New version

Changed introduction
Added test for XXE
2017-11-02 21:44:30 +01:00 · 2017-11-02 20:44:21 +01:00 · 2017-11-02 20:41:30 +01:00 · 2017-11-02 16:14:44 +01:00 · 2017-11-02 15:44:45 +01:00 · 2017-11-02 15:39:49 +01:00
59 changed files with 288 additions and 516 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -11,6 +11,15 @@ script:
 cache:
  directories:
  - "$HOME/.m2"
 before_deploy:
  - export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target
  - export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target
  - export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/
  - mkdir -p $WEBGOAT_ARTIFACTS_FOLDER
  - cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
  - cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
  - echo "Contents of artifacts folder:"
  - ls $WEBGOAT_ARTIFACTS_FOLDER
 deploy:
  - provider: script
    skip_cleanup: true
@ -25,10 +34,13 @@ deploy:
      repo: WebGoat/WebGoat
      branch: develop
  - provider: releases
    skip_cleanup: true
    overwrite: true
    api_key:
      #api-key from webgoat-github user
      secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
-    file: "webgoat-server/target/webgoat-server*.jar"
+    file_glob: true
    file: $WEBGOAT_ARTIFACTS_FOLDER/*
    on:
      repo: WebGoat/WebGoat
      tags: true
--- a/README.MD
+++ b/README.MD
@ -65,7 +65,7 @@ _Please note: this version may not be completely in sync with the develop branch
 Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 ```Shell
-java -jar webwolf-<<version>>.jar
+java -jar webgoat-server-<<version>>.jar
 ```
--- a/pom.xml
+++ b/pom.xml
@ -5,7 +5,7 @@
    <groupId>org.owasp.webgoat</groupId>
    <artifactId>webgoat-parent</artifactId>
    <packaging>pom</packaging>
-    <version>8.0.0.M1</version>
+    <version>8.0.0.M3</version>
    <name>WebGoat Parent Pom</name>
    <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@ -142,7 +142,6 @@
        <javaee-api.version>6.0</javaee-api.version>
        <javax.transaction-api.version>1.2</javax.transaction-api.version>
        <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
        <jstl.version>1.2</jstl.version>
        <jtds.version>1.3.1</jtds.version>
        <junit.version>4.12</junit.version>
        <mail-api.version>1.5.4</mail-api.version>
@ -296,8 +295,8 @@
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.16.10</version>
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
--- a/scripts/deploy-webgoat.sh
+++ b/scripts/deploy-webgoat.sh
@ -7,13 +7,11 @@ cd webgoat-server
 if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
  # If we push a tag to master this will update the LATEST Docker image and tag with the version number
-  docker build -f Dockerfile -t $REPO:latest .
+  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
  docker tag $REPO:${TRAVIS_TAG}
  docker push $REPO
 elif [ ! -z "${TRAVIS_TAG}" ]; then
  # Creating a tag build we push it to Docker with that tag
-  docker build -f Dockerfile -t $REPO:${TRAVIS_TAG} .
+  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} .
  docker tag $REPO:${TRAVIS_TAG}
  docker push $REPO
 elif [ "${BRANCH}" == "develop" ]; then
  docker build -f Dockerfile -t $REPO:snapshot .
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@ -10,7 +10,7 @@
    <parent>
        <groupId>org.owasp.webgoat</groupId>
        <artifactId>webgoat-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <profiles>
@ -92,29 +92,6 @@
                    <forkMode>never</forkMode>
                </configuration>
            </plugin>
            <plugin>
                <artifactId>maven-clean-plugin</artifactId>
                <configuration>
                    <filesets>
                        <fileset>
                            <directory>${project.basedir}/src/main/resources/plugin_lessons</directory>
                            <includes>
                                <include>**/*.jar</include>
                                <include>**/*.pom</include>
                            </includes>
                        </fileset>
                        <fileset>
                            <directory>${user.home}/.webgoat/</directory>
                            <includes>
                                <include>**/*.jar</include>
                                <include>**/org/**</include>
                                <include>**/plugin/**</include>
                            </includes>
                        </fileset>
                    </filesets>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
@ -135,14 +112,6 @@
            <groupId>com.fasterxml.jackson.datatype</groupId>
            <artifactId>jackson-datatype-jsr310</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
@ -152,10 +121,6 @@
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-cache</artifactId>
        </dependency>
               <dependency>
            <groupId>org.asciidoctor</groupId>
            <artifactId>asciidoctorj</artifactId>
            <version>1.5.4</version>
@ -169,24 +134,19 @@
            <artifactId>commons-lang3</artifactId>
            <version>${commons-lang3.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <dependency>
            <groupId>io.gatling.highcharts</groupId>
            <artifactId>gatling-charts-highcharts</artifactId>
            <version>${gatling.version}</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
@ -205,11 +165,6 @@
            <artifactId>activation</artifactId>
            <version>${activation.version}</version>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <version>${h2.version}</version>
        </dependency>
        <dependency>
            <groupId>org.hsqldb</groupId>
            <artifactId>hsqldb</artifactId>
@ -224,19 +179,7 @@
            <groupId>org.scala-lang</groupId>
            <artifactId>scala-compiler</artifactId>
            <version>${scala.version}</version>
-        </dependency>
+            <scope>test</scope>
        <!-- Apache Commons Upload -->
        <dependency>
            <groupId>commons-fileupload</groupId>
            <artifactId>commons-fileupload</artifactId>
            <version>${commons-fileupload.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
@ -1,66 +0,0 @@
 /**
 * *************************************************************************************************
 * <p>
 * <p>
 * This file is part of WebGoat, an Open Web Application Security Project
 * utility. For details, please see http://www.owasp.org/
 * <p>
 * Copyright (c) 2002 - 20014 Bruce Mayhew
 * <p>
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the License, or (at your option) any later
 * version.
 * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 * <p>
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place - Suite 330, Boston, MA 02111-1307, USA.
 * <p>
 * Getting Source ==============
 * <p>
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
 * for free software projects.
 */
 package org.owasp.webgoat.service;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 /**
 * <p>SolutionService class.</p>
 *
 * @author rlawson
 * @version $Id: $Id
 */
@Controller
 public class SolutionService {
    /**
     * Returns solution for current attack
     *
     * @return a {@link java.lang.String} object.
     */
    @RequestMapping(path = "/service/solution.mvc", produces = "text/html")
    public
    @ResponseBody
    String showSolution() {
        //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
        String source = getSolution();
        return source;
    }
    /**
     * <p>getSolution.</p>
     *
     * @return a {@link java.lang.String} object.
     */
    protected String getSolution() {
        return "Solution  is not available";
    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
@ -1,82 +0,0 @@
 /**
 * *************************************************************************************************
 * <p>
 * <p>
 * This file is part of WebGoat, an Open Web Application Security Project
 * utility. For details, please see http://www.owasp.org/
 * <p>
 * Copyright (c) 2002 - 20014 Bruce Mayhew
 * <p>
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the License, or (at your option) any later
 * version.
 * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 * <p>
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 * Place - Suite 330, Boston, MA 02111-1307, USA.
 * <p>
 * Getting Source ==============
 * <p>
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
 * for free software projects.
 */
 package org.owasp.webgoat.service;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.http.HttpSession;
 /**
 * <p>SourceService class.</p>
 *
 * @author rlawson
 * @version $Id: $Id
 */
@Controller
 //TODO REMOVE!
 public class SourceService {
    /**
     * Description of the Field
     */
    public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
    /** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
    public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
    /**
     * Returns source for current attack
     *
     * @param session a {@link javax.servlet.http.HttpSession} object.
     * @return a {@link java.lang.String} object.
     */
    @RequestMapping(path = "/service/source.mvc", produces = "application/text")
    public
    @ResponseBody
    String showSource(HttpSession session) {
        //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
        String source = getSource();
        if (source == null) {
            source = "No source listing found";
        }
        return StringEscapeUtils.escapeHtml4(source);
    }
    /**
     * Description of the Method
     *
     * @return Description of the Return Value
     */
    protected String getSource() {
        return "Source code is not available for this lesson.";
    }
 }
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@ -30,16 +30,15 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
 webgoat.embedded.mongo=${WG_INTERNAL_MONGO:true}
-webwolf.port=8081
+webwolf.host=${WEBWOLF_HOST:localhost}
-webwolf.url=http://localhost:${webwolf.port}/WebWolf
+webwolf.port=${WEBWOLF_PORT:8081}
-webworf.url.landingpage=http://localhost:${webwolf.port}/landing
+webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
-webworf.url.mail=http://localhost:${webwolf.port}/mail
+webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
 webworf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
 spring.activemq.brokerUrl=tcp://${WG_MQ_HOST:localhost}:${WG_MQ_PORT:61616}
 spring.data.mongodb.host=${WG_MONGO_HOST:localhost}
 spring.data.mongodb.port=${WG_MONGO_PORT:27017}
 spring.data.mongodb.database=webgoat
--- a/webgoat-lessons/auth-bypass/pom.xml
+++ b/webgoat-lessons/auth-bypass/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v
+++ b/webgoat-lessons/auth-bypass/src/main/resources/video/sample-video.m4v
--- a/webgoat-lessons/bypass-restrictions/pom.xml
+++ b/webgoat-lessons/bypass-restrictions/pom.xml
@ -6,6 +6,6 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/challenge/pom.xml
+++ b/webgoat-lessons/challenge/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
--- a/webgoat-lessons/client-side-filtering/pom.xml
+++ b/webgoat-lessons/client-side-filtering/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <build>
       <plugins>
--- a/webgoat-lessons/csrf/pom.xml
+++ b/webgoat-lessons/csrf/pom.xml
@ -6,6 +6,6 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt
@ -1,55 +0,0 @@
 ##### To include lesson template in build #####
 1. edit theh webgoat-server/pom.xml file and uncomment the section under ...
 <!--uncommment below to run/include lesson template in WebGoat Build-->
 2. Also uncomment in webgoat-lessons/pom.xml where it says ...
 <!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
 ##### To add a lesson to WebGoat #####
 There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
 0. The POM file
 	a. change the ...
 	<artifactId>webgoat-lesson-template</artifactId>
 	... line to give your lesson its own artifactId.That should be all you need to do there
 1.	The Base Class ...
 	In webgoat-lessons/{your-lesson}/src/main/java, refactor the LessonTemplate.java class, changing ...
 	a. the category in which you want your lesson to be in.  You can create a new category if you want, or put in an issue to have one added
 	b. The 'defaultRanking' will move your lesson up or down in the categories list
 	c. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties
 	d. Implement a new value for the getId method, which leads us to ...
 2. The HTML content framing ...
 	a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson";  } >> "your-lesson.html")
 	b. Modify that file following the commented instructions in there
 	c. In conjunction with this file you
 3. Assignment Endpoints
 	a. In the above html file, you will see an example of an 'attack form'.  You can create endpoints to handle these attacks and provide the user feedback and simulated output.  See the example file here as well as other existing lessons for ways to extend these.  You will extend the AssignmentEndpoint as the example will show
 	b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
 	c. See other lesson examples for creating unit/integration tests for your project as well
 4. Getting your lesson to show up
 	a. modify the webgoat-lessons/pom.xml to include your project in the <modules> section
 	<modules>
 		<!-- ... -->
 		<module>webgoat-lesson-template</module>
 		<!-- ... -->
 	</modules>
 	b. modify the webgoat-server/pom.xml to add your project as a dependency in the <dependencies> section ...
 	<dependencies>
 		<!-- .... >
        <dependency>
            <groupId>org.owasp.webgoat.lesson</groupId>
            <artifactId>your-artfifact-id-here</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- .... >
    <dependencies>
 5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/SampleAttack.java
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/SampleAttack.java
@ -1,62 +0,0 @@
 package org.owasp.webgoat.plugin;
 import com.google.common.collect.Lists;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 /**
 * Created by jason on 1/5/17.
 */
@AssignmentPath("/lesson-template/sample-attack")
 public class SampleAttack extends AssignmentEndpoint {
    String secretValue = "secr37Value";
    //UserSessionData is bound to session and can be used to persist data across multiple assignments
    @Autowired
    UserSessionData userSessionData;
    @GetMapping(produces = {"application/json"})
    public @ResponseBody
    AttackResult completed(String param1, String param2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        if (userSessionData.getValue("some-value") != null) {
            // do any session updating you want here ... or not, just comment/example here
            //return trackProgress(failed().feedback("lesson-template.sample-attack.failure-2").build());
        }
        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
        if (secretValue.equals(param1)) {
            return trackProgress(success()
                    .output("Custom Output ...if you want, for success")
                    .feedback("lesson-template.sample-attack.success")
                    .build());
            //lesson-template.sample-attack.success is defined in src/main/resources/i18n/WebGoatLabels.properties
        }
        // else
        return trackProgress(failed()
                .feedback("lesson-template.sample-attack.failure-2")
                .output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want")
                .build());
    }
 }
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html
@ -1,54 +0,0 @@
 <html xmlns:th="http://www.thymeleaf.org">
    <div class="lesson-page-wrapper">
        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
        <div class="adoc-content" th:replace="doc:lesson-template-intro.adoc"></div>
    </div>
    <div class="lesson-page-wrapper">
        <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
        <div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
        <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
        <div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
        <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
        <div class="attack-container">
            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
            <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
            <script th:src="@{/lesson_js/idor.js}" />
            <form class="attack-form" accept-charset="UNKNOWN"
                  method="GET" name="form"
                  action="/WebGoat/lesson-template/sample-attack"  
                  enctype="application/json;charset=UTF-8">
                <table>
                    <tr>
                        <td>two random params</td>
                        <td>parameter 1:<input name="param1" value="" type="TEXT" /></td>
                        <td>parameter 2:<input name="param2" value="" type="TEXT" /></td>
                        <td>
                            <input
                                name="submit" value="Submit" type="SUBMIT"/>
                        </td>
                    </tr>
                </table>
            </form>
            <!-- do not remove the two following div's, this is where your feedback/output will land -->
            <!-- the attack response will include a 'feedback' and that will automatically go here -->
            <div class="attack-feedback"></div>
            <!-- output is intended to be a simulation of what the screen would display in an attack -->
            <div class="attack-output"></div>
        </div>
    </div>
    <!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
        see other lessons for other more complex examples -->
 </html>
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties
@ -1,7 +0,0 @@
 lesson-template.title=Lesson Template
 lesson-template.sample-attack.failure-1=Sample failure message
 lesson-template.sample-attack.failure-2=Sample failure message 2
 lesson-template.sample-attack.success=Sample success message
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/images/firefox-proxy-config.png
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/images/firefox-proxy-config.png
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/js/idor.js
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/js/idor.js
@ -1,18 +0,0 @@
 // need custom js for this?
 webgoat.customjs.idorViewProfile = function(data) {
    webgoat.customjs.jquery('#idor-profile').html(
        'name:' + data.name + '<br/>'+
        'color:' + data.color + '<br/>'+
        'size:' + data.size + '<br/>'
    );
 }
 var onViewProfile = function () {
    console.warn("on view profile activated")
    webgoat.customjs.jquery.ajax({
        method: "GET",
        url: "/WebGoat/IDOR/profile",
        contentType: 'application/json; charset=UTF-8'
     }).then(webgoat.customjs.idorViewProfile);
 }
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc
@ -1,3 +0,0 @@
 === Attack Explanation
 Explanation of attack here ... Instructions etc.
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc
@ -1,19 +0,0 @@
 == Lesson Template Intro
 This is the lesson template intro.
 === Sub-heading
 Check asciidoc for syntax, but more = means smaller headings.  You can *bold* text and other things.
 === Structuring files
 You should set up all content so that it is these *.adoc files.
 === Images
 Images can be refereneced as below including setting style (recommended to use lesson-image as the style). The root is {lesson}/src/main/resources
 image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc
@ -1,7 +0,0 @@
 === More Content, Video too ...
 You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
 video::video/sample-video.m4v[width=480,start=5]
 see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
--- a/webgoat-lessons/html-tampering/pom.xml
+++ b/webgoat-lessons/html-tampering/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <dependencies>
--- a/webgoat-lessons/http-basics/pom.xml
+++ b/webgoat-lessons/http-basics/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/http-proxies/pom.xml
+++ b/webgoat-lessons/http-proxies/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <dependencies>
--- a/webgoat-lessons/idor/pom.xml
+++ b/webgoat-lessons/idor/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/insecure-login/pom.xml
+++ b/webgoat-lessons/insecure-login/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <dependencies>
--- a/webgoat-lessons/jwt/pom.xml
+++ b/webgoat-lessons/jwt/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/missing-function-ac/pom.xml
+++ b/webgoat-lessons/missing-function-ac/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@ -5,12 +5,12 @@
    <groupId>org.owasp.webgoat.lesson</groupId>
    <artifactId>webgoat-lessons-parent</artifactId>
    <packaging>pom</packaging>
-    <version>8.0.0.M1</version>
+    <version>8.0.0.M3</version>
    <parent>
        <groupId>org.owasp.webgoat</groupId>
        <artifactId>webgoat-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <modules>
@ -27,6 +27,7 @@
        <module>xxe</module>
        <module>idor</module>
        <module>vulnerable-components</module>
        <module>webgoat-introduction</module>
        <module>webwolf-introduction</module>
 	    <module>auth-bypass</module>
        <module>missing-function-ac</module>
--- a/webgoat-lessons/sol.txt
+++ b/webgoat-lessons/sol.txt
@ -11,6 +11,7 @@ bender@juice-sh.op' --
 101 or 1=1
 Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
 Smith' union select all 1, '2' ,user_name,password, 'MC', cookie, 2 from user_system_data --
 ## XXE ##
--- a/webgoat-lessons/sql-injection/pom.xml
+++ b/webgoat-lessons/sql-injection/pom.xml
@ -6,6 +6,6 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <dependencies>
        <dependency>
--- a/webgoat-lessons/csrf/webgoat-lesson-template/pom.xml
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/pom.xml
@ -1,12 +1,11 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-lesson-template</artifactId>
+    <artifactId>webgoat-introduction</artifactId>
    <packaging>jar</packaging>
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0-SNAPSHOT</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/webgoat-introduction/pom.xml.versionsBackup
+++ b/webgoat-lessons/webgoat-introduction/pom.xml.versionsBackup
@ -0,0 +1,11 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <artifactId>webwolf-introduction</artifactId>
    <packaging>jar</packaging>
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
        <version>8.0-SNAPSHOT</version>
    </parent>
 </project>
--- a/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/LessonTemplate.java
+++ b/webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/LessonTemplate.java
@ -1,9 +1,9 @@
 package org.owasp.webgoat.plugin;
 import com.beust.jcommander.internal.Lists;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;
 import java.util.ArrayList;
 import java.util.List;
 /**
@ -31,35 +31,33 @@ import java.util.List;
 * projects.
 * <p>
 *
- * @author misfir3
+ * @author WebGoat
 * @version $Id: $Id
- * @since January 3, 2017
+ * @since October 12, 2016
 */
-public class LessonTemplate extends NewLesson {
+public class WebGoatIntroduction extends NewLesson {
    @Override
    public Category getDefaultCategory() {
-        return Category.GENERAL;
+        return Category.INTRODUCTION;
    }
    @Override
    public List<String> getHints() {
-        return Lists.newArrayList();
+        return new ArrayList();
    }
    @Override
    public Integer getDefaultRanking() {
-        return 30;
+        return 1;
    }
    @Override
    public String getTitle() {
-        return "lesson-template.title";
+        return "webgoat.title";
    }
    @Override
    public String getId() {
-        return "LessonTemplate";
+        return "WebGoatIntroduction";
    }
 }
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html
@ -0,0 +1,8 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
 </div>
 </html>
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties
@ -0,0 +1 @@
 webgoat.title=WebGoat
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/images/wg_logo.png
--- a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc
+++ b/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc
@ -0,0 +1,18 @@
 == What is WebGoat?
 ---
 WebGoat is a deliberately insecure application that allows interested developers just like you to _test vulnerabilities_
 commonly found in Java-based applications that use common and popular open source components.
 Now, while we in no way condone causing intentional harm to any animal, goat or otherwise, we think learning everything
 you can about security vulnerabilities is essential to understanding just what happens when even a small bit of
 unintended code gets into your applications.
 What better way to do that than with your very own scapegoat?
 Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your heart’s content.
 Go ahead, and Hack the goat. We promise he likes it.
 Thanks for your interest!
 *The WebGoat Team*
--- a/webgoat-lessons/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
+++ b/webgoat-lessons/webgoat-lesson-template/src/main/resources/video/sample-video.m4v
--- a/webgoat-lessons/webwolf-introduction/pom.xml
+++ b/webgoat-lessons/webwolf-introduction/pom.xml
@ -6,6 +6,6 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
 </project>
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html
@ -2,7 +2,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
+    <div class="adoc-content" th:replace="doc:IntroductionWebWolf.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
@ -1,5 +1,8 @@
 == Introducing WebWolf
 NOTE: You only need WebWolf if you a lesson specifies you can use it. For a lot of lessons you use WebGoat without
 starting WebWolf.
 WebWolf is a separate web application which simulates an attackers machine. It makes it possible for us to
 make a clear distinction between what takes place on the attacked website and the actions you need to do as
 an "attacker". WebWolf was introduced after a couple of workshops where we received feedback about the fact there
--- a/webgoat-lessons/xxe/pom.xml
+++ b/webgoat-lessons/xxe/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat.lesson</groupId>
        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <dependencies>
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@ -1,7 +1,8 @@
 package org.owasp.webgoat.plugin;
 import com.google.common.base.Charsets;
 import com.google.common.io.Files;
 import lombok.SneakyThrows;
 import org.apache.commons.io.FileUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
@ -63,7 +64,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
        if (!targetDirectory.exists()) {
            targetDirectory.mkdir();
        }
-        FileUtils.write(new File(targetDirectory, "secret.txt"), CONTENTS);
+        Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8);
    }
    @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
@ -20,6 +20,10 @@ import java.io.IOException;
 import java.io.StringReader;
 import java.util.Collection;
 import java.util.Map;
 import java.util.Optional;
 import static java.util.Optional.empty;
 import static java.util.Optional.of;
 /**
 * @author nbaars
@ -67,12 +71,12 @@ public class Comments {
        return (Comment) unmarshaller.unmarshal(xsr);
    }
-    protected Comment parseJson(String comment) {
+    protected Optional<Comment> parseJson(String comment) {
        ObjectMapper mapper = new ObjectMapper();
        try {
-            return mapper.readValue(comment, Comment.class);
+            return of(mapper.readValue(comment, Comment.class));
        } catch (IOException e) {
-            return new Comment();
+            return empty();
        }
    }
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
@ -61,27 +61,26 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
        AttackResult attackResult = failed().build();
-        Comment comment = null;
+
        if (APPLICATION_JSON_VALUE.equals(contentType)) {
-            comment = comments.parseJson(commentStr);
+            comments.parseJson(commentStr).ifPresent(c -> comments.addComment(c, true));
            comments.addComment(comment, true);
            attackResult = failed().feedback("xxe.content.type.feedback.json").build();
        }
        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
            String error = "";
            try {
-                comment = comments.parseXml(commentStr);
+                Comment comment = comments.parseXml(commentStr);
                comments.addComment(comment, false);
                if (checkSolution(comment)) {
                    attackResult = success().build();
                }
            } catch (Exception e) {
                error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
                attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
            }
            attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
        }
        if (checkSolution(comment)) {
            attackResult = success().build();
        }
        return trackProgress(attackResult);
    }
@ -89,7 +88,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
        String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
        boolean success = true;
        for (String directory : directoriesToCheck) {
-            success &= comment.getText().contains(directory);
+            success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
        }
        return success;
    }
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/ContentTypeAssignmentTest.java
+++ b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/ContentTypeAssignmentTest.java
@ -0,0 +1,75 @@
 package org.owasp.webgoat.plugin;
 import org.hamcrest.CoreMatchers;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.owasp.webgoat.plugins.LessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 /**
 * @author nbaars
 * @since 11/2/17.
 */
@RunWith(SpringJUnit4ClassRunner.class)
 public class ContentTypeAssignmentTest extends LessonTest {
    @Autowired
    private Comments comments;
    @Before
    public void setup() throws Exception {
        XXE xxe = new XXE();
        when(webSession.getCurrentLesson()).thenReturn(xxe);
        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
        when(webSession.getUserName()).thenReturn("unit-test");
    }
    @Test
    public void sendingXmlButContentTypeIsJson() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
                .contentType(MediaType.APPLICATION_JSON)
                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
    }
    @Test
    public void workingAttack() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
                .contentType(MediaType.APPLICATION_XML)
                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
    }
    @Test
    public void postingJsonShouldAddComment() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{  \"text\" : \"Hello World\"}"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
        assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Hello World")).count()).isEqualTo(1);
    }
    @Test
    public void postingInvalidJsonShouldAddComment() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{  'text' : 'Wrong'"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
        assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Wrong")).count()).isEqualTo(0);
    }
 }
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/SimpleXXETest.java
+++ b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/SimpleXXETest.java
@ -0,0 +1,66 @@
 package org.owasp.webgoat.plugin;
 import org.hamcrest.CoreMatchers;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.owasp.webgoat.plugins.LessonTest;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 /**
 * @author nbaars
 * @since 11/2/17.
 */
@RunWith(SpringJUnit4ClassRunner.class)
 public class SimpleXXETest extends LessonTest {
    @Before
    public void setup() throws Exception {
        XXE xxe = new XXE();
        when(webSession.getCurrentLesson()).thenReturn(xxe);
        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
        when(webSession.getUserName()).thenReturn("unit-test");
    }
    @Test
    public void workingAttack() throws Exception {
        //Call with XXE injection
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
    }
    @Test
    public void postingJsonCommentShouldNotSolveAssignment() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
                .content("<comment><text>test</ext></comment>"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
    }
    @Test
    public void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
                .content("<?xml version=\"1.0\" standalone=\"yes\" ?><comment><text>&root;</text></comment>"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
    }
    @Test
    public void postingPlainTextShouldShwoException() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
                .content("test"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.output", CoreMatchers.startsWith("javax.xml.bind.UnmarshalException\\n - with linked exception")))
                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
    }
 }
--- a/webgoat-server/Dockerfile
+++ b/webgoat-server/Dockerfile
@ -1,10 +1,11 @@
 FROM openjdk:8-jre-slim
 ARG webgoat_version=8.0-SNAPSHOT
 RUN useradd --home-dir /home/webgoat --create-home -U webgoat
 RUN apt-get update; apt-get install curl -y
 COPY start.sh /home/webgoat/start.sh
 RUN chmod +x /home/webgoat/start.sh
@ -12,4 +13,4 @@ USER webgoat
 RUN mkdir -p /home/webgoat/.embedmongo/linux
 RUN curl -o /home/webgoat/.embedmongo/linux/mongodb-linux-x86_64-3.2.2.tgz https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-3.2.2.tgz
 RUN cd /home/webgoat/; mkdir -p .webgoat
-COPY target/webgoat-server-8.0-SNAPSHOT.jar /home/webgoat/webgoat.jar
+COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
--- a/webgoat-server/pom.xml
+++ b/webgoat-server/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat</groupId>
        <artifactId>webgoat-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <properties>
@ -87,7 +87,8 @@
            <groupId>com.spotify</groupId>
            <artifactId>docker-maven-plugin</artifactId>
            <version>0.4.10</version>
-            <scope>compile</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>de.flapdoodle.embed</groupId>
@ -174,6 +175,11 @@
            <artifactId>auth-bypass</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.owasp.webgoat.lesson</groupId>
            <artifactId>webgoat-introduction</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.owasp.webgoat.lesson</groupId>
            <artifactId>webwolf-introduction</artifactId>
@ -205,6 +211,7 @@
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <excludeDevtools>true</excludeDevtools>
                    <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
                    <requiresUnpack>
                        <dependency>
--- a/webwolf/Dockerfile
+++ b/webwolf/Dockerfile
@ -1,8 +1,13 @@
 FROM openjdk:8-jre-slim
 ARG webwolf_version=8.0-SNAPSHOT
 RUN useradd --home-dir /home/webwolf --create-home -U webwolf
 RUN apt-get update; apt-get install curl -y
 COPY start.sh /home/webwolf/start.sh
 RUN chmod +x /home/webwolf/start.sh
 USER webwolf
-RUN cd /home/webwolf/
+COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
 COPY target/webwolf-8.0-SNAPSHOT.jar /home/webwolf/webwolf.jar
 COPY start.sh /home/webwolf/start.sh
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@ -6,7 +6,7 @@
    <parent>
        <groupId>org.owasp.webgoat</groupId>
        <artifactId>webgoat-parent</artifactId>
-        <version>8.0.0.M1</version>
+        <version>8.0.0.M3</version>
    </parent>
    <dependencies>
--- a/webwolf/src/main/resources/application.properties
+++ b/webwolf/src/main/resources/application.properties
@ -27,16 +27,12 @@ multipart.max-request-size=1Mb
 webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
-
+spring.data.mongodb.host=${WG_MONGO_HOST:}
 spring.data.mongodb.host=${WG_MONGO_HOST:localhost}
 spring.data.mongodb.port=${WG_MONGO_PORT:27017}
 spring.data.mongodb.database=webgoat
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
 spring.activemq.broker-url=tcp://${WG_MQ_HOST:localhost}:${WG_MQ_PORT:61616}
 spring.activemq.in-memory=true
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webwolf/src/main/resources/static/
--- a/webwolf/src/main/resources/templates/requests.html
+++ b/webwolf/src/main/resources/templates/requests.html
@ -18,7 +18,7 @@
        <p>
            Challenges in which you need to call your hacker machine WebWolf offers a simple httpd
            server functionality which only logs the incoming request. You can use the following URL:
-            http://localhost:8081/ and the incoming request will be available below.
+            http://webwolf/landing/* and the incoming request will be available below.
        </p>
        <p>
            This is by no means a substitution of httpd but it offers enough functionality to callback to a safe
Author	SHA1	Message	Date
Nanne Baars	f91f77708a	New version	2017-11-02 21:44:30 +01:00
Nanne Baars	100876ad6c	Changed introduction	2017-11-02 20:44:21 +01:00
Nanne Baars	56fc0fce05	Added test for XXE	2017-11-02 20:41:30 +01:00
Nanne Baars	fc1353b2f1	Pom cleanup	2017-11-02 16:14:44 +01:00
Nanne Baars	1e9f92220d	Removed unnecessary JPA libraries	2017-11-02 15:44:45 +01:00
Nanne Baars	a11d3d0b1b	- Made movie little bit shorter because webgoat-server.jar was over 200Mb - Movie was copy and pasted to csrf and auth lesson removed it from those lessons - Made jars which are not necessary in the webgoat-server.jar optional	2017-11-02 15:39:49 +01:00
Nanne Baars	87a7521dcd	Adding introduction to WebGoat as the web interface opens with WebWolf which is confusing because people thought you needed to download WebWolf and start it directly. Feedback received during workshops	2017-11-02 14:28:20 +01:00
Nanne Baars	8729d9bfcf	Fixed minor issues for properties and starting WebGoat	2017-11-02 12:42:19 +01:00
Nanne Baars	bb3bc9b883	Releasing v8.0.0.M2	2017-10-18 22:36:58 +02:00
Nanne Baars	bb5e0c06dd	Directory can already exists	2017-10-18 22:26:46 +02:00
Nanne Baars	0508859cf5	Copy jar files to directory for Github release	2017-10-18 22:14:04 +02:00
Nanne Baars	738b2d8054	Skipping the clean-up while releasing to Github	2017-10-18 21:39:52 +02:00
Nanne Baars	0c88dcf463	Bug when passing version to Docker (v8.0 should be 8.0)	2017-10-18 21:08:59 +02:00
Nanne Baars	d1729e8f3c	Adding version number to Dockerfile as variable	2017-10-18 20:57:57 +02:00
Nanne Baars	1ecb43092d	Bumped version number	2017-10-18 19:58:14 +02:00
Nanne Baars	904a6b363d	Fixing Docker build	2017-10-18 19:52:57 +02:00
		`@ -1,3 +0,0 @@`
			`=== Attack Explanation`

			`Explanation of attack here ... Instructions etc.`