chore: new release 2025.3

Closes: gh-1178

.github/workflows/release.yml

@@ -68,7 +68,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.6.0
         with:
           platforms: all
 
@@ -82,7 +82,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v6.14.0
+        uses: docker/build-push-action@v6.15.0
         with:
           context: ./
           file: ./Dockerfile
@@ -95,7 +95,7 @@ jobs:
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
       - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v6.14.0
+        uses: docker/build-push-action@v6.15.0
         with:
           context: ./
           file: ./Dockerfile_desktop

RELEASE_NOTES.md

@@ -1,5 +1,17 @@
 # WebGoat release notes
 
+## Version 2025.3
+
+### 🐞 Bug fixes
+
+- Changed URLs imply other exclusion filters for ZAP (#2052)
+- XSS lesson stage 12 (2 issues) (#1178)
+
+### 🔄 Technical tasks
+
+- bump docker/setup-qemu-action from 3.4.0 to 3.6.0 (#2049)
+- bump docker/build-push-action from 6.14.0 to 6.15.0 (#2050)
+
 ## Version 2025.2
 
 ### 🐞 Bug fixes

pom.xml

@@ -10,7 +10,7 @@
 
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2025.2</version>
+  <version>2025.3</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>

src/main/resources/lessons/httpproxies/documentation/3browsersetup.adoc

@@ -1,24 +1,7 @@
 ==== Setting up browser
 
-If you use the latest ZAP version (>= 2.8.0), you only need to start ZAP and click the browser button to be able to proxy, see image below:
+As the ZAP setup for proxying localhost varies based on your browser, we recommend following the instructions at: https://www.zaproxy.org/docs/desktop/start/proxies/
-
+After you setup the proxy, you should see the following in OWASP ZAP on the history panel:
-{nbsp} +
-
-image::images/zap-browser-button.png[ZAP Start,style="lesson-image"]
-
-{nbsp} +
-
-In the browser type: http://localhost:8080/WebGoat, you should see WebGoat and the OWASP ZAP Heads On Display (if you use OWASP ZAP as the proxy):
-
-{nbsp} +
-
-image::images/loginscreen.png[Browser with HUD,style="lesson-image"]
-
-{nbsp} +
-
-You might notice that this is the Dutch login screen. The browser determines the language settings. For some pages, there will be some local translations. You can contribute to WebGoat and add more for your preferred language. You can disable the Heads On Display by clicking on the highlighted button. You can learn about the OWASP ZAP HUD on their website. For now, we recommend disabling it as it kind of blocks the menu items.
-
-You should see the following in OWASP ZAP on the history panel:
 
 {nbsp} +
 

src/main/resources/lessons/httpproxies/documentation/5configurefilterandbreakpoints.adoc

@@ -17,7 +17,7 @@ And in the `URL Exc Regex` box type:
 
 [source]
 ----
-.*lesson.*.mvc
+.*lesson.*.mvc.*
 ----
 
 Click 'Apply to close the window, and ZAP will now no longer show internal WebGoat requests.

src/main/resources/lessons/sqlinjection/js/questions_sql_injection.json

@@ -1,43 +1,49 @@
 {
-  "questions": [{
+    "questions": [
-    "text": "What is the difference between a prepared statement and a statement?",
+        {
-    "solutions": {
+            "text": "What is the difference between a prepared statement and a statement?",
-      "1": "Prepared statements are statements with hard-coded parameters.",
+            "solutions": {
-      "2": "Prepared statements are not stored in the database.",
+                "1": "Prepared statements are statements with hard-coded parameters.",
-      "3": "A statement is faster.",
+                "2": "Prepared statements are not stored in the database.",
-      "4": "A statement has got values instead of a prepared statement"
+                "3": "A statement is faster executes faster than a prepared statement.",
-    }
+                "4": "A statement includes actual values, whereas a prepared statement uses placeholders."
-  }, {
+            }
-    "text": "Which one of the following characters is a placeholder for variables?",
+        },
-    "solutions": {
+        {
-      "1": "*",
+            "text": "Which one of the following characters is a placeholder for variables?",
-      "2": "=",
+            "solutions": {
-      "3": "?",
+                "1": "*",
-      "4": "!"
+                "2": "=",
-    }
+                "3": "?",
-  }, {
+                "4": "!"
-    "text": "How can prepared statements be faster than statements?",
+            }
-    "solutions": {
+        },
-      "1": "They are not static so they can compile better written code than statements.",
+        {
-      "2": "Prepared statements are compiled once by the database management system waiting for input and are pre-compiled this way.",
+            "text": "How can prepared statements be faster than statements?",
-      "3": "Prepared statements are stored and wait for input it raises performance considerably.",
+            "solutions": {
-      "4": "Oracle optimized prepared statements. Because of the minimal use of the databases resources it is faster."
+                "1": "Prepared statements are not static, allowing them to be optimized more efficiently than regular statements.",
-    }
+                "2": "Prepared statements are compiled once by the database management system and then reused with different inputs, reducing compilation overhead.",
-  }, {
+                "3": "Since prepared statements are stored and wait for input, they improve performance significantly.",
-    "text": "How can a prepared statement prevent SQL-Injection?",
+                "4": "Oracle optimizes prepared statements, making them faster by minimizing the use of database resources."
-    "solutions": {
+            }
-      "1": "Prepared statements have got an inner check to distinguish between input and logical errors.",
+        },
-      "2": "Prepared statements use the placeholders to make rules what input is allowed to use.",
+        {
-      "3": "Placeholders can prevent that the users input gets attached to the SQL query resulting in a seperation of code and data.",
+            "text": "How do prepared statements help prevent SQL injection?",
-      "4": "Prepared statements always read inputs literally and never mixes it with its SQL commands."
+            "solutions": {
-    }
+                "1": "Prepared statements have built-in mechanisms to distinguish between user input and SQL logic, preventing malicious manipulation.",
-  }, {
+                "2": "Prepared statements use placeholders to enforce rules on allowed input, reducing the risk of SQL injection.",
-    "text": "What happens if a person with malicious intent writes into a register form :Robert); DROP TABLE Students;-- that has a prepared statement?",
+                "3": "Placeholders prevent user input from being directly appended to the SQL query, ensuring a clear separation between code and data.",
-    "solutions": {
+                "4": "Prepared statements treat all user input as literal values, never mixing it with SQL commands."
-      "1": "The table Students and all of its content will be deleted.",
+            }
-      "2": "The input deletes all students with the name Robert.",
+        },
-      "3": "The database registers 'Robert' and deletes the table afterwards.",
+        {
-      "4": "The database registers 'Robert' ); DROP TABLE Students;--'."
+            "text": "What happens if a person with malicious intent enters the following input into a registration form that uses a prepared statement? Input: Robert); DROP TABLE Students;--",
-    }
+            "solutions": {
-  }]
+                "1": "The Students table and all its data will be deleted.",
+                "2": "The input deletes all students named Robert.",
+                "3": "The database registers Robert and then deletes the table.",
+                "4": "The database treats the entire input as a plain string: Robert); DROP TABLE Students;-- without executing it as SQL."
+            }
+        }
+    ]
 }

src/main/resources/lessons/xss/js/questions_cross_site_scripting.json

@@ -1,19 +1,19 @@
 {
   "questions": [{
-    "text": "Are trusted websites immune to XSS attacks?",
+    "text": "Is a well known website, like Netflix, immune to XSS attacks?",
     "solutions": {
-      "1": "Yes they are safe because the browser checks the code before executing.",
+      "1": "Yes, they are safe because the browser checks the code before executing.",
-      "2": "Yes because Google has got an algorithm that blocks malicious code.",
+      "2": "Yes, because Google has got an algorithm that blocks malicious code.",
-      "3": "No because the script that is executed will break through the defense algorithm of the browser.",
+      "3": "No, because the script that is executed will break through the defense algorithm of the browser.",
-      "4": "No because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
+      "4": "No, because the browser trusts the website if it is acknowledged trusted, then the browser does not know that the script is malicious."
     }
   }, {
     "text": "When do XSS attacks occur?",
     "solutions": {
-      "1": "Data enters a web application through a trusted source.",
+      "1": "When malicious scripts are injected into a website's server-side code.",
-      "2": "Data enters a browser application through the website.",
+      "2": "When a user submits sensitive information without encryption.",
-      "3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.",
+      "3": "When a website fails to validate or sanitize user input, allowing malicious scripts to be executed in a user's browser.",
-      "4": "The data is excluded in static content that way it is sent without being validated."
+      "4": "When a website uses outdated SSL/TLS protocols."
     }
   }, {
     "text": "What are Stored XSS attacks?",
@@ -27,17 +27,17 @@
     "text": "What are Reflected XSS attacks?",
     "solutions": {
       "1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.",
-      "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.",
+      "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the response.",
       "3": "Reflected attacks reflect from the firewall off to the database where the user requests information from.",
       "4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user."
     }
   }, {
     "text": "Is JavaScript the only way to perform XSS attacks?",
     "solutions": {
-      "1": "Yes you can only make use of tags through JavaScript.",
+      "1": "Yes, you can only make use of tags through JavaScript.",
-      "2": "Yes otherwise you cannot steal cookies.",
+      "2": "Yes, otherwise you cannot steal cookies.",
-      "3": "No there is ECMAScript too.",
+      "3": "No, there is ECMAScript too.",
-      "4": "No there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
+      "4": "No, there are many other ways. Like HTML, Flash or any other type of code that the browser executes."
     }
   }]
 }