Merge branch 'release/v8.0.0.M19'

New release

.gitignore

@@ -42,3 +42,7 @@ webgoat-lessons/**/target
 **/.DS_Store
 webgoat-server/mongo-data/*
 webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
+**/.sts4-cache/*
+**/.vscode/*
+
+/.sonatype

CREATE_RELEASE.MD

@@ -20,8 +20,8 @@ git flow release publish
 Now we can make a new release, be sure you committed all your changes.
 
 ```
-git tag v8.0.0.M3
-git push origin v8.0.0.M3 
+git tag v8.0.0.M15
+git push origin v8.0.0.M15 
 ```
 
 Now Travis takes over and will create the release in Github and on Docker Hub. 

README.MD

@@ -29,7 +29,18 @@ first thing that all hackers claim.*
 
 # Run Instructions:
 
-## 1. Run using Docker
+## 1. Standalone 
+
+Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
+
+```Shell
+java -jar webgoat-server-<<version>>.jar [--server.port=8080] [--server.address=localhost]
+```
+
+By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
+can bind it to a different address (default localhost)
+
+## 2. Run using Docker
 
 From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
 [https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
@@ -40,6 +51,15 @@ docker pull webgoat/webgoat-8.0
 docker run -p 8080:8080 -it webgoat/webgoat-8.0 /home/webgoat/start.sh 
 ```
 
+If you want to keep the database between Docker sessions you need to map the WebGoat data directory to a 
+folder on the host system as follows:
+
+```Shell
+docker run -p 8080:8080 -it -v /tmp/webgoat-data:/home/webgoat/.webgoat-${VERSION} webgoat/webgoat-8.0 /home/webgoat/start.sh
+```
+
+where `${VERSION}` is for example `v8.0.0.M14`. The data will now be stored in `/tmp/webgoat-data` on your host system.
+
 Wait for the Docker container to start, and run `docker ps` to verify it's running.
 
 - If you are using `docker-machine`, verify the machine IP using `docker-machine env`
@@ -56,27 +76,6 @@ Here you'll be able to register a new user and get started.
 
 _Please note: this version may not be completely in sync with the develop branch._
 
-## 2. Standalone 
-
-Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
-
-```Shell
-java -jar webgoat-server-<<version>>.jar
-```
-
-By default WebGoat starts at port 8080 in order to change this use the following property:
-
-```Shell
-java -jar webgoat-server-<<version>>.jar --server.port=9090
-```
-
-You can specify one of the following arguments when starting WebGoat:
-
-```Shell
-java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
-```
-
-This will start WebGoat on a different port and/or different address.
 
 
 ## 3. Run from the sources

docker-compose-postgres.yml

@@ -0,0 +1,36 @@
+version: '2.0'
+
+services:
+  webgoat:
+    image: webgoat/webgoat-8.0
+    user: webgoat
+    environment:
+      - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
+      - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
+      - spring.datasource.username=webgoat
+      - spring.datasource.password=webgoat
+      - spring.datasource.driver-class-name=org.postgresql.Driver
+      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+    ports:
+      - "8080:8080"
+  webwolf:
+    image: webgoat/webwolf
+    environment:
+      - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
+      - spring.datasource.username=webgoat
+      - spring.datasource.password=webgoat
+      - spring.datasource.driver-class-name=org.postgresql.Driver
+      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+    ports:
+      - "9090:9090"
+  db:
+    container_name: webgoat_db
+    image: postgres:latest
+    environment:
+      - POSTGRES_PASSWORD=webgoat
+      - POSTGRES_USER=webgoat
+      - POSTGRES_DB=webgoat
+    ports:
+      - "5432:5432"
+

docker-compose.yml

@@ -1,15 +1,29 @@
-version: '2.0'
+version: '2.1'
 
 services:
   webgoat:
-    build: webgoat-server/
-    command: "sh /home/webgoat/start.sh"
+    image: webgoat/webgoat-8.0
+    environment:
+      - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
+      - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
       - "8080:8080"
-  webwolf:
-    build: webwolf/
-    command: "sh /home/webwolf/start.sh"
     depends_on:
-      - webgoat
+      - db
+  webwolf:
+    image: webgoat/webwolf
+    environment:
+          - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
-      - "8081:8081"
+      - "9090:9090"
+    depends_on:
+      - db
+  db:
+    image: blacklabelops/hsqldb
+    container_name: webgoat_db
+    environment:
+      - HSQLDB_TRACE=false
+      - HSQLDB_SILENT=true
+      - HSQLDB_DATABASE_NAME=webgoat
+      - HSQLDB_DATABASE_ALIAS=webgoat

platformQuickStarts/GCP/GKE-Docker/deploy.cfg

@@ -0,0 +1,4 @@
+CURTAG=webgoat/webgoat-8.0
+DEST_TAG=gcr.io/astech-training/raging-wire-webgoat
+CLUSTER_NAME=raging-wire-webgoat
+PORT_NUM=8080

platformQuickStarts/GCP/GKE-Docker/gke-deploy-config.sh

@@ -0,0 +1,4 @@
+CURTAG=webgoat/webgoat-8.0
+DEST_TAG=gcr.io/your-gke-project/your-webgoat-tag
+CLUSTER_NAME=your-cluster-name
+PORT_NUM=8080

pom.xml

@@ -1,11 +1,12 @@
 <?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M14</version>
+    <version>v8.0.0.M19</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -20,7 +21,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.9.RELEASE</version>
+        <version>1.5.12.RELEASE</version>
     </parent>
 
     <licenses>
@@ -53,17 +54,17 @@
         <developer>
             <id>jwayman</id>
             <name>Jeff Wayman</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>dcowden</id>
             <name>Dave Cowden</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>lawson89</id>
             <name>Richard Lawson</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>dougmorato</id>
@@ -92,8 +93,8 @@
         <url>https://github.com/WebGoat/WebGoat</url>
         <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
         <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
-      <tag>HEAD</tag>
-  </scm>
+        <tag>HEAD</tag>
+    </scm>
 
     <issueManagement>
         <system>Github Issues</system>
@@ -135,7 +136,7 @@
         <gatling-plugin.version>2.2.4</gatling-plugin.version>
         <guava.version>18.0</guava.version>
         <h2.version>1.4.190</h2.version>
-        <hsqldb.version>2.3.2</hsqldb.version>
+        <hsqldb.version>2.3.4</hsqldb.version>
         <j2h.version>1.3.1</j2h.version>
         <jackson-core.version>2.6.3</jackson-core.version>
         <jackson-databind.version>2.6.3</jackson-databind.version>
@@ -202,7 +203,7 @@
     <profiles>
         <profile>
             <id>release</id>
-			<dependencies>
+            <dependencies>
                 <dependency>
                     <groupId>org.owasp.webgoat.lesson</groupId>
                     <artifactId>dist</artifactId>
@@ -214,7 +215,7 @@
             </dependencies>
             <build>
                 <plugins>
-				    <plugin>
+                    <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-dependency-plugin</artifactId>
                         <executions>
@@ -225,7 +226,9 @@
                                 </goals>
                                 <phase>generate-resources</phase>
                                 <configuration>
-                                    <outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory>
+                                    <outputDirectory>
+                                        ${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons
+                                    </outputDirectory>
                                     <includeArtifactIds>dist</includeArtifactIds>
                                     <includes>*.jar</includes>
                                 </configuration>
@@ -324,7 +327,7 @@
                 <artifactId>coveralls-maven-plugin</artifactId>
                 <version>${coveralls-maven-plugin.version}</version>
                 <configuration>
-                    <repoToken />
+                    <repoToken/>
                 </configuration>
             </plugin>
             <plugin>
@@ -332,7 +335,7 @@
                 <artifactId>cobertura-maven-plugin</artifactId>
                 <version>${cobertura-maven-plugin.version}</version>
                 <configuration>
-                    <check />
+                    <check/>
                     <format>xml</format>
                     <maxmem>256m</maxmem>
                     <!-- aggregated reports for multi-module projects -->

scripts/build-all.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+cd ..
+
+nc -zv 127.0.0.1 8080 2>/dev/null
+SUCCESS=$?
+nc -zv 127.0.0.1 9090 2>/dev/null
+SUCCESS=${SUCCESS}$?
+
+if [[ "${SUCCESS}" -eq 00 ]] ; then
+  echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
+  exit 127
+fi
+
+
+#mvn clean install
+#if [[ "$?" -ne 0 ]] ; then
+#  exit y$?
+#fi
+
+cd -
+sh build_docker.sh
+
+echo "Do you want to run docker-compose?"
+while true; do
+    read -p "Do you want to run docker-compose?" yn
+    case ${yn} in
+        [Yy]* ) sh clean-run-docker-compose.sh; break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done

scripts/build_docker.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+WEBGOAT_HOME=$(pwd)/../
+
+cd ${WEBGOAT_HOME}/webgoat-server
+docker build -t webgoat/webgoat-8.0 .
+
+cd ${WEBGOAT_HOME}/webwolf
+docker build -t webgoat/webwolf .
+

scripts/clean-run-docker-compose.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+cd ..
+docker-compose rm -f
+docker-compose up

scripts/deploy-webgoat.sh

@@ -10,10 +10,10 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
   # If we push a tag to master this will update the LATEST Docker image and tag with the version number
   docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
   docker push $REPO
-elif [ ! -z "${TRAVIS_TAG}" ]; then
-  # Creating a tag build we push it to Docker with that tag
-  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
-  docker push $REPO
+#elif [ ! -z "${TRAVIS_TAG}" ]; then
+#  # Creating a tag build we push it to Docker with that tag
+#  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
+#  docker push $REPO
 #elif [ "${BRANCH}" == "develop" ]; then
 #  docker build -f Dockerfile -t $REPO:snapshot .
 #  docker push $REPO

scripts/run-docker-compose.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+cd ..
+docker-compose up

webgoat-container/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
 
     <profiles>

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -35,6 +35,7 @@ import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
+import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
@@ -86,6 +87,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
                     StringWriter writer = new StringWriter();
                     JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
                     extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+                    extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 
                     asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
                     return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -130,6 +130,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
     @Bean
     public PluginMessages pluginMessages(Messages messages, Language language) {
         PluginMessages pluginMessages = new PluginMessages(messages, language);
+        pluginMessages.setDefaultEncoding("UTF-8");
         pluginMessages.setBasenames("i18n/WebGoatLabels");
         return pluginMessages;
     }
@@ -142,6 +143,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
     @Bean
     public Messages messageSource(Language language) {
         Messages messages = new Messages(language);
+        messages.setDefaultEncoding("UTF-8");
         messages.setBasename("classpath:i18n/messages");
         return messages;
     }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java

@@ -0,0 +1,23 @@
+package org.owasp.webgoat.asciidoc;
+
+import org.asciidoctor.ast.AbstractBlock;
+import org.asciidoctor.extension.InlineMacroProcessor;
+import org.springframework.core.env.Environment;
+import org.springframework.util.StringUtils;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Map;
+
+public class WebGoatVersionMacro extends InlineMacroProcessor {
+
+    public WebGoatVersionMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    @Override
+    protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
+        return EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -10,6 +10,12 @@ import org.springframework.web.context.request.ServletRequestAttributes;
 import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
+/**
+ * Usage in asciidoc:
+ * <p>
+ * webWolfLink:here[] will display a href with here as text
+ * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ */
 public class WebWolfMacro extends InlineMacroProcessor {
 
     public WebWolfMacro(String macroName, Map<String, Object> config) {
@@ -20,9 +26,17 @@ public class WebWolfMacro extends InlineMacroProcessor {
     protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
         Environment env = EnvironmentExposure.getEnv();
         String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
+
+        if (displayCompleteLinkNoFormatting(attributes)) {
+            return hostname + (hostname.endsWith("/") ? "" : "/") + target;
+        }
         return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>";
     }
 
+    private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
+        return attributes.values().stream().filter(a -> a.equals("noLink")).findFirst().isPresent();
+    }
+
     /**
      * Look at the remote address from received from the browser first. This way it will also work if you run
      * the browser in a Docker container and WebGoat on your local machine.

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java

@@ -46,6 +46,7 @@ public enum Category {
     INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)),
     INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)),
     INSECURE_STORAGE("Insecure Storage", new Integer(800)),
+    INSECURE_DESERIALIZATION("Insecure Deserialization", new Integer(850)),
     REQUEST_FORGERIES("Request Forgeries", new Integer(900)),
     VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)),
     AJAX_SECURITY("AJAX Security", new Integer(1000)),

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonInfoModel.java

@@ -2,7 +2,6 @@ package org.owasp.webgoat.lessons;
 
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-import org.owasp.webgoat.session.WebSession;
 
 /**
  * <p>LessonInfoModel class.</p>

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java

@@ -40,17 +40,19 @@ public class LessonProgressService {
     @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
     @ResponseBody
     public Map getLessonInfo() {
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
         Map json = Maps.newHashMap();
-        String successMessage = "";
-        boolean lessonCompleted = false;
-        if (lessonTracker != null) {
-            lessonCompleted = lessonTracker.isLessonSolved();
-            successMessage = "LessonCompleted"; //@todo we still use this??
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+        if (webSession.getCurrentLesson() != null) {
+            LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
+            String successMessage = "";
+            boolean lessonCompleted = false;
+            if (lessonTracker != null) {
+                lessonCompleted = lessonTracker.isLessonSolved();
+                successMessage = "LessonCompleted"; //@todo we still use this??
+            }
+            json.put("lessonCompleted", lessonCompleted);
+            json.put("successMessage", successMessage);
         }
-        json.put("lessonCompleted", lessonCompleted);
-        json.put("successMessage", successMessage);
         return json;
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java

@@ -32,6 +32,7 @@ import com.google.common.collect.Lists;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.Setter;
+import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
@@ -57,6 +58,7 @@ public class ReportCardService {
     private final WebSession webSession;
     private final UserTrackerRepository userTrackerRepository;
     private final Course course;
+    private final PluginMessages pluginMessages;
 
     /**
      * Endpoint which generates the report card for the current use to show the stats on the solved lessons
@@ -74,7 +76,7 @@ public class ReportCardService {
         for (AbstractLesson lesson : lessons) {
             LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
             LessonStatistics lessonStatistics = new LessonStatistics();
-            lessonStatistics.setName(lesson.getTitle());
+            lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
             lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
             lessonStatistics.setSolved(lessonTracker.isLessonSolved());
             reportCard.lessonStatistics.add(lessonStatistics);

webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java

@@ -81,6 +81,39 @@ public class CreateDB {
         }
     }
 
+    /**
+     * Description of the Method
+     *
+     * @param connection Description of the Parameter
+     * @throws SQLException Description of the Exception
+     */
+    private void createJWTKeys(Connection connection) throws SQLException {
+        Statement statement = connection.createStatement();
+
+        // Drop servers table
+        try {
+            String dropTable = "DROP TABLE jwt_keys";
+            statement.executeUpdate(dropTable);
+        } catch (SQLException e) {
+            System.out.println("Info - Could not drop jwtkeys table");
+        }
+
+        // Create the new table
+        try {
+            String createTableStatement = "CREATE TABLE jwt_keys"
+                    + " (" + "id varchar(20),"
+                    + "key varchar(20))";
+            statement.executeUpdate(createTableStatement);
+
+            String insertData1 = "INSERT INTO jwt_keys VALUES ('webgoat_key', 'qwertyqwerty1234')";
+            String insertData2 = "INSERT INTO jwt_keys VALUES ('webwolf_key', 'doesnotreallymatter')";
+            statement.executeUpdate(insertData1);
+            statement.executeUpdate(insertData2);
+        } catch (SQLException e) {
+            System.out.println("Error creating product table " + e.getLocalizedMessage());
+        }
+    }
+
 
     /**
      * Description of the Method
@@ -199,7 +232,7 @@ public class CreateDB {
 
         // Create the new table
         try {
-            String createTableStatement = "CREATE TABLE user_system_data (" + "userid varchar(5) not null primary key,"
+            String createTableStatement = "CREATE TABLE user_system_data (" + "userid int not null primary key,"
                     + "user_name varchar(12)," + "password varchar(10)," + "cookie varchar(30)" + ")";
             statement.executeUpdate(createTableStatement);
         } catch (SQLException e) {
@@ -207,11 +240,11 @@ public class CreateDB {
         }
 
         // Populate
-        String insertData1 = "INSERT INTO user_system_data VALUES ('101','jsnow','passwd1', '')";
-        String insertData2 = "INSERT INTO user_system_data VALUES ('102','jdoe','passwd2', '')";
-        String insertData3 = "INSERT INTO user_system_data VALUES ('103','jplane','passwd3', '')";
-        String insertData4 = "INSERT INTO user_system_data VALUES ('104','jeff','jeff', '')";
-        String insertData5 = "INSERT INTO user_system_data VALUES ('105','dave','dave', '')";
+        String insertData1 = "INSERT INTO user_system_data VALUES (101,'jsnow','passwd1', '')";
+        String insertData2 = "INSERT INTO user_system_data VALUES (102,'jdoe','passwd2', '')";
+        String insertData3 = "INSERT INTO user_system_data VALUES (103,'jplane','passwd3', '')";
+        String insertData4 = "INSERT INTO user_system_data VALUES (104,'jeff','jeff', '')";
+        String insertData5 = "INSERT INTO user_system_data VALUES (105,'dave','passW0rD', '')";
         statement.executeUpdate(insertData1);
         statement.executeUpdate(insertData2);
         statement.executeUpdate(insertData3);
@@ -975,6 +1008,7 @@ public class CreateDB {
         createTanTable(connection);
         createMFEImagesTable(connection);
         createModifyWithSQLLessonTable(connection);
+        createJWTKeys(connection);
         System.out.println("Success: creating tables.");
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java

@@ -4,6 +4,7 @@ import lombok.Getter;
 import lombok.Setter;
 
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
 /**
@@ -16,6 +17,7 @@ public class UserForm {
 
     @NotNull
     @Size(min=6, max=20)
+    @Pattern(regexp = "[a-zA-Z0-9-]*", message = "can only contain letters, digits, and -")
     private String username;
     @NotNull
     @Size(min=6, max=10)

webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java

@@ -52,6 +52,7 @@ public class UserTracker {
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     private Long id;
+    @Column(name = "username")
     private String user;
     @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
     private Set<LessonTracker> lessonTrackers = Sets.newHashSet();

webgoat-container/src/main/resources/application.properties

@@ -5,12 +5,14 @@ server.contextPath=/WebGoat
 server.port=8080
 server.address=127.0.0.1
 
-spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat
+spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat
 spring.jpa.hibernate.ddl-auto=update
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 
 
-logging.level.org.springframework=WARN
-logging.level.org.springframework.boot.devtools=WARN
+logging.level.org.springframework=INFO
+logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=TRACE
 
@@ -20,6 +22,7 @@ security.enable-csrf=false
 spring.resources.cache-period=0
 spring.thymeleaf.cache=false
 
+webgoat.start.hsqldb=true
 webgoat.clean=false
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@@ -34,9 +37,9 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
 
 webwolf.host=${WEBWOLF_HOST:localhost}
-webwolf.port=${WEBWOLF_PORT:8081}
+webwolf.port=${WEBWOLF_PORT:9090}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
-webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
+webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
 webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
 
 spring.jackson.serialization.indent_output=true

webgoat-container/src/main/resources/static/css/main.css

@@ -1066,6 +1066,7 @@ span.show-next-page, span.show-prev-page {
 
 /* ATTACK DISPLAY */
 .attack-container {
+  position: relative;
   background-color: #f1f1f1;
   border: 2px solid #a66;
   border-radius: 12px;
@@ -1150,4 +1151,16 @@ div.captured-flag {
     height: 117px;
     width: 1268px;
     margin-bottom: 20px;
+}
+
+#content {
+  position:relative;
+}
+
+.webwolf-enabled {
+  position:absolute;
+  top: 10px;
+  right: 25px;
+  width: 42px;
+  height: 47px;
 }

webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js

@@ -73,25 +73,27 @@ define(['jquery',
             }
 
             this.loadLesson = function(name,pageNum) {
+
                 if (this.name === name) {
                     this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
                     this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
                     this.lessonContentView.navToPage(pageNum);
                     this.lessonHintView.hideHints();
+                    this.lessonHintView.showFirstHint();
                     //this.lessonHintView.selectHints();
                     this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
                     return;
                 }
 
+                if (pageNum && !this.name) {
+                    //placeholder
+                }
+
                 this.helpsLoaded = {};
                 if (typeof(name) === 'undefined' || name === null) {
                     //TODO: implement lesson not found or return to welcome page?
                 }
                 this.lessonContent.loadData({'name':name});
-//                this.planView = {};
-//                this.solutionView = {};
-//                this.sourceView = {};
-//                this.lessonHintView = {};
                 this.name = name;
             };
 
@@ -124,15 +126,8 @@ define(['jquery',
                     this.helpControlsView = null;
                     this.lessonContentView.model = this.lessonContent;
                     this.lessonContentView.render();
-                    
-                    //this.planView = new PlanView();
-                    //this.solutionView = new SolutionView();
-                    //this.sourceView = new SourceView();
-                    if (this.lessonHintView) {
-                        this.lessonHintView.stopListening();
-                        this.lessonHintView = null;
-                    }
-                    this.lessonHintView = new HintView();
+                    //TODO: consider moving hintView as child of lessonContentView ...
+                    this.createLessonHintView();
 
                     //TODO: instantiate model with values (not sure why was not working before)
                     var paramModel = new ParamModel({});
@@ -148,42 +143,25 @@ define(['jquery',
                 this.lessonProgressModel.completed();
             };
 
+            this.createLessonHintView = function () {
+                if (this.lessonHintView) {
+                    this.lessonHintView.stopListening();
+                    this.lessonHintView = null;
+                }
+                this.lessonHintView = new HintView();
+            }
+
             this.addCurHelpState = function (curHelp) {
                 this.helpsLoaded[curHelp.helpElement] = curHelp.value;
             };
 
-//            this.hideShowHelps = function(showHelp) {
-//                var showId = '#lesson-' + showHelp + '-row';
-//                var contentId = '#lesson-' + showHelp + '-content';
-//                $('.lesson-help').not(showId).hide();
-//                if (!showId) {
-//                    return;
-//                }
-//
-//                if ($(showId).is(':visible')) {
-//                    $(showId).hide();
-//                    return;
-//                } else {
-//                    //TODO: move individual .html operations into individual help views
-//                    switch(showHelp) {
-//                        case 'plan':
-//                            $(contentId).html(this.planView.model.get('content'));
-//                            break;
-//                        case 'solution':
-//                            $(showId).html(this.solutionView.model.get('content'));
-//                            break;
-//                        case 'source':
-//                            $(contentId).html('<pre>' + this.sourceView.model.get('content') + '</pre>');
-//                            break;
-//                    }
-//                    $(showId).show();
-//                    GoatUtils.scrollToHelp()
-//                }
-//            };
-
             this.showHintsView = function() {
+                if (!this.lessonHintView) {
+                    this.createLessonHintView();
+                }
+                //
                 this.lessonHintView.render();
-                if (this.lessonHintView.getHintsCount > 0) {
+                if (this.lessonHintView.getHintsCount() > 0) {
                     this.helpControlsView.showHintsButton();
                 } else {
                     this.helpControlsView.hideHintsButton();

webgoat-container/src/main/resources/static/js/goatApp/model/LessonContentModel.js

@@ -32,7 +32,11 @@ define(['jquery',
             }
             this.set('content',content);
             this.set('lessonUrl',document.URL.replace(/\.lesson.*/,'.lesson'));
-            this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
+            if (/.*\.lesson\/(\d{1,4})$/.test(document.URL)) {
+                this.set('pageNum',document.URL.replace(/.*\.lesson\/(\d{1,4})$/,'$1'));
+            } else {
+                this.set('pageNum',0);
+            }
             this.trigger('content:loaded',this,loadHelps);
         },
 

webgoat-container/src/main/resources/static/js/goatApp/model/MenuCollection.js

@@ -1,29 +1,33 @@
 define(['jquery',
-	'underscore',
-	'backbone',
-	'goatApp/model/MenuModel'], 
-	function($,_,Backbone,MenuModel) {
+        'underscore',
+        'backbone',
+        'goatApp/model/MenuModel'],
+    function ($, _, Backbone, MenuModel) {
 
-	return Backbone.Collection.extend({
-		model: MenuModel,
-		url:'service/lessonmenu.mvc',
-		initialize: function () {
-			var self = this;
-			this.fetch();
-		},
+        return Backbone.Collection.extend({
+            model: MenuModel,
+            url: 'service/lessonmenu.mvc',
 
-		onDataLoaded: function() {
-			this.trigger('menuData:loaded');
-		},
+            initialize: function () {
+                var self = this;
+                this.fetch();
+                setInterval(function () {
+                    this.fetch()
+                }.bind(this), 5000);
+            },
 
-		fetch: function() {
-			var self=this;
-			Backbone.Collection.prototype.fetch.apply(this,arguments).then(
-				function(data) {
-					this.models = data;
-					self.onDataLoaded();
-				}
-			);
-		}
-	});
-});
+            onDataLoaded: function () {
+                this.trigger('menuData:loaded');
+            },
+
+            fetch: function () {
+                var self = this;
+                Backbone.Collection.prototype.fetch.apply(this, arguments).then(
+                    function (data) {
+                        this.models = data;
+                        self.onDataLoaded();
+                    }
+                );
+            }
+        });
+    });

webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js

@@ -67,7 +67,7 @@ define(['jquery',
                     contentType: 'application/x-www-form-urlencoded; charset=UTF-8',
                     success: function (data) {
                         //devs leave stuff like this in all the time
-                        console.log('phone home said '  + data);
+                        console.log('phone home said '  + JSON.stringify(data));
                     }
                 });
             }

webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js

@@ -32,21 +32,19 @@ function($,
 
         toggleLabel: function() {
             if (this.isVisible()) {
-                $('show-hints-button').text('Hide hints');
+                $('#show-hints-button').text('Hide hints');
             } else {
-                $('show-hints-button').text('Show hints');
+                $('#show-hints-button').text('Show hints');
             }
         },
 
 		render:function() {
 			if (this.isVisible()) {
-				this.$el.hide(350);
+				this.$el.hide(350, this.toggleLabel.bind(this));
 			} else if (this.hintsToShow.length > 0) {
-				this.$el.show(350);
+				this.$el.show(350, this.toggleLabel.bind(this));
 			}
 
-            this.toggleLabel()
-
 			if (this.hintsToShow.length > 0) {
 				this.hideShowPrevNextButtons();
 			}
@@ -90,9 +88,9 @@ function($,
 
 		hideHints: function() {
 			if (this.$el.is(':visible')) {
-				this.$el.hide(350);
+				this.$el.hide(350, this.toggleLabel.bind(this));
 			}
-		},			
+        },
 
 		showNextHint: function() {
 			this.curHint = (this.curHint < this.hintsToShow.length -1) ? this.curHint+1 : this.curHint;
@@ -106,6 +104,12 @@ function($,
 			this.displayHint(this.curHint);
 		},
 
+        showFirstHint: function() {
+            this.curHint = 0;
+            this.hideShowPrevNextButtons();
+            this.displayHint(this.curHint);
+        },
+
 		displayHint: function(curHint) {
             if(this.hintsToShow.length == 0) {
                // this.hideHints();

webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js

@@ -25,6 +25,9 @@ define(['jquery',
                 self.navToPage(page);
               }
             });
+            setInterval(function () {
+                this.updatePagination();
+            }.bind(this), 5000);
         },
 
         findPage: function(assignment) {
@@ -56,11 +59,13 @@ define(['jquery',
             var currentPage = (!isNaN(startPageNum) && startPageNum && startPageNum < this.$contentPages) ? startPageNum : 0;
             //init views & pagination
             this.showCurContentPage(currentPage);
-            this.paginationControlView = new PaginationControlView(this.$contentPages,this.model.get('lessonUrl'));
+            this.paginationControlView = new PaginationControlView(this.$contentPages,this.model.get('lessonUrl'),startPageNum);
          },
 
          updatePagination: function() {
-            this.paginationControlView.updateCollection();
+            if ( this.paginationControlView != undefined ) {
+                this.paginationControlView.updateCollection();
+            }
          },
 
          getCurrentPage: function () {
@@ -85,6 +90,8 @@ define(['jquery',
             var prepareDataFunctionName = $(curForm).attr('prepareData');
             var callbackFunctionName = $(curForm).attr('callback');
             var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
+            var additionalHeadersFunctionName =  $(curForm).attr('additionalHeaders');
+            var additionalHeaders = (typeof webgoat.customjs[additionalHeadersFunctionName] === 'function') ? webgoat.customjs[additionalHeadersFunctionName]() : function() {};
             var successCallBackFunctionName = $(curForm).attr('successCallback');
             var failureCallbackFunctionName = $(curForm).attr('failureCallback');
             var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
@@ -99,6 +106,7 @@ define(['jquery',
             $.ajax({
                 //data:submitData,
                 url:formUrl,
+                headers: additionalHeaders,
                 method:formMethod,
                 contentType:contentType,
                 data: submitData,
@@ -146,14 +154,23 @@ define(['jquery',
             return false;
         },
 
+        removeSlashesFromJSON: function(str) {
+        // slashes are leftover escapes from JSON serialization by server
+        // for every two char sequence starting with backslash,
+        // replace them in the text with second char only
+            return str.replace(/\\(.)/g, "$1");
+        },
+
         renderFeedback: function(feedback) {
-            this.$curFeedback.html(polyglot.t(feedback) || "");
+            var s = this.removeSlashesFromJSON(feedback);
+            this.$curFeedback.html(polyglot.t(s) || "");
             this.$curFeedback.show(400)
 
         },
 
         renderOutput: function(output) {
-            this.$curOutput.html(polyglot.t(output) || "");
+            var s = this.removeSlashesFromJSON(output);
+            this.$curOutput.html(polyglot.t(s) || "");
             this.$curOutput.show(400)
         },
 
@@ -173,13 +190,19 @@ define(['jquery',
             return endpoints;
         },
 
+        onNavToPage: function(pageNum) {
+            var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum);
+            this.trigger('endpoints:filtered',assignmentPaths);
+        },
+
         navToPage: function (pageNum) {
             this.paginationControlView.setCurrentPage(pageNum);//provides validation
             this.showCurContentPage(this.paginationControlView.currentPage);
             this.paginationControlView.render();
             this.paginationControlView.hideShowNavButtons();
-            var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum);
-            this.trigger('endpoints:filtered',assignmentPaths);
+            this.onNavToPage(pageNum);
+            //var assignmentPaths = this.findAssigmentEndpointsOnPage(pageNum);
+            //this.trigger('endpoints:filtered',assignmentPaths);
         },
 
         /* for testing */

webgoat-container/src/main/resources/static/js/goatApp/view/PaginationControlView.js

@@ -12,14 +12,14 @@ define(['jquery',
             template: PaginationTemplate,
             el: '#lesson-page-controls',
 
-            initialize: function ($contentPages,baseLessonUrl) {
+            initialize: function ($contentPages,baseLessonUrl,initPageNum) {
                 this.$contentPages = $contentPages;
                 this.collection = new LessonOverviewCollection();
                 this.listenTo(this.collection, 'reset', this.render);
                 this.numPages = this.$contentPages.length;
                 this.baseUrl = baseLessonUrl;
                 this.collection.fetch({reset:true});
-                this.initPagination();
+                this.initPagination(initPageNum);
                 //this.render();
              },
 
@@ -117,9 +117,9 @@ define(['jquery',
                 $('span.glyphicon-class.glyphicon.glyphicon-circle-arrow-right.show-next-page').hide();
             },
 
-            initPagination: function() {
-               //track pagination state in this view ... start at 0
-               this.currentPage = 0;
+            initPagination: function(initPageNum) {
+               //track pagination state in this view ... start at 0 .. unless a pageNum was provided
+               this.currentPage = !initPageNum ? 0 : initPageNum;
             },
 
             setCurrentPage: function (pageNum) {

webgoat-container/src/main/resources/static/js/main.js

@@ -30,7 +30,7 @@ require.config({
   shim: {
 	"jqueryui": {
 	  exports:"$",
-	  deps: ['jquery']
+	  deps: ['libs/jquery-2.1.4.min']
 	},
     underscore: {
       exports: "_"

webgoat-container/src/main/resources/templates/list_users.html

@@ -123,8 +123,9 @@
     <section class="main-content-wrapper">
         <section id="main-content"> <!--ng-controller="goatLesson"-->
             <div id="lesson-page" class="pages">
-                <span th:text="${numUsers}"> Users in WebGoat</span>
-                <!-- iterate over users below -->su
+                <span th:text="${numUsers}"></span>
+                <span> Users in WebGoat</span>
+
                 <div sec:authorize="hasAuthority('WEBGOAT_ADMIN')">
                     <h3>WebGoat Users</h3>
                     <div th:each="user : ${allUsers}">

webgoat-container/src/main/resources/templates/main_new.html

@@ -76,24 +76,25 @@
                     </a>
                     </li>
                     <li role="presentation" class="divider"></li>
-                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
-                                                                th:text="#{version}">Version: <span
-                            th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">
+                        <span th:text="#{version}">Version:</span><span>: </span>
+                        <span th:text="${@environment.getProperty('webgoat.build.version')}"></span></a>
                     </li>
-                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#"
-                                                                th:text="#{build}">Build:
+                    <li role="presentation" class="disabled"><a role="menuitem" tabindex="-1" href="#">
+                        <span th:text="#{build}">Build:</span><span>: </span>
                         <span th:text="${@environment.getProperty('webgoat.build.number')}"></span></a></li>
-
                 </ul>
             </div>
             <div style="display:inline" id="settings">
                 <!--<button type="button" id="admin-button" class="btn btn-default right_nav_button" title="Administrator">-->
                 <!--<i class="fa fa-cog"></i>-->
                 <!--</button>-->
-                <button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
-                        th:title="#{report.card}">
-                    <a href="#reportCard"><i class="fa fa-bar-chart-o"></i></a>
-                </button>
+                <a href="#reportCard">
+                    <button type="button" id="report-card-button" class="btn btn-default right_nav_button button-up"
+                            th:title="#{report.card}">
+                       <i class="fa fa-bar-chart-o"></i>
+                    </button>
+                </a>
                 <!--<button type="button" id="user-management" class="btn btn-default right_nav_button"-->
                 <!--title="User management">-->
                 <!--<i class="fa fa-users"></i>-->

webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java

@@ -6,6 +6,7 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
@@ -40,10 +41,13 @@ public class ReportCardServiceTest {
     private UserTrackerRepository userTrackerRepository;
     @Mock
     private WebSession websession;
+    @Mock
+    private PluginMessages pluginMessages;
 
     @Before
     public void setup() {
-        this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course)).build();
+        this.mockMvc = standaloneSetup(new ReportCardService(websession, userTrackerRepository, course, pluginMessages)).build();
+        when(pluginMessages.getMessage(anyString())).thenReturn("Test");
     }
 
     @Test

webgoat-container/src/test/resources/logback-test.xml

@@ -1 +1,15 @@
-<configuration />
+<configuration />
+
+<!--
+Enable below if you want to debug a unit test and see why the controller fails the configuration above is there
+to keep the Travis build going otherwise it fails with too much logging.
+//TODO we should use a different Spring profile for Travis
+-->
+
+<!--
+<configuration>
+<include resource="org/springframework/boot/logging/logback/base.xml"/>
+<logger name="org.springframework.web" level="DEBUG"/>
+</configuration>
+
+-->

webgoat-images/vagrant-training/Vagrantfile

@@ -3,7 +3,7 @@
 Vagrant.configure(2) do |config|
   config.vm.box = "ubuntu/trusty64"
   config.vm.network :forwarded_port, guest: 8080, host: 8080
-  config.vm.network :forwarded_port, guest: 8081, host: 8081
+  config.vm.network :forwarded_port, guest: 9090, host: 9090
   config.vm.provider "virtualbox" do |vb|
   	vb.gui = false
   	vb.memory = "4096"

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
 
 </project>

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc

@@ -1,4 +1,4 @@
-== Authentication Bpasses
+== Authentication Bypasses
 
 Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
 
@@ -12,4 +12,4 @@ Sometimes, if an attacker doesn't know the correct value of a parameter, they ma
 
 === Forced Browsing
 
-If an area of a site is not protected properly by configuation, that area of the site may be accessed by guessing/brute-forcing.
+If an area of a site is not protected properly by configuration, that area of the site may be accessed by guessing/brute-forcing.

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
 </project>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
 
 

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java

@@ -10,11 +10,6 @@ public interface SolutionConstants {
 
     //TODO should be random generated when starting the server
     String PASSWORD = "!!webgoat_admin_1234!!";
-    String SUPER_COUPON_CODE = "get_it_for_free";
     String PASSWORD_TOM = "thisisasecretfortomonly";
-    String PASSWORD_LARRY = "larryknows";
-    String JWT_PASSWORD = "victory";
     String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
-    String PASSWORD_TOM_9 = "somethingVeryRandomWhichNoOneWillEverTypeInAsPasswordForTom";
-    String TOM_EMAIL = "tom@webgoat-cloud.org";
 }

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge2/Challenge2.java

@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge2;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge2 extends NewLesson {
-
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
-
-    @Override
-    public List<String> getHints() {
-        return Lists.newArrayList();
-    }
-
-    @Override
-    public Integer getDefaultRanking() {
-        return 10;
-    }
-
-    @Override
-    public String getTitle() {
-        return "challenge2.title";
-    }
-
-    @Override
-    public String getId() {
-        return "Challenge2";
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java

@@ -1,150 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.beust.jcommander.internal.Lists;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
-import com.google.common.io.Files;
-import lombok.SneakyThrows;
-import lombok.extern.slf4j.Slf4j;
-import org.joda.time.DateTime;
-import org.joda.time.format.DateTimeFormat;
-import org.joda.time.format.DateTimeFormatter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.Flag;
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.annotation.PostConstruct;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.stream.XMLInputFactory;
-import javax.xml.stream.XMLStreamReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.StringReader;
-import java.nio.charset.Charset;
-import java.util.Collection;
-import java.util.Map;
-
-import static org.springframework.http.MediaType.ALL_VALUE;
-import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
-import static org.springframework.web.bind.annotation.RequestMethod.GET;
-import static org.springframework.web.bind.annotation.RequestMethod.POST;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@AssignmentPath("/challenge/3")
-@Slf4j
-public class Assignment3 extends AssignmentEndpoint {
-
-    @Value("${webgoat.server.directory}")
-    private String webGoatHomeDirectory;
-    @Autowired
-    private WebSession webSession;
-    private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
-
-    private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap();
-    private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
-    private static final String secretContents = "Congratulations you may now collect your flag";
-
-    static {
-        comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
-    }
-
-    @PostConstruct
-    @SneakyThrows
-    public void copyFile() {
-        File targetDirectory = new File(webGoatHomeDirectory);
-        if (!targetDirectory.exists()) {
-            targetDirectory.mkdir();
-        }
-        log.info("Copied secret.txt to: {}", targetDirectory);
-        Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
-    }
-
-    @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public Collection<Comment> retrieveComments() {
-        Collection<Comment> allComments = Lists.newArrayList();
-        Collection<Comment> xmlComments = userComments.get(webSession.getUserName());
-        if (xmlComments != null) {
-            allComments.addAll(xmlComments);
-        }
-        allComments.addAll(comments);
-        return allComments;
-    }
-
-    @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
-    @ResponseBody
-    public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
-        Comment comment = null;
-        AttackResult attackResult = failed().build();
-        if (APPLICATION_JSON_VALUE.equals(contentType)) {
-            comment = parseJson(commentStr);
-            comment.setDateTime(DateTime.now().toString(fmt));
-            comment.setUser(webSession.getUserName());
-            comments.add(comment);
-        }
-        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
-            //Do not show these comments to all users
-            comment = parseXml(commentStr);
-            comment.setDateTime(DateTime.now().toString(fmt));
-            comment.setUser(webSession.getUserName());
-            EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
-            comments.add(comment);
-            userComments.put(webSession.getUserName(), comments);
-        }
-        if (checkSolution(comment)) {
-            attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(3)).build();
-        }
-        return attackResult;
-    }
-
-    private boolean checkSolution(Comment comment) {
-        if (comment.getText().contains(secretContents)) {
-            comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!! Check your original response where you posted the XXE attack ");
-            comments.add(comment);
-            return true;
-        }
-        return false;
-    }
-
-    public static Comment parseXml(String xml) throws Exception {
-        JAXBContext jc = JAXBContext.newInstance(Comment.class);
-
-        XMLInputFactory xif = XMLInputFactory.newFactory();
-        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
-        xif.setProperty(XMLInputFactory.IS_VALIDATING, false);
-
-        xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
-        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
-
-        Unmarshaller unmarshaller = jc.createUnmarshaller();
-        return (Comment) unmarshaller.unmarshal(xsr);
-    }
-
-    private Comment parseJson(String comment) {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            return mapper.readValue(comment, Comment.class);
-        } catch (IOException e) {
-            return new Comment();
-        }
-    }
-
-
-}
-

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Challenge3.java

@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge3 extends NewLesson {
-
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
-
-    @Override
-    public List<String> getHints() {
-        return Lists.newArrayList();
-    }
-
-    @Override
-    public Integer getDefaultRanking() {
-        return 10;
-    }
-
-    @Override
-    public String getTitle() {
-        return "challenge3.title";
-    }
-
-    @Override
-    public String getId() {
-        return "Challenge3";
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java

@@ -1,24 +0,0 @@
-package org.owasp.webgoat.plugin.challenge3;
-
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import lombok.NoArgsConstructor;
-import lombok.Setter;
-
-import javax.xml.bind.annotation.XmlRootElement;
-
-/**
- * @author nbaars
- * @since 4/8/17.
- */
-@Getter
-@Setter
-@AllArgsConstructor
-@NoArgsConstructor
-@XmlRootElement
-public class Comment {
-    private String user;
-    private String dateTime;
-    private String text;
-}
-

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Assignment4.java

@@ -1,17 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-
-/**
- * @author nbaars
- * @since 5/3/17.
- */
-@AssignmentPath("/challenge/4")
-@Slf4j
-public class Assignment4 extends AssignmentEndpoint {
-
-    //just empty, posting the flag will mark the challenge as done as well no need to specify an endpoint here
-
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Challenge4.java

@@ -1,39 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.util.List;
-
-/**
- * @author nbaars
- * @since 3/21/17.
- */
-public class Challenge4 extends NewLesson {
-
-    @Override
-    public Category getDefaultCategory() {
-        return Category.CHALLENGE;
-    }
-
-    @Override
-    public List<String> getHints() {
-        return Lists.newArrayList();
-    }
-
-    @Override
-    public Integer getDefaultRanking() {
-        return 10;
-    }
-
-    @Override
-    public String getTitle() {
-        return "challenge4.title";
-    }
-
-    @Override
-    public String getId() {
-        return "Challenge4";
-    }
-}

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge4/Views.java

@@ -1,16 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-/**
- * @author nbaars
- * @since 4/30/17.
- */
-public class Views {
-    interface GuestView {
-    }
-
-    interface UserView extends GuestView {
-    }
-
-    interface AdminView extends UserView {
-    }
-}

webgoat-lessons/challenge/src/main/resources/css/challenge3.css

@@ -1,75 +0,0 @@
-/* Component: Posts */
-.post .post-heading {
-    height: 95px;
-    padding: 20px 15px;
-}
-.post .post-heading .avatar {
-    width: 60px;
-    height: 60px;
-    display: block;
-    margin-right: 15px;
-}
-.post .post-heading .meta .title {
-    margin-bottom: 0;
-}
-.post .post-heading .meta .title a {
-    color: black;
-}
-.post .post-heading .meta .title a:hover {
-    color: #aaaaaa;
-}
-.post .post-heading .meta .time {
-    margin-top: 8px;
-    color: #999;
-}
-.post .post-image .image {
-    width:20%;
-    height: 40%;
-}
-.post .post-description {
-    padding: 5px;
-}
-.post .post-footer {
-    border-top: 1px solid #ddd;
-    padding: 15px;
-}
-.post .post-footer .input-group-addon a {
-    color: #454545;
-}
-.post .post-footer .comments-list {
-    padding: 0;
-    margin-top: 20px;
-    list-style-type: none;
-}
-.post .post-footer .comments-list .comment {
-    display: block;
-    width: 100%;
-    margin: 20px 0;
-}
-.post .post-footer .comments-list .comment .avatar {
-    width: 35px;
-    height: 35px;
-}
-.post .post-footer .comments-list .comment .comment-heading {
-    display: block;
-    width: 100%;
-}
-.post .post-footer .comments-list .comment .comment-heading .user {
-    font-size: 14px;
-    font-weight: bold;
-    display: inline;
-    margin-top: 0;
-    margin-right: 10px;
-}
-.post .post-footer .comments-list .comment .comment-heading .time {
-    font-size: 12px;
-    color: #aaa;
-    margin-top: 0;
-    display: inline;
-}
-.post .post-footer .comments-list .comment .comment-body {
-    margin-left: 50px;
-}
-.post .post-footer .comments-list .comment > .comments-list {
-    margin-left: 50px;
-}

webgoat-lessons/challenge/src/main/resources/css/challenge4.css

@@ -1,12 +0,0 @@
-a.list-group-item {
-    height:auto;
-}
-a.list-group-item.active small {
-    color:#fff;
-}
-.stars {
-    margin:20px auto 1px;
-}
-.img-responsive {
-    min-width: 100%;
-}

webgoat-lessons/challenge/src/main/resources/html/Challenge2.html

@@ -1,112 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_2.adoc"></div>
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge2.css}"/>
-    <script th:src="@{/lesson_js/challenge2.js}" language="JavaScript"></script>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
-        <div class="container-fluid">
-            <form class="attack-form" accept-charset="UNKNOWN"
-                  method="POST" name="form"
-                  action="/WebGoat/challenge/2"
-                  enctype="application/json;charset=UTF-8">
-
-                <input id="discount" type="hidden" value="0"/>
-                <div class="row">
-
-                    <div class="col-xs-3 item-photo">
-                        <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
-                    </div>
-                    <div class="col-xs-5" style="border:0px solid gray">
-                        <h3>Samsung Galaxy S8</h3>
-                        <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
-                            <small style="color:#337ab7">(124421 reviews)</small>
-                        </h5>
-
-                        <h6 class="title-price">
-                            <small>PRICE</small>
-                        </h6>
-                        <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
-
-                        <div class="section">
-                            <h6 class="title-attr" style="margin-top:15px;">
-                                <small>COLOR</small>
-                            </h6>
-                            <div>
-                                <div class="attr" style="width:25px;background:lightgrey;"></div>
-                                <div class="attr" style="width:25px;background:black;"></div>
-                            </div>
-                        </div>
-                        <div class="section" style="padding-bottom:5px;">
-                            <h6 class="title-attr">
-                                <small>CAPACITY</small>
-                            </h6>
-                            <div>
-                                <div class="attr2">64 GB</div>
-                                <div class="attr2">128 GB</div>
-                            </div>
-                        </div>
-                        <div class="section" style="padding-bottom:5px;">
-                            <h6 class="title-attr">
-                                <small>QUANTITY</small>
-                            </h6>
-                            <div>
-                                <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
-                                <input class="quantity" value="1"/>
-                                <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
-                            </div>
-                        </div>
-
-                        <div class="section" style="padding-bottom:5px;">
-                            <h6 class="title-attr">
-                                <small>CHECKOUT CODE</small>
-                            </h6>
-                            <!--
-                              Checkout code: webgoat, owasp, owasp-webgoat
-                            -->
-                            <input name="checkoutCode" class="checkoutCode" value=""/>
-
-                        </div>
-
-                        <div class="section" style="padding-bottom:20px;">
-                            <button type="submit" class="btn btn-success"><span style="margin-right:20px"
-                                                                                class="glyphicon glyphicon-shopping-cart"
-                                                                                aria-hidden="true"></span>Buy
-                            </button>
-                            <h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
-                                                  style="cursor:pointer;"></span>
-                                Like</a></h6>
-                        </div>
-                    </div>
-                </div>
-
-            </form>
-        </div>
-        <br/>
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
-        </form>
-
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
-
-</html>

webgoat-lessons/challenge/src/main/resources/html/Challenge3.html

@@ -1,72 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_3.adoc"></div>
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge3.css}"/>
-    <script th:src="@{/lesson_js/challenge3.js}" language="JavaScript"></script>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
-        <div class="container-fluid">
-            <div class="panel post">
-                <div class="post-heading">
-                    <div class="pull-left image">
-                        <img th:src="@{/images/avatar1.png}"
-                             class="img-circle avatar" alt="user profile image"/>
-                    </div>
-                    <div class="pull-left meta">
-                        <div class="title h5">
-                            <a href="#"><b>John Doe</b></a>
-                            uploaded a photo.
-                        </div>
-                        <h6 class="text-muted time">24 days ago</h6>
-                    </div>
-                </div>
-
-                <div class="post-image">
-                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
-                </div>
-
-                <div class="post-description">
-
-                </div>
-                <div class="post-footer">
-                    <div class="input-group">
-                        <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
-                        <span class="input-group-addon">
-                                <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
-                            </span>
-                    </div>
-                    <ul class="comments-list">
-                        <div id="list">
-                        </div>
-                    </ul>
-                </div>
-            </div>
-        </div>
-
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
-        </form>
-
-
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
-</html>

webgoat-lessons/challenge/src/main/resources/html/Challenge4.html

@@ -1,75 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_4.adoc"></div>
-    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge4.css}"/>
-    <script th:src="@{/lesson_js/bootstrap.min.js}" language="JavaScript"></script>
-    <script th:src="@{/lesson_js/challenge4.js}" language="JavaScript"></script>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <div class="container-fluid">
-
-            <div class="row">
-
-                <div class="well">
-                    <div class="pull-right">
-                        <div class="dropdown">
-                            <button type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle">
-                                <i class="fa fa-user"></i> <span class="caret"></span>
-                            </button>
-                            <ul class="dropdown-menu dropdown-menu-left">
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Guest')"
-                                                           th:text="Guest">current</a></li>
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Tom')"
-                                                           th:text="Tom">current</a></li>
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Jerry')"
-                                                           th:text="Jerry">current</a></li>
-                                <li role="presentation"><a role="menuitem" tabindex="-1"
-                                                           onclick="javascript:login('Sylvester')"
-                                                           th:text="Sylvester">current</a></li>
-                            </ul>
-                        </div>
-                        <div>
-                            <p class="text-right">Welcome back, <b><span id="name"></span></b></p>
-                        </div>
-                    </div>
-
-                    <div>
-                        <h3>Vote for your favorite</h3>
-                    </div>
-                    <div id ="votesList" class="list-group">
-
-                    </div>
-                </div>
-            </div>
-        </div>
-
-        <br/>
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
-        </form>
-
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
-
-</html>

webgoat-lessons/challenge/src/main/resources/html/Challenge9.html

@@ -1,109 +0,0 @@
-<!DOCTYPE html>
-<html xmlns:th="http://www.thymeleaf.org">
-
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:Challenge_9.adoc"></div>
-    <script th:src="@{/lesson_js/challenge9.js}" language="JavaScript"></script>
-
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
-        <div class="container-fluid">
-            <div class="row">
-                <div class="col-md-6">
-                    <h4 style="border-bottom: 1px solid #c5c5c5;">
-                        <i class="glyphicon glyphicon-user"></i>
-                        Account Access
-                    </h4>
-                    <div style="padding: 20px;" id="form-login">
-                        <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
-                              method="POST" name="form"
-                              action="/WebGoat/challenge/9/login"
-                              enctype="application/json;charset=UTF-8" role="form">
-                            <fieldset>
-                                <div class="form-group input-group">
-                                    <span class="input-group-addon"> @ </span>
-                                    <input class="form-control" placeholder="Email" name="email" type="email"
-                                           required="" autofocus=""/>
-                                </div>
-                                <div class="form-group input-group">
-          <span class="input-group-addon">
-            <i class="glyphicon glyphicon-lock">
-            </i>
-          </span>
-                                    <input class="form-control" placeholder="Password" name="password" type="password"
-                                           value="" required=""/>
-                                </div>
-                                <div class="form-group">
-                                    <button type="submit" class="btn btn-primary btn-block">
-                                        Access
-                                    </button>
-                                    <p class="help-block">
-                                        <a class="pull-right text-muted" href="#" id="login">
-                                            <small>Forgot your password?</small>
-                                        </a>
-                                    </p>
-                                </div>
-                            </fieldset>
-                        </form>
-                    </div>
-                    <div style="display: none;" id="form-login">
-                        <h4 class="">
-                            Forgot your password?
-                        </h4>
-                        <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
-                              method="POST" name="form"
-                              action="/WebGoat/challenge/9/create-password-reset-link"
-                              enctype="application/json;charset=UTF-8" role="form">
-                            <fieldset>
-        <span class="help-block">
-          Email address you use to log in to your account
-          <br/>
-          We'll send you an email with instructions to choose a new password.
-        </span>
-                                <div class="form-group input-group">
-          <span class="input-group-addon">
-            @
-          </span>
-                                    <input class="form-control" placeholder="Email" name="email" type="email"
-                                           required=""/>
-                                </div>
-                                <button type="submit" class="btn btn-primary btn-block" id="btn-login">
-                                    Continue
-                                </button>
-                                <p class="help-block">
-                                    <a class="text-muted" href="#" id="forgot">
-                                        <small>Account Access</small>
-                                    </a>
-                                </p>
-                            </fieldset>
-                        </form>
-                    </div>
-                </div>
-            </div>
-        </div>
-
-        <br/>
-        <form class="attack-form" method="POST" name="form" action="/WebGoat/challenge/flag">
-            <div class="form-group">
-                <div class="input-group">
-                    <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
-                                                      style="font-size:20px"></i></div>
-                    <input type="text" class="form-control" id="flag" name="flag"
-                           placeholder="a7179f89-906b-4fec-9d99-f15b796e7208"/>
-                </div>
-                <div class="input-group" style="margin-top: 10px">
-                    <button type="submit" class="btn btn-primary">Submit flag</button>
-                </div>
-            </div>
-
-        </form>
-
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
-
-</html>

webgoat-lessons/challenge/src/main/resources/i18n/WebGoatLabels.properties

@@ -2,7 +2,6 @@ challenge0.title=WebGoat Challenge
 challenge1.title=Admin lost password
 challenge2.title=Get it for free
 challenge3.title=Photo comments
-challenge4.title=Voting
 challenge5.title=Without password
 challenge6.title=Creating a new account
 challenge7.title=Admin password reset
@@ -22,8 +21,7 @@ challenge.flag.incorrect=Sorry this is not the correct flag, please try again.
 
 ip.address.unknown=IP address unknown, e-mail has been sent. 
 
-login_failed=Login failed
-login_failed.tom=Sorry only Tom can login at the moment
+
 
 required4=Missing username or password, please specify both.
 user.not.larry=Please try to log in as Larry not {0}. 

webgoat-lessons/challenge/src/main/resources/js/challenge3.js

@@ -1,45 +0,0 @@
-$(document).ready(function () {
-    $("#postComment").on("click", function () {
-        var commentInput = $("#commentInput").val();
-        $.ajax({
-            type: 'POST',
-            url: 'challenge/3',
-            data: JSON.stringify({text: commentInput}),
-            contentType: "application/json",
-            dataType: 'json'
-        }).then(
-            function () {
-                getChallenges();
-                $("#commentInput").val('');
-            }
-        )
-    })
-
-    var html = '<li class="comment">' +
-        '<div class="pull-left">' +
-        '<img class="avatar" src="images/avatar1.png" alt="avatar"/>' +
-        '</div>' +
-        '<div class="comment-body">' +
-        '<div class="comment-heading">' +
-        '<h4 class="user">USER</h4>' +
-        '<h5 class="time">DATETIME</h5>' +
-        '</div>' +
-        '<p>COMMENT</p>' +
-        '</div>' +
-        '</li>';
-
-    getChallenges();
-
-    function getChallenges() {
-        $("#list").empty();
-        $.get("challenge/3", function (result, status) {
-            for (var i = 0; i < result.length; i++) {
-                var comment = html.replace('USER', result[i].user);
-                comment = comment.replace('DATETIME', result[i].dateTime);
-                comment = comment.replace('COMMENT', result[i].text);
-                $("#list").append(comment);
-            }
-
-        });
-    }
-})

webgoat-lessons/challenge/src/main/resources/js/challenge9.js

@@ -1,10 +0,0 @@
-$(document).ready(function() {
-    $('#login').click(function(e) {
-        e.preventDefault();
-        $('div#form-login').toggle('500');
-    });
-    $('#forgot').click(function(e) {
-        e.preventDefault();
-        $('div#form-login').toggle('500');
-    });
-});

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_3.adoc

@@ -1 +0,0 @@
-Changing language can help you find the 'secret' file

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_4.adoc

@@ -1 +0,0 @@
-Try to change to a different user, maybe you can find the flag?

webgoat-lessons/challenge/src/main/resources/lessonPlans/en/Challenge_9.adoc

@@ -1,3 +0,0 @@
-Tom always resets his password immediately after receiving the email with the link.
-Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
-that password.

webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge2/Assignment2Test.java

@@ -1,49 +0,0 @@
-package org.owasp.webgoat.plugin.challenge2;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.assignments.AssignmentEndpointTest;
-import org.owasp.webgoat.plugin.Flag;
-import org.owasp.webgoat.plugin.SolutionConstants;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@RunWith(MockitoJUnitRunner.class)
-public class Assignment2Test extends AssignmentEndpointTest {
-
-    private MockMvc mockMvc;
-
-    @Before
-    public void setup() {
-        Assignment2 assignment2 = new Assignment2();
-        init(assignment2);
-        new Flag().initFlags();
-        this.mockMvc = standaloneSetup(assignment2).build();
-    }
-
-    @Test
-    public void success() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
-                .param("checkoutCode", SolutionConstants.SUPER_COUPON_CODE))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("flag: " + Flag.FLAGS.get(2))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
-
-    @Test
-    public void wrongCouponCode() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/challenge/2")
-                .param("checkoutCode", "test"))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
-    }
-}

webgoat-lessons/challenge/src/test/java/org/owasp/webgoat/plugin/challenge4/VotesEndpointTest.java

@@ -1,161 +0,0 @@
-package org.owasp.webgoat.plugin.challenge4;
-
-import org.hamcrest.CoreMatchers;
-import org.junit.Before;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.runners.MockitoJUnitRunner;
-import org.owasp.webgoat.plugin.Flag;
-import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.test.web.servlet.MvcResult;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-
-import javax.servlet.http.Cookie;
-
-import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
-import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
-
-/**
- * @author nbaars
- * @since 5/2/17.
- */
-@RunWith(MockitoJUnitRunner.class)
-public class VotesEndpointTest {
-
-    private MockMvc mockMvc;
-
-    @Before
-    public void setup() {
-        VotesEndpoint votesEndpoint = new VotesEndpoint();
-        votesEndpoint.initVotes();
-        new Flag().initFlags();
-        this.mockMvc = standaloneSetup(votesEndpoint).build();
-    }
-
-    @Test
-    public void loginWithUnknownUser() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "uknown"))
-                .andExpect(unauthenticated());
-    }
-
-    @Test
-    public void loginWithTomShouldGiveJwtToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token"));
-    }
-
-    @Test
-    public void loginWithGuestShouldNotGiveJwtToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Guest"))
-                .andExpect(unauthenticated()).andExpect(cookie().value("access_token", ""));
-    }
-
-    @Test
-    public void userShouldSeeMore() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings")
-                .cookie(mvcResult.getResponse().getCookie("access_token")))
-                .andExpect(jsonPath("$.[*].numberOfVotes").exists());
-    }
-
-    @Test
-    public void guestShouldNotSeeNumberOfVotes() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Guest"))
-                .andExpect(unauthenticated()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings")
-                .cookie(mvcResult.getResponse().getCookie("access_token")))
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void adminShouldSeeFlags() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiSmVycnkifQ.")))
-                .andExpect(jsonPath("$.[*].flag").isNotEmpty());
-    }
-
-    @Test
-    public void votingIsNotAllowedAsGuest() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free"))
-                .andExpect(unauthenticated());
-    }
-
-    @Test
-    public void normalUserShouldBeAbleToVote() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
-                .cookie(mvcResult.getResponse().getCookie("access_token")));
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(mvcResult.getResponse().getCookie("access_token")))
-                .andExpect(jsonPath("$..[?(@.title == 'Get it for free')].numberOfVotes", CoreMatchers.hasItem(20001)));
-    }
-
-    @Test
-    public void votingForUnknownLessonShouldNotCrash() throws Exception {
-        MvcResult mvcResult = mockMvc.perform(MockMvcRequestBuilders.get("/votings/login")
-                .param("user", "Tom"))
-                .andExpect(status().isOk()).andExpect(cookie().exists("access_token")).andReturn();
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
-                .cookie(mvcResult.getResponse().getCookie("access_token"))).andExpect(status().isAccepted());
-    }
-
-    @Test
-    public void votingWithInvalidToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/UKNOWN_VOTE")
-                .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
-    }
-
-    @Test
-    public void gettingVotesWithInvalidToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "abc"))).andExpect(unauthenticated());
-    }
-
-    @Test
-    public void gettingVotesWithUnknownUserInToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJhZG1pbiI6InRydWUiLCJ1c2VyIjoiVW5rbm93biJ9.")))
-                .andExpect(unauthenticated())
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void gettingVotesForUnknownShouldWork() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
-                .andExpect(unauthenticated())
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void gettingVotesForKnownWithoutAdminFieldShouldWork() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVG9tIn0.")))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.[*].numberOfVotes").exists());
-    }
-
-    @Test
-    public void gettingVotesWithEmptyToken() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/votings/")
-                .cookie(new Cookie("access_token", "")))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.[*].numberOfVotes").doesNotExist());
-    }
-
-    @Test
-    public void votingAsUnknownUserShouldNotBeAllowed() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/votings/Get it for free")
-                .cookie(new Cookie("access_token", "eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiVW5rbm93biJ9.")))
-                .andExpect(unauthenticated());
-    }
-}

webgoat-lessons/client-side-filtering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
 
 </project>

webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFiltering.java

@@ -56,7 +56,7 @@ public class ClientSideFiltering extends NewLesson {
 
     @Override
     public String getTitle() {
-        return "Client side filtering";
+        return "client.side.filtering.title";
     }
 
     @Override

webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignment.java

@@ -1,9 +1,9 @@
-package org.owasp.webgoat.plugin.challenge2;
+package org.owasp.webgoat.plugin;
 
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.plugin.Flag;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -11,22 +11,23 @@ import org.springframework.web.bind.annotation.ResponseBody;
 
 import java.io.IOException;
 
-import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
-
 /**
  * @author nbaars
  * @since 4/6/17.
  */
-@AssignmentPath("/challenge/2")
-public class Assignment2 extends AssignmentEndpoint {
+@AssignmentPath("/clientSideFiltering/getItForFree")
+@AssignmentHints({"client.side.filtering.free.hint1", "client.side.filtering.free.hint2", "client.side.filtering.free.hint3"})
+public class ClientSideFilteringFreeAssignment extends AssignmentEndpoint {
+
+    public static final String SUPER_COUPON_CODE = "get_it_for_free";
 
     @RequestMapping(method = RequestMethod.POST)
     public
     @ResponseBody
-    AttackResult completed(@RequestParam String checkoutCode) throws IOException {
+    AttackResult completed(@RequestParam String checkoutCode) {
         if (SUPER_COUPON_CODE.equals(checkoutCode)) {
-            return success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
+            return trackProgress(success().build());
         }
-        return failed().build();
+        return trackProgress(failed().build());
     }
 }

webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/plugin/ShopEndpoint.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin.challenge2;
+package org.owasp.webgoat.plugin;
 
 import com.beust.jcommander.internal.Lists;
 import lombok.AllArgsConstructor;
@@ -12,21 +12,21 @@ import org.springframework.web.bind.annotation.RestController;
 import java.util.List;
 import java.util.Optional;
 
-import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 
 /**
  * @author nbaars
  * @since 4/6/17.
  */
 @RestController
-@RequestMapping("challenge-store")
+@RequestMapping("/clientSideFiltering/challenge-store")
 public class ShopEndpoint {
 
     @AllArgsConstructor
     private class CheckoutCodes {
 
         @Getter
-        private List<CheckoutCode> codes = Lists.newArrayList();
+        private List<CheckoutCode> codes;
 
         public Optional<CheckoutCode> get(String code) {
             return codes.stream().filter(c -> c.getCode().equals(code)).findFirst();

webgoat-lessons/client-side-filtering/src/main/resources/html/ClientSideFiltering.html

@@ -73,7 +73,96 @@
         <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
     </div>
 </div>
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:ClientSideFiltering_final.adoc"></div>
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
+    <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
+        <div class="container-fluid">
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/clientSideFiltering/getItForFree"
+                  enctype="application/json;charset=UTF-8">
+
+                <input id="discount" type="hidden" value="0"/>
+                <div class="row">
+
+                    <div class="col-xs-3 item-photo">
+                        <img style="max-width:100%;" th:src="@{/images/samsung-black.jpg}"/>
+                    </div>
+                    <div class="col-xs-5" style="border:0px solid gray">
+                        <h3>Samsung Galaxy S8</h3>
+                        <h5 style="color:#337ab7"><a href="http://www.samsung.com">Samsung</a> ·
+                            <small style="color:#337ab7">(124421 reviews)</small>
+                        </h5>
+
+                        <h6 class="title-price">
+                            <small>PRICE</small>
+                        </h6>
+                        <h3 style="margin-top:0px;"><span>US $</span><span id="price">899</span></h3>
+
+                        <div class="section">
+                            <h6 class="title-attr" style="margin-top:15px;">
+                                <small>COLOR</small>
+                            </h6>
+                            <div>
+                                <div class="attr" style="width:25px;background:lightgrey;"></div>
+                                <div class="attr" style="width:25px;background:black;"></div>
+                            </div>
+                        </div>
+                        <div class="section" style="padding-bottom:5px;">
+                            <h6 class="title-attr">
+                                <small>CAPACITY</small>
+                            </h6>
+                            <div>
+                                <div class="attr2">64 GB</div>
+                                <div class="attr2">128 GB</div>
+                            </div>
+                        </div>
+                        <div class="section" style="padding-bottom:5px;">
+                            <h6 class="title-attr">
+                                <small>QUANTITY</small>
+                            </h6>
+                            <div>
+                                <div class="btn-minus"><span class="glyphicon glyphicon-minus"></span></div>
+                                <input class="quantity" value="1"/>
+                                <div class="btn-plus"><span class="glyphicon glyphicon-plus"></span></div>
+                            </div>
+                        </div>
+
+                        <div class="section" style="padding-bottom:5px;">
+                            <h6 class="title-attr">
+                                <small>CHECKOUT CODE</small>
+                            </h6>
+                            <!--
+                              Checkout code: webgoat, owasp, owasp-webgoat
+                            -->
+                            <input name="checkoutCode" class="checkoutCode" value=""/>
+
+                        </div>
+
+                        <div class="section" style="padding-bottom:20px;">
+                            <button type="submit" class="btn btn-success"><span style="margin-right:20px"
+                                                                                class="glyphicon glyphicon-shopping-cart"
+                                                                                aria-hidden="true"></span>Buy
+                            </button>
+                            <h6><a href="#"><span class="glyphicon glyphicon-heart-empty"
+                                                  style="cursor:pointer;"></span>
+                                Like</a></h6>
+                        </div>
+                    </div>
+                </div>
+
+            </form>
+        </div>
+        <br/>
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
 
 </html>
 

webgoat-lessons/client-side-filtering/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,3 +1,4 @@
+client.side.filtering.title=Client side filtering
 ClientSideFilteringSelectUser=Select user: 
 ClientSideFilteringUserID=User ID
 ClientSideFilteringFirstName=First Name
@@ -25,3 +26,7 @@ ClientSideFilteringHint10=Stage 2: Your filter operator should look something li
 ClientSideFilteringInstructions1=STAGE 1: You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information, except the CEO,  .  Or at least you shouldn't have access to the CEO's information.  For this exercise, examine the contents of the page to see what extra information you can find.
 ClientSideFilteringInstructions2=STAGE 2: Now, fix the problem.  Modify the server to only return results that Moe Stooge is allowed to see.
 ClientSideFiltering.incorrect=This is not the salary from Neville Bartholomew...
+
+client.side.filtering.free.hint1=Look through the webpage inspect the sources etc
+client.side.filtering.free.hint2=Try to see the flow of request from the page to the backend
+client.side.fiterling.free.hint3=One of the responses contains the answer

webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFilteringFree.js

@@ -38,7 +38,7 @@ $(document).ready(function () {
     })
     $(".checkoutCode").on("blur", function () {
         var checkoutCode = $(".checkoutCode").val();
-        $.get("challenge-store/coupons/" + checkoutCode, function (result, status) {
+        $.get("clientSideFiltering/challenge-store/coupons/" + checkoutCode, function (result, status) {
             var discount = result.discount;
             if (discount > 0) {
                 $('#discount').text(discount);

webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/plugin/ClientSideFilteringFreeAssignmentTest.java

@@ -0,0 +1,49 @@
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+
+/**
+ * @author nbaars
+ * @since 5/2/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
+
+    private MockMvc mockMvc;
+
+    @Before
+    public void setup() {
+        ClientSideFiltering clientSideFiltering = new ClientSideFiltering();
+        when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+        when(webSession.getUserName()).thenReturn("unit-test");
+    }
+
+    @Test
+    public void success() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
+                .param("checkoutCode", SUPER_COUPON_CODE))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    public void wrongCouponCode() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
+                .param("checkoutCode", "test"))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+}

webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/plugin/ShopEndpointTest.java

@@ -1,4 +1,4 @@
-package org.owasp.webgoat.plugin.challenge2;
+package org.owasp.webgoat.plugin;
 
 import org.hamcrest.CoreMatchers;
 import org.junit.Before;
@@ -9,7 +9,7 @@ import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.hamcrest.Matchers.is;
-import static org.owasp.webgoat.plugin.SolutionConstants.SUPER_COUPON_CODE;
+import static org.owasp.webgoat.plugin.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
@@ -30,28 +30,28 @@ public class ShopEndpointTest {
 
     @Test
     public void getSuperCoupon() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/" + SUPER_COUPON_CODE))
+        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/" + SUPER_COUPON_CODE))
                 .andExpect(jsonPath("$.code", CoreMatchers.is(SUPER_COUPON_CODE)))
                 .andExpect(jsonPath("$.discount", CoreMatchers.is(100)));
     }
 
     @Test
     public void getCoupon() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/webgoat"))
+        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/webgoat"))
                 .andExpect(jsonPath("$.code", CoreMatchers.is("webgoat")))
                 .andExpect(jsonPath("$.discount", CoreMatchers.is(25)));
     }
 
     @Test
     public void askForUnknownCouponCode() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/does-not-exists"))
+        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/does-not-exists"))
                 .andExpect(jsonPath("$.code", CoreMatchers.is("no")))
                 .andExpect(jsonPath("$.discount", CoreMatchers.is(0)));
     }
 
     @Test
     public void fetchAllTheCouponsShouldContainGetItForFree() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.get("/challenge-store/coupons/"))
+        mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/challenge-store/coupons/"))
                 .andExpect(jsonPath("$.codes[3].code", is("get_it_for_free")));
     }
 

webgoat-lessons/cross-site-scripting/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
     <build>
        <plugins>

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScripting.java

@@ -60,7 +60,7 @@ public class CrossSiteScripting extends NewLesson {
 
     @Override
     public String getTitle() {
-        return "Cross Site Scripting";
+        return "xss.title";
     }
 
     @Override

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java

@@ -49,10 +49,7 @@ import org.owasp.encoder.*;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
@@ -72,20 +69,19 @@ public class StoredXssComments extends AssignmentEndpoint {
         comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
         comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too."));
-        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment,  calling webgoat.customjs.phoneHome() ?"));
+        comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
     }
 
     @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
     @ResponseBody
     public Collection<Comment> retrieveComments() {
-        Collection<Comment> allComments = Lists.newArrayList();
+        List<Comment> allComments = Lists.newArrayList();
         Collection<Comment> newComments = userComments.get(webSession.getUserName());
+        allComments.addAll(comments);
         if (newComments != null) {
             allComments.addAll(newComments);
         }
-
-        allComments.addAll(comments);
-
+        Collections.reverse(allComments);
         return allComments;
     }
 

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,10 +1,11 @@
 # XSS success, failure messages and hints
+xss.title=Cross Site Scripting
 xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue.
 xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy)
 xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
 xss-reflected-5b-failure=Nope, pretty easy to guess now though.
 xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
-xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
+xss-reflected-6a-failure=No, look at the example. Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
 xss.lesson1.failure=Are you sure? Try using a tab from a different site.
 xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc

@@ -4,7 +4,7 @@ You should have been able to execute script with the last example. At this point
 
 Why is that?
 
-That is because there is no link that would tigger that XSS.
+That is because there is no link that would trigger that XSS.
 You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
 
-link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111
+link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc

@@ -1,15 +1,15 @@
-== Ientify Potential for DOM-Based XSS
+== Identify Potential for DOM-Based XSS
 
 DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
-Look for a route that takes inputs that you can ID being 'reflected' to the page.
+Look for a route that takes inputs that are being 'reflected' to the page.
 
 For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
 Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
 
 Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
-it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is:
+it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
 *start.mvc#lesson/*
+The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
 
-The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
-
-So, what is test route for this test code?
+So, what is the route for the test code that stayed in the app during production?
+To answer this question, you have to check the javascript source.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc

@@ -8,4 +8,4 @@ The function you want to execute is ...
 
 Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
 
-Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
+Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc

@@ -2,10 +2,10 @@
 
 
 === Why?
-Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession
+Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session
 
 === What to encode?
-The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen.
+The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
 That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters*
 
 Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).

webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/plugin/StoredXssCommentsTest.java

@@ -33,8 +33,10 @@ import org.mockito.runners.MockitoJUnitRunner;
 import org.owasp.webgoat.assignments.AssignmentEndpointTest;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.ResultActions;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.util.Assert;
 
 
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@@ -80,13 +82,13 @@ public class StoredXssCommentsTest extends AssignmentEndpointTest {
      */
 
     //Ensures it is vulnerable
-//    @Test
-//    public void isNotEncoded() throws Exception {
-//        //do get to get comments after posting xss payload
-//        ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
-//        taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("<script>console.warn('unit test me')</script>"))));
-//    }
-
+    @Test
+    public void isNotEncoded() throws Exception {
+        //do get to get comments after posting xss payload
+        ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
+        MvcResult mvcResult = taintedResults.andReturn();
+        assert(mvcResult.getResponse().getContentAsString().contains("<script>console.warn"));
+    }
 
     //Could be used to test an encoding solution ... commented out so build will pass. Uncommenting will fail build, but leaving in as positive Security Unit Test
 //    @Test
@@ -95,4 +97,4 @@ public class StoredXssCommentsTest extends AssignmentEndpointTest {
 //        ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
 //        taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("&lt;scriptgt;"))));
 //    }
-}
+}

webgoat-lessons/csrf/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M14</version>
+        <version>v8.0.0.M19</version>
     </parent>
 </project>

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFConfirmFlag1.java

@@ -6,30 +6,31 @@ import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import javax.servlet.http.HttpServletRequest;
-
 /**
  * Created by jason on 9/29/17.
  */
 
 @AssignmentPath("/csrf/confirm-flag-1")
-@AssignmentHints({"csrf-get.hint1","csrf-get.hint2","csrf-get.hint3","csrf-get.hint4"})
+@AssignmentHints({"csrf-get.hint1", "csrf-get.hint2", "csrf-get.hint3", "csrf-get.hint4"})
 public class CSRFConfirmFlag1 extends AssignmentEndpoint {
 
     @Autowired
     UserSessionData userSessionData;
 
     @PostMapping(produces = {"application/json"})
-    public @ResponseBody AttackResult completed(String confirmFlagVal) {
+    public @ResponseBody
+    AttackResult completed(String confirmFlagVal) {
 
-        if (confirmFlagVal.equals(userSessionData.getValue("csrf-get-success").toString())) {
-            return success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build();
+        Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
+        if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
+            return trackProgress(
+                    success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build()
+            );
         }
 
-        return  failed().feedback("").build();
+        return trackProgress(failed().build());
     }
 }

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java

@@ -40,7 +40,7 @@ public class CSRFFeedback extends AssignmentEndpoint {
         try {
             objectMapper.readValue(feedback.getBytes(), Map.class);
         } catch (IOException e) {
-           return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
+            return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
         }
         boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().equals(MediaType.TEXT_PLAIN_VALUE);
         correctCSRF &= hostOrRefererDifferentHost(request);
@@ -65,7 +65,11 @@ public class CSRFFeedback extends AssignmentEndpoint {
     private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
         String referer = request.getHeader("referer");
         String host = request.getHeader("host");
-        return !StringUtils.contains(referer, host);
+        if (referer != null) {
+            return !referer.contains(host);
+        } else {
+            return true;
+        }
     }
 
     private boolean requestContainsWebGoatCookie(Cookie[] cookies) {

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetFlag.java

@@ -31,7 +31,7 @@ public class CSRFGetFlag extends Endpoint {
     @ResponseBody
     public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
 
-        Map<String,Object> response = new HashMap<>();
+        Map<String, Object> response = new HashMap<>();
 
         String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
 //        String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
@@ -40,22 +40,32 @@ public class CSRFGetFlag extends Endpoint {
         String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
         String[] refererArr = referer.split("/");
 
-        if (referer.equals("NULL") && req.getParameter("csrf").equals("true")) {
-            Random random = new Random();
-            userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-            response.put("success",true);
-            response.put("message",pluginMessages.getMessage("csrf-get-null-referer.success"));
-            response.put("flag",userSessionData.getValue("csrf-get-success"));
-        }  else if (refererArr[2].equals(host)) {
+
+
+        if (referer.equals("NULL")) {
+            if (req.getParameter("csrf").equals("true")) {
+                Random random = new Random();
+                userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+                response.put("success", true);
+                response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
+                response.put("flag", userSessionData.getValue("csrf-get-success"));
+            } else {
+                Random random = new Random();
+                userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+                response.put("success", true);
+                response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+                response.put("flag", userSessionData.getValue("csrf-get-success"));
+            }
+        } else if (refererArr[2].equals(host)) {
             response.put("success", false);
             response.put("message", "Appears the request came from the original host");
             response.put("flag", null);
         } else {
             Random random = new Random();
             userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-            response.put("success",true);
-            response.put("message",pluginMessages.getMessage("csrf-get-other-referer.success"));
-            response.put("flag",userSessionData.getValue("csrf-get-success"));
+            response.put("success", true);
+            response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+            response.put("flag", userSessionData.getValue("csrf-get-success"));
         }
 
         return response;

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFGetXhrFlag.java

@@ -1,69 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.Endpoint;
-import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Random;
-
-/**
- * Created by jason on 9/30/17.
- */
-
-public class CSRFGetXhrFlag extends Endpoint {
-
-    @Autowired
-    UserSessionData userSessionData;
-    @Autowired
-    private PluginMessages pluginMessages;
-
-    @RequestMapping(produces = {"application/json"}, method = RequestMethod.GET)
-    @ResponseBody
-    public Map<String, Object> invoke(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-
-        Map<String,Object> response = new HashMap<>();
-
-        String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
-//        String origin = (req.getHeader("origin") == null) ? "NULL" : req.getHeader("origin");
-//        Integer serverPort = (req.getServerPort() < 1) ? 0 : req.getServerPort();
-//        String serverName = (req.getServerName() == null) ? "NULL" : req.getServerName();
-        String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
-        String[] refererArr = referer.split("/");
-
-        if (referer.equals("NULL") && req.getParameter("csrf").equals("true")) {
-            Random random = new Random();
-            userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-            response.put("success",true);
-            response.put("message",pluginMessages.getMessage("csrf-get-null-referer.success"));
-            response.put("flag",userSessionData.getValue("csrf-get-success"));
-        }  else if (refererArr[2].equals(host)) {
-            response.put("success", false);
-            response.put("message", "Appears the request came from the original host");
-            response.put("flag", null);
-        } else {
-            Random random = new Random();
-            userSessionData.setValue("csrf-get-success", random.nextInt(65536));
-            response.put("success",true);
-            response.put("message",pluginMessages.getMessage("csrf-get-other-referer.success"));
-            response.put("flag",userSessionData.getValue("csrf-get-success"));
-        }
-
-        return response;
-
-    }
-
-    @Override
-    public String getPath() {
-        return "/csrf/get-xhr-flag";
-    }
-}

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java

@@ -115,22 +115,13 @@ public class ForgedReviews extends AssignmentEndpoint {
         userReviews.put(webSession.getUserName(), reviews);
         //short-circuit
         if (validateReq == null || !validateReq.equals(weakAntiCSRF)) {
-            return failed().feedback("csrf-you-forgot-something").build();
+            return trackProgress(failed().feedback("csrf-you-forgot-something").build());
         }
         //we have the spoofed files
         if (referer != "NULL" && refererArr[2].equals(host) ) {
-            return (failed().feedback("csrf-same-host").build());
+            return trackProgress(failed().feedback("csrf-same-host").build());
         } else {
-            return (success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
-        }
-    }
-
-    private Review parseJson(String comment) {
-        ObjectMapper mapper = new ObjectMapper();
-        try {
-            return mapper.readValue(comment, Review.class);
-        } catch (IOException e) {
-            return new Review();
+            return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
         }
     }
 }

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -15,21 +15,24 @@
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
           method="GET" name="form1"
+          target="_blank"
           successCallback=""
           action="/WebGoat/csrf/basic-get-flag"
           enctype="application/json;charset=UTF-8">
         <input name="csrf" type="hidden" value="false"/>
-        <input type="submit" name="ubmit="/>
+        <input type="submit" name="submit"/>
 
     </form>
 
     <div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div>
 
     <div class="attack-container">
+        <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
         <div class="assignment-success">
             <i class="fa fa-2 fa-check hidden" aria-hidden="true">
             </i>
         </div>
+        <br/>
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
               method="POST" name="form2"
               successCallback=""
@@ -40,7 +43,10 @@
             <input type="text" length="6" name="confirmFlagVal" value=""/>
 
             <input name="submit" value="Submit" type="submit"/>
-
+            <br/>
+            <br/>
+            <br/>
+            <br/>
         </form>
 
         <div class="attack-feedback"></div>
@@ -56,9 +62,9 @@
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
     <script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script>
 
-    <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-
     <div class="attack-container">
+        <img th:src="@{/images/wolf-enabled.png}" class="webwolf-enabled"/>
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">
             <div class="panel post">
                 <div class="post-heading">
@@ -133,65 +139,71 @@
   padding: 7px;
   margin-top:7px;
   padding:5px;">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <div class="container-fluid">
-            <div class="row">
-                <div class="col-md-8">
-                    <div class="well well-sm">
-                        <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
-                              method="POST"
-                              prepareData="feedback"
-                              action="/WebGoat/csrf/feedback/message"
-                              contentType="application/json">
-                            <div class="row">
-                                <div class="col-md-6">
-                                    <div class="form-group">
-                                        <label for="name">
-                                            Name</label>
-                                        <input type="text" class="form-control" name="name" id="name"
-                                               placeholder="Enter name"
-                                               required="required"/>
-                                    </div>
-                                    <div class="form-group">
-                                        <label for="email">
-                                            Email Address</label>
-                                        <div class="input-group">
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <div class="container-fluid">
+                <div class="row">
+                    <div class="col-md-8">
+                        <div class="well well-sm">
+                            <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
+                                  method="POST"
+                                  prepareData="feedback"
+                                  action="/WebGoat/csrf/feedback/message"
+                                  contentType="application/json">
+                                <div class="row">
+                                    <div class="col-md-6">
+                                        <div class="form-group">
+                                            <label for="name">
+                                                Name</label>
+                                            <input type="text" class="form-control" name="name" id="name"
+                                                   placeholder="Enter name"
+                                                   required="required"/>
+                                        </div>
+                                        <div class="form-group">
+                                            <label for="email">
+                                                Email Address</label>
+                                            <div class="input-group">
                                 <span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span>
                                 </span>
-                                            <input type="email" name="email" class="form-control" id="email"
-                                                   placeholder="Enter email"
-                                                   required="required"/></div>
+                                                <input type="email" name="email" class="form-control" id="email"
+                                                       placeholder="Enter email"
+                                                       required="required"/></div>
+                                        </div>
+                                        <div class="form-group">
+                                            <label for="subject">
+                                                Subject</label>
+                                            <select id="subject" name="subject" class="form-control"
+                                                    required="required">
+                                                <option value="na" selected="">Choose One:</option>
+                                                <option value="service">General Customer Service</option>
+                                                <option value="suggestions">Suggestions</option>
+                                                <option value="product">Product Support</option>
+                                            </select>
+                                        </div>
                                     </div>
-                                    <div class="form-group">
-                                        <label for="subject">
-                                            Subject</label>
-                                        <select id="subject" name="subject" class="form-control" required="required">
-                                            <option value="na" selected="">Choose One:</option>
-                                            <option value="service">General Customer Service</option>
-                                            <option value="suggestions">Suggestions</option>
-                                            <option value="product">Product Support</option>
-                                        </select>
+                                    <div class="col-md-6">
+                                        <div class="form-group">
+                                            <label for="name">
+                                                Message</label>
+                                            <textarea name="message" id="message" class="form-control" rows="9"
+                                                      cols="25"
+                                                      required="required"
+                                                      placeholder="Message"></textarea>
+                                        </div>
+                                    </div>
+                                    <div class="col-md-12">
+                                        <button class="btn btn-primary pull-right" id="btnContactUs">
+                                            Send Message
+                                        </button>
                                     </div>
                                 </div>
-                                <div class="col-md-6">
-                                    <div class="form-group">
-                                        <label for="name">
-                                            Message</label>
-                                        <textarea name="message" id="message" class="form-control" rows="9" cols="25"
-                                                  required="required"
-                                                  placeholder="Message"></textarea>
-                                    </div>
-                                </div>
-                                <div class="col-md-12">
-                                    <button class="btn btn-primary pull-right" id="btnContactUs">
-                                        Send Message
-                                    </button>
-                                </div>
-                            </div>
-                        </form>
+                            </form>
+                        </div>
                     </div>
                 </div>
             </div>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
         </div>
     </div>
 
@@ -211,7 +223,6 @@
             <input name="submit" value="Submit" type="submit"/>
 
         </form>
-
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
     </div>

webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties

@@ -20,7 +20,7 @@ csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to o
 
 csrf-feedback-hint1=Look at the content-type.
 csrf-feedback-hint2=Try to post the same message with content-type text/plain
-csrf-feedback-hint3=The json can be put into a hidden field inside 
+csrf-feedback-hint3=The json can be put into a hidden field inside
 
 csrf-feedback-invalid-json=Invalid JSON received.
 csrf-feedback-success=Congratulations you have found the correct solution, the flag is: {0}

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc

@@ -8,11 +8,11 @@ In this assignment you need to achieve to POST the following JSON message to our
 
 [source]
 ----
-POST /csrf/feedback HTTP/1.1
+POST /csrf/feedback/message HTTP/1.1
 
 {
   "name"    : "WebGoat",
-  "email"   : "webgoat@webgoat.org"
+  "email"   : "webgoat@webgoat.org",
   "content" : "WebGoat is the best!!"
 }
 ----

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc

@@ -13,9 +13,14 @@ match and this will ensure the server the request is running on the same domain.
 
 Remember the session cookie should always be defined with http-only flag.
 
-Another effective defense can be to add a custom request header to each call. This will work if all the interactions
+== Custom headers not safe
+
+Another defense can be to add a custom request header to each call. This will work if all the interactions
 with the server are performed with JavaScript. On the server side you only need to check the presence of this header
 if this header is not present deny the request.
+Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed
+as well. You can read about: http://insert-blogspot.nl/2018/05/adobe-reader-pdf-client-side-request.html?m=1[Adobe Reader PDF - Client Side Request Injection]
+
 
 
 

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc

@@ -4,7 +4,20 @@ The impact is limited only by what the logged in user can do (if the site/functi
 The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances.  Sadly, many consumer-grade routers
 have also proven vulnerable to CSRF.
 
-== CSRF Solution
+== CSRF solutions
+
+=== Same site cookie attribute
+
+This is a new extension which modern browsers support which limits the scope of the cookie such that it will only be
+attached to requests if those requests are 'same-site'
+For example requests for `http://webgoat.org/something` will attach same-site cookies if the request is initiated from
+`webgoat.org`.
+There are two modes, strict and lax. The first one does not allow cross site request, this means when you are on
+github.com and you want to like it through Facebook (and Facebook specifies same-site as strict) you will be
+redirected to the login page, because the browser does not attach the cookie for Facebook.
+More information can be found here: www.sjoerdlangkemper.nl/2016/04/14/preventin-csrf-with-samesite-cookie-attribute/
+
+=== Other protections
 
 Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks.  For example, Spring and
 Tomcat have this on by default.  As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks.