Reviews.adoc}"></div>
    <!-- comment area -->
    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@ -121,15 +121,15 @@
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Frameworks.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Frameworks.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_JSON.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_JSON.adoc}"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_ContentType.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_ContentType.adoc}"></div>
    <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
    <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
@ -227,7 +227,7 @@
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Login.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Login.adoc}"></div>
    <div class="attack-container">
        <div class="assignment-success">
@ -251,7 +251,7 @@
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc"></div>
+    <div class="adoc-content" th:replace="~{doc:lessons/csrf/documentation/CSRF_Impact_Defense.adoc}"></div>
 </div>
--- a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
+++ b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
@ -3,24 +3,24 @@
 <html xmlns:th="http://www.thymeleaf.org">
    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Intro.adoc}"></div>
    </div>
    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_WhatIs.adoc}"></div>
    </div>
    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc}"></div>
    </div>
    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc}"></div>
    </div>
    <div class="lesson-page-wrapper">
        <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc"></div>
+        <div class="adoc-content" th:replace="~{doc:lessons/deserialization/documentation/InsecureDeserialization_Task.adoc}"></div>
        <div class="attack-container">
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <form class="attack-form" accept-charset="UNKNOWN" name="task"
--- a/src/main/resources/lessons/hijacksession/documentation/HijackSession_content0.adoc
+++ b/src/main/resources/lessons/hijacksession/documentation/HijackSession_content0.adoc
@ -1,4 +1,4 @@
 = Hijack a Session
-In this lesson we are trying to predict the 'hijack_cookie' value. THe 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
+In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.
--- a/src/main/resources/lessons/hijacksession/html/HijackSession.html
+++ b/src/main/resources/lessons/hijacksession/html/HijackSession.html
@ -7,12 +7,12 @@
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_plan.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_plan.adoc}"></div>
 </div>
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-	<div class="adoc-content" th:replace="doc:lessons/hijacksession/documentation/HijackSession_content0.adoc"></div>
+	<div class="adoc-content" th:replace="~{doc:lessons/hijacksession/documentation/HijackSession_content0.adoc}"></div>
 	<div class="attack-container">
 		<div class="assignment-success">
 			<i class="fa fa-2 fa-check hidden" aria-hidden="true"></i>
--- a/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
+++ b/src/main/resources/lessons/hijacksession/lessonSolutions/html/HijackSession.html
@ -7,7 +7,7 @@
 	<div class="lesson-page-wrapper">
 		<!-- reuse this block for each 'page' of content -->
 		<!-- include content here ... will be first page/tab  multiple -->
-		<div class="adoc-content" th:replace="doc:HijackSession_solution.adoc"></div>
+		<div class="adoc-content" th:replace="~{doc:HijackSession_solution.adoc}"></div>
 	</div>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Nanne Baars	bd5fe360c7	fix: WIP	2023-06-19 17:42:20 +02:00
dependabot[bot]	015216df5f	chore: bump docker/login-action from 2.1.0 to 2.2.0 (#1502 ) Bumps [docker/login-action](https://github.com/docker/login-action) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v2.1.0...v2.2.0) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-13 17:06:35 +02:00
dependabot[bot]	60fc807d36	chore: bump docker/build-push-action from 4.0.0 to 4.1.0 (#1501 ) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v4.0.0...v4.1.0) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-13 10:50:53 +02:00
Nanne Baars	636a2bdaf5	fix: robotframework fails due to updated dependencies (#1508 )	2023-06-13 10:00:50 +02:00
dependabot[bot]	816a694c84	chore: bump maven-surefire-plugin from 3.0.0-M9 to 3.1.0 (#1499 ) Bumps [maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.0.0-M9 to 3.1.0. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.0.0-M9...surefire-3.1.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: René Zubcevic <rene@zubcevic.com>	2023-06-07 21:31:54 +02:00
dependabot[bot]	06a55ab278	chore: bump maven-checkstyle-plugin from 3.2.1 to 3.3.0 (#1496 ) Bumps [maven-checkstyle-plugin](https://github.com/apache/maven-checkstyle-plugin) from 3.2.1 to 3.3.0. - [Commits](https://github.com/apache/maven-checkstyle-plugin/compare/maven-checkstyle-plugin-3.2.1...maven-checkstyle-plugin-3.3.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-checkstyle-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: René Zubcevic <rene@zubcevic.com>	2023-06-07 09:41:13 +02:00
dependabot[bot]	0136c1070f	chore: bump spring-boot-starter-parent from 3.0.5 to 3.1.0 (#1497 ) Bumps [spring-boot-starter-parent](https://github.com/spring-projects/spring-boot) from 3.0.5 to 3.1.0. - [Release notes](https://github.com/spring-projects/spring-boot/releases) - [Commits](https://github.com/spring-projects/spring-boot/compare/v3.0.5...v3.1.0) --- updated-dependencies: - dependency-name: org.springframework.boot:spring-boot-starter-parent dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-06 16:21:11 +02:00
Nanne Baars	dce5eeb797	bug: fix Java image inside Docker file The image now downloads the correct Java version based on the architecture.	2023-06-04 14:56:46 +02:00
Nanne Baars	ca886b4818	feat: upgrade to Spring Boot version 3 (#1477 )	2023-06-04 11:19:47 +02:00
dependabot[bot]	ff3a2983e2	chore: bump zxcvbn from 1.5.2 to 1.7.0 (#1471 ) Bumps [zxcvbn](https://github.com/nulab/zxcvbn4j) from 1.5.2 to 1.7.0. - [Release notes](https://github.com/nulab/zxcvbn4j/releases) - [Changelog](https://github.com/nulab/zxcvbn4j/blob/master/CHANGELOG.md) - [Commits](https://github.com/nulab/zxcvbn4j/compare/1.5.2...1.7.0) --- updated-dependencies: - dependency-name: com.nulab-inc:zxcvbn dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: René Zubcevic <rene@zubcevic.com>	2023-06-02 16:21:17 +02:00
dependabot[bot]	6f0b88f9b6	chore: bump cglib-nodep from 2.2 to 3.3.0 (#1470 ) Bumps [cglib-nodep](https://github.com/cglib/cglib) from 2.2 to 3.3.0. - [Release notes](https://github.com/cglib/cglib/releases) - [Commits](https://github.com/cglib/cglib/commits) --- updated-dependencies: - dependency-name: cglib:cglib-nodep dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: René Zubcevic <rene@zubcevic.com>	2023-06-02 16:06:55 +02:00
dependabot[bot]	9d9fb092be	chore: bump maven-enforcer-plugin from 3.2.1 to 3.3.0 (#1468 ) Bumps [maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.2.1 to 3.3.0. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.2.1...enforcer-3.3.0) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: René Zubcevic <rene@zubcevic.com>	2023-06-02 09:01:54 +02:00
dependabot[bot]	4bc53a6666	chore: bump maven-checkstyle-plugin from 3.1.2 to 3.2.1 (#1472 ) Bumps [maven-checkstyle-plugin](https://github.com/apache/maven-checkstyle-plugin) from 3.1.2 to 3.2.1. - [Release notes](https://github.com/apache/maven-checkstyle-plugin/releases) - [Commits](https://github.com/apache/maven-checkstyle-plugin/compare/maven-checkstyle-plugin-3.1.2...maven-checkstyle-plugin-3.2.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-checkstyle-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: René Zubcevic <rene@zubcevic.com>	2023-06-02 08:54:21 +02:00
dependabot[bot]	61d5fb9ece	chore: bump jsoup from 1.15.4 to 1.16.1 (#1484 ) Bumps [jsoup](https://github.com/jhy/jsoup) from 1.15.4 to 1.16.1. - [Release notes](https://github.com/jhy/jsoup/releases) - [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES) - [Commits](https://github.com/jhy/jsoup/compare/jsoup-1.15.4...jsoup-1.16.1) --- updated-dependencies: - dependency-name: org.jsoup:jsoup dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-02 08:43:43 +02:00
dependabot[bot]	6eafa45e4c	chore: bump jacoco-maven-plugin from 0.8.8 to 0.8.10 Bumps [jacoco-maven-plugin](https://github.com/jacoco/jacoco) from 0.8.8 to 0.8.10. - [Release notes](https://github.com/jacoco/jacoco/releases) - [Commits](https://github.com/jacoco/jacoco/compare/v0.8.8...v0.8.10) --- updated-dependencies: - dependency-name: org.jacoco:jacoco-maven-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2023-05-01 23:48:16 +02:00
caputdraconis	ac6de9d788	Fix typo of HijackSession_content0.adoc	2023-04-17 09:04:15 +02:00
dependabot[bot]	f6855bf6a5	chore: bump guava from 30.1-jre to 31.1-jre (#1448 ) Bumps [guava](https://github.com/google/guava) from 30.1-jre to 31.1-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-06 11:55:22 +02:00
dependabot[bot]	f7b4af5023	chore: bump bootstrap from 3.3.7 to 5.2.3 (#1441 ) Bumps [bootstrap](https://github.com/webjars/bootstrap) from 3.3.7 to 5.2.3. - [Release notes](https://github.com/webjars/bootstrap/releases) - [Commits](https://github.com/webjars/bootstrap/compare/bootstrap-3.3.7...bootstrap-5.2.3) --- updated-dependencies: - dependency-name: org.webjars:bootstrap dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-06 11:55:08 +02:00
dependabot[bot]	e720eec5f9	chore: bump jruby from 9.3.6.0 to 9.4.2.0 (#1454 ) Bumps jruby from 9.3.6.0 to 9.4.2.0. --- updated-dependencies: - dependency-name: org.jruby:jruby dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-06 11:54:51 +02:00
dependabot[bot]	a43a6125e8	chore: bump actions/cache from 3.2.6 to 3.3.1 (#1453 ) Bumps [actions/cache](https://github.com/actions/cache) from 3.2.6 to 3.3.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3.2.6...v3.3.1) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-06 11:54:05 +02:00
dependabot[bot]	d3e2164716	chore: bump asm from 9.1 to 9.5 (#1460 ) Bumps asm from 9.1 to 9.5. --- updated-dependencies: - dependency-name: org.ow2.asm:asm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-04-06 11:53:50 +02:00
Loris Sierra	cbf2e153d9	Restrict SSRF Regexes	2023-03-08 23:22:38 +01:00
dependabot[bot]	0795ff0fc5	chore: bump commons-io from 2.6 to 2.11.0 Bumps commons-io from 2.6 to 2.11.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2023-03-01 11:09:19 +01:00
dependabot[bot]	d7cdfeec2a	chore: bump webdrivermanager from 4.3.1 to 5.3.2 Bumps [webdrivermanager](https://github.com/bonigarcia/webdrivermanager) from 4.3.1 to 5.3.2. - [Release notes](https://github.com/bonigarcia/webdrivermanager/releases) - [Changelog](https://github.com/bonigarcia/webdrivermanager/blob/master/CHANGELOG.md) - [Commits](https://github.com/bonigarcia/webdrivermanager/compare/webdrivermanager-4.3.1...webdrivermanager-5.3.2) --- updated-dependencies: - dependency-name: io.github.bonigarcia:webdrivermanager dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2023-03-01 11:09:08 +01:00
dependabot[bot]	491fe2d84d	chore: bump maven-enforcer-plugin from 3.0.0 to 3.2.1 Bumps [maven-enforcer-plugin](https://github.com/apache/maven-enforcer) from 3.0.0 to 3.2.1. - [Release notes](https://github.com/apache/maven-enforcer/releases) - [Commits](https://github.com/apache/maven-enforcer/compare/enforcer-3.0.0...enforcer-3.2.1) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-enforcer-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2023-03-01 11:08:28 +01:00
dependabot[bot]	a509e8e24e	chore: bump commons-text from 1.9 to 1.10.0 Bumps commons-text from 1.9 to 1.10.0. --- updated-dependencies: - dependency-name: org.apache.commons:commons-text dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2023-03-01 11:07:37 +01:00
Nanne Baars	e50986a098	fix: challenge 7 (#1433 )	2023-02-22 22:55:48 +01:00
Àngel Ollé Blázquez	61dac201f0	Add coverage profile	2023-02-22 14:51:55 +01:00
dependabot[bot]	c5629be618	chore: bump spotless-maven-plugin from 2.29.0 to 2.33.0 (#1426 ) Bumps [spotless-maven-plugin](https://github.com/diffplug/spotless) from 2.29.0 to 2.33.0. - [Release notes](https://github.com/diffplug/spotless/releases) - [Changelog](https://github.com/diffplug/spotless/blob/main/CHANGES.md) - [Commits](https://github.com/diffplug/spotless/compare/lib/2.29.0...lib/2.33.0) --- updated-dependencies: - dependency-name: com.diffplug.spotless:spotless-maven-plugin dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-02-22 13:36:24 +01:00
dependabot[bot]	df8c83fe74	chore: bump eclipse-temurin from 17-jre-focal to 19-jre-focal (#1427 ) Bumps eclipse-temurin from 17-jre-focal to 19-jre-focal. --- updated-dependencies: - dependency-name: eclipse-temurin dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-02-22 13:36:07 +01:00
dependabot[bot]	6d3813c2ce	chore: bump commons-compress from 1.21 to 1.22 (#1428 ) Bumps commons-compress from 1.21 to 1.22. --- updated-dependencies: - dependency-name: org.apache.commons:commons-compress dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-02-22 13:35:52 +01:00
dependabot[bot]	ecfa0197af	chore: bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M9 (#1429 ) Bumps [maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.0.0-M5 to 3.0.0-M9. - [Release notes](https://github.com/apache/maven-surefire/releases) - [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.0.0-M5...surefire-3.0.0-M9) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-surefire-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-02-22 13:35:36 +01:00
dependabot[bot]	8467ae8a0b	chore: bump jsoup from 1.14.3 to 1.15.4 (#1430 ) Bumps [jsoup](https://github.com/jhy/jsoup) from 1.14.3 to 1.15.4. - [Release notes](https://github.com/jhy/jsoup/releases) - [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES) - [Commits](https://github.com/jhy/jsoup/compare/jsoup-1.14.3...jsoup-1.15.4) --- updated-dependencies: - dependency-name: org.jsoup:jsoup dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-02-22 13:35:20 +01:00
dependabot[bot]	5243fa2bf2	chore: bump jose4j from 0.7.6 to 0.9.3 (#1431 ) Bumps [jose4j](https://bitbucket.org/b_c/jose4j) from 0.7.6 to 0.9.3. - [Commits](https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.3..jose4j-0.7.6) --- updated-dependencies: - dependency-name: org.bitbucket.b_c:jose4j dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-02-22 13:35:01 +01:00
dependabot[bot]	36f99dede8	Bump actions/cache from 3.2.5 to 3.2.6 Bumps [actions/cache](https://github.com/actions/cache) from 3.2.5 to 3.2.6. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v3.2.5...v3.2.6) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2023-02-22 13:34:10 +01:00
Nanne Baars	5dbe2eaf19	refactor: update challenge code - Flags are now wired through a Spring config - Introduced Flag class - Removed Flags from the FlagController	2023-02-22 11:01:34 +01:00
Nanne Baars	1b49b2fd3b	chore: format markdown file	2023-02-22 11:01:34 +01:00
Nanne Baars	b49c61636b	ci: add maven and docker to dependabot configuration	2023-02-22 11:01:34 +01:00
Nanne Baars	8269207d6b	docs: add documentation we start using Conventional Commits. Fixes #1022	2023-02-22 11:01:34 +01:00
Nanne Baars	de2f568229	chore: back to snapshot version after release	2023-02-22 11:01:34 +01:00
Nanne Baars	9f6cf39ff2	ci: add distribution in snapshot job	2023-02-22 11:01:34 +01:00
Nanne Baars	19d54dbe95	chore: release version 2023.4	2023-02-22 11:01:34 +01:00
`@ -1,4 +1,4 @@`
	`= Hijack a Session`	`= Hijack a Session`

	`In this lesson we are trying to predict the 'hijack_cookie' value. THe 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.`	`In this lesson we are trying to predict the 'hijack_cookie' value. The 'hijack_cookie' is used to differentiate authenticated and anonymous users of WebGoat.`