Merge branch 'release/v8.0.0.M23'

v8.0.0.M22

.gitignore

@@ -44,5 +44,10 @@ webgoat-server/mongo-data/*
 webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 **/.sts4-cache/*
 **/.vscode/*
-
+**/.factorypath
 /.sonatype
+**/bin/*
+webgoat.lck
+webgoat.log
+webgoat.properties
+webgoat.script

.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.4/apache-maven-3.5.4-bin.zip

.travis.yml

@@ -2,7 +2,7 @@ services:
   - docker
 language: java
 jdk:
-- oraclejdk8
+- openjdk11
 install: "/bin/true"
 script:
 - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
@@ -28,12 +28,6 @@ deploy:
     on:
       repo: WebGoat/WebGoat
       tags: true
-  - provider: script
-    skip_cleanup: true
-    script: bash scripts/deploy-webgoat.sh
-    on:
-      repo: WebGoat/WebGoat
-      branch: develop
   - provider: releases
     skip_cleanup: true
     overwrite: true

CREATE_RELEASE.MD

@@ -13,17 +13,15 @@ At the moment we use Gitflow, for a release you create a new release branch and
 git checkout develop
 git flow release start <version>
 mvn versions:set <<version>  
-git commit -am "New release, updaing pom.xml" 
+git commit -am "New release, updating pom.xml" 
 git flow release publish
-```
+git push origin develop
-
+git push origin master
-Now we can make a new release, be sure you committed all your changes.
+git push --tags
-
-```
-git tag v8.0.0.M15
-git push origin v8.0.0.M15 
 ```
 
 Now Travis takes over and will create the release in Github and on Docker Hub.
 
+NOTE: the `mvn versions:set` command above is just there to make sure the master branch contains the latest version
+
 

README.MD

@@ -29,70 +29,47 @@ first thing that all hackers claim.*
 
 # Run Instructions:
 
-## 1. Run using Docker
+## 1. Standalone 
-
-From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
-[https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
-First install Docker, then open a command shell/window and type:
-
-```Shell
-docker pull webgoat/webgoat-8.0
-docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh 
-```
-
-If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a 
-folder on the host system as follows:
-
-```Shell
-docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
-```
-
-where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
-
-Wait for the Docker container to start, and run `docker ps` to verify it's running.
-
-- If you are using `docker-machine`, verify the machine IP using `docker-machine env`
-- If you are using `boot2docker` on OSX, verify the IP by running `docker network inspect bridge`
-- Otherwise, the host will be bound to localhost
-
-Once you have the IP and port, you'll want to navigate to the `/WebGoat` path in the URL. For example:
-
-```
-http://192.168.99.100:8080/WebGoat
-```
-
-Here you'll be able to register a new user and get started.
-
-_Please note: this version may not be completely in sync with the develop branch._
-
-## 2. Standalone 
 
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```Shell
-java -jar webgoat-server-<<version>>.jar
+java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
 ```
 
-By default WebGoat starts at port 8080 in order to change this use the following property:
+By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
+can bind it to a different address (default localhost)
+
+If you use Java 9 or higher you need to run WebGoat as follows:
 
 ```Shell
-java -jar webgoat-server-<<version>>.jar --server.port=9090
+java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
 ```
 
-You can specify one of the following arguments when starting WebGoat:
+## 2. Run using Docker
 
-```Shell
+Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
-java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
+
+### Using docker-compose
+
+The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml) 
+from our Github repository. This will start both containers and it also takes care of setting up the
+connection between WebGoat and WebWolf.
+
+```shell
+curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
 ```
 
-This will start WebGoat on a different port and/or different address.
+**Important**: the current directory on your host will be mapped into the container for keeping state.
+
+Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
 
 
 ## 3. Run from the sources
 
 ### Prerequisites:
 
-* Java 8
+* Java 11
 * Maven > 3.2.1
 * Your favorite IDE
 * Git, or Git support in your IDE
@@ -127,7 +104,7 @@ server.address=x.x.x.x
 
 # Vagrant
 
-We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
+We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
 
 ```shell
    $ cd WebGoat/webgoat-images/vagrant-training
@@ -135,7 +112,7 @@ We supply a complete development environment using Vagrant, to run WebGoat with
 ```
 
 Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
-The source code will be available in the home directory.
+WebGoat and WebWolf will automatically start when you login to this image.
 
 
 # Building a new Docker image

docker-compose-local.yml

@@ -0,0 +1,13 @@
+version: '2.1'
+
+services:
+  webgoat:
+    image: webgoat/webgoat-v8.0.0.snapshot
+    extends:
+      file: docker-compose.yml
+      service: webgoat
+  webwolf:
+    extends:
+      file: docker-compose.yml
+      service: webwolf
+    image: webgoat/webwolf-v8.0.0.snapshot

docker-compose-postgres.yml

@@ -6,11 +6,14 @@ services:
     user: webgoat
     environment:
       - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
       - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
       - spring.datasource.username=webgoat
       - spring.datasource.password=webgoat
       - spring.datasource.driver-class-name=org.postgresql.Driver
       - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+      - webgoat.server.directory=/home/webgoat/.webgoat/
+      - webgoat.user.directory=/home/webgoat/.webgoat/
     ports:
       - "8080:8080"
   webwolf:
@@ -22,10 +25,12 @@ services:
       - spring.datasource.driver-class-name=org.postgresql.Driver
       - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
     ports:
-      - "8081:8081"
+      - "9090:9090"
-  db:
+  webgoat_db:
-    container_name: webgoat_db
+    image: postgres:9.4
-    image: postgres:latest
+# Uncomment to store the state of the database on the host.
+#    volumes:
+#      - ./database:/var/lib/postgresql
     environment:
       - POSTGRES_PASSWORD=webgoat
       - POSTGRES_USER=webgoat

docker-compose.yml

@@ -5,24 +5,14 @@ services:
     image: webgoat/webgoat-8.0
     environment:
       - WEBWOLF_HOST=webwolf
-      - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
+      - WEBWOLF_PORT=9090
     ports:
       - "8080:8080"
-    depends_on:
+      - "9001:9001"
-      - db
+    volumes:
+      - .:/home/webgoat/.webgoat
   webwolf:
     image: webgoat/webwolf
-    environment:
-          - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
-      - "8081:8081"
+      - "9090:9090"
-    depends_on:
+    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
-      - db
-  db:
-    image: blacklabelops/hsqldb
-    container_name: webgoat_db
-    environment:
-      - HSQLDB_TRACE=false
-      - HSQLDB_SILENT=true
-      - HSQLDB_DATABASE_NAME=webgoat
-      - HSQLDB_DATABASE_ALIAS=webgoat

mvnw

@@ -0,0 +1,286 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Maven2 Start Up Batch script
+#
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+#   M2_HOME - location of maven2's installed home dir
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+  if [ -f /etc/mavenrc ] ; then
+    . /etc/mavenrc
+  fi
+
+  if [ -f "$HOME/.mavenrc" ] ; then
+    . "$HOME/.mavenrc"
+  fi
+
+fi
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true;;
+  Darwin*) darwin=true
+    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+    if [ -z "$JAVA_HOME" ]; then
+      if [ -x "/usr/libexec/java_home" ]; then
+        export JAVA_HOME="`/usr/libexec/java_home`"
+      else
+        export JAVA_HOME="/Library/Java/Home"
+      fi
+    fi
+    ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=`java-config --jre-home`
+  fi
+fi
+
+if [ -z "$M2_HOME" ] ; then
+  ## resolve links - $0 may be a link to maven's home
+  PRG="$0"
+
+  # need this for relative symlinks
+  while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+      PRG="$link"
+    else
+      PRG="`dirname "$PRG"`/$link"
+    fi
+  done
+
+  saveddir=`pwd`
+
+  M2_HOME=`dirname "$PRG"`/..
+
+  # make it fully qualified
+  M2_HOME=`cd "$M2_HOME" && pwd`
+
+  cd "$saveddir"
+  # echo Using m2 at $M2_HOME
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --unix "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME="`(cd "$M2_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+  # TODO classpath?
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="`which javac`"
+  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=`which readlink`
+    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+      if $darwin ; then
+        javaHome="`dirname \"$javaExecutable\"`"
+        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+      else
+        javaExecutable="`readlink -f \"$javaExecutable\"`"
+      fi
+      javaHome="`dirname \"$javaExecutable\"`"
+      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="`which java`"
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+  echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+
+  if [ -z "$1" ]
+  then
+    echo "Path not specified to find_maven_basedir"
+    return 1
+  fi
+
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ] ; do
+    if [ -d "$wdir"/.mvn ] ; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=`cd "$wdir/.."; pwd`
+    fi
+    # end of workaround
+  done
+  echo "${basedir}"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    echo "$(tr -s '\n' ' ' < "$1")"
+  fi
+}
+
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+  exit 1;
+fi
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Found .mvn/wrapper/maven-wrapper.jar"
+    fi
+else
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+    fi
+    jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
+    while IFS="=" read key value; do
+      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+      esac
+    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Downloading from: $jarUrl"
+    fi
+    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+
+    if command -v wget > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found wget ... using wget"
+        fi
+        wget "$jarUrl" -O "$wrapperJarPath"
+    elif command -v curl > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found curl ... using curl"
+        fi
+        curl -o "$wrapperJarPath" "$jarUrl"
+    else
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Falling back to using Java to download"
+        fi
+        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        if [ -e "$javaClass" ]; then
+            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Compiling MavenWrapperDownloader.java ..."
+                fi
+                # Compiling the Java class
+                ("$JAVA_HOME/bin/javac" "$javaClass")
+            fi
+            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                # Running the downloader
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Running MavenWrapperDownloader.java ..."
+                fi
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            fi
+        fi
+    fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+if [ "$MVNW_VERBOSE" = true ]; then
+  echo $MAVEN_PROJECTBASEDIR
+fi
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --path --windows "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+fi
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+exec "$JAVACMD" \
+  $MAVEN_OPTS \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"

mvnw.cmd

@@ -0,0 +1,161 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    http://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Maven2 Start Up Batch script
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
+if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
+FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO (
+	IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B 
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    echo Found %WRAPPER_JAR%
+) else (
+    echo Couldn't find %WRAPPER_JAR%, downloading it ...
+	echo Downloading from: %DOWNLOAD_URL%
+    powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"
+    echo Finished downloading %WRAPPER_JAR%
+)
+@REM End of extension
+
+%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
+if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%" == "on" pause
+
+if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
+
+exit /B %ERROR_CODE%

platformQuickStarts/GCP/GKE-Docker/deploy.cfg

@@ -0,0 +1,4 @@
+CURTAG=webgoat/webgoat-8.0
+DEST_TAG=gcr.io/astech-training/raging-wire-webgoat
+CLUSTER_NAME=raging-wire-webgoat
+PORT_NUM=8080

platformQuickStarts/GCP/GKE-Docker/gke-deploy-config.sh

@@ -0,0 +1,4 @@
+CURTAG=webgoat/webgoat-8.0
+DEST_TAG=gcr.io/your-gke-project/your-webgoat-tag
+CLUSTER_NAME=your-cluster-name
+PORT_NUM=8080

pom.xml

@@ -1,11 +1,12 @@
 <?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M15</version>
+    <version>v8.0.0.M23</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -20,7 +21,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.12.RELEASE</version>
+        <version>1.5.18.RELEASE</version>
     </parent>
 
     <licenses>
@@ -53,17 +54,17 @@
         <developer>
             <id>jwayman</id>
             <name>Jeff Wayman</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>dcowden</id>
             <name>Dave Cowden</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>lawson89</id>
             <name>Richard Lawson</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>dougmorato</id>
@@ -92,8 +93,8 @@
         <url>https://github.com/WebGoat/WebGoat</url>
         <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
         <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
-      <tag>HEAD</tag>
+        <tag>HEAD</tag>
-  </scm>
+    </scm>
 
     <issueManagement>
         <system>Github Issues</system>
@@ -106,9 +107,6 @@
     </ciManagement>
 
     <properties>
-        <maven.compiler.source>1.8</maven.compiler.source>
-        <maven.compiler.target>1.8</maven.compiler.target>
-
         <!-- Use UTF-8 Encoding -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
@@ -128,7 +126,7 @@
         <commons-digester.version>2.1</commons-digester.version>
         <commons-discovery.version>0.5</commons-discovery.version>
         <commons-fileupload.version>1.3.1</commons-fileupload.version>
-        <commons-io.version>2.4</commons-io.version>
+        <commons-io.version>2.6</commons-io.version>
         <commons-lang3.version>3.4</commons-lang3.version>
         <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
         <gatling.version>2.2.5</gatling.version>
@@ -140,30 +138,25 @@
         <jackson-core.version>2.6.3</jackson-core.version>
         <jackson-databind.version>2.6.3</jackson-databind.version>
         <javaee-api.version>6.0</javaee-api.version>
-        <javax.transaction-api.version>1.2</javax.transaction-api.version>
+        <javax.transaction-api.version>1.3</javax.transaction-api.version>
         <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
         <jtds.version>1.3.1</jtds.version>
         <junit.version>4.12</junit.version>
+        <lombok.version>1.18.4</lombok.version>
         <mail-api.version>1.5.4</mail-api.version>
-        <maven-compiler-plugin.version>3.3</maven-compiler-plugin.version>
+        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
-        <maven-failsafe-plugin.version>2.19</maven-failsafe-plugin.version>
+        <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
         <maven-jar-plugin.version>2.6</maven-jar-plugin.version>
         <maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version>
         <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
         <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
-        <maven-surefire-plugin.version>2.19</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
         <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
         <scala.version>2.11.7</scala.version>
         <sauce_junit.version>2.1.20</sauce_junit.version>
         <selenium-java.version>2.48.2</selenium-java.version>
         <spring.security.version>3.2.4.RELEASE</spring.security.version>
-        <standard.version>1.1.2</standard.version>
-        <tiles.version>3.0.5</tiles.version>
-        <tomcat-catalina.version>7.0.65</tomcat-catalina.version>
-        <tomcat7-maven-plugin.version>2.3-SNAPSHOT</tomcat7-maven-plugin.version>
-        <versioneye-maven-plugin.version>3.5.1</versioneye-maven-plugin.version>
-        <wsdl4j.version>1.6.3</wsdl4j.version>
     </properties>
 
     <modules>
@@ -199,103 +192,12 @@
         </pluginRepository>
     </pluginRepositories>
 
-    <profiles>
-        <profile>
-            <id>release</id>
-			<dependencies>
-                <dependency>
-                    <groupId>org.owasp.webgoat.lesson</groupId>
-                    <artifactId>dist</artifactId>
-                    <version>1.0</version>
-                    <type>zip</type>
-                    <scope>provided</scope>
-                    <classifier>plugins</classifier>
-                </dependency>
-            </dependencies>
-            <build>
-                <plugins>
-				    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-dependency-plugin</artifactId>
-                        <executions>
-                            <execution>
-                                <id>unpack-lesson</id>
-                                <goals>
-                                    <goal>unpack-dependencies</goal>
-                                </goals>
-                                <phase>generate-resources</phase>
-                                <configuration>
-                                    <outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory>
-                                    <includeArtifactIds>dist</includeArtifactIds>
-                                    <includes>*.jar</includes>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.sonatype.plugins</groupId>
-                        <artifactId>nexus-staging-maven-plugin</artifactId>
-                        <version>${nexus-staging-maven-plugin.version}</version>
-                        <extensions>true</extensions>
-                        <configuration>
-                            <serverId>ossrh</serverId>
-                            <nexusUrl>https://oss.sonatype.org/</nexusUrl>
-                            <autoReleaseAfterClose>false</autoReleaseAfterClose>
-                        </configuration>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-source-plugin</artifactId>
-                        <version>${maven-source-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <id>attach-sources</id>
-                                <goals>
-                                    <goal>jar-no-fork</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>${maven-javadoc-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <id>attach-javadocs</id>
-                                <goals>
-                                    <goal>jar</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-gpg-plugin</artifactId>
-                        <version>${maven-gpg-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <id>sign-artifacts</id>
-                                <phase>verify</phase>
-                                <goals>
-                                    <goal>sign</goal>
-                                </goals>
-                                <configuration>
-                                    <keyname>WebGoat</keyname>
-                                </configuration>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-    </profiles>
-
     <dependencies>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
             <scope>provided</scope>
+            <version>${lombok.version}</version>
             <optional>true</optional>
         </dependency>
         <dependency>
@@ -303,10 +205,25 @@
             <artifactId>commons-exec</artifactId>
             <version>1.3</version>
         </dependency>
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.0</version>
+        </dependency>
     </dependencies>
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${maven-compiler-plugin.version}</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                    <encoding>UTF-8</encoding>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-release-plugin</artifactId>
@@ -324,7 +241,7 @@
                 <artifactId>coveralls-maven-plugin</artifactId>
                 <version>${coveralls-maven-plugin.version}</version>
                 <configuration>
-                    <repoToken />
+                    <repoToken/>
                 </configuration>
             </plugin>
             <plugin>
@@ -332,22 +249,13 @@
                 <artifactId>cobertura-maven-plugin</artifactId>
                 <version>${cobertura-maven-plugin.version}</version>
                 <configuration>
-                    <check />
+                    <check/>
                     <format>xml</format>
                     <maxmem>256m</maxmem>
                     <!-- aggregated reports for multi-module projects -->
                     <aggregate>true</aggregate>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>com.versioneye</groupId>
-                <artifactId>versioneye-maven-plugin</artifactId>
-                <version>${versioneye-maven-plugin.version}</version>
-                <configuration>
-                    <apiKey>a1e4a9da4ed34ee44cab</apiKey>
-                    <projectId>562da95be346d7000e0369ac</projectId>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
 

scripts/build-all.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+cd ..
+
+nc -zv 127.0.0.1 8080 2>/dev/null
+SUCCESS=$?
+nc -zv 127.0.0.1 9090 2>/dev/null
+SUCCESS=${SUCCESS}$?
+
+if [[ "${SUCCESS}" -eq 0 ]] ; then
+  echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
+  exit 127
+fi
+
+
+sh mvnw clean install
+if [[ "$?" -ne 0 ]] ; then
+  exit y$?
+fi
+
+cd -
+sh build_docker.sh
+if [[ "$?" -ne 0 ]] ; then
+  exit y$?
+fi
+
+while true; do
+    read -p "Do you want to run docker-compose?" yn
+    case ${yn} in
+        [Yy]* ) sh clean-run-docker-compose.sh; break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done

scripts/build_docker.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+WEBGOAT_HOME=$(pwd)/../
+
+cd "${WEBGOAT_HOME}"/webgoat-server
+docker build -t webgoat/webgoat-v8.0.0.snapshot .
+
+cd "${WEBGOAT_HOME}"/webwolf
+docker build -t webgoat/webwolf-v8.0.0.snapshot .
+

scripts/clean-run-docker-compose.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+cd ..
+docker-compose rm -f
+docker-compose -f docker-compose-local.yml up

scripts/deploy-webgoat.sh

@@ -6,14 +6,14 @@ export REPO=webgoat/webgoat-8.0
 cd webgoat-server
 ls target/
 
-if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${TRAVIS_TAG}" ]; then
   # If we push a tag to master this will update the LATEST Docker image and tag with the version number
   docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
   docker push $REPO
-elif [ ! -z "${TRAVIS_TAG}" ]; then
+#elif [ ! -z "${TRAVIS_TAG}" ]; then
-  # Creating a tag build we push it to Docker with that tag
+#  # Creating a tag build we push it to Docker with that tag
-  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
+#  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
-  docker push $REPO
+#  docker push $REPO
 #elif [ "${BRANCH}" == "develop" ]; then
 #  docker build -f Dockerfile -t $REPO:snapshot .
 #  docker push $REPO
@@ -27,14 +27,10 @@ cd ..
 cd webwolf
 ls target/
 
-if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
+if [ ! -z "${TRAVIS_TAG}" ]; then
   # If we push a tag to master this will update the LATEST Docker image and tag with the version number
   docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
   docker push $REPO
-elif [ ! -z "${TRAVIS_TAG}" ]; then
-  # Creating a tag build we push it to Docker with that tag
-  docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
-  docker push $REPO
 else
   echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
 fi

scripts/run-docker-compose.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+cd ..
+docker-compose up

scripts/start.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+DATABASE_PORT=9001
+
+checkDatabaseAvailable(){
+
+  #for i in $(seq 1 5); do command && s=0 && break || s=$? && sleep 15; done; (exit $s)
+  local started = $(netstat -lnt | grep ${DATABASE_PORT})
+  echo $?
+}
+
+#java -Djava.security.egd=file:/dev/./urandom -jar home/webgoat/webgoat.jar --server.address=0.0.0.0
+$(checkDatabaseAvailable)
+
+
+#java -Djava.security.egd=file:/dev/./urandom -jar /home/webwolf/webwolf.jar --server.port=9090 --server.address=0.0.0.0
+
+

webgoat-container/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <profiles>
@@ -64,16 +64,6 @@
                     <useDefaultDelimiters>false</useDefaultDelimiters>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>${maven-compiler-plugin.version}</version>
-                <configuration>
-                    <source>1.8</source>
-                    <target>1.8</target>
-                    <encoding>ISO-8859-1</encoding>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
@@ -191,7 +181,9 @@
             <artifactId>junit</artifactId>
             <version>${junit.version}</version>
             <type>jar</type>
+            <scope>test</scope>
         </dependency>
+
         <!-- ************* END: Dependencies for Unit and Integration Testing ************** -->
         <!-- ************* END: <dependencies> ************** -->
     </dependencies>

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
                     StringWriter writer = new StringWriter();
                     JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
                     extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+                    extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
                     extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 
                     asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
         HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
         String ip = request.getRemoteAddr();
         String hostname = StringUtils.hasText(ip) ? ip : host;
-        return "http://" + hostname + ":" + port + "/WebWolf";
+        return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
+    }
+
+    protected boolean includeWebWolfContext() {
+        return true;
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java

@@ -0,0 +1,20 @@
+package org.owasp.webgoat.asciidoc;
+
+import java.util.Map;
+
+/**
+ * Usage in asciidoc:
+ * <p>
+ * webWolfLink:here[] will display a href with here as text
+ * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ */
+public class WebWolfRootMacro extends WebWolfMacro {
+
+    public WebWolfRootMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    protected boolean includeWebWolfContext() {
+        return false;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java

@@ -232,7 +232,7 @@ public class CreateDB {
 
         // Create the new table
         try {
-            String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key,"
+            String createTableStatement = "CREATE TABLE user_system_data (" + "userid int not null primary key,"
                     + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")";
             statement.executeUpdate(createTableStatement);
         } catch (SQLException e) {
@@ -240,11 +240,11 @@ public class CreateDB {
         }
 
         // Populate
-        String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')";
+        String insertData1 = "INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '')";
-        String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')";
+        String insertData2 = "INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '')";
-        String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')";
+        String insertData3 = "INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '')";
-        String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')";
+        String insertData4 = "INSERT INTO user_system_data VALUES (104,'jeff','jeff', '')";
-        String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')";
+        String insertData5 = "INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '')";
         statement.executeUpdate(insertData1);
         statement.executeUpdate(insertData2);
         statement.executeUpdate(insertData3);

webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java

@@ -4,6 +4,7 @@ import lombok.Getter;
 import lombok.Setter;
 
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
 /**
@@ -16,6 +17,7 @@ public class UserForm {
 
     @NotNull
     @Size(min=6, max=20)
+    @Pattern(regexp = "[a-zA-Z0-9-]*", message = "can only contain letters, digits, and -")
     private String username;
     @NotNull
     @Size(min=6, max=10)

webgoat-container/src/main/resources/application.properties

@@ -37,7 +37,7 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
 
 webwolf.host=${WEBWOLF_HOST:localhost}
-webwolf.port=${WEBWOLF_PORT:8081}
+webwolf.port=${WEBWOLF_PORT:9090}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
 webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
 webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail

webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js

@@ -79,6 +79,7 @@ define(['jquery',
                     this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
                     this.lessonContentView.navToPage(pageNum);
                     this.lessonHintView.hideHints();
+                    this.lessonHintView.showFirstHint();
                     //this.lessonHintView.selectHints();
                     this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
                     return;
@@ -160,7 +161,7 @@ define(['jquery',
                 }
                 //
                 this.lessonHintView.render();
-                if (this.lessonHintView.getHintsCount > 0) {
+                if (this.lessonHintView.getHintsCount() > 0) {
                     this.helpControlsView.showHintsButton();
                 } else {
                     this.helpControlsView.hideHintsButton();

webgoat-container/src/main/resources/static/js/goatApp/model/LessonContentModel.js

@@ -32,7 +32,11 @@ define(['jquery',
             }
             this.set('content',content);
             this.set('lessonUrl',document.URL.replace(/\.lesson.*/,'.lesson'));
-            this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
+            if (/.*\.lesson\/(\d{1,4})$/.test(document.URL)) {
+                this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
+            } else {
+                this.set('pageNum',0);
+            }
             this.trigger('content:loaded',this,loadHelps);
         },
 

webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js

@@ -32,21 +32,19 @@ function($,
 
         toggleLabel: function() {
             if (this.isVisible()) {
-                $('show-hints-button').text('Hide hints');
+                $('#show-hints-button').text('Hide hints');
             } else {
-                $('show-hints-button').text('Show hints');
+                $('#show-hints-button').text('Show hints');
             }
         },
 
 		render:function() {
 			if (this.isVisible()) {
-				this.$el.hide(350);
+				this.$el.hide(350, this.toggleLabel.bind(this));
 			} else if (this.hintsToShow.length > 0) {
-				this.$el.show(350);
+				this.$el.show(350, this.toggleLabel.bind(this));
 			}
 
-            this.toggleLabel()
-
 			if (this.hintsToShow.length > 0) {
 				this.hideShowPrevNextButtons();
 			}
@@ -90,9 +88,9 @@ function($,
 
 		hideHints: function() {
 			if (this.$el.is(':visible')) {
-				this.$el.hide(350);
+				this.$el.hide(350, this.toggleLabel.bind(this));
 			}
-		},			
+        },
 
 		showNextHint: function() {
 			this.curHint = (this.curHint < this.hintsToShow.length -1) ? this.curHint+1 : this.curHint;
@@ -106,6 +104,12 @@ function($,
 			this.displayHint(this.curHint);
 		},
 
+        showFirstHint: function() {
+            this.curHint = 0;
+            this.hideShowPrevNextButtons();
+            this.displayHint(this.curHint);
+        },
+
 		displayHint: function(curHint) {
             if(this.hintsToShow.length == 0) {
                // this.hideHints();

webgoat-container/src/main/resources/templates/list_users.html

@@ -123,8 +123,9 @@
     <section class="main-content-wrapper">
         <section id="main-content"> <!--ng-controller="goatLesson"-->
             <div id="lesson-page" class="pages">
-                <span th:text="${numUsers}"> Users in WebGoat</span>
+                <span th:text="${numUsers}"></span>
-                <!-- iterate over users below -->su
+                <span> Users in WebGoat</span>
+
                 <div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">
                     <h3>WebGoat Users</h3>
                     <div th:each="user : ${allUsers}">

webgoat-images/vagrant-training/Vagrantfile

@@ -3,7 +3,7 @@
 Vagrant.configure(2) do |config|
   config.vm.box = "ubuntu/trusty64"
   config.vm.network :forwarded_port, guest: 8080, host: 8080
-  config.vm.network :forwarded_port, guest: 8081, host: 8081
+  config.vm.network :forwarded_port, guest: 9090, host: 9090
   config.vm.provider "virtualbox" do |vb|
   	vb.gui = false
   	vb.memory = "4096"
@@ -19,17 +19,17 @@ Vagrant.configure(2) do |config|
   end
 
   config.vm.provision "shell", inline: <<-SHELL
-    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar
+    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webgoat-server-8.0.0.M21.jar
-    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar
+    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M21/webwolf-8.0.0.M21.jar
     sudo add-apt-repository ppa:openjdk-r/ppa
     sudo apt-get update
     sudo apt-get install openjdk-8-jre -y
     SHELL
 
   config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL
-    java -jar webgoat-server-8.0.0.RELEASE.jar &
+    java -jar webgoat-server-8.0.0.M21.jar --server.address=0.0.0.0 &
     sleep 40s
-    java -jar webwolf-8.0.0.RELEASE.jar
+    java -jar webwolf-8.0.0.M21.jar --server.address=0.0.0.0 &
     SHELL
 
 end

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
 </project>

webgoat-lessons/auth-bypass/src/main/java/org/owasp/webgoat/plugin/AccountVerificationHelper.java

@@ -58,7 +58,7 @@ public class AccountVerificationHelper {
             return false;
         }
 
-        if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("seQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
+        if (submittedQuestions.containsKey("secQuestion1") && !submittedQuestions.get("secQuestion1").equals(secQuestionStore.get(verifyUserId).get("secQuestion1"))) {
             return false;
         }
 

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 </project>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
 

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java

@@ -11,7 +11,5 @@ public interface SolutionConstants {
     //TODO should be random generated when starting the server
     String PASSWORD = "!!webgoat_admin_1234!!";
     String PASSWORD_TOM = "thisisasecretfortomonly";
-    String PASSWORD_LARRY = "larryknows";
-    String JWT_PASSWORD = "victory";
     String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java

@@ -1,150 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.beust.jcommander.internal.Lists;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
-import com.google.common.io.Files;
-import lombok.SneakyThrows;
-import lombok.extern.slf4j.Slf4j;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.Flag;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.annotation.PostConstruct;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.stream.XMLInputFactory;
-import javax.xml.stream.XMLStreamReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.StringReader;
-import java.nio.charset.Charset;
-import java.util.Collection;
-import java.util.Map;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import static org.springframework.web.bind.annotation.RequestMethod.GET;
-import static org.springframework.web.bind.annotation.RequestMethod.POST;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@AssignmentPath("/challenge/3")
-@Slf4j
-public class Assignment3 extends AssignmentEndpoint {
-
-    @Value("${webgoat.server.directory}")
-    private String webGoatHomeDirectory;
-    @Autowired
-    private WebSession webSession;
-    private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
-
-    private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap();
-    private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
-    private static final String secretContents = "Congratulations you may now collect your flag";
-
-    static {
-        comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
-    }
-
-    @PostConstruct
-    @SneakyThrows
-    public void copyFile() {
-        File targetDirectory = new File(webGoatHomeDirectory);
-        if (!targetDirectory.exists()) {
-            targetDirectory.mkdir();
-        }
-        log.info("Copied secret.txt to: {}", targetDirectory);
-        Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
-    }
-
-    @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public Collection<Comment> retrieveComments() {
-        Collection<Comment> allComments = Lists.newArrayList();
-        Collection<Comment> xmlComments = userComments.get(webSession.getUserName());
-        if (xmlComments != null) {
-            allComments.addAll(xmlComments);
-        }
-        allComments.addAll(comments);
-        return allComments;
-    }
-
-    @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
-        Comment comment = null;
-        AttackResult attackResult = failed().build();
-        if (APPLICATION_JSON_VALUE.equals(contentType)) {
-            comment = parseJson(commentStr);
-            comment.setDateTime(DateTime.now().toString(fmt));
-            comment.setUser(webSession.getUserName());
-            comments.add(comment);
-        }
-        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
-            //Do not show these comments to all users
-            comment = parseXml(commentStr);
-            comment.setDateTime(DateTime.now().toString(fmt));
-            comment.setUser(webSession.getUserName());
-            EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
-            comments.add(comment);
-            userComments.put(webSession.getUserName(), comments);
-        }
-        if (checkSolution(comment)) {
-            attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build();
-        }
-        return attackResult;
-    }
-
-    private boolean checkSolution(Comment comment) {
-        if (comment.getText().contains(secretContents)) {
-            comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack ");
-            comments.add(comment);
-            return true;
-        }
-        return false;
-    }
-
-    public static Comment parseXml(String xml) throws Exception {
-        JAXBContext jc = JAXBContext.newInstance(Comment.class);
-
-        XMLInputFactory xif = XMLInputFactory.newFactory();
-        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
-        xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
-
-        xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
-        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
-
-        Unmarshaller unmarshaller = jc.createUnmarshaller();
-        return (Comment) unmarshaller.unmarshal(xsr);
-    }
-
-    private Comment parseJson(String comment) {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            return mapper.readValue(comment, Comment.class);
-        } catch (IOException e) {
-            return new Comment();
-        }
-    }
-
-
-}
-

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java

@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge3 extends NewLesson {
-
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
-
-    @Override
-    public List<String> getHints() {
-        return Lists.newArrayList();
-    }
-
-    @Override
-    public Integer getDefaultRanking() {
-        return 10;
-    }
-
-    @Override
-    public String getTitle() {
-        return "challenge3.title";
-    }
-
-    @Override
-    public String getId() {
-        return "Challenge3";
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java

@@ -1,24 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
-import lombok.Setter;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@Getter
-@Setter
-@AllArgsConstructor
-@NoArgsConstructor
-@XmlRootElement
-public class Comment {
-    private String user;
-    private String dateTime;
-    private String text;
-}
-

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java

@@ -1,17 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-
-/**
- * @author nbaars
- * @since 5/3/17.
- */
-@AssignmentPath("/challenge/4")
-@Slf4j
-public class Assignment4 extends AssignmentEndpoint {
-
-    //just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here
-
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java

@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge4 extends NewLesson {
-
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
-
-    @Override
-    public List<String> getHints() {
-        return Lists.newArrayList();
-    }
-
-    @Override
-    public Integer getDefaultRanking() {
-        return 10;
-    }
-
-    @Override
-    public String getTitle() {
-        return "challenge4.title";
-    }
-
-    @Override
-    public String getId() {
-        return "Challenge4";
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java

@@ -1,16 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-/**
- * @author nbaars
- * @since 4/30/17.
- */
-public class Views {
-    interface GuestView {
-    }
-
-    interface UserView extends GuestView {
-    }
-
-    interface AdminView extends UserView {
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Vote.java

@@ -1,49 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.fasterxml.jackson.annotation.JsonView;
-import lombok.Getter;
-import lombok.Setter;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@Getter
-public class Vote {
-    @JsonView(Views.GuestView.class)
-    private final String title;
-    @JsonView(Views.GuestView.class)
-    private final String information;
-    @JsonView(Views.GuestView.class)
-    private final String imageSmall;
-    @JsonView(Views.GuestView.class)
-    private final String imageBig;
-    @JsonView(Views.UserView.class)
-    private int numberOfVotes;
-    @JsonView(Views.AdminView.class)
-    @Setter
-    private String flag;
-    @JsonView(Views.UserView.class)
-    private boolean votingAllowed = true;
-    @JsonView(Views.UserView.class)
-    private long average = 0;
-
-
-    public Vote(String title, String information, String imageSmall, String imageBig, int numberOfVotes, int totalVotes) {
-        this.title = title;
-        this.information = information;
-        this.imageSmall = imageSmall;
-        this.imageBig = imageBig;
-        this.numberOfVotes = numberOfVotes;
-        this.average = calculateStars(totalVotes);
-    }
-
-    public void incrementNumberOfVotes(int totalVotes) {
-        this.numberOfVotes = this.numberOfVotes + 1;
-        this.average = calculateStars(totalVotes);
-    }
-
-    private long calculateStars(int totalVotes) {
-        return Math.round(((double) numberOfVotes / (double) totalVotes) * 4);
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/VotesEndpoint.java

@@ -1,124 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Maps;
-import io.jsonwebtoken.*;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.converter.json.MappingJacksonValue;
-import org.springframework.web.bind.annotation.*;
-
-import javax.annotation.PostConstruct;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletResponse;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
-import static java.util.Comparator.comparingLong;
-import static java.util.Optional.ofNullable;
-import static java.util.stream.Collectors.toList;
-import static org.owasp.webgoat.plugin.Flag.FLAGS;
-import static org.owasp.webgoat.plugin.SolutionConstants.JWT_PASSWORD;
-
-/**
- * @author nbaars
- * @since 4/23/17.
- */
-@RestController
-@RequestMapping("/votings")
-public class VotesEndpoint {
-
-    private static String validUsers = "TomJerrySylvester";
-
-    private static int totalVotes = 38929;
-    private Map<String, Vote> votes = Maps.newHashMap();
-
-    @PostConstruct
-    public void initVotes() {
-        votes.put("Admin lost password", new Vote("Admin lost password",
-                "In this challenge you will need to help the admin and find the password in order to login",
-                "challenge1-small.png", "challenge1.png", 36000, totalVotes));
-        votes.put("Vote for your favourite",
-                new Vote("Vote for your favourite",
-                        "In this challenge ...",
-                        "challenge5-small.png", "challenge5.png", 30000, totalVotes));
-        votes.put("Get it for free",
-                new Vote("Get it for free",
-                        "The objective for this challenge is to buy a Samsung phone for free.",
-                        "challenge2-small.png", "challenge2.png", 20000, totalVotes));
-        votes.put("Photo comments",
-                new Vote("Photo comments",
-                        "n this challenge you can comment on the photo you will need to find the flag somewhere.",
-                        "challenge3-small.png", "challenge3.png", 10000, totalVotes));
-    }
-
-    @GetMapping("/login")
-    public void login(@RequestParam("user") String user, HttpServletResponse response) {
-        if (validUsers.contains(user)) {
-            Map<String, Object> claims = Maps.newHashMap();
-            claims.put("admin", "false");
-            claims.put("user", user);
-            String token = Jwts.builder()
-                    .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
-                    .setClaims(claims)
-                    .signWith(SignatureAlgorithm.HS512, JWT_PASSWORD)
-                    .compact();
-            Cookie cookie = new Cookie("access_token", token);
-            response.addCookie(cookie);
-            response.setStatus(HttpStatus.OK.value());
-        } else {
-            Cookie cookie = new Cookie("access_token", "");
-            response.addCookie(cookie);
-            response.setStatus(HttpStatus.UNAUTHORIZED.value());
-        }
-    }
-
-    @GetMapping
-    public MappingJacksonValue getVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
-        MappingJacksonValue value = new MappingJacksonValue(votes.values().stream().sorted(comparingLong(Vote::getAverage).reversed()).collect(toList()));
-        if (StringUtils.isEmpty(accessToken)) {
-            value.setSerializationView(Views.GuestView.class);
-        } else {
-            try {
-                Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
-                Claims claims = (Claims) jwt.getBody();
-                String user = (String) claims.get("user");
-                boolean isAdmin = Boolean.valueOf((String) claims.get("admin"));
-                if ("Guest".equals(user) || !validUsers.contains(user)) {
-                    value.setSerializationView(Views.GuestView.class);
-                } else {
-                    ((Collection<Vote>) value.getValue()).forEach(v -> v.setFlag(FLAGS.get(4)));
-                    value.setSerializationView(isAdmin ? Views.AdminView.class : Views.UserView.class);
-                }
-            } catch (JwtException e) {
-                value.setSerializationView(Views.GuestView.class);
-            }
-        }
-        return value;
-    }
-
-    @PostMapping(value = "{title}")
-    @ResponseBody
-    @ResponseStatus(HttpStatus.ACCEPTED)
-    public ResponseEntity<?> vote(@PathVariable String title, @CookieValue(value = "access_token", required = false) String accessToken) {
-        if (StringUtils.isEmpty(accessToken)) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-        } else {
-            try {
-                Jwt jwt = Jwts.parser().setSigningKey(JWT_PASSWORD).parse(accessToken);
-                Claims claims = (Claims) jwt.getBody();
-                String user = (String) claims.get("user");
-                if (validUsers.contains(user)) {
-                    ofNullable(votes.get(title)).ifPresent(v -> v.incrementNumberOfVotes(totalVotes));
-                    return ResponseEntity.accepted().build();
-                } else {
-                    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-                }
-            } catch (JwtException e) {
-                return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-            }
-        }
-    }
-}

webgoat-lessons/challenge/src/main/resources/css/challenge3.css

@@ -1,75 +0,0 @@
-/* Component: Posts */
-.post .post-heading {
-    height: 95px;
-    padding: 20px 15px;
-}
-.post .post-heading .avatar {
-    width: 60px;
-    height: 60px;
-    display: block;
-    margin-right: 15px;
-}
-.post .post-heading .meta .title {
-    margin-bottom: 0;
-}
-.post .post-heading .meta .title a {
-    color: black;
-}
-.post .post-heading .meta .title a:hover {
-    color: #aaaaaa;
-}
-.post .post-heading .meta .time {
-    margin-top: 8px;
-    color: #999;
-}
-.post .post-image .image {
-    width:20%;
-    height: 40%;
-}
-.post .post-description {
-    padding: 5px;
-}
-.post .post-footer {
-    border-top: 1px solid #ddd;
-    padding: 15px;
-}
-.post .post-footer .input-group-addon a {
-    color: #454545;
-}
-.post .post-footer .comments-list {
-    padding: 0;
-    margin-top: 20px;
-    list-style-type: none;
-}
-.post .post-footer .comments-list .comment {
-    display: block;
-    width: 100%;
-    margin: 20px 0;
-}
-.post .post-footer .comments-list .comment .avatar {
-    width: 35px;
-    height: 35px;
-}
-.post .post-footer .comments-list .comment .comment-heading {
-    display: block;
-    width: 100%;
-}
-.post .post-footer .comments-list .comment .comment-heading .user {
-    font-size: 14px;
-    font-weight: bold;
-    display: inline;
-    margin-top: 0;
-    margin-right: 10px;
-}
-.post .post-footer .comments-list .comment .comment-heading .time {
-    font-size: 12px;
-    color: #aaa;
-    margin-top: 0;
-    display: inline;
-}
-.post .post-footer .comments-list .comment .comment-body {
-    margin-left: 50px;
-}
-.post .post-footer .comments-list .comment > .comments-list {
-    margin-left: 50px;
-}

webgoat-lessons/challenge/src/main/resources/css/challenge4.css

@@ -1,12 +0,0 @@
-a.list-group-item {
-    height:auto;
-}
-a.list-group-item.active small {
-    color:#fff;
-}
-.stars {
-    margin:20px auto 1px;
-}
-.img-responsive {
-    min-width: 100%;
-}

webgoat-lessons/challenge/src/main/resources/html/Challenge3.html

@@ -1,72 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_3.adoc"></div>
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge3.css}"/>
-    <script th:src="@{/lesson_js/challenge3.js}" language="JavaScript"></script>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
-        <div class="container-fluid">
-            <div class="panel post">
-                <div class="post-heading">
-                    <div class="pull-left image">
-                        <img th:src="@{/images/avatar1.png}"
-                             class="img-circle avatar" alt="user profile image"/>
-                    </div>
-                    <div class="pull-left meta">
-                        <div class="title h5">
-                            <a href="#"><b>John Doe</b></a>
-                            uploaded a photo.
-                        </div>
-                        <h6 class="text-muted time">24 days ago</h6>
-                    </div>
-                </div>
-
-                <div class="post-image">
-                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
-                </div>
-
-                <div class="post-description">
-
-                </div>
-                <div class="post-footer">
-                    <div class="input-group">
-                        <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
-                        <span class="input-group-addon">
-                                <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
-                            </span>
-                    </div>
-                    <ul class="comments-list">
-                        <div id="list">
-                        </div>
-                    </ul>
-                </div>
-            </div>
-        </div>
-
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
-        </form>
-
-
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
-</html>

webgoat-lessons/challenge/src/main/resources/html/Challenge4.html

@@ -1,75 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div>
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge4.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
-    <script th:src="@{/lesson_js/challenge4.js}" language="JavaScript"></script>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <div class="container-fluid">
-
-            <div class="row">
-
-                <div class="well">
-                    <div class="pull-right">
-                        <div class="dropdown">
-                            <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle">
-                                <i class="fa fa-user"></i> <span class="caret"></span>
-                            </button>
-                            <ul class="dropdown-menu dropdown-menu-left">
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Guest')"
-                                                           th:text="Guest">current</a></li>
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Tom')"
-                                                           th:text="Tom">current</a></li>
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Jerry')"
-                                                           th:text="Jerry">current</a></li>
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Sylvester')"
-                                                           th:text="Sylvester">current</a></li>
-                            </ul>
-                        </div>
-                        <div>
-                            <p class="text-right">Welcome back, <b><span id="name"></span></b></p>
-                        </div>
-                    </div>
-
-                    <div>
-                        <h3>Vote for your favorite</h3>
-                    </div>
-                    <div id ="votesList" class="list-group">
-
-                    </div>
-                </div>
-            </div>
-        </div>
-
-        <br/>
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
-        </form>
-
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
-
-</html>

webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties

@@ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge
 challenge1.title=Admin lost password
 challenge2.title=Get it for free
 challenge3.title=Photo comments
-challenge4.title=Voting
 challenge5.title=Without password
 challenge6.title=Creating a new account
 challenge7.title=Admin password reset

webgoat-lessons/challenge/src/main/resources/js/challenge3.js

@@ -1,45 +0,0 @@
-$(document).ready(function () {
-    $("#postComment").on("click", function () {
-        var commentInput = $("#commentInput").val();
-        $.ajax({
-            type: 'POST',
-            url: 'challenge/3',
-            data: JSON.stringify({text: commentInput}),
-            contentType: "application/json",
-            dataType: 'json'
-        }).then(
-            function () {
-                getChallenges();
-                $("#commentInput").val('');
-            }
-        )
-    })
-
-    var html = '<li class="comment">' +
-        '<div class="pull-left">' +
-        '<img class="avatar" src="images/avatar1.png" alt="avatar"/>' +
-        '</div>' +
-        '<div class="comment-body">' +
-        '<div class="comment-heading">' +
-        '<h4 class="user">USER</h4>' +
-        '<h5 class="time">DATETIME</h5>' +
-        '</div>' +
-        '<p>COMMENT</p>' +
-        '</div>' +
-        '</li>';
-
-    getChallenges();
-
-    function getChallenges() {
-        $("#list").empty();
-        $.get("challenge/3", function (result, status) {
-            for (var i = 0; i < result.length; i++) {
-                var comment = html.replace('USER', result[i].user);
-                comment = comment.replace('DATETIME', result[i].dateTime);
-                comment = comment.replace('COMMENT', result[i].text);
-                $("#list").append(comment);
-            }
-
-        });
-    }
-})

webgoat-lessons/challenge/src/main/resources/js/challenge4.js

@@ -1,84 +0,0 @@
-$(document).ready(function () {
-    login('Guest');
-})
-
-function login(user) {
-    $("#name").text(user);
-    $.ajax({
-        url: "votings/login?user=" + user,
-        complete: function (result, status) {
-            getVotings();
-        }
-    });
-}
-
-var html = '<a href="#" class="list-group-item ACTIVE">' +
-    '<div class="media col-md-3">' +
-    '<figure> ' +
-    '<img class="media-object img-rounded" src="images/IMAGE_SMALL" alt="placehold.it/350x250"/>' +
-    '</figure>' +
-    '</div> ' +
-    '<div class="col-md-6">' +
-    '<h4 class="list-group-item-heading">TITLE</h4>' +
-    '<p class="list-group-item-text">INFORMATION</p>' +
-    '</div>' +
-    '<div class="col-md-3 text-center">' +
-    '<h2 HIDDEN_VIEW_VOTES>NO_VOTES' +
-    '<small HIDDEN_VIEW_VOTES> votes</small>' +
-    '</h2>' +
-    '<button type="button" id="TITLE" class="btn BUTTON btn-lg btn-block" onclick="vote(this.id)">Vote Now!</button>' +
-    '<div style="visibility:HIDDEN_VIEW_RATING;" class="stars"> ' +
-    '<span class="glyphicon glyphicon-star"></span>' +
-    '<span class="glyphicon glyphicon-star"></span>' +
-    '<span class="glyphicon glyphicon-star"></span>' +
-    '<span class="glyphicon glyphicon-star-empty"></span>' +
-    '</div>' +
-    '<p HIDDEN_VIEW_RATING>Average AVERAGE<small> /</small>4</p>' +
-    '</div>' +
-    '<div class="clearfix"></div>' +
-    '</a>';
-
-function getVotings() {
-    $("#votesList").empty();
-    $.get("votings/", function (result, status) {
-        for (var i = 0; i < result.length; i++) {
-            var voteTemplate = html.replace('IMAGE_SMALL', result[i].imageSmall);
-            if (i === 0) {
-                voteTemplate = voteTemplate.replace('ACTIVE', 'active');
-                voteTemplate = voteTemplate.replace('BUTTON', 'btn-default');
-            } else {
-                voteTemplate = voteTemplate.replace('ACTIVE', '');
-                voteTemplate = voteTemplate.replace('BUTTON', 'btn-primary');
-            }
-            voteTemplate = voteTemplate.replace(/TITLE/g, result[i].title);
-            voteTemplate = voteTemplate.replace('INFORMATION', result[i].information || '');
-            voteTemplate = voteTemplate.replace('NO_VOTES', result[i].numberOfVotes || '');
-            voteTemplate = voteTemplate.replace('AVERAGE', result[i].average || '');
-
-            var hidden = (result[i].numberOfVotes === undefined ? 'hidden' : '');
-            voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_VOTES/g, hidden);
-            hidden = (result[i].average === undefined ? 'hidden' : '');
-            voteTemplate = voteTemplate.replace(/HIDDEN_VIEW_RATING/g, hidden);
-
-            $("#votesList").append(voteTemplate);
-        }
-    })
-}
-
-function vote(title) {
-    var user = $("#name").text();
-    if (user === 'Guest') {
-        alert("As a guest you are not allowed to vote, please login first.")
-    } else {
-        $.ajax({
-            type: 'POST',
-            url: 'votings/' + title
-        }).then(
-            function () {
-                getVotings();
-            }
-        )
-    }
-}
-
-

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc

@@ -1 +0,0 @@
-Changing language can help you find the 'secret' file

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc

@@ -1 +0,0 @@
-Try to change to a different user, maybe you can find the flag?

webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java

@@ -1,161 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.plugin.Flag;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.MvcResult;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import javax.servlet.http.Cookie;
-
-import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@RunWith(MockitoJUnitRunner.class)
-public class VotesEndpointTest {
-
-    private MockMvc mockMvc;
-
-    @Before
-    public void setup() {
-        VotesEndpoint votesEndpoint = new VotesEndpoint();
-        votesEndpoint.initVotes();
-        new Flag().initFlags();
-        this.mockMvc = standaloneSetup(votesEndpoint).build();
-    }
-
-    @Test
-    public void loginWithUnknownUser() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "uknown"))
-                .andExpect(unauthenticated());
-    }
-
-    @Test
-    public void loginWithTomShouldGiveJwtToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token"));
-    }
-
-    @Test
-    public void loginWithGuestShouldNotGiveJwtToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Guest"))
-                .andExpect(unauthenticated()).andExpect(cookie().value("access_token", ""));
-    }
-
-    @Test
-    public void userShouldSeeMore() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings")
-                .cookie(mvcResult.getResponse().getCookie("access_token")))
-                .andExpect(jsonPath("$.[*].numberOfVotes").exists());
-    }
-
-    @Test
-    public void guestShouldNotSeeNumberOfVotes() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Guest"))
-                .andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings")
-                .cookie(mvcResult.getResponse().getCookie("access_token")))
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void adminShouldSeeFlags() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ.")))
-                .andExpect(jsonPath("$.[*].flag").isNotEmpty());
-    }
-
-    @Test
-    public void votingIsNotAllowedAsGuest() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free"))
-                .andExpect(unauthenticated());
-    }
-
-    @Test
-    public void normalUserShouldBeAbleToVote() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
-                .cookie(mvcResult.getResponse().getCookie("access_token")));
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(mvcResult.getResponse().getCookie("access_token")))
-                .andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001)));
-    }
-
-    @Test
-    public void votingForUnknownLessonShouldNotCrash() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
-                .cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted());
-    }
-
-    @Test
-    public void votingWithInvalidToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
-                .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
-    }
-
-    @Test
-    public void gettingVotesWithInvalidToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
-    }
-
-    @Test
-    public void gettingVotesWithUnknownUserInToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9.")))
-                .andExpect(unauthenticated())
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void gettingVotesForUnknownShouldWork() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
-                .andExpect(unauthenticated())
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0.")))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.[*].numberOfVotes").exists());
-    }
-
-    @Test
-    public void gettingVotesWithEmptyToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "")))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void votingAsUnknownUserShouldNotBeAllowed() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
-                .andExpect(unauthenticated());
-    }
-}

webgoat-lessons/client-side-filtering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
 </project>

webgoat-lessons/cross-site-scripting/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
     <build>
        <plugins>

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java

@@ -49,10 +49,7 @@ import org.owasp.encoder.*;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 import java.io.IOException;
-import java.util.ArrayList;
+import java.util.*;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
 
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
@@ -72,20 +69,19 @@ public class StoredXssComments extends AssignmentEndpoint {
         comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
         comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment,  calling webgoat.customjs.phoneHome() ?"));
+        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
     }
 
     @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
     @ResponseBody
     public Collection<Comment> retrieveComments() {
-        Collection<Comment> allComments = Lists.newArrayList();
+        List<Comment> allComments = Lists.newArrayList();
         Collection<Comment> newComments = userComments.get(webSession.getUserName());
+        allComments.addAll(comments);
         if (newComments != null) {
             allComments.addAll(newComments);
         }
-
+        Collections.reverse(allComments);
-        allComments.addAll(comments);
-
         return allComments;
     }
 

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -5,7 +5,7 @@ xss-reflected-5a-failure=Try again. We do want to see this specific javascript (
 xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
 xss-reflected-5b-failure=Nope, pretty easy to guess now though.
 xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
-xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
+xss-reflected-6a-failure=No, look at the example. Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc

@@ -4,7 +4,7 @@ You should have been able to execute script with the last example. At this point
 
 Why is that?
 
-That is because there is no link that would tigger that XSS.
+That is because there is no link that would trigger that XSS.
 You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
 
-link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111
+link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc

@@ -1,15 +1,15 @@
-== Ientify Potential for DOM-Based XSS
+== Identify Potential for DOM-Based XSS
 
 DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
-Look for a route that takes inputs that you can ID being 'reflected' to the page.
+Look for a route that takes inputs that are being 'reflected' to the page.
 
 For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
 Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
 
 Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
-it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is:
+it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
 *start.mvc#lesson/*
+The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
 
-The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
+So, what is the route for the test code that stayed in the app during production?
-
+To answer this question, you have to check the javascript source.
-So, what is test route for this test code?

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc

@@ -8,4 +8,4 @@ The function you want to execute is ...
 
 Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
 
-Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
+Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.

webgoat-lessons/csrf/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 </project>

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java

@@ -64,11 +64,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
 
     private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
         String referer = request.getHeader("referer");
-        String origin = request.getHeader("origin");
+        String host = request.getHeader("host");
         if (referer != null) {
-            return !referer.contains(origin);
+            return !referer.contains(host);
         } else {
-            return true; //this case referer is null or origin does not matter we cannot compare so we return true which should of course be false
+            return true;
         }
     }
 

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -20,7 +20,7 @@
           action="/WebGoat/csrf/basic-get-flag"
           enctype="application/json;charset=UTF-8">
         <input name="csrf" type="hidden" value="false"/>
-        <input type="submit" name="ubmit="/>
+        <input type="submit" name="submit"/>
 
     </form>
 

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc

@@ -16,9 +16,11 @@ the activities of the user.
 image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]
 
 {blank}
-For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper]
+For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper].
 
-In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user 
+In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack.
-based on your own username prefixed with csrf. So if your username is `tom` you must create
+Leave this tab open and in another tab create a user based on your own username prefixed with `csrf-`.
-a new user called `csrf-tom`
+So if your username is `tom` you must create a new user called `csrf-tom`.
 
+Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab.
+Because you are logged in as a different user, the attacker learns that you clicked the button.

webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java

@@ -46,7 +46,7 @@ public class CSRFFeedbackTest extends LessonTest {
         mockMvc.perform(post("/csrf/feedback/message")
                 .contentType(MediaType.TEXT_PLAIN)
                 .cookie(new Cookie("JSESSIONID", "test"))
-                .header("origin", "localhost:8080")
+                .header("host", "localhost:8080")
                 .header("referer", "webgoat.org")
                 .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
                 .andExpect(jsonPath("lessonCompleted", is(true)))

webgoat-lessons/html-tampering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <dependencies>

webgoat-lessons/html-tampering/src/main/resources/lessonPlans/en/HtmlTampering_Mitigation.adoc

@@ -1,6 +1,6 @@
 === Mitigation
 
-In this simple example you noticed that the price is calculated server side and send to the server. The server
+In this simple example you noticed that the price is calculated client-side and sent to the server. The server
 accepted the input as a given and did not calculate the price again. One of the mitigations in this case is to look up
 the price of the television in your database and calculate the total price again.
 

webgoat-lessons/http-basics/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
 </project>

webgoat-lessons/http-proxies/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <dependencies>

webgoat-lessons/http-proxies/src/main/resources/html/HttpProxies.html

@@ -3,36 +3,27 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
     <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
     </div>
 
-	<div class="lesson-page-wrapper">
+    <div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
 	</div>
 
     <div class="lesson-page-wrapper">
-        <!-- stripped down without extra comments -->
         <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro4.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro5.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
@@ -48,4 +39,8 @@
             <div class="attack-output"></div>
         </div>
     </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro6.adoc"></div>
+    </div>
 </html>

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro4.adoc

@@ -1,26 +1,25 @@
-=== Use the intercept
+=== Exclude WebGoat internal requests
 
-To intercept a request, you start by clicking the green button. This will set a break point for the next request.
+Before we start diving into intercepting requests with ZAP we need to exclude the internal requests from the WebGoat
+framework otherwise ZAP will also stop at all the requests which are only necessary for the internal working of WebGoat.
 
-image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+Right click on one of the links in history tab and select: `Exclude from -> Proxy`, see image below:
+
+image::images/zap_exclude.png[Select URL from history,style="lesson-image"]
+
+{nbsp}
+
+A new window will open and add the following entries:
+
+```
+http://localhost:8080/WebGoat/service/.*
+http://localhost:8080/WebGoat/.*.lesson.lesson
+```
+
+Click Ok to close the window, ZAP will now no longer proxy internal WebGoat requests.
 
 
-*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
+image::images/zap_exclude_url.png[Exclude internal APIs from WebGoat,style="lesson-image"]
-That's part of what hackers do ... explore!
 
-Once you are intercepting requests and a request is made, it should look something like this:
 
-image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
 
-=== Intercept and modify a request
-
-Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
-modify it as follows.
-
-* Change the Method to GET
-* Add a header 'x-request-intercepted:true'
-* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
-
-Then let the request continue through (by hitting the play button).
-
-NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro5.adoc

@@ -0,0 +1,26 @@
+=== Use the intercept
+
+To intercept a request, you start by clicking the green button. This will set a break point for the next request.
+
+image::images/proxy-intercept-button.png[Set break/intercept button,style="lesson-image"]
+
+
+*NOTE*: It is also possible set breakpoints that are triggered on conditions. That won't be covered in this lesson though. You are encouraged to explore.
+That's part of what hackers do ... explore!
+
+Once you are intercepting requests and a request is made, it should look something like this:
+
+image::images/proxy-intercept-details.png[ZAP history tab,style="lesson-image"]
+
+=== Intercept and modify a request
+
+Set up the intercept as noted above and then submit the form/request below by clicking the submit button. When you request is intercepted (hits the breakpoint),
+modify it as follows.
+
+* Change the Method to GET
+* Add a header 'x-request-intercepted:true'
+* Change the input value 'changeMe' to 'Requests are tampered easily' (without the single quotes)
+
+Then let the request continue through (by hitting the play button).
+
+NOTE: The two play buttons behave a little differently, but we'll let you tinker and figure that out for yourself.

webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro6.adoc

@@ -0,0 +1,29 @@
+=== Use the "Edit and resend" functionality in ZAP
+
+Another way to send a request again instead of clicking in WebGoat on a button and intercept the request there is also
+an option to resend the same request again from within ZAP.
+This may significantly help you to solve an assignment because you do not have to switch to ZAP enable the intercept button
+and go back to WebGoat and perform the request again from within the browser.
+
+Let's look at an example, we are going to use the e-mail example from the WebWolf introduction lesson. This lesson
+will generate a request for `/WebGoat/WebWolf/mail`, in the "History" window select the URL you want to resend right click
+on the URL and select `Open/Resend with Request Editor`. You can also find the request in the left pane of ZAP as indicated
+with the red arrow in the image below:
+
+image::images/zap_edit_and_resend.png[Open/Resend with Request Editor,style="lesson-image"]
+
+{nbsp}
+
+A new window will open and here you can modify the request for example change the e-mail address to someone else and send it again.
+In the response tab you can inspect the response of the request. In some assignments the response will show a solved message
+but sometimes you get a code/flag which you need to submit in WebGoat in order to complete the assignment. Always be on the
+lookout for the response. If you solved the assignment by make a request in this way WebGoat will automatically mark
+the lesson as solved.
+
+image::images/zap_edit_and_send.png[Open/Resend with Request Editor,style="lesson-image"]
+
+{nbsp}
+
+image::images/zap_edit_and_response.png[Open/Resend response,style="lesson-image"]
+
+

webgoat-lessons/idor/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
 </project>

webgoat-lessons/insecure-deserialization/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <dependencies>

webgoat-lessons/insecure-login/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <dependencies>

webgoat-lessons/jwt/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <dependencies>

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTSecretKeyEndpoint.java

@@ -1,6 +1,7 @@
 package org.owasp.webgoat.plugin;
 
 import com.google.common.collect.Lists;
+import io.jsonwebtoken.impl.TextCodec;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
@@ -23,7 +24,7 @@ import java.util.List;
 @AssignmentHints({"jwt-secret-hint1", "jwt-secret-hint2", "jwt-secret-hint3"})
 public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
 
-    public static final String JWT_SECRET = "victory";
+    public static final String JWT_SECRET = TextCodec.BASE64.encode("victory");
     private static final String WEBGOAT_USER = "WebGoat";
     private static final List<String> expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
 

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTVotesEndpoint.java

@@ -5,6 +5,7 @@ import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.impl.TextCodec;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
@@ -25,7 +26,6 @@ import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.Map;
-import java.util.concurrent.TimeUnit;
 
 import static java.util.Comparator.comparingLong;
 import static java.util.Optional.ofNullable;
@@ -39,7 +39,7 @@ import static java.util.stream.Collectors.toList;
 @AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
 public class JWTVotesEndpoint extends AssignmentEndpoint {
 
-    public static final String JWT_PASSWORD = "victory";
+    public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
     private static String validUsers = "TomJerrySylvester";
 
     private static int totalVotes = 38929;

webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_refresh.adoc

@@ -63,15 +63,15 @@ whether the location is still the same if not revoke all the tokens and let the
 === Need for refresh tokens
 
 Does it make sense to use a refresh token in a modern single page application (SPA)? As we have seen in the section
-about storing tokens there are two option: web storage or a cookie which mean a refresh token is right beside an
+about storing tokens there are two options: web storage or a cookie which mean a refresh token is right beside an
-access token, so if the access token is leaked changes are the refresh token will also be compromised. Most of the time
+access token, so if the access token is leaked chances are the refresh token will also be compromised. Most of the time
-there is a difference of course, the access token is send when you make an API call, the refresh token is only send
+there is a difference of course. The access token is sent when you make an API call, the refresh token is only sent
 when a new access token should be obtained, which in most cases is a different endpoint. If you end up on the same
-server you can chose to only use the access token.
+server you can choose to only use the access token.
 
 As stated above using an access token and a separate refresh token gives some leverage for the server not to check
 the access token over and over. Only perform the check when the user needs a new access token.
-It is certainly possible to only use an access token, at the server you store the exact same information you would
+It is certainly possible to only use an access token. At the server you store the exact same information you would
 store for a refresh token, see previous paragraph. This way you need to check the token each time but this might
 be suitable depending on the application. In the case the refresh tokens are stored for validation it is important to protect these tokens as well (at least
 use a hash function to store them in your database).

webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_weak_keys

@@ -9,5 +9,5 @@ dictionary attack is not feasible. Once you have a token you can start an offlin
 Given we have the following token try to find out secret key and submit a new key with the userId changed to WebGoat.
 
 ```
-eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.m-jSyfYEsVzD3CBI6N39wZ7AcdKdp_GiO7F_Ym12u-0
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJXZWJHb2F0IFRva2VuIEJ1aWxkZXIiLCJpYXQiOjE1MjQyMTA5MDQsImV4cCI6MTYxODkwNTMwNCwiYXVkIjoid2ViZ29hdC5vcmciLCJzdWIiOiJ0b21Ad2ViZ29hdC5jb20iLCJ1c2VybmFtZSI6IlRvbSIsIkVtYWlsIjoidG9tQHdlYmdvYXQuY29tIiwiUm9sZSI6WyJNYW5hZ2VyIiwiUHJvamVjdCBBZG1pbmlzdHJhdG9yIl19.vPe-qQPOt78zK8wrbN1TjNJj3LeX9Qbch6oo23RUJgM
 ```

webgoat-lessons/missing-function-ac/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
 </project>

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACYourHash.java

@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 @AssignmentPath("/access-control/user-hash")
 @AssignmentHints({"access-control.hash.hint1","access-control.hash.hint2","access-control.hash.hint3",
         "access-control.hash.hint4","access-control.hash.hint5","access-control.hash.hint6","access-control.hash.hint7",
-        "access-control.hash.hint8","access-control.hash.hint9"})
+        "access-control.hash.hint8","access-control.hash.hint9","access-control.hash.hint10","access-control.hash.hint11","access-control.hash.hint12"})
 public class MissingFunctionACYourHash extends AssignmentEndpoint {
 
     @Autowired

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/Users.java

@@ -1,6 +1,5 @@
 package org.owasp.webgoat.plugin;
 
-import com.sun.org.apache.xpath.internal.axes.HasPositionalPredChecker;
 import org.owasp.webgoat.assignments.Endpoint;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.UserSessionData;
@@ -13,9 +12,6 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
 import java.util.HashMap;
-import java.util.Map;
-
-import static javax.swing.UIManager.getString;
 
 public class Users extends Endpoint{
 
@@ -51,7 +47,7 @@ public class Users extends Endpoint{
                         userMap.put("cc", results.getString(3));
                         userMap.put("ccType", results.getString(4));
                         userMap.put("cookie", results.getString(5));
-                        userMap.put("loginCOunt",Integer.toString(results.getInt(6)));
+                        userMap.put("loginCount",Integer.toString(results.getInt(6)));
                         allUsersMap.put(id,userMap);
                     }
                     userSessionData.setValue("allUsers",allUsersMap);

webgoat-lessons/missing-function-ac/src/main/resources/i18n/WebGoatLabels.properties

@@ -11,12 +11,15 @@ access-control.hidden-menus.hint3=Look for something a super-user or administato
 access-control.hash.success=Congrats! You really succeeded when you added the user.
 access-control.hash.close=Keep trying, this one may take several attempts & steps to achieve. See the hints for help.
 
-access-control.hash.hint1=If you haven't found the hidden menus from the earlier exercise, go do that now.
+access-control.hash.hint1=There is an easier way and a 'harder' way to achieve this, the easier way involves one simple change in a GET request.
-access-control.hash.hint2=When you look at the users page, there is a hint that more info is viewable by a given role of user. 
+access-control.hash.hint2= If you haven't found the hidden menus from the earlier exercise, go do that first.
-access-control.hash.hint3=Have you tried tampering the GET request? Can you find supported or unsupported methods? Can you trigger 500 errors?
+access-control.hash.hint3=When you look at the users page, there is a hint that more info is viewable by a given role. 
-access-control.hash.hint4=There are actually two ways to solve this one. The first involves just changing a request header.
+access-control.hash.hint4=For the easy way, have you tried tampering the GET request? Different content-types?
-access-control.hash.hint5=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
+access-control.hash.hint5=For the 'easy' way, modify the GET request to /users to include 'Content-Type: application/json'
-access-control.hash.hint6=If you're still looking for hints ... try changing the Content-type header in the GET request.
+access-control.hash.hint6=Now for the harder way ... it builds on the easier way
-access-control.hash.hint7=The harder way involves changing the Content-type AND the method ... As well as a proper payload for the request.  Look at how registration works first and extrapolate out from there.
+access-control.hash.hint7=If the request to view users, were a 'service' or 'RESTful' endpoint, what would be different about it?
-access-control.hash.hint8=See if you can add a user with a webgoat admin role, and if more is visible once you log in as that user.
+access-control.hash.hint8=If you're still looking for hints ... try changing the Content-type header as in the GET request.
-access-control.hash.hint9=If you create a new user with the admin role ... The role should include 'WEBGOAT' and 'ADMIN' in the role name. You'll have to do some guessing beyond that.
+access-control.hash.hint9=You also need to deliver a proper payload for the request (look at how registration works). This should be formatted in line with the content-type you just defined.
+access-control.hash.hint10=You will want to add  WEBGOAT_ADMIN for the user's role. Yes, you'd have to guess/fuzz this in a real-world setting. 
+access-control.hash.hint11=OK, here it is. First, create an admin user ... Change the method to POST, change the content-type to "application/json". And your payload should look something like: {"username":"newUser2","password":"newUser12","matchingPassword":"newUser12","role":"WEBGOAT_ADMIN"}
+access-control.hash.hint12=Now log in as that user and bring up WebGoat/users. Copy your hash and log back in to your original account and input it there to get credit.

webgoat-lessons/password-reset/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <dependencies>

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/ResetLinkAssignment.java

@@ -62,7 +62,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
         resetLinks.add(resetLink);
         String host = request.getHeader("host");
         if (org.springframework.util.StringUtils.hasText(email)) {
-            if (email.equals(TOM_EMAIL) && host.contains("8081")) { //User indeed changed the host header.
+            if (email.equals(TOM_EMAIL) && host.contains("9090")) { //User indeed changed the host header.
                 userToTomResetLink.put(getWebSession().getUserName(), resetLink);
                 fakeClickingLinkEmail(host, resetLink);
             } else {

webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/plugin/SimpleMailAssignment.java

@@ -4,7 +4,6 @@ import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.PasswordResetEmail;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -14,8 +13,6 @@ import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestTemplate;
 
 import java.time.LocalDateTime;
-import java.util.Map;
-import java.util.Optional;
 
 import static java.util.Optional.ofNullable;
 
@@ -37,23 +34,10 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
 
     @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
     @ResponseBody
-    public AttackResult sendEmail(@RequestParam Map<String, Object> json) {
+    public AttackResult login(@RequestParam String email, @RequestParam String password) {
-        String email = (String) json.get("emailReset");
+        String emailAddress = ofNullable(email).orElse("unknown@webgoat.org");
-        if (StringUtils.isEmpty(email)) {
+        String username = extractUsername(emailAddress);
-            email = (String) json.getOrDefault("email", "unknown@webgoat.org");
-        }
-        String password = (String) json.getOrDefault("password", "");
-        int index = email.indexOf("@");
-        String username = email.substring(0, index == -1 ? email.length() : index);
 
-        if (StringUtils.isEmpty(password)) {
-            return sendEmail(username, email);
-        } else {
-            return checkPassword(password, username);
-        }
-    }
-
-    private AttackResult checkPassword(String password, String username) {
         if (username.equals(getWebSession().getUserName()) && StringUtils.reverse(username).equals(password)) {
             return trackProgress(success().build());
         } else {
@@ -61,6 +45,18 @@ public class SimpleMailAssignment extends AssignmentEndpoint {
         }
     }
 
+    @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/reset")
+    @ResponseBody
+    public AttackResult resetPassword(@RequestParam String emailReset) {
+        String email = ofNullable(emailReset).orElse("unknown@webgoat.org");
+        return sendEmail(extractUsername(email), email);
+    }
+
+    private String extractUsername(String email) {
+        int index = email.indexOf("@");
+        return email.substring(0, index == -1 ? email.length() : index);
+    }
+
     private AttackResult sendEmail(String username, String email) {
         if (username.equals(getWebSession().getUserName())) {
             PasswordResetEmail mailEvent = PasswordResetEmail.builder()

webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html

@@ -14,16 +14,18 @@
     <div class="attack-container">
         <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST"
-              action="/WebGoat/PasswordReset/simple-mail"
-              enctype="application/json;charset=UTF-8">
-            <div class="container-fluid">
 
-                <div class="row">
+        <div class="container-fluid">
-                    <div class="col-md-4">
+
+            <div class="row">
+                <div class="col-md-4">
+                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
+                          method="POST"
+                          action="/WebGoat/PasswordReset/simple-mail"
+                          enctype="application/json;charset=UTF-8">
                         <div style="padding: 20px;" id="password-login-2">
-                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i> Account
+                            <h4 style="border-bottom: 1px solid #c5c5c5;"><i class="glyphicon glyphicon-user"></i>
+                                Account
                                 Access</h4>
                             <fieldset>
                                 <div class="form-group input-group">
@@ -41,7 +43,8 @@
                                         Access
                                     </button>
                                     <p class="help-block">
-                                        <a class="pull-right text-muted" href="#" id="olvidado" onclick="showPasswordReset()">
+                                        <a class="pull-right text-muted" href="#" id="olvidado"
+                                           onclick="showPasswordReset()">
                                             <small>Forgot your password?</small>
                                         </a>
                                     </p>
@@ -49,6 +52,12 @@
                             </fieldset>
 
                         </div>
+                    </form>
+
+                    <form class="attack-form" accept-charset="UNKNOWN" novalidate="novalidate"
+                          method="POST"
+                          action="/WebGoat/PasswordReset/simple-mail/reset"
+                          enctype="application/json;charset=UTF-8">
                         <div style="display: none;" id="password-reset-2">
                             <h4 class="">Forgot your password?</h4>
 
@@ -69,10 +78,10 @@
                             </fieldset>
 
                         </div>
-                    </div>
+                    </form>
                 </div>
             </div>
-        </form>
+        </div>
         <br/>
 
         <br/>

webgoat-lessons/password-reset/src/main/resources/i18n/WebGoatLabels.properties

@@ -15,7 +15,7 @@ password-reset-not-solved=Sorry but you did not redirect the reset link to WebWo
 password-reset-hint1=Try to send a password reset link to your own account at {user}@webgoat.org, you can read this e-mail in WebWolf.
 password-reset-hint2=Look at the link, can you think how the server creates this link?
 password-reset-hint3=Tom clicks all the links he receives in his mailbox, you can use the landing page in WebWolf to get the reset link...
-password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:8081
+password-reset-hint4=The link points to localhost:8080/PasswordReset/.... can you change the host to localhost:9090?
 password-reset-hint5=Intercept the request and change the host header
 login_failed=Login failed
 login_failed.tom=Sorry only Tom can login at the moment

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc

@@ -14,5 +14,5 @@ The time out is necessary to restrict the attack window, having a link opens up
 
 Tom always resets his password immediately after receiving the email with the link.
 Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
-that password.
+that password. Note: it is not possible to use OWASP ZAP for this lesson.
 

webgoat-lessons/password-reset/src/main/resources/templates/password_reset.html

@@ -9,7 +9,7 @@
 <div class="container">
     <div class="row">
         <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
-            <form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}">
+            <form role="form" method="POST" action="/WebGoat/PasswordReset/reset/change-password" th:object="${form}" novalidate="novalidate">
                 <h2 class="sign_up_title">Reset your password</h2>
                     <div class="form-group" th:classappend="${#fields.hasErrors('password')}? 'has-error'">
                         <input type="hidden" name="resetLink" th:field="*{resetLink}" />

webgoat-lessons/pom.xml

@@ -5,12 +5,12 @@
     <groupId>org.owasp.webgoat.lesson</groupId>
     <artifactId>webgoat-lessons-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M15</version>
+    <version>v8.0.0.M23</version>
 
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M23</version>
     </parent>
 
     <modules>