chore: new release 2025.3

Closes: gh-1178

.github/workflows/release.yml

@@ -68,7 +68,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
         with:
           platforms: all
 
@@ -82,7 +82,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v6.14.0
+        uses: docker/build-push-action@v6.15.0
         with:
           context: ./
           file: ./Dockerfile
@@ -95,7 +95,7 @@ jobs:
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
       - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v6.14.0
+        uses: docker/build-push-action@v6.15.0
         with:
           context: ./
           file: ./Dockerfile_desktop

CREATE_RELEASE.md

@@ -8,7 +8,8 @@ and 2023.01 in the `pom.xml`.
 ### Release notes:
 
 Update the release notes with the correct version. Use `git shortlog -s -n --since "JAN 06 2023"` for the list of
-committers. In order to fetch the list of issues included use: `git log --graph --pretty='%C(auto)%d%Creset%s' v2023.4..origin/main`
+committers. In order to fetch the list of issues included use:
+`git log --graph --pretty='%C(auto)%d%Creset%s' v2023.4..origin/main`
 
 ```
 mvn versions:set
@@ -17,5 +18,9 @@ mvn verify
 git commit ....
 git tag v2023.01
 git push --tags
+git push
 ```
 
+After the release has been tagged and the build process is done. The release notes should be updated in the GitHub
+release page.
+

RELEASE_NOTES.md

@@ -1,6 +1,24 @@
 # WebGoat release notes
 
-## Version 2025.0
+## Version 2025.3
+
+### 🐞 Bug fixes
+
+- Changed URLs imply other exclusion filters for ZAP (#2052)
+- XSS lesson stage 12 (2 issues) (#1178)
+
+### 🔄 Technical tasks
+
+- bump docker/setup-qemu-action from 3.4.0 to 3.6.0 (#2049)
+- bump docker/build-push-action from 6.14.0 to 6.15.0 (#2050)
+
+## Version 2025.2
+
+### 🐞 Bug fixes
+
+- Fix SQL advanced lesson assignment 5 (#2047)
+
+## Version 2025.1
 
 ### 🚀 New functionality
 
@@ -43,6 +61,19 @@
 
 - Lots of dependency updates
 
+## Contributors
+
+Special thanks to the following contributors providing us with a pull request:
+
+- François Capon
+- GoogTech HackHuang
+- Peter Potrowl
+- cap-dev0x
+- Benjamin Mouncer
+- Jeong Rok Suh
+- Rui Melo
+- Vandeputte Brice
+
 ## Version 2023.8
 
 ### 🚀 New functionality

pom.xml

@@ -10,7 +10,7 @@
 
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2025.0</version>
+  <version>2025.3</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>

src/it/java/org/owasp/webgoat/integration/SqlInjectionAdvancedIntegrationTest.java

@@ -15,17 +15,16 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
     startLesson("SqlInjectionAdvanced");
 
     Map<String, Object> params = new HashMap<>();
-    params.clear();
     params.put("username_reg", "tom' AND substring(password,1,1)='t");
     params.put("password_reg", "password");
     params.put("email_reg", "someone@microsoft.com");
     params.put("confirm_password", "password");
-      checkAssignmentWithPUT(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge"), params, true);
+      checkAssignmentWithPUT(webGoatUrlConfig.url("SqlInjectionAdvanced/register"), params, false);
 
     params.clear();
     params.put("username_login", "tom");
     params.put("password_login", "thisisasecretfortomonly");
-      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/challenge_Login"), params, true);
+      checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/login"), params, true);
 
     params.clear();
     params.put("userid_6a", "'; SELECT * FROM user_system_data;--");
@@ -59,7 +58,5 @@ public class SqlInjectionAdvancedIntegrationTest extends IntegrationTest {
         "question_4_solution",
         "Solution 4: The database registers 'Robert' ); DROP TABLE Students;--'.");
       checkAssignment(webGoatUrlConfig.url("SqlInjectionAdvanced/quiz"), params, true);
-
-    checkResults("SqlInjectionAdvanced");
   }
 }

src/it/java/org/owasp/webgoat/playwright/webgoat/lessons/HttpBasicsLessonUITest.java

@@ -2,7 +2,7 @@
  * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
-package org.owasp.webgoat.playwright.webgoat;
+package org.owasp.webgoat.playwright.webgoat.lessons;
 
 import static com.microsoft.playwright.assertions.PlaywrightAssertions.assertThat;
 
@@ -15,8 +15,9 @@ import org.junit.jupiter.api.Order;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestMethodOrder;
 import org.owasp.webgoat.container.lessons.LessonName;
+import org.owasp.webgoat.playwright.webgoat.PlaywrightTest;
 import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
-import org.owasp.webgoat.playwright.webgoat.pages.HttpBasicsLessonPage;
+import org.owasp.webgoat.playwright.webgoat.pages.lessons.HttpBasicsLessonPage;
 
 @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
 public class HttpBasicsLessonUITest extends PlaywrightTest {

src/it/java/org/owasp/webgoat/playwright/webgoat/lessons/SqlInjectionAdvancedUITest.java

@@ -0,0 +1,120 @@
+/*
+ * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+package org.owasp.webgoat.playwright.webgoat.lessons;
+
+import static com.microsoft.playwright.assertions.PlaywrightAssertions.assertThat;
+
+import com.microsoft.playwright.Browser;
+import com.microsoft.playwright.Page;
+import com.microsoft.playwright.Page.GetByRoleOptions;
+import com.microsoft.playwright.options.AriaRole;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.container.lessons.LessonName;
+import org.owasp.webgoat.playwright.webgoat.PlaywrightTest;
+import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
+import org.owasp.webgoat.playwright.webgoat.pages.lessons.LessonPage;
+
+public class SqlInjectionAdvancedUITest extends PlaywrightTest {
+
+  private LessonPage lessonPage;
+
+  @BeforeEach
+  void navigateToLesson(Browser browser) {
+    var lessonName = new LessonName("SqlInjectionAdvanced");
+    var page = Authentication.sylvester(browser);
+
+    this.lessonPage = new LessonPage(page);
+    lessonPage.resetLesson(lessonName);
+    lessonPage.open(lessonName);
+  }
+
+  @Test
+  @DisplayName("Login as Tom with incorrect password")
+  void loginAsTomWithIncorrectPassword() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Login")).click();
+    page.locator("[name='username_login']").fill("tom");
+    page.locator("[name='password_login']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Log In")).click();
+
+    assertThat(lessonPage.getAssignmentOutput())
+        .containsText("Wrong username or password. Try again.");
+  }
+
+  @Test
+  @DisplayName("Login as Tom with correct password")
+  void loginAsTomWithCorrectPassword() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Login")).click();
+    page.locator("[name='username_login']").fill("tom");
+    page.locator("[name='password_login']").fill("thisisasecretfortomonly");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Log In")).click();
+
+    lessonPage.isAssignmentSolved(5);
+  }
+
+  @Test
+  @DisplayName("Register as Tom should show error that Tom already exists")
+  void registerAsTomShouldDisplayError() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
+    page.locator("[name='username_reg']").fill("tom");
+    page.locator("[name='email_reg']").fill("tom@tom.org");
+    page.locator("[name='password_reg']").fill("test");
+    page.locator("[name='confirm_password_reg']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
+
+    assertThat(lessonPage.getAssignmentOutput()).containsText("User tom already exists");
+  }
+
+  @Test
+  @DisplayName(
+      "Using SQL Injection to register as Tom to guess the password and the guess is correct")
+  void startGuessingCorrect() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
+    page.locator("[name='username_reg']").fill("tom' AND substring(password,1,1)='t");
+    page.locator("[name='email_reg']").fill("tom@tom.org");
+    page.locator("[name='password_reg']").fill("test");
+    page.locator("[name='confirm_password_reg']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
+
+    assertThat(lessonPage.getAssignmentOutput())
+        .containsText("User tom' AND substring(password,1,1)='t already exists");
+  }
+
+  @Test
+  @DisplayName(
+      "Using SQL Injection to register as Tom to guess the password and the guess is incorrect")
+  void startGuessingIncorrect() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.LINK, new GetByRoleOptions().setName("Register")).click();
+    page.locator("[name='username_reg']").fill("tom' AND substring(password,1,1)='a");
+    page.locator("[name='email_reg']").fill("tom@tom.org");
+    page.locator("[name='password_reg']").fill("test");
+    page.locator("[name='confirm_password_reg']").fill("test");
+    page.getByRole(AriaRole.BUTTON, new GetByRoleOptions().setName("Register Now")).click();
+
+    assertThat(lessonPage.getAssignmentOutput())
+        .containsText(
+            "User tom' AND substring(password,1,1)='a created, please proceed to the login page.");
+  }
+
+  @Test
+  @DisplayName("Should display correct hints")
+  void shouldDisplayCorrectHints() {
+    lessonPage.navigateTo(5);
+    var page = lessonPage.getPage();
+    page.getByRole(AriaRole.BUTTON, new Page.GetByRoleOptions().setName("Show hints")).click();
+    assertThat(lessonPage.getAssignmentOutput()).containsText("Look at the different");
+  }
+}

src/it/java/org/owasp/webgoat/playwright/webgoat/pages/lessons/HttpBasicsLessonPage.java

@@ -2,7 +2,7 @@
  * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
-package org.owasp.webgoat.playwright.webgoat.pages;
+package org.owasp.webgoat.playwright.webgoat.pages.lessons;
 
 import com.microsoft.playwright.Locator;
 import com.microsoft.playwright.Page;

src/it/java/org/owasp/webgoat/playwright/webgoat/pages/lessons/LessonPage.java

@@ -2,7 +2,7 @@
  * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
-package org.owasp.webgoat.playwright.webgoat.pages;
+package org.owasp.webgoat.playwright.webgoat.pages.lessons;
 
 import static org.owasp.webgoat.playwright.webgoat.PlaywrightTest.webGoatUrl;
 
@@ -14,7 +14,7 @@ import org.assertj.core.api.Assertions;
 import org.owasp.webgoat.container.lessons.LessonName;
 
 @Getter
-class LessonPage {
+public class LessonPage {
 
   private final Page page;
 
@@ -65,4 +65,8 @@ class LessonPage {
   public Locator getAssignmentOutput() {
     return page.locator("#lesson-content-wrapper");
   }
+
+  public Locator getHintsOutput() {
+    return page.locator("#lesson-hint");
+  }
 }

src/main/java/org/owasp/webgoat/container/assignments/AttackResultBuilder.java

@@ -4,11 +4,9 @@
  */
 package org.owasp.webgoat.container.assignments;
 
-import org.owasp.webgoat.container.i18n.PluginMessages;
-
 public class AttackResultBuilder {
 
-  private boolean lessonCompleted;
+  private boolean assignmentCompleted;
   private Object[] feedbackArgs;
   private String feedbackResourceBundleKey;
   private String output;
@@ -16,15 +14,8 @@ public class AttackResultBuilder {
   private AssignmentEndpoint assignment;
   private boolean attemptWasMade = false;
 
-  public AttackResultBuilder lessonCompleted(boolean lessonCompleted) {
+  public AttackResultBuilder assignmentCompleted(boolean lessonCompleted) {
-    this.lessonCompleted = lessonCompleted;
+    this.assignmentCompleted = lessonCompleted;
-    this.feedbackResourceBundleKey = "lesson.completed";
-    return this;
-  }
-
-  public AttackResultBuilder lessonCompleted(boolean lessonCompleted, String resourceBundleKey) {
-    this.lessonCompleted = lessonCompleted;
-    this.feedbackResourceBundleKey = resourceBundleKey;
     return this;
   }
 
@@ -55,7 +46,7 @@ public class AttackResultBuilder {
 
   public AttackResult build() {
     return new AttackResult(
-        lessonCompleted,
+            assignmentCompleted,
         feedbackResourceBundleKey,
         feedbackArgs,
         output,
@@ -81,7 +72,7 @@ public class AttackResultBuilder {
    */
   public static AttackResultBuilder success(AssignmentEndpoint assignment) {
     return new AttackResultBuilder()
-        .lessonCompleted(true)
+        .assignmentCompleted(true)
         .attemptWasMade()
         .feedback("assignment.solved")
         .assignment(assignment);
@@ -99,13 +90,13 @@ public class AttackResultBuilder {
    */
   public static AttackResultBuilder failed(AssignmentEndpoint assignment) {
     return new AttackResultBuilder()
-        .lessonCompleted(false)
+        .assignmentCompleted(false)
         .attemptWasMade()
         .feedback("assignment.not.solved")
         .assignment(assignment);
   }
 
   public static AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
-    return new AttackResultBuilder().lessonCompleted(false).assignment(assignment);
+    return new AttackResultBuilder().assignmentCompleted(false).assignment(assignment);
   }
 }

src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java

@@ -84,7 +84,7 @@ public class CourseConfiguration {
 
   @Bean
   public Course course() {
-    assignments.stream().forEach(this::attachToLesson);
+    assignments.forEach(this::attachToLesson);
 
     // Check if all assignments are attached to a lesson
     var assignmentsAttachedToLessons =
@@ -99,7 +99,7 @@ public class CourseConfiguration {
 
   private List<String> findDiff() {
     var matchedToLessons =
-        lessons.stream().flatMap(l -> l.getAssignments().stream()).map(a -> a.getName()).toList();
+        lessons.stream().flatMap(l -> l.getAssignments().stream()).map(Assignment::getName).toList();
     var allAssignments = assignments.stream().map(a -> a.getClass().getSimpleName()).toList();
 
     var diff = new ArrayList<>(allAssignments);

src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java

@@ -5,7 +5,7 @@
 package org.owasp.webgoat.lessons.sqlinjection.advanced;
 
 import static org.owasp.webgoat.container.assignments.AttackResultBuilder.failed;
-import static org.owasp.webgoat.container.assignments.AttackResultBuilder.success;
+import static org.owasp.webgoat.container.assignments.AttackResultBuilder.informationMessage;
 
 import java.sql.*;
 import lombok.extern.slf4j.Slf4j;
@@ -19,13 +19,17 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-/**
- * @author nbaars
- * @since 4/8/17.
- */
 @RestController
 @AssignmentHints(
-    value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
+    value = {
+      "SqlInjectionChallenge1",
+      "SqlInjectionChallenge2",
+      "SqlInjectionChallenge3",
+      "SqlInjectionChallenge4",
+      "SqlInjectionChallenge5",
+      "SqlInjectionChallenge6",
+      "SqlInjectionChallenge7"
+    })
 @Slf4j
 public class SqlInjectionChallenge implements AssignmentEndpoint {
 
@@ -35,38 +39,34 @@ public class SqlInjectionChallenge implements AssignmentEndpoint {
     this.dataSource = dataSource;
   }
 
-  @PutMapping("/SqlInjectionAdvanced/challenge")
+  @PutMapping("/SqlInjectionAdvanced/register")
   // assignment path is bounded to class so we use different http method :-)
   @ResponseBody
   public AttackResult registerNewUser(
-      @RequestParam String username_reg,
+      @RequestParam("username_reg") String username,
-      @RequestParam String email_reg,
+      @RequestParam("email_reg") String email,
-      @RequestParam String password_reg)
+      @RequestParam("password_reg") String password) {
-      throws Exception {
+    AttackResult attackResult = checkArguments(username, email, password);
-    AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
 
     if (attackResult == null) {
 
       try (Connection connection = dataSource.getConnection()) {
         String checkUserQuery =
-            "select userid from sql_challenge_users where userid = '" + username_reg + "'";
+            "select userid from sql_challenge_users where userid = '" + username + "'";
         Statement statement = connection.createStatement();
         ResultSet resultSet = statement.executeQuery(checkUserQuery);
 
         if (resultSet.next()) {
-          if (username_reg.contains("tom'")) {
+          attackResult = failed(this).feedback("user.exists").feedbackArgs(username).build();
-            attackResult = success(this).feedback("user.exists").build();
-          } else {
-            attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
-          }
         } else {
           PreparedStatement preparedStatement =
               connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
-          preparedStatement.setString(1, username_reg);
+          preparedStatement.setString(1, username);
-          preparedStatement.setString(2, email_reg);
+          preparedStatement.setString(2, email);
-          preparedStatement.setString(3, password_reg);
+          preparedStatement.setString(3, password);
           preparedStatement.execute();
-          attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
+          attackResult =
+              informationMessage(this).feedback("user.created").feedbackArgs(username).build();
         }
       } catch (SQLException e) {
         attackResult = failed(this).output("Something went wrong").build();
@@ -75,13 +75,13 @@ public class SqlInjectionChallenge implements AssignmentEndpoint {
     return attackResult;
   }
 
-  private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
+  private AttackResult checkArguments(String username, String email, String password) {
-    if (StringUtils.isEmpty(username_reg)
+    if (StringUtils.isEmpty(username)
-        || StringUtils.isEmpty(email_reg)
+        || StringUtils.isEmpty(email)
-        || StringUtils.isEmpty(password_reg)) {
+        || StringUtils.isEmpty(password)) {
       return failed(this).feedback("input.invalid").build();
     }
-    if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
+    if (username.length() > 250 || email.length() > 30 || password.length() > 30) {
       return failed(this).feedback("input.invalid").build();
     }
     return null;

src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallengeLogin.java

@@ -9,7 +9,6 @@ import static org.owasp.webgoat.container.assignments.AttackResultBuilder.succes
 
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -17,13 +16,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-@AssignmentHints(
-    value = {
-      "SqlInjectionChallengeHint1",
-      "SqlInjectionChallengeHint2",
-      "SqlInjectionChallengeHint3",
-      "SqlInjectionChallengeHint4"
-    })
 public class SqlInjectionChallengeLogin implements AssignmentEndpoint {
   private final LessonDataSource dataSource;
 
@@ -31,20 +23,22 @@ public class SqlInjectionChallengeLogin implements AssignmentEndpoint {
     this.dataSource = dataSource;
   }
 
-  @PostMapping("/SqlInjectionAdvanced/challenge_Login")
+  @PostMapping("/SqlInjectionAdvanced/login")
   @ResponseBody
   public AttackResult login(
-      @RequestParam String username_login, @RequestParam String password_login) throws Exception {
+      @RequestParam("username_login") String username,
+      @RequestParam("password_login") String password)
+      throws Exception {
     try (var connection = dataSource.getConnection()) {
       var statement =
           connection.prepareStatement(
               "select password from sql_challenge_users where userid = ? and password = ?");
-      statement.setString(1, username_login);
+      statement.setString(1, username);
-      statement.setString(2, password_login);
+      statement.setString(2, password);
       var resultSet = statement.executeQuery();
 
       if (resultSet.next()) {
-        return ("tom".equals(username_login))
+        return ("tom".equals(username))
             ? success(this).build()
             : failed(this).feedback("ResultsButNotTom").build();
       } else {

src/main/resources/i18n/messages.properties

@@ -1,4 +1,3 @@
-lesson.completed=Congratulations. You have successfully completed this lesson.
 assignment.solved=Congratulations. You have successfully completed the assignment.
 assignment.not.solved=Sorry the solution is not correct, please try again.
 RestartLesson=Restart this Lesson

src/main/resources/i18n/messages_de.properties

@@ -1,5 +1,4 @@
 #General
-lesson.completed=Herzlichen Gl\u00fcckwunsch! Sie haben diese Lektion erfolgreich abgeschlossen.
 assignment.solved=Herzlichen Gl\u00fcckwunsch! Sie haben diesen Auftrag erfolgreich abgeschlossen.
 assignment.not.solved=Die L\u00f6sung ist nicht korrekt, versuchen Sie es erneut.
 

src/main/resources/i18n/messages_fr.properties

@@ -1,5 +1,4 @@
 #General
-lesson.completed=F\u00e9licitations. Vous avez termin\u00e9 cette le\u00e7on avec succ\u00e9s.
 RestartLesson=Recommencer cette le\u00e7on
 SolutionVideos=Solution vid\u00e9os
 ErrorGenerating=Error generating

src/main/resources/i18n/messages_nl.properties

@@ -1,4 +1,3 @@
-lesson.completed=Gefeliciteerd, je hebt deze les succesvol afgerond.
 assignment.solved=Gefeliciteerd, je hebt deze opdracht succesvol afgerond.
 assignment.not.solved=Sorry de oplossing is niet correct, probeer het nog eens.
 RestartLesson=Herstart de les

src/main/resources/lessons/challenges/i18n/WebGoatLabels.properties

@@ -10,7 +10,7 @@ challenge9.title=Changing password
 challenge.solved=Congratulations, you solved the challenge. Here is your flag: {0}
 challenge.close=This is not the correct password for Larry, please try again.
 
-email.send=An e-mail has been send to {0}
+email.send=An e-mail has been sent to {0}
 
 user.exists=User {0} already exists please try to register with a different username.
 user.created=User {0} created, please proceed to the login page.

src/main/resources/lessons/httpbasics/i18n/WebGoatLabels_ru.properties

@@ -1,2 +0,0 @@
-EnterYourName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0435 \u0438\u043c\u044f
-Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

src/main/resources/lessons/httpproxies/documentation/3browsersetup.adoc

@@ -1,24 +1,7 @@
 ==== Setting up browser
 
-If you use the latest ZAP version (>= 2.8.0), you only need to start ZAP and click the browser button to be able to proxy, see image below:
+As the ZAP setup for proxying localhost varies based on your browser, we recommend following the instructions at: https://www.zaproxy.org/docs/desktop/start/proxies/
-
+After you setup the proxy, you should see the following in OWASP ZAP on the history panel:
-{nbsp} +
-
-image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
-
-{nbsp} +
-
-In the browser type: http://localhost:8080/WebGoat, you should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
-
-{nbsp} +
-
-image::images/loginscreen.png[Browser with HUD,style="lesson-image"]
-
-{nbsp} +
-
-You might notice that this is the Dutch login screen. The browser determines the language settings. For some pages, there will be some local translations. You can contribute to WebGoat and add more for your preferred language. You can disable the Heads On Display by clicking on the highlighted button. You can learn about the OWASP ZAP HUD on their website. For now, we recommend disabling it as it kind of blocks the menu items.
-
-You should see the following in OWASP ZAP on the history panel:
 
 {nbsp} +
 

src/main/resources/lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc

@@ -17,7 +17,7 @@ And in the `URL Exc Regex` box type:
 
 [source]
 ----
-.*lesson.*.mvc
+.*lesson.*.mvc.*
 ----
 
 Click 'Apply to close the window, and ZAP will now no longer show internal WebGoat requests.

src/main/resources/lessons/sqlinjection/html/SqlInjectionAdvanced.html

@@ -79,7 +79,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          th:action="@{/SqlInjectionAdvanced/Challenge_Login}"
+                                          th:action="@{/SqlInjectionAdvanced/login}"
                                           role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
@@ -115,7 +115,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          th:action="@{/SqlInjectionAdvanced/challenge}"
+                                          th:action="@{/SqlInjectionAdvanced/register}"
                                           style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels.properties

@@ -3,12 +3,8 @@
 2.sql.advanced.title=SQL Injection (advanced)
 3.sql.mitigation.title=SQL Injection (mitigation)
 
-
+NoResultsMatched=Wrong username or password. Try again.
-SqlInjectionChallenge1=Look at the different response you receive from the server
+ResultsButNotTom=Try to log in as Tom!
-SqlInjectionChallenge2=The vulnerability is on the register form
-SqlInjectionChallenge3=Use tooling to automate this attack
-NoResultsMatched=No results matched, try again.
-ResultsButNotTom=Try To login as Tom!
 
 sql-injection.2.success=You have succeeded!
 sql-injection.2.failed=Something went wrong! You got no results, check your SQL Statement and the table above.
@@ -100,10 +96,13 @@ SqlStringInjectionHint-mitigation-13-2=Intercept the request and try to specify
 SqlStringInjectionHint-mitigation-13-3=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 SqlStringInjectionHint-mitigation-13-4=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
 
-SqlInjectionChallengeHint1=The table name is randomized at each start of WebGoat, try to figure out the name first.
+SqlInjectionChallenge1=Look at the different response you receive from the server when you try different entries
-SqlInjectionChallengeHint2=Find the field which is vulnerable to SQL injection use that to change the password.
+SqlInjectionChallenge2=Does the register form give you any indication a user already exists?
-SqlInjectionChallengeHint3=Change the password through an UPDATE Statement.
+SqlInjectionChallenge3=Try to guess the password of the user 'tom' one character at a time
-SqlInjectionChallengeHint4=The vulnerable field is the username field of the register form.
+SqlInjectionChallenge4=Use substring(column, start, length) to get the password of the user 'tom' one character at a time
+SqlInjectionChallenge5=Use tom' AND substring(password,1,1)='a for the guess of the first character of the password
+SqlInjectionChallenge6=It is important to look at the different responses you receive from the server when you try different entries
+SqlInjectionChallenge7=You can use tooling to automate this attack
 
 SqlOnlyInputValidation-failed=Using spaces is not allowed!
 SqlOnlyInputValidation-1=Spaces are rejected, try to find a way around this restriction

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_de.properties

@@ -1,7 +1,7 @@
 #StringSqlInjection.java
 StringSqlInjectionSecondStage=Da sie nun erfolgreich eine SQL Injection durchgef\u00fchrt haben, versuchen Sie denselben Typ von Angriff auf eine parametrisierte Anfrage. Starten Sie Diese Lektion neu, wenn Sie zur verwundbaren SQL Anfrage gelangen m\u00f6chten.
     EnterLastName=Geben Sie Ihren Nachnamen ein:
-NoResultsMatched=Keine Resultate gefunden, versuchen Sie es erneut
+NoResultsMatched=Falscher Benutzername oder falsches Passwort. Versuchen Sie es erneut.
 SqlStringInjectionHint1=The application is taking your input and inserting it at the end of a pre-formed SQL command.
 SqlStringInjectionHint2=This is the code for the query being built and issued by WebGoat:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Compound SQL statements can be made by joining multiple tests with keywords like AND and OR. Try appending a SQL statement that always resolves to true

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_fr.properties

@@ -1,7 +1,7 @@
 #StringSqlInjection.java
 StringSqlInjectionSecondStage=Maintenant que vous avez r\u00e9alis\u00e9 une injection SQL avec succ\u00e8s, essayer le m\u00eame type d'attaque sur une requ\u00eate param\u00e9tr\u00e9e. Red\u00e9marrez la le\u00e7on si vous souhaitez revenir \u00e0 la requ\u00eate injectable.
 EnterLastName=Entrez votre nom :
-NoResultsMatched=Aucun r\u00e9sultat correspondant. Essayez encore.
+NoResultsMatched=Aucun nom d'utilisateur ou mot de passe incorrect. Essayez encore.
 SqlStringInjectionHint1=L'application r\u00e9cup\u00e8re votre saisie et l'ins\u00e8re \u00e0 la fin d'une commande SQL pr\u00e9-form\u00e9e.
 SqlStringInjectionHint2=Voici le code de la requ\u00eate assembl\u00e9e et ex\u00e9cut\u00e9e par WebGoat :<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
 SqlStringInjectionHint3=Les commandes SQL compos\u00e9es peuvent \u00eatre assembl\u00e9es en associant de multiples conditions au moyen de mots-cl\u00e9 tels que AND et OR. Essayez d'assembler une condition qui sera toujours r\u00e9solue \u00e0 vrai.

src/main/resources/lessons/sqlinjection/i18n/WebGoatLabels_ru.properties

@@ -1,8 +0,0 @@
-#StringSqlInjection.java
-StringSqlInjectionSecondStage=\u0422\u0435\u043f\u0435\u0440\u044c, \u043a\u043e\u0433\u0434\u0430 \u0432\u0430\u043c \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u0443\u0434\u0430\u0447\u043d\u043e \u043f\u0440\u043e\u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c SQL-\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e, \u043f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c \u044d\u0442\u043e \u0441 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u043c. \u041d\u0430\u0447\u043d\u0438\u0442\u0435 \u0443\u0440\u043e\u043a \u0437\u0430\u043d\u043e\u0432\u043e \u0435\u0441\u043b\u0438 \u0432\u044b \u0445\u043e\u0442\u0438\u0442\u0435 \u0432\u043d\u043e\u0432\u044c \u0443\u0432\u0438\u0434\u0435\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0435 \u043f\u043e\u043b\u0435.
-EnterLastName=\u0412\u0432\u0435\u0434\u0438\u0442\u0435 \u0432\u0430\u0448\u0443 \u0444\u0430\u043c\u0438\u043b\u0438\u044e:
-NoResultsMatched=\u041d\u0435\u0442 \u0441\u043e\u0432\u043f\u0430\u0434\u0435\u043d\u0438\u0439. \u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0441\u043d\u043e\u0432\u0430.
-SqlStringInjectionHint1=\u041f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0431\u0435\u0440\u0451\u0442 \u0442\u043e \u0447\u0442\u043e \u0432\u044b \u0432\u0432\u043e\u0434\u0438\u0442\u0435 \u0438 \u0432\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0432 \u043a\u043e\u043d\u0435\u0446 \u0437\u0430\u0440\u0430\u043d\u0435\u0435 \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430.
-SqlStringInjectionHint2=\u0412\u043e\u0442 \u043a\u043e\u0434 \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f WebGoat`\u043e\u043c:<br><br> "SELECT * FROM user_data WHERE last_name = "accountName"
-SqlStringInjectionHint3=\u0426\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c SQL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u043c\u043e\u0436\u043d\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u043f\u0440\u043e\u0432\u0435\u0434\u044f \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u043e\u043a \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0442\u0430\u043a\u0438\u0445 \u043a\u043b\u044e\u0447\u0435\u0432\u044b\u0445 \u0441\u043b\u043e\u0432 \u043a\u0430\u043a AND \u0438 OR. \u041f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0441\u043e\u0441\u0442\u0430\u0432\u0438\u0442\u044c \u0442\u0430\u043a\u043e\u0435 SQL-\u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u0435, \u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u0432\u0441\u0435\u0433\u0434\u0430 \u0431\u0443\u0434\u0435\u0442 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0442\u044c \u0438\u0441\u0442\u0438\u043d\u0443.
-SqlStringInjectionHint4=\u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0432\u0432\u0435\u0441\u0442\u0438 [ smith' OR '1' = '1 ].

src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json

@@ -1,13 +1,15 @@
 {
-  "questions": [{
+    "questions": [
+        {
             "text": "What is the difference between a prepared statement and a statement?",
             "solutions": {
                 "1": "Prepared statements are statements with hard-coded parameters.",
                 "2": "Prepared statements are not stored in the database.",
-      "3": "A statement is faster.",
+                "3": "A statement is faster executes faster than a prepared statement.",
-      "4": "A statement has got values instead of a prepared statement"
+                "4": "A statement includes actual values, whereas a prepared statement uses placeholders."
             }
-  }, {
+        },
+        {
             "text": "Which one of the following characters is a placeholder for variables?",
             "solutions": {
                 "1": "*",
@@ -15,29 +17,33 @@
                 "3": "?",
                 "4": "!"
             }
-  }, {
+        },
+        {
             "text": "How can prepared statements be faster than statements?",
             "solutions": {
-      "1": "They are not static so they can compile better written code than statements.",
+                "1": "Prepared statements are not static, allowing them to be optimized more efficiently than regular statements.",
-      "2": "Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way.",
+                "2": "Prepared statements are compiled once by the database management system and then reused with different inputs, reducing compilation overhead.",
-      "3": "Prepared statements are stored and wait for input it raises performance considerably.",
+                "3": "Since prepared statements are stored and wait for input, they improve performance significantly.",
-      "4": "Oracle optimized prepared statements. Because of the minimal use of the databases resources it is faster."
+                "4": "Oracle optimizes prepared statements, making them faster by minimizing the use of database resources."
             }
-  }, {
+        },
-    "text": "How can a prepared statement prevent SQL-Injection?",
+        {
+            "text": "How do prepared statements help prevent SQL injection?",
             "solutions": {
-      "1": "Prepared statements have got an inner check to distinguish between input and logical errors.",
+                "1": "Prepared statements have built-in mechanisms to distinguish between user input and SQL logic, preventing malicious manipulation.",
-      "2": "Prepared statements use the placeholders to make rules what input is allowed to use.",
+                "2": "Prepared statements use placeholders to enforce rules on allowed input, reducing the risk of SQL injection.",
-      "3": "Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data.",
+                "3": "Placeholders prevent user input from being directly appended to the SQL query, ensuring a clear separation between code and data.",
-      "4": "Prepared statements always read inputs literally and never mixes it with its SQL commands."
+                "4": "Prepared statements treat all user input as literal values, never mixing it with SQL commands."
             }
-  }, {
+        },
-    "text": "What happens if a person with malicious intent writes into a register form :Robert); DROP TABLE Students;-- that has a prepared statement?",
+        {
+            "text": "What happens if a person with malicious intent enters the following input into a registration form that uses a prepared statement? Input: Robert); DROP TABLE Students;--",
             "solutions": {
-      "1": "The table Students and all of its content will be deleted.",
+                "1": "The Students table and all its data will be deleted.",
-      "2": "The input deletes all students with the name Robert.",
+                "2": "The input deletes all students named Robert.",
-      "3": "The database registers 'Robert' and deletes the table afterwards.",
+                "3": "The database registers Robert and then deletes the table.",
-      "4": "The database registers 'Robert' ); DROP TABLE Students;--'."
+                "4": "The database treats the entire input as a plain string: Robert); DROP TABLE Students;-- without executing it as SQL."
             }
-  }]
+        }
+    ]
 }

src/main/resources/lessons/xss/js/questions_cross_site_scripting.json

@@ -1,19 +1,19 @@
 {
   "questions": [{
-    "text": "Are trusted websites immune to XSS attacks?",
+    "text": "Is a well known website, like Netflix, immune to XSS attacks?",
     "solutions": {
-      "1": "Yes they are safe because the browser checks the code before executing.",
+      "1": "Yes, they are safe because the browser checks the code before executing.",
-      "2": "Yes because Google has got an algorithm that blocks malicious code.",
+      "2": "Yes, because Google has got an algorithm that blocks malicious code.",
-      "3": "No because the script that is executed will break through the defense algorithm of the browser.",
+      "3": "No, because the script that is executed will break through the defense algorithm of the browser.",
-      "4": "No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
+      "4": "No, because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
     }
   }, {
     "text": "When do XSS attacks occur?",
     "solutions": {
-      "1": "Data enters a web application through a trusted source.",
+      "1": "When malicious scripts are injected into a website's server-side code.",
-      "2": "Data enters a browser application through the website.",
+      "2": "When a user submits sensitive information without encryption.",
-      "3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.",
+      "3": "When a website fails to validate or sanitize user input, allowing malicious scripts to be executed in a user's browser.",
-      "4": "The data is excluded in static content that way it is sent without being validated."
+      "4": "When a website uses outdated SSL/TLS protocols."
     }
   }, {
     "text": "What are Stored XSS attacks?",
@@ -27,17 +27,17 @@
     "text": "What are Reflected XSS attacks?",
     "solutions": {
       "1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.",
-      "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.",
+      "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the response.",
       "3": "Reflected attacks reflect from the firewall off to the database where the user requests information from.",
       "4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user."
     }
   }, {
     "text": "Is JavaScript the only way to perform XSS attacks?",
     "solutions": {
-      "1": "Yes you can only make use of tags through JavaScript.",
+      "1": "Yes, you can only make use of tags through JavaScript.",
-      "2": "Yes otherwise you cannot steal cookies.",
+      "2": "Yes, otherwise you cannot steal cookies.",
-      "3": "No there is ECMAScript too.",
+      "3": "No, there is ECMAScript too.",
-      "4": "No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
+      "4": "No, there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
     }
   }]
 }