WIP

after push on all branches

.github/workflows/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/main.yml

@@ -0,0 +1,42 @@
+name: "CI/CD Pipeline"
+
+on:
+  push:
+    branches: [ '*' ]
+    tags-ignore:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        java: [11, 15]
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Build with Maven
+        run: mvn clean install
+  notify-slack:
+    if: github.event_name == 'push' && (success() || failure())
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Slack workflow notification"
+        uses: Gamesight/slack-workflow-status@master
+        with:
+          repo_token: ${{secrets.GITHUB_TOKEN}}
+          slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}}

.github/workflows/release.yml

@@ -0,0 +1,102 @@
+name: "Release Pipeline"
+on:
+  push:
+    tags:
+      - test*  # todo replace with v*
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        java: [11, 15]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Build with Maven
+        run: mvn clean install -DskipTests
+  docker:
+    name: "Docker build & push"
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: "Check out"
+        uses: actions/checkout@v2
+      - name: "Get tag name"
+        id: tag
+        uses: dawidd6/action-get-tag@v1
+      - name: "Set up QEMU"
+        uses: docker/setup-qemu-action@v1
+      - name: "Set up Docker Buildx"
+        uses: docker/setup-buildx-action@v1
+      - name: "Login to dockerhub"
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: "Build and push"
+        uses: docker/build-push-action@v2
+        with:
+          run: cd docker
+          context: .
+          file: docker/Dockerfile
+          push: false #todo enable
+          platforms: linux/amd64
+          tags: |
+            webgoat/goatandwolf:${{ steps.tag.outputs.tag }}
+          build-args: |
+            webgoat_version=${{ steps.tag.outputs.tag }}
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
+  github_release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v2
+      - name: "Get tag name"
+        id: tag
+        uses: dawidd6/action-get-tag@v1
+      - name: "Create release"
+        uses: softprops/action-gh-release@v1
+        with:
+          draft: false
+          files: |
+            webgoat-server/target/*.jar
+            webwolf/target/*.jar
+          body: |
+            ## Version ${{ steps.tag.outputs.tag }}
+
+            ### New functionality
+
+            - test
+
+            ### Bug fixes
+
+            - [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
+
+
+            ## Contributors
+
+            Special thanks to the following contributors providing us with a pull request:
+
+            - Person 1
+            - Person 2
+
+            And everyone who provided feedback through Github.
+
+
+            Team WebGoat
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -53,3 +53,4 @@ webgoat.log
 webgoat.properties
 webgoat.script
 TestClass.class
+**/*.flattened-pom.xml

.mvn/wrapper/maven-wrapper.properties

@@ -1,2 +1,2 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.1/apache-maven-3.2.1-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.5/apache-maven-3.2.5-bin.zip
 wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar

.travis.yml

@@ -1,10 +1,17 @@
 services:
   - docker
 language: java
+os: 
+  - linux
+  - osx
+dist: xenial
 jdk:
   - openjdk11
-  - openjdk13
+  - openjdk15
-install: "/bin/true"
+addons:
+  firefox: latest
+install:  
+  - true
 script:
   - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH;
     else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
@@ -26,20 +33,22 @@ before_deploy:
   - ls $WEBGOAT_ARTIFACTS_FOLDER
 deploy:
   - provider: script
-    jdk: openjdk11
+    cleanup: false
-    skip_cleanup: true
     script: bash scripts/deploy-webgoat.sh
     on:
+      condition: $TRAVIS_OS_NAME == 'linux'
+      jdk: openjdk11
       tags: true
   - provider: releases
-    jdk: openjdk11
+    cleanup: false
-    skip_cleanup: true
     overwrite: true
-    api_key:
+    token:
       secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
     file_glob: true
     file: "$WEBGOAT_ARTIFACTS_FOLDER/*"
     on:
+      condition: $TRAVIS_OS_NAME == 'linux'
+      jdk: openjdk11
       tags: true
 env:
   global:

README.MD

@@ -3,9 +3,9 @@
 [![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
-[![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
 [![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
+[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 
 # Introduction
 
@@ -29,19 +29,7 @@ first thing that all hackers claim.*
 
 # Installation Instructions:
 
-## 1. Standalone
+## 1. Run using Docker
-
-Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
-
-```Shell
-java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
-```
-
-The latest version of WebGoat needs Java 11 or above. By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
-can bind it to a different address (default localhost)
-
-
-## 2. Run using Docker
 
 Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
 
@@ -50,7 +38,7 @@ Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat
 The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
-docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
+docker run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
 ```
 
 WebGoat will be located at: http://127.0.0.1:8080/WebGoat
@@ -85,6 +73,25 @@ WebWolf will be located at: http://www.webwolf.local/WebWolf
 
 **Important**: the current directory on your host will be mapped into the container for keeping state.
 
+## 2. Standalone
+
+Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
+
+```Shell
+java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
+java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]
+```
+
+The latest version of WebGoat needs Java 11 or above. By default WebGoat and WebWolf start on port 8080,9000 and 9090 with the environment variable WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT you can set different values.
+```Shell
+export WEBGOAT_PORT=18080
+export WEBGOAT_HSQLPORT=19001
+export WEBWOLF_PORT=19090
+java -jar webgoat-server-8.1.0.jar
+java -jar webwolf-8.1.0.jar 
+```
+Use set in stead of export on Windows cmd. 
+
 
 ## 3. Run from the sources
 
@@ -123,20 +130,17 @@ To change IP address add the following variable to WebGoat/webgoat-container/src
 server.address=x.x.x.x
 ```
 
-# Building a new Docker image
+## 4. Run with custom menu
 
-NOTE: Travis will create a new Docker image automatically when making a new release.
+For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting environment variables.
 
+For instance running as a jar on a Linux/MacOS it will look like:
 ```Shell
-cd WebGoat/
+export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
-mvn install
+export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-cd webgoat-server
+java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
-docker build -t webgoat/webgoat-8.0 .
+```
-docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
+Or in a docker run it would (once this version is pushed into docker hub) look like:
-docker login
+```Shell
-docker push webgoat/webgoat-8.0
+docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
 ```
-
-# Run Instructions:
-
-Once installed connect to http://localhost:8080/WebGoat and http://localhost:9090/WebWolf

docker/Dockerfile

@@ -1,14 +1,16 @@
 FROM openjdk:11.0.1-jre-slim-stretch
 
-ARG webgoat_version=v8.0.0-SNAPSHOT
+ARG webgoat_version=v8.2.0-SNAPSHOT
 ENV webgoat_version_env=${webgoat_version}
 
 RUN apt-get update && apt-get install 
 RUN useradd --home-dir /home/webgoat --create-home -U webgoat
+RUN cd /home/webgoat/; 
+RUN chgrp -R 0 /home/webgoat
+RUN chmod -R g=u /home/webgoat
 RUN apt-get -y install apt-utils nginx
 
 USER webgoat
-RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
 
 COPY nginx.conf /etc/nginx/nginx.conf
 COPY index.html /usr/share/nginx/html/

docker/Readme.md

@@ -2,7 +2,7 @@
 
 ## Docker build
 
-	docker build --no-cache --build-arg webgoat_version=v8.0.0-SNAPSHOT -t webgoat/goatandwolf:latest .
+	docker build --no-cache --build-arg webgoat_version=v8.2.0-SNAPSHOT -t webgoat/goatandwolf:latest .
 	
 ## Docker run
 	

docker/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 
     <dependencies>

docker/start.sh

@@ -3,10 +3,10 @@
 cd /home/webgoat 
 service nginx start
 sleep 1
-java -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0  > webgoat.log &
+java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0  > webgoat.log &
 
 sleep 10
  
-java -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
+java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
 
 tail -300f webgoat.log

docs/index.html

@@ -2,285 +2,297 @@
 <html lang="en">
 
 <head>
-
   <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+  <meta http-equiv="refresh" content="0;url=https://owasp.org/www-project-webgoat/" />
-  <meta name="description" content="WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities
+  <link rel="canonical" href="https://owasp.org/www-project-webgoat/" />
-  commonly found in Java-based applications that use common and popular open source components">
-  <meta name="author" content="WebGoat">
-
-  <title>WebGoat</title>
-
-  <!-- Bootstrap core CSS -->
-  <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
-
-  <!-- Custom fonts for this template -->
-  <link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
-  <link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">
-  <link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">
-
-  <!-- Plugin CSS -->
-  <link href="vendor/magnific-popup/magnific-popup.css" rel="stylesheet" type="text/css">
-
-  <!-- Custom styles for this template -->
-  <link href="css/freelancer.min.css" rel="stylesheet">
-
 </head>
-
+<body>
-<body id="page-top">
+<h1>
-
+  The page been moved to <a href="https://owasp.org/www-project-webgoat/">https://owasp.org/www-project-webgoat/</a>
-  <!-- Navigation -->
+</h1>
-  <nav class="navbar navbar-expand-lg bg-secondary fixed-top text-uppercase" id="mainNav">
-    <div class="container">
-      <!-- Brand and toggle get grouped for better mobile display -->
-      <div class="navbar-header page-scroll">
-        <img class="img-responsive" src="img/profile.png" alt="">
-      </div>
-    </div>
-  </nav>
-
-  <!-- Header -->
-  <header class="masthead bg-primary text-white text-center">
-    <div class="container">
-      <div class="row">
-        <div class="col-lg-12">
-          <h2 class="text-center text-uppercase mb-5">Learn the hack - Stop the attack</h2>
-    
-
-        </div>
-      </div>
-      <div class="row">
-        <div class="col-lg-8 mx-auto">
-          <p>WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities
-            commonly found in Java-based applications that use common and popular open source components.</p>
-        </div>
-        <div class="col-lg-8 mx-auto">
-          <a href="https://github.com/WebGoat/WebGoat/releases" class="btn btn-xl btn-outline-light">
-            <i class="fa fa-download"></i> Download standalone
-          </a>
-          <a href="https://hub.docker.com/r/webgoat/webgoat-8.0/" class="btn btn-xl btn-outline-light">
-            <i class="fa fa-download"></i> Run using Docker
-          </a>
-        </div>
-      </div>
-    </div>
-  </header>
-
-  <!-- Portfolio Grid Section -->
-  <section class="portfolio" id="portfolio">
-    <div class="container">
-      <h3 class="text-center text-uppercase text-secondary mb-0">Learn in 3 steps</h3>
-      <hr class="star-dark mb-5">
-      <div class="row">
-        <div class="col-md-6 col-lg-4 text-center">
-          <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-1">
-            <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
-              <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
-                <i class="fa fa-search-plus fa-3x"></i>
-              </div>
-            </div>
-            <img class="img-fluid" src="img/portfolio/teach.png" alt="">
-          </a>
-        </div>
-        <div class="col-md-6 col-lg-4 text-center">
-          <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-2">
-            <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
-              <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
-                <i class="fa fa-search-plus fa-3x"></i>
-              </div>
-            </div>
-            <img class="img-fluid" src="img/portfolio/assignment.png" alt="">
-          </a>
-        </div>
-        <div class="col-md-6 col-lg-4 text-center" >
-          <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-3">
-            <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">
-              <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">
-                <i class="fa fa-search-plus fa-3x"></i>
-              </div>
-            </div>
-            <img class="img-fluid" src="img/portfolio/mitigation.png" alt="">
-          </a>
-        </div>
-      </div>
-    </div>
-  </section>
-
-  <!-- Goals Section -->
-  <section class="bg-primary text-white mb-0" id="goals">
-    <div class="container">
-      <h3 class="text-center text-uppercase text-white">Goals</h3>
-      <hr class="star-light mb-5">
-      <div class="row">
-        <div class="col-lg-6 ml-auto">
-          <p class="lead">
-              Web application security is difficult to learn and practice. Not many people have full blown web applications like online book 
-              stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test 
-              tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe 
-              and legal environment.
-              
-                  </p>
-        </div>
-        <div class="col-lg-6 mr-auto">
-          <p class="lead">Even if your intentions are good, we believe you should never attempt to find vulnerabilities without
-              permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. 
-            In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
-            </p>
-        </div>
-      </div>
-    </div>
-  </section>
-
-   <!-- Contributing Section -->
-   <section class="portfolio" id="portfolio">
-      <div class="container">
-        <h3 class="text-center text-uppercase text-secondary mb-0">More information</h3>
-        <hr class="star-dark mb-5">
-        <div class="row">
-            <div class="col-lg-4 ml-auto">
-                <p class="lead">For more information about running WebGoat / FAQ see our <a href="https://github.com/WebGoat/WebGoat/wiki">wiki pages.</a>
-            </p>
-          </div>
-          <div class="col-lg-4 mr-auto">
-              <p class="lead">Interested in contributing to WebGoat, take a look at our <a href="https://github.com/WebGoat/WebGoat/issues">issues.</a> </p>
-
-          </div>
-        </div>
-      </div>
-    </section>
-  
-
-  <!-- Footer -->
-  <footer class="footer text-center">
-    <div class="container">
-      <div class="row">
-        <div class="col-md-4 mb-5 mb-lg-0">
-        </div>
-        <div class="col-md-4 mb-5 mb-lg-0">
-          <h4 class="text-uppercase mb-4">Around the Web</h4>
-          <ul class="list-inline mb-0">
-            <li class="list-inline-item">
-                  <a class="btn btn-outline-light btn-social text-center rounded-circle" href="mailto:webgoat@owasp.org">
-                    <i class="fa fa-fw fa-at"></i>
-                  </a>
-            </li>
-            <li class="list-inline-item">
-              <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://github.com/WebGoat">
-                <i class="fa fa-fw fa-github"></i>
-              </a>
-            </li>
-            <li class="list-inline-item">
-                <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://stackoverflow.com/search?q=webgoat">
-                  <i class="fa fa-fw fa-stack-overflow"></i>
-                </a>
-              </li>
-            <li class="list-inline-item">
-              <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://twitter.com/OWASP_WebGoat">
-                <i class="fa fa-fw fa-twitter"></i>
-              </a>
-            </li>
-            <li class="list-inline-item">
-                <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://owasp.slack.com/messages/#project-webgoat/">
-                  <i class="fa fa-fw fa-slack"></i>
-                </a>
-              </li>
-          </ul>
-        </div>
-      </div>
-    </div>
-  </footer>
-
-  <div class="copyright py-4 text-center text-white">
-    <div class="container">
-      <small>Team WebGoat 2019</small>
-    </div>
-  </div>
-
-  <!-- Scroll to Top Button (Only visible on small and extra-small screen sizes) -->
-  <div class="scroll-to-top d-lg-none position-fixed ">
-    <a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">
-      <i class="fa fa-chevron-up"></i>
-    </a>
-  </div>
-
-  <!-- Explain modal -->
-  <div class="portfolio-modal mfp-hide" id="portfolio-modal-1">
-    <div class="portfolio-modal-dialog bg-white">
-      <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
-        <i class="fa fa-3x fa-times"></i>
-      </a>
-      <div class="container text-center">
-        <div class="row">
-          <div class="col-lg-8 mx-auto">
-            <h3 class="text-secondary text-uppercase mb-0">Explain the vulnerability</h3>
-            <hr class="star-dark mb-5">
-            <img class="img-fluid mb-5" src="img/portfolio/lesson.png" alt="">
-            <p class="mb-5">Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of 'just hacking' we now focus on explaining from the beginning what for example a SQL injection is.
-            </p>
-            <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
-              <i class="fa fa-close"></i>
-              Close</a>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-
-  <!-- Assignment modal -->
-  <div class="portfolio-modal mfp-hide" id="portfolio-modal-2">
-    <div class="portfolio-modal-dialog bg-white">
-      <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
-        <i class="fa fa-3x fa-times"></i>
-      </a>
-      <div class="container text-center">
-        <div class="row">
-          <div class="col-lg-8 mx-auto">
-            <h3 class="text-secondary text-uppercase mb-0">Learn by doing</h3>
-            <hr class="star-dark mb-5">
-            <img class="img-fluid mb-5" src="img/portfolio/assignment-example.png" alt="">
-            <p class="mb-5">During the explanation of a vulnerability we build assignments which will help you understand how it works.</p>
-            <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
-              <i class="fa fa-close"></i>
-              Close</a>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-
-  <!-- Mitigation modal -->
-  <div class="portfolio-modal mfp-hide" id="portfolio-modal-3">
-    <div class="portfolio-modal-dialog bg-white">
-      <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">
-        <i class="fa fa-3x fa-times"></i>
-      </a>
-      <div class="container text-center">
-        <div class="row">
-          <div class="col-lg-8 mx-auto">
-            <h3 class="text-secondary text-uppercase mb-0">Explain mitigations</h3>
-            <hr class="star-dark mb-5">
-            <img class="img-fluid mb-5" src="img/portfolio/mitigation-example.png" alt="">
-            <p class="mb-5">At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.</p>
-            <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">
-              <i class="fa fa-close"></i>
-              Close</a>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-
-  <!-- Bootstrap core JavaScript -->
-  <script src="vendor/jquery/jquery.min.js"></script>
-  <script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
-
-  <!-- Plugin JavaScript -->
-  <script src="vendor/jquery-easing/jquery.easing.min.js"></script>
-  <script src="vendor/magnific-popup/jquery.magnific-popup.min.js"></script>
-
-  <!-- Custom scripts for this template -->
-  <script src="js/freelancer.min.js"></script>
-
 </body>
-
 </html>
+
+<!--<head>-->
+
+<!--  <meta charset="utf-8">-->
+<!--  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">-->
+<!--  <meta name="description" content="WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities-->
+<!--  commonly found in Java-based applications that use common and popular open source components">-->
+<!--  <meta name="author" content="WebGoat">-->
+
+<!--  <title>WebGoat</title>-->
+
+<!--  &lt;!&ndash; Bootstrap core CSS &ndash;&gt;-->
+<!--  <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">-->
+
+<!--  &lt;!&ndash; Custom fonts for this template &ndash;&gt;-->
+<!--  <link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">-->
+<!--  <link href="https://fonts.googleapis.com/css?family=Montserrat:400,700" rel="stylesheet" type="text/css">-->
+<!--  <link href="https://fonts.googleapis.com/css?family=Lato:400,700,400italic,700italic" rel="stylesheet" type="text/css">-->
+
+<!--  &lt;!&ndash; Plugin CSS &ndash;&gt;-->
+<!--  <link href="vendor/magnific-popup/magnific-popup.css" rel="stylesheet" type="text/css">-->
+
+<!--  &lt;!&ndash; Custom styles for this template &ndash;&gt;-->
+<!--  <link href="css/freelancer.min.css" rel="stylesheet">-->
+
+<!--</head>-->
+
+<!--<body id="page-top">-->
+
+<!--  &lt;!&ndash; Navigation &ndash;&gt;-->
+<!--  <nav class="navbar navbar-expand-lg bg-secondary fixed-top text-uppercase" id="mainNav">-->
+<!--    <div class="container">-->
+<!--      &lt;!&ndash; Brand and toggle get grouped for better mobile display &ndash;&gt;-->
+<!--      <div class="navbar-header page-scroll">-->
+<!--        <img class="img-responsive" src="img/profile.png" alt="">-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </nav>-->
+
+<!--  &lt;!&ndash; Header &ndash;&gt;-->
+<!--  <header class="masthead bg-primary text-white text-center">-->
+<!--    <div class="container">-->
+<!--      <div class="row">-->
+<!--        <div class="col-lg-12">-->
+<!--          <h2 class="text-center text-uppercase mb-5">Learn the hack - Stop the attack</h2>-->
+<!--    -->
+
+<!--        </div>-->
+<!--      </div>-->
+<!--      <div class="row">-->
+<!--        <div class="col-lg-8 mx-auto">-->
+<!--          <p>WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities-->
+<!--            commonly found in Java-based applications that use common and popular open source components.</p>-->
+<!--        </div>-->
+<!--        <div class="col-lg-8 mx-auto">-->
+<!--          <a href="https://github.com/WebGoat/WebGoat/releases" class="btn btn-xl btn-outline-light">-->
+<!--            <i class="fa fa-download"></i> Download standalone-->
+<!--          </a>-->
+<!--          <a href="https://hub.docker.com/r/webgoat/webgoat-8.0/" class="btn btn-xl btn-outline-light">-->
+<!--            <i class="fa fa-download"></i> Run using Docker-->
+<!--          </a>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </header>-->
+
+<!--  &lt;!&ndash; Portfolio Grid Section &ndash;&gt;-->
+<!--  <section class="portfolio" id="portfolio">-->
+<!--    <div class="container">-->
+<!--      <h3 class="text-center text-uppercase text-secondary mb-0">Learn in 3 steps</h3>-->
+<!--      <hr class="star-dark mb-5">-->
+<!--      <div class="row">-->
+<!--        <div class="col-md-6 col-lg-4 text-center">-->
+<!--          <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-1">-->
+<!--            <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
+<!--              <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
+<!--                <i class="fa fa-search-plus fa-3x"></i>-->
+<!--              </div>-->
+<!--            </div>-->
+<!--            <img class="img-fluid" src="img/portfolio/teach.png" alt="">-->
+<!--          </a>-->
+<!--        </div>-->
+<!--        <div class="col-md-6 col-lg-4 text-center">-->
+<!--          <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-2">-->
+<!--            <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
+<!--              <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
+<!--                <i class="fa fa-search-plus fa-3x"></i>-->
+<!--              </div>-->
+<!--            </div>-->
+<!--            <img class="img-fluid" src="img/portfolio/assignment.png" alt="">-->
+<!--          </a>-->
+<!--        </div>-->
+<!--        <div class="col-md-6 col-lg-4 text-center" >-->
+<!--          <a class="portfolio-item d-block mx-auto" href="#portfolio-modal-3">-->
+<!--            <div class="portfolio-item-caption d-flex position-absolute h-100 w-100">-->
+<!--              <div class="portfolio-item-caption-content my-auto w-100 text-center text-white">-->
+<!--                <i class="fa fa-search-plus fa-3x"></i>-->
+<!--              </div>-->
+<!--            </div>-->
+<!--            <img class="img-fluid" src="img/portfolio/mitigation.png" alt="">-->
+<!--          </a>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </section>-->
+
+<!--  &lt;!&ndash; Goals Section &ndash;&gt;-->
+<!--  <section class="bg-primary text-white mb-0" id="goals">-->
+<!--    <div class="container">-->
+<!--      <h3 class="text-center text-uppercase text-white">Goals</h3>-->
+<!--      <hr class="star-light mb-5">-->
+<!--      <div class="row">-->
+<!--        <div class="col-lg-6 ml-auto">-->
+<!--          <p class="lead">-->
+<!--              Web application security is difficult to learn and practice. Not many people have full blown web applications like online book -->
+<!--              stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test -->
+<!--              tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe -->
+<!--              and legal environment.-->
+<!--              -->
+<!--                  </p>-->
+<!--        </div>-->
+<!--        <div class="col-lg-6 mr-auto">-->
+<!--          <p class="lead">Even if your intentions are good, we believe you should never attempt to find vulnerabilities without-->
+<!--              permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. -->
+<!--            In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.-->
+<!--            </p>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </section>-->
+
+<!--   &lt;!&ndash; Contributing Section &ndash;&gt;-->
+<!--   <section class="portfolio" id="portfolio">-->
+<!--      <div class="container">-->
+<!--        <h3 class="text-center text-uppercase text-secondary mb-0">More information</h3>-->
+<!--        <hr class="star-dark mb-5">-->
+<!--        <div class="row">-->
+<!--            <div class="col-lg-4 ml-auto">-->
+<!--                <p class="lead">For more information about running WebGoat / FAQ see our <a href="https://github.com/WebGoat/WebGoat/wiki">wiki pages.</a>-->
+<!--            </p>-->
+<!--          </div>-->
+<!--          <div class="col-lg-4 mr-auto">-->
+<!--              <p class="lead">Interested in contributing to WebGoat, take a look at our <a href="https://github.com/WebGoat/WebGoat/issues">issues.</a> </p>-->
+
+<!--          </div>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </section>-->
+<!--  -->
+
+<!--  &lt;!&ndash; Footer &ndash;&gt;-->
+<!--  <footer class="footer text-center">-->
+<!--    <div class="container">-->
+<!--      <div class="row">-->
+<!--        <div class="col-md-4 mb-5 mb-lg-0">-->
+<!--        </div>-->
+<!--        <div class="col-md-4 mb-5 mb-lg-0">-->
+<!--          <h4 class="text-uppercase mb-4">Around the Web</h4>-->
+<!--          <ul class="list-inline mb-0">-->
+<!--            <li class="list-inline-item">-->
+<!--                  <a class="btn btn-outline-light btn-social text-center rounded-circle" href="mailto:webgoat@owasp.org">-->
+<!--                    <i class="fa fa-fw fa-at"></i>-->
+<!--                  </a>-->
+<!--            </li>-->
+<!--            <li class="list-inline-item">-->
+<!--              <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://github.com/WebGoat">-->
+<!--                <i class="fa fa-fw fa-github"></i>-->
+<!--              </a>-->
+<!--            </li>-->
+<!--            <li class="list-inline-item">-->
+<!--                <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://stackoverflow.com/search?q=webgoat">-->
+<!--                  <i class="fa fa-fw fa-stack-overflow"></i>-->
+<!--                </a>-->
+<!--              </li>-->
+<!--            <li class="list-inline-item">-->
+<!--              <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://twitter.com/OWASP_WebGoat">-->
+<!--                <i class="fa fa-fw fa-twitter"></i>-->
+<!--              </a>-->
+<!--            </li>-->
+<!--            <li class="list-inline-item">-->
+<!--                <a class="btn btn-outline-light btn-social text-center rounded-circle" href="https://owasp.slack.com/messages/#project-webgoat/">-->
+<!--                  <i class="fa fa-fw fa-slack"></i>-->
+<!--                </a>-->
+<!--              </li>-->
+<!--          </ul>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </footer>-->
+
+<!--  <div class="copyright py-4 text-center text-white">-->
+<!--    <div class="container">-->
+<!--      <small>Team WebGoat 2019</small>-->
+<!--    </div>-->
+<!--  </div>-->
+
+<!--  &lt;!&ndash; Scroll to Top Button (Only visible on small and extra-small screen sizes) &ndash;&gt;-->
+<!--  <div class="scroll-to-top d-lg-none position-fixed ">-->
+<!--    <a class="js-scroll-trigger d-block text-center text-white rounded" href="#page-top">-->
+<!--      <i class="fa fa-chevron-up"></i>-->
+<!--    </a>-->
+<!--  </div>-->
+
+<!--  &lt;!&ndash; Explain modal &ndash;&gt;-->
+<!--  <div class="portfolio-modal mfp-hide" id="portfolio-modal-1">-->
+<!--    <div class="portfolio-modal-dialog bg-white">-->
+<!--      <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
+<!--        <i class="fa fa-3x fa-times"></i>-->
+<!--      </a>-->
+<!--      <div class="container text-center">-->
+<!--        <div class="row">-->
+<!--          <div class="col-lg-8 mx-auto">-->
+<!--            <h3 class="text-secondary text-uppercase mb-0">Explain the vulnerability</h3>-->
+<!--            <hr class="star-dark mb-5">-->
+<!--            <img class="img-fluid mb-5" src="img/portfolio/lesson.png" alt="">-->
+<!--            <p class="mb-5">Teaching is now a first class citizen of WebGoat, we explain explain the vulnerability. Instead of 'just hacking' we now focus on explaining from the beginning what for example a SQL injection is.-->
+<!--            </p>-->
+<!--            <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
+<!--              <i class="fa fa-close"></i>-->
+<!--              Close</a>-->
+<!--          </div>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </div>-->
+
+<!--  &lt;!&ndash; Assignment modal &ndash;&gt;-->
+<!--  <div class="portfolio-modal mfp-hide" id="portfolio-modal-2">-->
+<!--    <div class="portfolio-modal-dialog bg-white">-->
+<!--      <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
+<!--        <i class="fa fa-3x fa-times"></i>-->
+<!--      </a>-->
+<!--      <div class="container text-center">-->
+<!--        <div class="row">-->
+<!--          <div class="col-lg-8 mx-auto">-->
+<!--            <h3 class="text-secondary text-uppercase mb-0">Learn by doing</h3>-->
+<!--            <hr class="star-dark mb-5">-->
+<!--            <img class="img-fluid mb-5" src="img/portfolio/assignment-example.png" alt="">-->
+<!--            <p class="mb-5">During the explanation of a vulnerability we build assignments which will help you understand how it works.</p>-->
+<!--            <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
+<!--              <i class="fa fa-close"></i>-->
+<!--              Close</a>-->
+<!--          </div>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </div>-->
+
+<!--  &lt;!&ndash; Mitigation modal &ndash;&gt;-->
+<!--  <div class="portfolio-modal mfp-hide" id="portfolio-modal-3">-->
+<!--    <div class="portfolio-modal-dialog bg-white">-->
+<!--      <a class="close-button d-none d-md-block portfolio-modal-dismiss" href="#">-->
+<!--        <i class="fa fa-3x fa-times"></i>-->
+<!--      </a>-->
+<!--      <div class="container text-center">-->
+<!--        <div class="row">-->
+<!--          <div class="col-lg-8 mx-auto">-->
+<!--            <h3 class="text-secondary text-uppercase mb-0">Explain mitigations</h3>-->
+<!--            <hr class="star-dark mb-5">-->
+<!--            <img class="img-fluid mb-5" src="img/portfolio/mitigation-example.png" alt="">-->
+<!--            <p class="mb-5">At the end of each lesson you will receive an overview of possible mitigations which will help you during your development work.</p>-->
+<!--            <a class="btn btn-primary btn-lg rounded-pill portfolio-modal-dismiss" href="#">-->
+<!--              <i class="fa fa-close"></i>-->
+<!--              Close</a>-->
+<!--          </div>-->
+<!--        </div>-->
+<!--      </div>-->
+<!--    </div>-->
+<!--  </div>-->
+
+<!--  &lt;!&ndash; Bootstrap core JavaScript &ndash;&gt;-->
+<!--  <script src="vendor/jquery/jquery.min.js"></script>-->
+<!--  <script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>-->
+
+<!--  &lt;!&ndash; Plugin JavaScript &ndash;&gt;-->
+<!--  <script src="vendor/jquery-easing/jquery.easing.min.js"></script>-->
+<!--  <script src="vendor/magnific-popup/jquery.magnific-popup.min.js"></script>-->
+
+<!--  &lt;!&ndash; Custom scripts for this template &ndash;&gt;-->
+<!--  <script src="js/freelancer.min.js"></script>-->
+
+<!--</body>-->
+
+<!--</html>-->

pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.1.0</version>
+    <version>${revision}</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -15,13 +15,13 @@
 
     <organization>
         <name>OWASP</name>
-        <url>https://webgoat.github.io/</url>
+        <url>https://github.com/WebGoat/WebGoat/</url>
     </organization>
 
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.2.2.RELEASE</version>
+        <version>2.4.0</version>
     </parent>
 
     <licenses>
@@ -127,7 +127,6 @@
         <commons-lang3.version>3.4</commons-lang3.version>
         <commons-io.version>2.6</commons-io.version>
         <guava.version>18.0</guava.version>
-        <junit.version>4.12</junit.version>
         <lombok.version>1.18.4</lombok.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
@@ -135,6 +134,7 @@
         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
         <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
+        <revision>v8.2.0-SNAPSHOT</revision>
     </properties>
 
     <modules>
@@ -147,6 +147,10 @@
     </modules>
 
     <dependencies>
+	    <dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-validation</artifactId>
+		</dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -166,6 +170,22 @@
 
 <build>
 	<plugins>
+	<plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>flatten-maven-plugin</artifactId>
+        <version>1.2.5</version>
+        <configuration>
+        </configuration>
+        <executions>
+          <execution>
+            <id>flatten</id>
+            <phase>process-resources</phase>
+            <goals>
+              <goal>flatten</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
 		<plugin>
 			<groupId>org.apache.maven.plugins</groupId>
 			<artifactId>maven-compiler-plugin</artifactId>

scripts/deploy-webgoat.sh

@@ -1,32 +1,6 @@
 #!/usr/bin/env bash
 
 docker login -u $DOCKER_USER -p $DOCKER_PASS
-export REPO=webgoat/webgoat-8.0
-
-cd webgoat-server
-ls target/
-
-if [ ! -z "${TRAVIS_TAG}" ]; then
-  # If we push a tag to master this will update the LATEST Docker image and tag with the version number
-  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
-  docker push $REPO
-else
-  echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
-fi
-
-
-export REPO=webgoat/webwolf
-cd ..
-cd webwolf
-ls target/
-
-if [ ! -z "${TRAVIS_TAG}" ]; then
-  # If we push a tag to master this will update the LATEST Docker image and tag with the version number
-  docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
-  docker push $REPO
-else
-  echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
-fi
 
 export REPO=webgoat/goatandwolf
 cd ..

webgoat-container/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 
     <build>

webgoat-container/src/main/java/org/owasp/webgoat/AjaxAuthenticationEntryPoint.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -4,7 +4,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java

@@ -18,7 +18,7 @@ import javax.servlet.http.HttpServletResponse;
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java

@@ -3,7 +3,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java

@@ -34,8 +34,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 
 public abstract class AssignmentEndpoint {
 
-    @Autowired
-    private UserTrackerRepository userTrackerRepository;
     @Autowired
     private WebSession webSession;
     @Autowired

webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  *
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java

@@ -11,7 +11,7 @@ import java.util.List;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java

@@ -9,7 +9,7 @@ import lombok.Getter;
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java

@@ -4,7 +4,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * 
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItemType.java

@@ -4,7 +4,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * 
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
@@ -40,6 +40,7 @@ import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.LessonTracker;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -65,6 +66,12 @@ public class LessonMenuService {
     private final WebSession webSession;
     private UserTrackerRepository userTrackerRepository;
 
+    @Value("#{'${exclude.categories}'.split(',')}")
+    private List<String> excludeCategories;
+
+    @Value("#{'${exclude.lessons}'.split(',')}")
+    private List<String> excludeLessons;
+    
     /**
      * Returns the lesson menu which is used to build the left nav
      *
@@ -79,6 +86,9 @@ public class LessonMenuService {
         UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
 
         for (Category category : categories) {
+        	if (excludeCategories.contains(category.name())) { 
+        		continue;
+        	}
             LessonMenuItem categoryItem = new LessonMenuItem();
             categoryItem.setName(category.getName());
             categoryItem.setType(LessonMenuItemType.CATEGORY);
@@ -86,6 +96,9 @@ public class LessonMenuService {
             List<Lesson> lessons = course.getLessons(category);
             lessons = lessons.stream().sorted(Comparator.comparing(l -> l.getTitle())).collect(Collectors.toList());
             for (Lesson lesson : lessons) {
+            	if (excludeLessons.contains(lesson.getName())) {
+            		continue;
+            	}
                 LessonMenuItem lessonItem = new LessonMenuItem();
                 lessonItem.setName(lesson.getTitle());
                 lessonItem.setLink(lesson.getLink());

webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java

@@ -2,7 +2,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java

@@ -15,7 +15,7 @@ import static java.util.stream.Collectors.toList;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java

@@ -15,7 +15,7 @@ import java.sql.SQLException;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
  * http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
  * License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later

webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java

@@ -17,7 +17,7 @@ import java.util.stream.Collectors;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java

@@ -8,6 +8,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.ArrayList;
+import java.util.Comparator;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -45,6 +46,15 @@ public class Scoreboard {
             UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
             rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
         }
+        /* sort on number of captured flags to present an ordered ranking */
+        rankings.sort(new Comparator<Ranking>() {
+
+			@Override
+			public int compare(Ranking o1, Ranking o2) {
+				
+				return o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size();
+			}
+		});
         return rankings;
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java

@@ -20,7 +20,7 @@ import java.util.stream.Collectors;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/resources/application-webgoat.properties

@@ -50,3 +50,9 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
+
+exclude.categories=${EXCLUDE_CATEGORIES:none,none}
+#exclude based on the enum of the Category
+
+exclude.lessons=${EXCLUDE_LESSONS:none,none}
+#exclude based on the class name of a lesson e.g.: LessonTemplate

webgoat-container/src/main/resources/static/css/main.css

@@ -104,24 +104,15 @@ img {
     font-weight: 700;
 }
 
-#header .toggle-navigation button:hover,
-#header .toggle-navigation button:active,
 #header button#toggle-mail:hover,
 #header button#toggle-mail:active {
     background: #e84c3d;
 }
 
-#header .toggle-navigation button:hover i,
 #header button#toggle-mail:hover i {
     color: #F6F6F6;
 }
 
-#header .toggle-navigation.toggle-left {
-    margin-top: 5px;
-    margin-left: 20px;
-    display: inline-block;
-}
-
 #header .btn-default {
     padding: 3px 9px;
     background: #F6F6F6;
@@ -157,7 +148,7 @@ img {
 
 #header #lesson-title-wrapper {
     display: inline-block;
-    margin: 0 0 0 20px;
+    margin: 0 0 0 30px;
 }
 
 #header .pull-right {
@@ -212,14 +203,6 @@ img {
     font-family: 'Source Sans Pro', Arial, sans-serif;
 }
 
-.main-content-toggle-left {
-    margin-left: 0;
-}
-
-.main-content-toggle-right {
-    margin-right: 240px;
-}
-
 /*==========================================================================
  lesson content / wrapper
  ========================================================================= */
@@ -797,27 +780,10 @@ fieldset[disabled] .btn-warning.active {
         padding-left: 0;
     }
 
-    #header .toggle-navigation.toggle-left {
-        float: left;
-    }
-
-    .sidebar {
-        margin-left: -240px;
-    }
-
-    .sidebar-toggle {
-        margin-left: 0;
-        width: 100%;
-    }
-
     .main-content-wrapper {
         margin-left: 0;
     }
 
-    .main-content-toggle-left {
-        margin-left: 660px;
-    }
-
     .sidebarRight {
         top: 160px;
         width: 100%;
@@ -931,10 +897,6 @@ cookie-container {
     overflow-x: hidden;
 }
 
-.sidebar-toggle {
-    margin-left: -240px;
-}
-
 #menu-container ul,
 #menu-container ul ul {
     margin: -2px 0 0;
@@ -1060,10 +1022,9 @@ cookie-container {
     display: inline-block;
     background-color: #555;
     border-radius: 8px;
-    min-width: 20px;
+    min-width: 25px;
     text-align: center;
     font-weight: bold;
-    padding-top: 2px;
 }
 
 .attack-link.solved-false {
@@ -1094,21 +1055,14 @@ cookie-container {
     margin: 3px;
 }
 
-@keyframes blink {
-    50% {
-        border-color: white;
-    }
-}
-
 .cur-page {
-    animation: blink 1.5s 2 forwards;
+    border: 3px solid #000;
-    border: 3px solid blue;
+    color:#aaa;
-    color: #aaa;
-    background-color: lightsalmon;
 }
 
 span.show-next-page, span.show-prev-page {
-    font-size: 1.3em;
+    font-size: 1.1em;
+    align-content: space-evenly;
 }
 
 .show-prev-page {
@@ -1119,6 +1073,10 @@ span.show-next-page, span.show-prev-page {
     cursor: pointer;
 }
 
+.no-underline:hover {
+    text-decoration: none;
+}
+
 /* attack ... */
 
 .attack-feedback {
@@ -1227,7 +1185,7 @@ div.scoreboard-username {
     color: aliceblue;
     padding: 4px;
     padding-left: 8px;
-    font-size: x-large;
+    font-size: medium;
     border-radius: 6px;
 }
 
@@ -1245,7 +1203,7 @@ div.captured-flag {
     background-color: #444;
     color: white;
     padding: 4px;
-    font-size: x-large;
+    font-size: medium;
     display: inline-block;
 }
 
@@ -1258,13 +1216,6 @@ div.captured-flag {
     color: red
 }
 
-.appseceu-banner {
-    background: url('img/owasp_logo.jpg') no-repeat 0px 0px;
-    height: 117px;
-    width: 1268px;
-    margin-bottom: 20px;
-}
-
 #content {
     position: relative;
 }

webgoat-container/src/main/resources/static/js/application.js

@@ -3,8 +3,6 @@ var app = function() {
     var init = function() {
 
         tooltips();
-        toggleMenuLeft();
-        toggleMenuRight();
         // menu is handled by angular
         //menu();
         togglePanel();
@@ -28,38 +26,6 @@ var app = function() {
 
     };
 
-    var toggleMenuLeft = function() {
-        $('#toggle-left').bind('click', function(e) {
-            if (!$('.sidebarRight').hasClass('.sidebar-toggle-right')) {
-                $('.sidebarRight').removeClass('sidebar-toggle-right');
-                $('.main-content-wrapper').removeClass('main-content-toggle-right');
-            }
-            $('.sidebar').toggleClass('sidebar-toggle');
-            $('.main-content-wrapper').toggleClass('main-content-toggle-left');
-            e.stopPropagation();
-        });
-    };
-
-    var toggleMenuRight = function() {
-        $('#toggle-right').bind('click', function(e) {
-
-            if (!$('.sidebar').hasClass('.sidebar-toggle')) {
-                $('.sidebar').addClass('sidebar-toggle');
-                $('.main-content-wrapper').addClass('main-content-toggle-left');
-            }
-            
-            $('.sidebarRight').toggleClass('sidebar-toggle-right animated bounceInRight');
-            $('.main-content-wrapper').toggleClass('main-content-toggle-right');
-
-            if ( $(window).width() < 660 ) {
-                $('.sidebar').removeClass('sidebar-toggle');
-                $('.main-content-wrapper').removeClass('main-content-toggle-left main-content-toggle-right');
-             };
-
-            e.stopPropagation();
-        });
-    };
-
     var closePanel = function() {
         $('.actions > .fa-times').click(function() {
             $(this).parent().parent().parent().fadeOut();
@@ -67,17 +33,6 @@ var app = function() {
 
     }
 
-    /*
-    var menu = function() {
-        $("#leftside-navigation .sub-menu a").click(function(e) {
-            $("#leftside-navigation ul ul").slideUp();
-            if (!$(this).next().is(":visible")) {
-                $(this).next().slideDown();
-            }
-              e.stopPropagation();
-        });
-    };
-    */
     //End functions
 
     //Dashboard functions

webgoat-container/src/main/resources/static/js/goatApp/templates/paging_controls.html

@@ -1,9 +1,9 @@
 <div>
-    <div class="page-nav-wrapper"><span class="glyphicon-class glyphicon glyphicon-circle-arrow-left show-prev-page"></span></div>
     <div class="page-link-wrapper">
+        <span class="glyphicon-class glyphicon glyphicon-circle-arrow-left show-prev-page"></span>
         <% var baseUrl = overview.baseUrl; %>
         <% _.each(overview.pages, function(page,index) { %>
-            <a href="<%=overview.baseUrl%>/<%=index%>"  alt="Page <%=index++ %>">
+            <a href="<%=overview.baseUrl%>/<%=index%>"  alt="Page <%=index++ %>" class="no-underline">
             <% if (page.content === 'assignment') { %>
                 <div class="<%=page.pageClass%> <%=page.solvedClass%> <%=page.curPageClass%>"><%=index++%></div>
             <% } else { %>
@@ -11,6 +11,6 @@
             <% } %>
             </a>
         <% }); %>
+        <span class="glyphicon-class glyphicon glyphicon-circle-arrow-right show-next-page"></span>
     </div>
-    <div class="page-nav-wrapper"><span class="glyphicon-class glyphicon glyphicon-circle-arrow-right show-next-page"></span></div>
 </div>

webgoat-container/src/main/resources/static/js/goatApp/templates/scoreboard.html

@@ -1,9 +1,7 @@
-<div class="scoreboard-title">WebGoat Challenge</div>
-<div class="appseceu-banner"></div>
 <table class="scoreboard-table">
     <% _.each(rankings, function(userRanking, index) { %>
     <tr>
-        <th class="username"> <div class="scoreboard-username"><%= index%> <%=userRanking.username %> </div></th>
+        <th class="username"> <div class="scoreboard-username"><%= index+1%> - <%=userRanking.username %> </div></th>
         <td class="user-flags"> <% _.each(userRanking.flagsCaptured, function(flag) { %>
 
              <div class="captured-flag">

webgoat-container/src/main/resources/static/js/goatApp/view/HelpControlsView.js

@@ -22,18 +22,7 @@ function($,_,Backbone) {
            $('#show-hints-button').hide();
         },
 
-		render:function(title) {
+		render:function() {
-			$('#show-source-button').hide();
-			$('#show-solution-button').hide();
-			$('#show-plan-button').hide();
-
-			if (this.hasSource) {
-				this.$el.find('#show-source-button').unbind().on('click',_.bind(this.showSource,this)).show();
-			}
-			if (this.hasSolution) {
-				this.$el.find('#show-solution-button').unbind().on('click',_.bind(this.showSolution,this)).show();
-			}
-
 			this.$el.find('#restart-lesson-button').unbind().on('click',_.bind(this.restartLesson,this)).show();
 		},
 

webgoat-container/src/main/resources/static/js/goatApp/view/MenuView.js

@@ -108,7 +108,9 @@ define(['jquery',
 		},
 
 		onLessonClick: function (elementId) {
+			if (this.curLessonLinkId) {
 				$('#'+this.curLessonLinkId).removeClass('selected').parent().removeClass('selected');
+			}
 			//update
 			$('#'+elementId).addClass('selected').parent().addClass('selected');
 			this.curLessonLinkId = elementId;

webgoat-container/src/main/resources/templates/login.html

@@ -13,8 +13,6 @@
         <div class="brand">
             <a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
         </div>
-        <div class="toggle-navigation toggle-left">
-        </div>
         <div class="lessonTitle">
         </div>
 

webgoat-container/src/main/resources/templates/main_new.html

@@ -37,12 +37,6 @@
             <a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
         </div>
         <!--logo end-->
-        <div class="toggle-navigation toggle-left">
-            <button type="button" class="btn btn-default" id="toggle-menu" data-toggle="tooltip" data-placement="right"
-                    title="Toggle Navigation">
-                <i class="fa fa-bars"></i>
-            </button>
-        </div><!--toggle navigation end-->
         <div id="lesson-title-wrapper">
 
         </div><!--lesson title end-->
@@ -109,14 +103,10 @@
 
     <!--main content start-->
     <section class="main-content-wrapper">
-        <section id="main-content"> <!--ng-controller="goatLesson"-->
+        <section id="main-content">
             <div id="lesson-page" class="pages">
                 <div class="row">
                     <div class="col-md-8">
-                        <!--<div class="col-md-12" align="left">-->
-                        <!---->
-                        <!--&lt;!&ndash; hints moved into lesson template &ndash;&gt;-->
-                        <!--</div>-->
                         <div class="col-md-12" align="left">
                             <div id="lesson-content-wrapper" class="panel">
                                 <div class="" id="error-notification-container">
@@ -126,10 +116,6 @@
                                     </div>
                                 </div>
                                 <div class="" id="help-controls">
-                                    <button class="btn btn-primary btn-xs btn-danger help-button"
-                                            id="show-source-button">
-                                        <i class="fa fa-code"></i>
-                                    </button>
                                     <button class="btn btn-primary btn-xs btn-danger help-button"
                                             id="show-hints-button" th:text="#{show.hints}">Show hints
                                     </button>

webgoat-container/src/main/resources/templates/registration.html

@@ -13,8 +13,6 @@
         <div class="brand">
             <a th:href="@{/start.mvc}" class="logo"><span>Web</span>Goat</a>
         </div>
-        <div class="toggle-navigation toggle-left">
-        </div>
         <div class="lessonTitle">
         </div>
 

webgoat-container/src/main/resources/templates/scoreboard.html

@@ -7,14 +7,6 @@
     <meta http-equiv="Cache-Control" CONTENT="no-cache"/>
     <meta http-equiv="Cache-Control" CONTENT="no-store"/>
 
-    <!--[if lt IE 7]>
-    <id class="no-js lt-ie9 lt-ie8 lt-ie7"/> <![endif]-->
-    <!--[if IE 7]>
-    <id class="no-js lt-ie9 lt-ie8"/> <![endif]-->
-    <!--[if IE 8]>
-    <id class="no-js lt-ie9"/> <![endif]-->
-    <!--[if gt IE 8]><!-->
-
     <!--  CSS -->
     <link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
 
@@ -28,13 +20,35 @@
     <meta http-equiv="Content-Type" content="text/id; charset=ISO-8859-1"/>
     <title>WebGoat</title>
 </head>
-<body class="scoreboard-page">
+<!--  <body class="scoreboard-page"> -->
+<body>
+<header id="header">
+        <!--logo start-->
+        <div class="brand">
+            <a th:href="@{/welcome.mvc}" class="logo"><span>Web</span>Goat</a>
+        </div>
+        <!--logo end-->
+        <div id="lesson-title-wrapper">
+			<h1 id="lesson-title">WebGoat challenges ranking</h1>
+        </div><!--lesson title end-->
+        <div class="user-nav pull-right" id="user-and-info-nav" style="margin-right: 75px;">
+        </div>
+    </header>
+<section id="container">
+<!--main content start-->
+    <section class="main-content-wrapper">
+        <section id="main-content">
 
 <div id="scoreboard-wrapper">
     <div id="scoreboard">
         <!-- will use _ template here -->
     </div>
 </div>
+
+</section>
+</section>
+</section>
+
 </body>
 
 

webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java

@@ -23,7 +23,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -53,12 +53,6 @@ public class LabelServiceTest {
 
     @Autowired
     public MockMvc mockMvc;
-    @MockBean
-    private Course course;
-    @MockBean
-    private UserService userService;
-    @MockBean
-    private LessonTrackerInterceptor interceptor;
 
     @Test
     @WithMockUser(username = "guest", password = "guest")

webgoat-container/src/test/java/org/owasp/webgoat/service/LessonMenuServiceTest.java

@@ -47,6 +47,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
 
+import java.util.Arrays;
+
 @RunWith(MockitoJUnitRunner.class)
 public class LessonMenuServiceTest {
 
@@ -64,7 +66,7 @@ public class LessonMenuServiceTest {
 
     @Before
     public void setup() {
-        this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository)).build();
+        this.mockMvc = standaloneSetup(new LessonMenuService(course, webSession, userTrackerRepository, Arrays.asList("none"), Arrays.asList("none"))).build();
     }
 
     @Test

webgoat-container/src/test/java/org/owasp/webgoat/service/LessonProgressServiceTest.java

@@ -30,7 +30,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/test/java/org/owasp/webgoat/session/CourseTest.java

@@ -5,7 +5,7 @@ package org.owasp.webgoat.session;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/test/java/org/owasp/webgoat/session/LessonTrackerTest.java

@@ -18,7 +18,7 @@ import static org.mockito.Mockito.when;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-integration-tests/pom.xml

@@ -6,10 +6,21 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 
     <dependencies>
+    	<dependency>
+            <groupId>org.seleniumhq.selenium</groupId>
+	    <artifactId>selenium-java</artifactId>
+	    <scope>test</scope>
+	</dependency>
+	<dependency>
+    	<groupId>io.github.bonigarcia</groupId>
+    	<artifactId>webdrivermanager</artifactId>
+    	<version>4.2.2</version>
+    	<scope>test</scope>
+	</dependency>
         <dependency>
             <groupId>org.owasp.webgoat</groupId>
             <artifactId>webgoat-server</artifactId>

webgoat-integration-tests/src/test/java/org/owasp/webgoat/CSRFTest.java

@@ -1,8 +1,15 @@
 package org.owasp.webgoat;
 
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import io.restassured.RestAssured;
-import static org.junit.jupiter.api.DynamicTest.dynamicTest;
+import io.restassured.http.ContentType;
+import lombok.Data;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DynamicTest;
+import org.junit.jupiter.api.TestFactory;
+import org.owasp.webgoat.lessons.Assignment;
 
 import java.io.IOException;
 import java.nio.file.Files;
@@ -12,14 +19,9 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 
-import org.junit.jupiter.api.AfterEach;
+import static org.assertj.core.api.Assertions.assertThat;
-import org.junit.jupiter.api.BeforeEach;
+import static org.junit.jupiter.api.Assertions.assertEquals;
-import org.junit.jupiter.api.DynamicTest;
+import static org.junit.jupiter.api.DynamicTest.dynamicTest;
-import org.junit.jupiter.api.TestFactory;
-
-import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-import lombok.SneakyThrows;
 
 public class CSRFTest extends IntegrationTest {
 
@@ -65,10 +67,10 @@ public class CSRFTest extends IntegrationTest {
     @TestFactory
     Iterable<DynamicTest> testCSRFLesson() {
         return Arrays.asList(
-    			dynamicTest("assignement 3",()-> checkAssignment3(callTrickHtml("csrf3.html"))),
+                dynamicTest("assignement 3", () -> checkAssignment3(callTrickHtml("csrf3.html"))),
-    			dynamicTest("assignement 4",()-> checkAssignment4(callTrickHtml("csrf4.html"))),
+                dynamicTest("assignement 4", () -> checkAssignment4(callTrickHtml("csrf4.html"))),
-    			dynamicTest("assignement 7",()-> checkAssignment7(callTrickHtml("csrf7.html"))),
+                dynamicTest("assignement 7", () -> checkAssignment7(callTrickHtml("csrf7.html"))),
-    			dynamicTest("assignement 8",()-> checkAssignment8(callTrickHtml("csrf8.html")))
+                dynamicTest("assignement 8", () -> checkAssignment8(callTrickHtml("csrf8.html")))
         );
     }
 
@@ -84,8 +86,8 @@ public class CSRFTest extends IntegrationTest {
 
         //remove any left over html
         Path webWolfFilePath = Paths.get(webwolfFileDir);
-        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)).toFile().exists()) {
+        if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)).toFile().exists()) {
-        	Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),htmlName)));
+            Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(), htmlName)));
         }
 
         //upload trick html
@@ -105,10 +107,10 @@ public class CSRFTest extends IntegrationTest {
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
                 .cookie("WEBWOLFSESSION", getWebWolfCookie())
-    	        .get(webWolfUrl("/files/"+getWebgoatUser()+"/"+htmlName))
+                .get(webWolfUrl("/files/" + getWebgoatUser() + "/" + htmlName))
                 .then()
                 .extract().response().getBody().asString();
-    	result = result.substring(8+result.indexOf("action=\""));
+        result = result.substring(8 + result.indexOf("action=\""));
         result = result.substring(0, result.indexOf("\""));
 
         return result;
@@ -164,11 +166,11 @@ public class CSRFTest extends IntegrationTest {
                 .cookie("JSESSIONID", getWebGoatCookie())
                 .header("Referer", webWolfUrl("/files/fake.html"))
                 .contentType(ContentType.TEXT)
-            	.body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!"+ "=\"}")
+                .body("{\"name\":\"WebGoat\",\"email\":\"webgoat@webgoat.org\",\"content\":\"WebGoat is the best!!" + "=\"}")
                 .post(goatURL)
                 .then()
                 .extract().asString();
-    	flag = flag.substring(9+flag.indexOf("flag is:"));
+        flag = flag.substring(9 + flag.indexOf("flag is:"));
         flag = flag.substring(0, flag.indexOf("\""));
 
         params.clear();
@@ -184,8 +186,8 @@ public class CSRFTest extends IntegrationTest {
 
         Map<String, Object> params = new HashMap<>();
         params.clear();
-        params.put("username", "csrf-"+getWebgoatUser());
+        params.put("username", "csrf-" + getWebgoatUser());
-        params.put("password","password");
+        params.put("password", "password");
 
         //login and get the new cookie
         String newCookie = RestAssured.given()
@@ -217,9 +219,28 @@ public class CSRFTest extends IntegrationTest {
                 .statusCode(200)
                 .extract().path("lessonCompleted");
 
-    	//vaidate the result
+        assertThat(result).isTrue();
-    	assertEquals(true, result);
 
+        login();
+        startLesson("CSRF", false);
+
+        Overview[] assignments = RestAssured.given()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/service/lessonoverview.mvc"))
+                .then()
+                .extract()
+                .jsonPath()
+                .getObject("$", Overview[].class);
+		assertThat(assignments)
+                .filteredOn(a -> a.getAssignment().getName().equals("CSRFLogin"))
+                .extracting(o -> o.solved)
+                .containsExactly(true);
+    }
+
+    @Data
+    private static class Overview {
+        Assignment assignment;
+        boolean solved;
     }
 
     /**
@@ -230,7 +251,7 @@ public class CSRFTest extends IntegrationTest {
         RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
-                    .formParam("username", "csrf-"+getWebgoatUser())
+                .formParam("username", "csrf-" + getWebgoatUser())
                 .formParam("password", "password")
                 .formParam("matchingPassword", "password")
                 .formParam("agree", "agree")

webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java

@@ -70,4 +70,45 @@ public class ChallengeTest extends IntegrationTest {
         assertTrue(capturefFlags.contains("Admin lost password"));
     }
 	
+	@Test
+    public void testChallenge5() {
+    	startLesson("Challenge5");      
+    	
+    	Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("username_login", "Larry");
+        params.put("password_login", "1' or '1'='1");
+       
+        String result = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .formParams(params)
+                .post(url("/WebGoat/challenge/5"))
+                .then()
+                .statusCode(200)
+                .extract().asString();
+        
+        String flag = result.substring(result.indexOf("flag")+6,result.indexOf("flag")+42);
+    	params.clear();
+       	params.put("flag", flag);
+        checkAssignment(url("/WebGoat/challenge/flag"), params, true);
+         
+  
+        checkResults("/challenge/5");      
+        
+        List<String> capturefFlags = 
+        		RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .get(url("/WebGoat/scoreboard-data"))
+                .then()
+                .statusCode(200)
+                .extract().jsonPath()
+                .get("find { it.username == \"" + getWebgoatUser() + "\" }.flagsCaptured");
+        assertTrue(capturefFlags.contains("Without password"));
+    }
+    
 }

webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java

@@ -3,7 +3,7 @@ package org.owasp.webgoat;
 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import org.hamcrest.CoreMatchers;
-import org.junit.Assert;
+import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.Test;
 
 import java.util.HashMap;
@@ -38,7 +38,7 @@ public class GeneralLessonTest extends IntegrationTest {
     @Test
     public void httpProxies() {
         startLesson("HttpProxies");
-        Assert.assertThat(RestAssured.given()
+        MatcherAssert.assertThat(RestAssured.given()
                 .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
                 .contentType(ContentType.JSON)
                 .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
@@ -64,11 +64,16 @@ public class GeneralLessonTest extends IntegrationTest {
     
     @Test
     public void vulnerableComponents() {
-    	String solution = "<contact>\n" + 
+    	String solution = "<contact class='dynamic-proxy'>\n" + 
-    			"    <java.lang.Integer>1</java.lang.Integer>\n" + 
+    			"<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>\n" + 
-    			"    <firstName>Bruce</firstName>\n" + 
+    			"  <handler class='java.beans.EventHandler'>\n" + 
-    			"    <lastName>Mayhew</lastName>\n" + 
+    			"    <target class='java.lang.ProcessBuilder'>\n" + 
-    			"    <email>webgoat@owasp.org</email>\n" + 
+    			"      <command>\n" + 
+    			"        <string>calc.exe</string>\n" + 
+    			"      </command>\n" + 
+    			"    </target>\n" + 
+    			"    <action>start</action>\n" + 
+    			"  </handler>\n" + 
     			"</contact>";
     	startLesson("VulnerableComponents");
         Map<String, Object> params = new HashMap<>();
@@ -109,7 +114,7 @@ public class GeneralLessonTest extends IntegrationTest {
         checkResults("/auth-bypass/");
 
         startLesson("HttpProxies");
-        Assert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
+        MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
                 .contentType(ContentType.JSON)
                 .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
                 .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));

webgoat-integration-tests/src/test/java/org/owasp/webgoat/IDORTest.java

@@ -9,7 +9,7 @@ import java.util.HashMap;
 import java.util.Map;
 
 import org.hamcrest.CoreMatchers;
-import org.junit.Assert;
+import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DynamicTest;
@@ -53,7 +53,7 @@ public class IDORTest extends IntegrationTest {
     }
     
     private void profile() {
-    	Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -70,7 +70,7 @@ public class IDORTest extends IntegrationTest {
         params.put("url", "WebGoat/IDOR/profile/2342384");
         checkAssignment(url("/WebGoat/IDOR/profile/alt-path"), params, true);
         
-        Assert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -80,7 +80,7 @@ public class IDORTest extends IntegrationTest {
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
         
-        Assert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()

webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java

@@ -4,10 +4,7 @@ import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
 import lombok.Getter;
 import org.hamcrest.CoreMatchers;
-import org.junit.After;
+import org.hamcrest.MatcherAssert;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
@@ -49,7 +46,6 @@ public abstract class IntegrationTest {
 
     private static boolean started = false;
 
-    @BeforeClass
     @BeforeAll
     public static void beforeAll() {
         if (WG_SSL) {
@@ -91,7 +87,6 @@ public abstract class IntegrationTest {
         return WEBWOLF_URL + url;
     }
 
-    @Before
     @BeforeEach
     public void login() {
 
@@ -143,7 +138,6 @@ public abstract class IntegrationTest {
                 .cookie("WEBWOLFSESSION");
     }
 
-    @After
     @AfterEach
     public void logout() {
         RestAssured.given()
@@ -193,7 +187,7 @@ public abstract class IntegrationTest {
      * @param expectedResult
      */
     public void checkAssignment(String url, Map<String, ?> params, boolean expectedResult) {
-        Assert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -215,7 +209,7 @@ public abstract class IntegrationTest {
      * @param expectedResult
      */
     public void checkAssignmentWithPUT(String url, Map<String, ?> params, boolean expectedResult) {
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -231,7 +225,7 @@ public abstract class IntegrationTest {
     public void checkResults(String prefix) {
         checkResults();
 
-        Assert.assertThat(RestAssured.given()
+        MatcherAssert.assertThat(RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
@@ -242,7 +236,7 @@ public abstract class IntegrationTest {
     }
 
     public void checkResults() {
-        Assert.assertThat(RestAssured.given()
+    	MatcherAssert.assertThat(RestAssured.given()
                 .when()
                 .relaxedHTTPSValidation()
                 .cookie("JSESSIONID", getWebGoatCookie())
@@ -252,7 +246,7 @@ public abstract class IntegrationTest {
     }
 
     public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -266,7 +260,7 @@ public abstract class IntegrationTest {
     }
 
     public void checkAssignmentWithGet(String url, Map<String, ?> params, boolean expectedResult) {
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()

webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java

@@ -12,7 +12,7 @@ import java.util.HashMap;
 import java.util.Map;
 
 import org.hamcrest.CoreMatchers;
-import org.junit.Assert;
+import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.Test;
 import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;
 
@@ -86,7 +86,7 @@ public class JWTLessonTest extends IntegrationTest {
     	
     	String secret = getSecretToken(accessToken);
     	
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -126,7 +126,7 @@ public class JWTLessonTest extends IntegrationTest {
         		.concat(new String(Base64.getUrlEncoder().encode(bodyObject.toString().getBytes())).toString())
         		.concat(".").replace("=", "");
         
-        Assert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -154,7 +154,7 @@ public class JWTLessonTest extends IntegrationTest {
 				.concat(new String(Base64.getUrlEncoder().encode(body.getBytes())).toString())
 				.concat(".").replace("=", "");
 
-		Assert.assertThat(RestAssured.given()
+		MatcherAssert.assertThat(RestAssured.given()
 				.when().relaxedHTTPSValidation()
 				.cookie("JSESSIONID", getWebGoatCookie())
 				.header("Authorization","Bearer "+replacedToken)
@@ -180,7 +180,7 @@ public class JWTLessonTest extends IntegrationTest {
 				.claim("Role", new String[] {"Manager", "Project Administrator"})
 				.signWith(SignatureAlgorithm.HS256, "deletingTom").compact();
 		
-		Assert.assertThat(RestAssured.given()
+		MatcherAssert.assertThat(RestAssured.given()
 				.when().relaxedHTTPSValidation()
 				.cookie("JSESSIONID", getWebGoatCookie())
 				.post(url("/WebGoat/JWT/final/delete?token="+token))

webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java

@@ -10,7 +10,7 @@ import java.util.Arrays;
 import java.util.Map;
 
 import org.hamcrest.CoreMatchers;
-import org.junit.Assert;
+import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DynamicTest;
@@ -49,7 +49,7 @@ public class PathTraversalTest extends IntegrationTest {
     }
     
     public void assignment1() throws IOException {
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -63,7 +63,7 @@ public class PathTraversalTest extends IntegrationTest {
     }
 
     public void assignment2() throws IOException {
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -77,7 +77,7 @@ public class PathTraversalTest extends IntegrationTest {
     }
 
     public void assignment3() throws IOException {
-        Assert.assertThat(
+    	MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()

webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java

@@ -2,6 +2,8 @@ package org.owasp.webgoat;
 
 import io.restassured.RestAssured;
 import io.restassured.response.Response;
+import lombok.extern.log4j.Log4j;
+
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
 
@@ -18,26 +20,37 @@ public class ProgressRaceConditionTest extends IntegrationTest {
 
     @Test
     public void runTests() throws InterruptedException {
+    	int NUMBER_OF_CALLS = 40;
+    	int NUMBER_OF_PARALLEL_THREADS = 5;
         startLesson("Challenge1");
 
-        Callable<Response> call = () ->
+        Callable<Response> call = () -> {
-                RestAssured.given()
+        		//System.out.println("thread "+Thread.currentThread().getName());
+                return RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
                         .formParams(Map.of("flag", "test"))
                         .post(url("/challenge/flag/"));
-        ExecutorService executorService = Executors.newFixedThreadPool(20);
+                
-        List<? extends Callable<Response>> flagCalls = IntStream.range(0, 20).mapToObj(i -> call).collect(Collectors.toList());
+        };
+        ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS); 
+        List<? extends Callable<Response>> flagCalls = IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
         var responses = executorService.invokeAll(flagCalls);
 
         //A certain amount of parallel calls should fail as optimistic locking in DB is applied
-        Assertions.assertThat(responses.stream().filter(r -> {
+        long countStatusCode500 = responses.stream().filter(r -> {
             try {
-                return r.get().getStatusCode() == 500;
+            	//System.err.println(r.get().getStatusCode());
+                return r.get().getStatusCode() != 200;
             } catch (InterruptedException | ExecutionException e) {
+            	//System.err.println(e);
                 throw new IllegalStateException(e);
             }
-        }).count()).isGreaterThan(8);
+        }).count();
+        System.out.println("counted status 500: "+countStatusCode500);
+        Assertions.assertThat(countStatusCode500).isLessThanOrEqualTo((NUMBER_OF_CALLS - (NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS)));
+        Assertions.assertThat(countStatusCode500).isGreaterThan((NUMBER_OF_CALLS/NUMBER_OF_PARALLEL_THREADS)); 
+    	
     }
 }

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SSRFTest.java

@@ -0,0 +1,30 @@
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+public class SSRFTest extends IntegrationTest {
+    
+    @Test
+    public void runTests() throws IOException {
+        startLesson("SSRF");
+        
+        Map<String, Object> params = new HashMap<>();
+        params.clear();
+        params.put("url", "images/jerry.png");
+        
+        checkAssignment(url("/WebGoat/SSRF/task1"),params,true);
+        params.clear();
+        params.put("url", "http://ifconfig.pro");
+        
+        checkAssignment(url("/WebGoat/SSRF/task2"),params,true);
+        
+        checkResults("/SSRF/");
+    
+    }
+    
+    
+}

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SeleniumTest.java

@@ -0,0 +1,111 @@
+package org.owasp.webgoat;
+
+import java.util.concurrent.TimeUnit;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.openqa.selenium.By;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.firefox.FirefoxBinary;
+import org.openqa.selenium.firefox.FirefoxDriver;
+import org.openqa.selenium.firefox.FirefoxOptions;
+
+import io.github.bonigarcia.wdm.WebDriverManager;
+import io.github.bonigarcia.wdm.config.DriverManagerType;
+
+public class SeleniumTest extends IntegrationTest {
+
+	static {
+		try {
+			WebDriverManager.getInstance(DriverManagerType.FIREFOX).setup();
+		} catch (Exception e) {
+			//sometimes a 403 cause an ExceptionInInitializerError
+		}
+	}
+	private WebDriver driver;
+
+	@BeforeEach
+	public void setUpAndLogin() {
+		try {
+			FirefoxBinary firefoxBinary = new FirefoxBinary();
+			firefoxBinary.addCommandLineOptions("--headless");
+
+			FirefoxOptions firefoxOptions = new FirefoxOptions();
+			firefoxOptions.setBinary(firefoxBinary);
+			driver = new FirefoxDriver(firefoxOptions);
+			driver.get(url("/login"));
+			driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
+			// Login
+			driver.findElement(By.name("username")).sendKeys(getWebgoatUser());
+			driver.findElement(By.name("password")).sendKeys("password");
+			driver.findElement(By.className("btn")).click();
+
+			// Check if user exists. If not, create user.
+			if (driver.getCurrentUrl().equals(url("/login?error"))) {
+				driver.get(url("/registration"));
+				driver.findElement(By.id("username")).sendKeys(getWebgoatUser());
+				driver.findElement(By.id("password")).sendKeys("password");
+				driver.findElement(By.id("matchingPassword")).sendKeys("password");
+				driver.findElement(By.name("agree")).click();
+				driver.findElement(By.className("btn-primary")).click();
+			}
+		} catch (IllegalStateException e) {
+			System.err.println("Web driver not found here: "+System.getProperty("webdriver.gecko.driver"));
+		}
+
+	}
+
+	@AfterEach
+	public void tearDown() {
+		if (null != driver) {
+			driver.close();
+		}
+	}
+
+	@Test
+	public void sqlInjection() {
+		
+		if (null==driver) return;
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson"));
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
+		driver.findElement(By.id("restart-lesson-button")).click();
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/0"));
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/1"));
+		driver.findElement(By.name("query")).sendKeys(SqlInjectionLessonTest.sql_2);
+		driver.findElement(By.name("query")).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/2"));
+		driver.findElements(By.name("query")).get(1).sendKeys(SqlInjectionLessonTest.sql_3);
+		driver.findElements(By.name("query")).get(1).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
+		driver.findElements(By.name("query")).get(2).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/3"));
+		driver.findElements(By.name("query")).get(2).clear();
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_add);
+		driver.findElements(By.name("query")).get(2).submit();
+		driver.findElements(By.name("query")).get(2).clear();
+		driver.findElements(By.name("query")).get(2).sendKeys(SqlInjectionLessonTest.sql_4_drop);
+		driver.findElements(By.name("query")).get(2).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/4"));
+		driver.findElements(By.name("query")).get(3).sendKeys(SqlInjectionLessonTest.sql_5);
+		driver.findElements(By.name("query")).get(3).submit();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/8"));
+		driver.findElement(By.name("account")).sendKeys("Smith'");
+		driver.findElement(By.name("operator")).sendKeys("OR");
+		driver.findElement(By.name("injection")).sendKeys("'1'='1");
+		driver.findElement(By.name("Get Account Info")).click();
+
+		driver.get(url("/start.mvc#lesson/SqlInjection.lesson/9"));
+		driver.findElement(By.name("userid")).sendKeys(SqlInjectionLessonTest.sql_10_userid);
+		driver.findElement(By.name("login_count")).sendKeys(SqlInjectionLessonTest.sql_10_login_count);
+		driver.findElements(By.name("Get Account Info")).get(1).click();
+	}
+
+}

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionLessonTest.java

@@ -7,24 +7,24 @@ import org.junit.jupiter.api.Test;
 
 public class SqlInjectionLessonTest extends IntegrationTest {
 
-    private static final String sql_2 = "select department from employees where last_name='Franco'";
+    public static final String sql_2 = "select department from employees where last_name='Franco'";
-    private static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
+    public static final String sql_3 = "update employees set department='Sales' where last_name='Barnett'";
-    private static final String sql_4_drop = "alter table employees drop column phone";
+    public static final String sql_4_drop = "alter table employees drop column phone";
-    private static final String sql_4_add = "alter table employees add column phone varchar(20)";
+    public static final String sql_4_add = "alter table employees add column phone varchar(20)";
-    private static final String sql_5 = "grant alter table to UnauthorizedUser";
+    public static final String sql_5 = "grant alter table to UnauthorizedUser";
-    private static final String sql_9_account = " ' ";
+    public static final String sql_9_account = " ' ";
-    private static final String sql_9_operator = "or";
+    public static final String sql_9_operator = "or";
-    private static final String sql_9_injection = "'1'='1";
+    public static final String sql_9_injection = "'1'='1";
-    private static final String sql_10_login_count = "2";
+    public static final String sql_10_login_count = "2";
-    private static final String sql_10_userid = "1 or 1=1";
+    public static final String sql_10_userid = "1 or 1=1";
 
-    private static final String sql_11_a = "Smith' or '1' = '1";
+    public static final String sql_11_a = "Smith' or '1' = '1";
-    private static final String sql_11_b = "3SL99A'  or '1'='1";
+    public static final String sql_11_b = "3SL99A'  or '1'='1";
 
-    private static final String sql_12_a = "Smith";
+    public static final String sql_12_a = "Smith";
-    private static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
+    public static final String sql_12_b = "3SL99A' ; update employees set salary= '100000' where last_name='Smith";
 
-    private static final String sql_13 = "%update% '; drop table access_log ; --'";
+    public static final String sql_13 = "%update% '; drop table access_log ; --'";
 
     @Test
     public void runTests() {

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java

@@ -59,7 +59,7 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
                 .get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
                 .then()
                 .statusCode(500)
-                .body("message", containsString("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by"));
+                .body("trace", containsString("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by"));
 
         params.clear();
         params.put("ip", "104.130.219.202");

webgoat-integration-tests/src/test/java/org/owasp/webgoat/WebWolfTest.java

@@ -1,6 +1,6 @@
 package org.owasp.webgoat;
 
-import static org.junit.Assert.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.IOException;
 import java.util.HashMap;

webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java

@@ -31,6 +31,21 @@ public class XXETest extends IntegrationTest {
         checkResults("xxe/");
     }
 
+    /*
+     * This test is to verify that all is secure when XXE security patch is applied.
+     */
+    @Test
+    public void xxeSecure() throws IOException {
+        startLesson("XXE");
+        webGoatHomeDirectory = getWebGoatServerPath();
+        webwolfFileDir = getWebWolfServerPath();
+        RestAssured.given().when().relaxedHTTPSValidation()
+		.cookie("JSESSIONID", getWebGoatCookie()).get(url("/xxe/applysecurity"));
+        checkAssignment(url("/WebGoat/xxe/simple"), ContentType.XML, xxe3, false);
+        checkAssignment(url("/WebGoat/xxe/content-type"), ContentType.XML, xxe4, false);
+        checkAssignment(url("/WebGoat/xxe/blind"), ContentType.XML, "<comment><text>" + getSecret() + "</text></comment>", false);
+    }
+    
     /**
      * This performs the steps of the exercise before the secret can be committed in the final step.
      *
@@ -68,7 +83,9 @@ public class XXETest extends IntegrationTest {
                 .then()
                 .extract().response().getBody().asString();
         result = result.replace("%20", " ");
+        if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
         	result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("), result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
+        }
         return result;
     }
 }

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 
 </project>

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 </project>

webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/bypass_restrictions/BypassRestrictionsFieldRestrictions.java

@@ -34,7 +34,7 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
 
     @PostMapping("/BypassRestrictions/FieldRestrictions")
     @ResponseBody
-    public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) {
+    public AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput, @RequestParam String readOnlyInput) {
         if (select.equals("option1") || select.equals("option2")) {
             return failed(this).build();
         }
@@ -47,6 +47,9 @@ public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint {
         if (shortInput.length() <= 5) {
             return failed(this).build();
         }
+        if ("change".equals(readOnlyInput)) {
+            return failed(this).build();
+        }
         return success(this).build();
     }
 }

webgoat-lessons/bypass-restrictions/src/main/resources/css/bypass-restrictions.css

@@ -0,0 +1,5 @@
+.bypass-input-container {
+    position: relative;
+    padding: 7px;
+    margin-top: 7px;
+}

webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html

@@ -1,45 +1,64 @@
 <!DOCTYPE html>
 
-<html xmlns:th="http://www.thymeleaf.org">
+<html xmlns:th="http://www.thymeleaf.org" xmlns="http://www.w3.org/1999/html">
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
     <div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div>
-    </div>
+</div>
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
     <div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div>
+    <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <div class="container-fluid">
             <form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
                   method="POST"
                   action="/WebGoat/BypassRestrictions/FieldRestrictions">
 
-                <div>Select field with two possible values</div>
+                <div class="bypass-input-container"><b>Select field with two possible value</b>
+                    <div class="input-group">
                         <select name="select">
                             <option value="option1">Option 1</option>
                             <option value="option2">Option 2</option>
                         </select>
-                <div>Radio button with two possible values</div>
+                    </div>
-                <input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br />
+                </div>
-                <input type="radio" name="radio" value="option2" /> Option 2<br />
+                <div class="bypass-input-container"><b>Radio button with two possible values</b>
-                <div>Checkbox: value either on or off</div>
+                    <div class="input-group">
-                <input type="checkbox" name="checkbox" checked="checked"/> Checkbox
+                        <input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br/>
-                <div>Input restricted to max 5 characters</div>
+                        <input type="radio" name="radio" value="option2"/> Option 2<br/>
-                <input type="text" value="12345" name="shortInput" maxlength="5"/>
+                    </div>
-                <div>Disabled input field</div>
+                </div>
-                <input type="submit" value="submit"/>
+                <div class="bypass-input-container"><b>Checkbox: value either on or off</b>
-
+                    <div class="input-group">
+                        <input type="checkbox" name="checkbox" checked="checked"> Checkbox</input>
+                    </div>
+                </div>
+                <div class="bypass-input-container"><b>Input restricted to max 5 characters</b>
+                    <div class="input-group"><input type="text" value="12345" name="shortInput" maxlength="5"/>
+                    </div>
+                </div>
+                <div class="bypass-input-container"><b>Readonly input field</b>
+                    <div class="input-group">
+                        <input type="text" value="change" readonly="readonly" name="readOnlyInput"/>
+                    </div>
+                </div>
+                <br>
+                <input type="submit" class="btn btn-primary" value="Submit"/>
             </form>
+        </div>
+        <br/>
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
     </div>
-    </div>
+</div>
 
-    <div class="lesson-page-wrapper">
+<div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -66,7 +85,8 @@
                 <textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea>
             </div>
             <p></p>
-                <div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)</div>
+            <div><strong>Field 4:</strong> enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)
+            </div>
             <div>
                 <textarea cols="25" name="field4" rows="1">seven</textarea>
             </div>
@@ -85,30 +105,53 @@
             <div>
                 <textarea cols="25" name="field7" rows="1">301-604-4882</textarea>
             </div>
-                <input type="hidden" value="" name="error" />
+            <input type="hidden" value="" name="error"/>
-                <p><button type="submit" class="btn btn-primary">Submit</button></p>
+            <p>
+                <button type="submit" class="btn btn-primary">Submit</button>
+            </p>
         </form>
 
         <script>
-            var regex1=/^[a-z]{3}$/;
+            var regex1 = /^[a-z]{3}$/;
-            var regex2=/^[0-9]{3}$/;
+            var regex2 = /^[0-9]{3}$/;
-            var regex3=/^[a-zA-Z0-9 ]*$/;
+            var regex3 = /^[a-zA-Z0-9 ]*$/;
-            var regex4=/^(one|two|three|four|five|six|seven|eight|nine)$/;
+            var regex4 = /^(one|two|three|four|five|six|seven|eight|nine)$/;
-            var regex5=/^\d{5}$/;
+            var regex5 = /^\d{5}$/;
-            var regex6=/^\d{5}(-\d{4})?$/;
+            var regex6 = /^\d{5}(-\d{4})?$/;
-            var regex7=/^[2-9]\d{2}-?\d{3}-?\d{4}$/;
+            var regex7 = /^[2-9]\d{2}-?\d{3}-?\d{4}$/;
-            var validate = function() {
+            var validate = function () {
-              var msg='JavaScript found form errors';
+                var msg = 'JavaScript found form errors';
-              var err=0;
+                var err = 0;
-              if (!regex1.test(document.frontendValidation.field1.value)) {err+=1; msg+='\n  Value entered for field 1 is not correct';}
+                if (!regex1.test(document.frontendValidation.field1.value)) {
-              if (!regex2.test(document.frontendValidation.field2.value)) {err+=1; msg+='\n  Value entered for field 2 is not correct';}
+                    err += 1;
-              if (!regex3.test(document.frontendValidation.field3.value)) {err+=1; msg+='\n  Value entered for field 3 is not correct';}
+                    msg += '\n  Value entered for field 1 is not correct';
-              if (!regex4.test(document.frontendValidation.field4.value)) {err+=1; msg+='\n  Value entered for field 4 is not correct';}
+                }
-              if (!regex5.test(document.frontendValidation.field5.value)) {err+=1; msg+='\n  Value entered for field 5 is not correct';}
+                if (!regex2.test(document.frontendValidation.field2.value)) {
-              if (!regex6.test(document.frontendValidation.field6.value)) {err+=1; msg+='\n  Value entered for field 6 is not correct';}
+                    err += 1;
-              if (!regex7.test(document.frontendValidation.field7.value)) {err+=1; msg+='\n  Value entered for field 7 is not correct';}
+                    msg += '\n  Value entered for field 2 is not correct';
+                }
+                if (!regex3.test(document.frontendValidation.field3.value)) {
+                    err += 1;
+                    msg += '\n  Value entered for field 3 is not correct';
+                }
+                if (!regex4.test(document.frontendValidation.field4.value)) {
+                    err += 1;
+                    msg += '\n  Value entered for field 4 is not correct';
+                }
+                if (!regex5.test(document.frontendValidation.field5.value)) {
+                    err += 1;
+                    msg += '\n  Value entered for field 5 is not correct';
+                }
+                if (!regex6.test(document.frontendValidation.field6.value)) {
+                    err += 1;
+                    msg += '\n  Value entered for field 6 is not correct';
+                }
+                if (!regex7.test(document.frontendValidation.field7.value)) {
+                    err += 1;
+                    msg += '\n  Value entered for field 7 is not correct';
+                }
                 document.frontendValidation.error.value = err
-              if ( err > 0 ) {
+                if (err > 0) {
                     alert(msg)
                     return false;
                 }
@@ -120,5 +163,5 @@
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
     </div>
-    </div>
+</div>
 </html>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 
 

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java

@@ -15,7 +15,7 @@ import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-lessons/chrome-dev-tools/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 </project>

webgoat-lessons/cia/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 </project>

webgoat-lessons/cia/src/main/resources/js/questions_cia.json

@@ -1,5 +1,6 @@
 {
-  "questions": [{
+  "questions": [
+    {
       "text": "How could an intruder harm the security goal of confidentiality?",
       "solutions": {
         "1": "By deleting all the databases.",
@@ -7,29 +8,33 @@
         "3": "By stealing a database where names and emails are stored and uploading it to a website.",
         "4": "Confidentiality can't be harmed by an intruder."
       }
-  }, {
+    },
+    {
       "text": "How could an intruder harm the security goal of integrity?",
       "solutions": {
         "1": "By changing the names and emails of one or more users stored in a database.",
         "2": "By listening to incoming and outgoing network traffic.",
-      "3": "By bypassing authentication mechanisms that are in place to manage database access.",
+        "3": "By bypassing the access control mechanisms used to manage database access.",
-      "4": "Integrity can only be harmed when the intruder has physical access to the database storage."
+        "4": "Integrity can only be harmed when the intruder has physical access to the database."
       }
-  }, {
+    },
+    {
       "text": "How could an intruder harm the security goal of availability?",
       "solutions": {
-      "1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.",
+        "1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.",
-      "2": "By redirecting emails with sensitive data to other individuals.",
+        "2": "By redirecting sensitive emails to other individuals.",
         "3": "Availability can only be harmed by unplugging the power supply of the storage devices.",
         "4": "By launching a denial of service attack on the servers."
       }
-  }, {
+    },
+    {
       "text": "What happens if at least one of the CIA security goals is harmed?",
       "solutions": {
-      "1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.",
+        "1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.",
-      "2": "The systems security is compromised even if only one goal is harmed.",
+        "2": "The system's security is compromised even if only one goal is harmed.",
-      "3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.",
+        "3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.",
-      "4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
+        "4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed."
       }
-  }]
+    }
+  ]
 }

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc

@@ -1,22 +1,24 @@
 == Availability
 
-Availability is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed.
+Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times.
 
 {nbsp} +
 
 === Examples that compromise availability:
 
-** denial-of-service attacks (Dos)
+** denial-of-service attacks (DOS)
-** server crashes
+** hardware failures
-** even fire or natural disasters
+** fire or other natural disasters
+** software or network misconfigurations
 
 {nbsp} +
 
 === Examples of methods ensuring availability
 
-** intrusion detection systems
+** intrusion detection systems (IDSs)
 ** network traffic control
 ** firewalls
-** physically and geographically isolated location
+** physical security of hardware and underlying infrastructure
-*** fire- and waterproof
+*** protections against fire, water, and other elements
 ** hardware maintenance
+** redundancy

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc

@@ -1,25 +1,25 @@
 == Confidentiality
 
-Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it.
+Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for. 
 
-While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers.
+Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
 
 {nbsp} +
 
 === Examples that compromise confidentiality:
 
 ** a hacker gets access to the password database of a company
-** sensitive emails being sent to incorrect individuals
+** a sensitive emails is sent to the incorrect individual
-** a hacker reads sensitive information by intercepting and eavesdropping an information transfer
+** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
 
 {nbsp} +
 
 === Examples of methods ensuring confidentiality
 
 ** data encryption
-** authentication methods
+** properly implemented authentication and access control
-*** passwords
+*** securely stored passwords
-*** two-factor authentication
+*** multi-factor authentication (MFA)
 *** biometric verification
 ** minimizing the number of places/times the information appears
-** physical security measurements like protected server rooms etc.
+** physical security controls such as properly secured server rooms

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc

@@ -1,6 +1,6 @@
 == Integrity
 
-Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality).
+Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data.
 
 {nbsp} +
 
@@ -8,7 +8,7 @@ Integrity is "the property of accuracy and completeness." In other words, integr
 
 ** human error when entering data
 ** errors during data transmission
-** software bugs, hardware failures
+** software bugs and hardware failures
 ** hackers change information that they should not have access to
 
 {nbsp} +
@@ -17,4 +17,5 @@ Integrity is "the property of accuracy and completeness." In other words, integr
 
 ** well functioning authentication methods and access control
 ** checking integrity with hash functions
-** backups, redundancy
+** backups and redundancy
+** auditing and logging

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc

@@ -2,6 +2,6 @@
 
 The CIA Triad (confidentiality, integrity, availability) is a model for information security.
 The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
-If only one of those three elements can be breached it can have serious consequences for the parties concerned.
+Serious consequences can result if even one these elements is breached.
 
-The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization.
+The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc

@@ -1,3 +1,3 @@
-Now it's time for a quiz! Answer the following question to check, if you understood the topic.
+Now it's time for a quiz! Answer the following question to check if you understood the topic.
 
-Today every system is protected by a firewall. The firewall keeps intruders locked out of the system and guarantees, that the data handled there is safe. Imagine a system that handles personal data and is not protected by a firewall:
+Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:

webgoat-lessons/client-side-filtering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
 
 </project>

webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/ClientSideFiltering.java

@@ -9,7 +9,7 @@ import org.springframework.stereotype.Component;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-lessons/command-injection/pom.xml

@@ -1,34 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>http-proxies</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <version>4.1.3.RELEASE</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
-            <type>jar</type>
-            <scope>test</scope>
-        </dependency>
-
-    </dependencies>
-
-</project>

webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java

@@ -1,58 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-@AssignmentPath("/HttpProxies/intercept-request")
-public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
-
-	@RequestMapping(method = RequestMethod.GET)
-	public @ResponseBody
-	AttackResult completed(HttpServletRequest request) throws IOException {
-		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
-            return trackProgress(success().feedback("http-proxies.intercept.success").build());
-		} else {
-            return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
-        }
-	}
-}

webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java

@@ -1,53 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import com.beust.jcommander.internal.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
-
-import java.util.List;
-
-/**
- * ************************************************************************************************
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- *
- * @author WebGoat
- * @version $Id: $Id
- * @since October 12, 2016
- */
-public class HttpProxies extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
-
-    @Override
-    public String getTitle() {
-        return "http-proxies.title";
-    }
-
-    @Override
-    public String getId() {
-        return "HttpProxies";
-    }
-}

webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html

@@ -1,50 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
-    </div>
-
-    <div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
-	</div>
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
-    </div>
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
-	</div>
-
-    <div class="lesson-page-wrapper">
-        <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
-        <div class="attack-container">
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
-                  method="POST"
-                  action="/WebGoat/HttpBasics/intercept-request">
-
-                <input type="text" value="doesn't matter really" name="changeMe" />
-                <input type="submit" value="Submit" />
-
-            </form>
-            <div class="attack-feedback"></div>
-            <div class="attack-output"></div>
-        </div>
-    </div>
-</html>

webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,4 +0,0 @@
-http-proxies.title=HTTP Proxies
-
-http-proxies.intercept.success=Well done, you tampered the request as expected
-http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!

webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc

@@ -1,20 +0,0 @@
-
-== HTTP Proxy Overview
-
-Many times proxies are used as a way of accessing otherwise blocked content.  A user might connect to server A, which relays content from server B
- ... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
-HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
-use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
-relationship to proxies.
-
-=== Proxy Capabilities
-
-Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
-modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
-analyzing the security of a website.
-
-=== Other Uses for Proxies
-
-ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
-not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
-CI/CD with Jenkins, Maven or other build processes.

webgoat-lessons/cross-site-scripting/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.1.0</version>
+        <version>${revision}</version>
     </parent>
     <dependencies>
         <dependency>

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson5a.java

@@ -30,11 +30,17 @@ import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
+
 
 @RestController
 @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
+    public static final Predicate<String> XSS_PATTERN = Pattern.compile(
+            ".*<script>(console\\.log|alert)\\(.*\\);?</script>.*"
+            , Pattern.CASE_INSENSITIVE).asMatchPredicate();
     @Autowired
     UserSessionData userSessionData;
 
@@ -45,13 +51,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
                                   @RequestParam Integer QTY4, @RequestParam String field1,
                                   @RequestParam String field2) {
 
-        if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) {
+        if (XSS_PATTERN.test(field2)) {
             return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build();
         }
 
         double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
 
-        userSessionData.setValue("xss-reflected1-complete", (Object) "false");
+        userSessionData.setValue("xss-reflected1-complete", "false");
         StringBuffer cart = new StringBuffer();
         cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
         cart.append("<p>We have charged credit card:" + field1 + "<br />");
@@ -60,11 +66,10 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 
         //init state
         if (userSessionData.getValue("xss-reflected1-complete") == null) {
-            userSessionData.setValue("xss-reflected1-complete", (Object) "false");
+            userSessionData.setValue("xss-reflected1-complete", "false");
         }
 
-        if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
+        if (XSS_PATTERN.test(field1)) {
-            //return )
             userSessionData.setValue("xss-reflected-5a-complete", "true");
             if (field1.toLowerCase().contains("console.log")) {
                 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build();
@@ -73,7 +78,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
             }
         } else {
             userSessionData.setValue("xss-reflected1-complete", "false");
-            return success(this)
+            return failed(this)
                     .feedback("xss-reflected-5a-failure")
                     .output(cart.toString())
                     .build();

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html

@@ -48,9 +48,8 @@
 			<form class="attack-form" accept-charset="UNKNOWN"
 				  method="GET" name="xss-5a"
 				  action="/WebGoat/CrossSiteScripting/attack5a">
-				<hr width="90%" />
 				<center>
-					<h1>Shopping Cart</h1>
+					<h4>Shopping Cart</h4>
 				</center>
 				<table width="90%" cellspacing="0" cellpadding="2" border="1"
 					   align="center">
@@ -92,18 +91,9 @@
 					</tr>
 					</tbody>
 				</table>
-				<br />
+				<table width="90%" cellspacing="0" cellpadding="2"
-				<table width="90%" cellspacing="0" cellpadding="2" border="0"
 					   align="center">
 					<tbody>
-					<tr>
-						<td>The total charged to your credit card:</td>
-						<td>$0.00</td>
-						<td><input name="SUBMIT" value="UpdateCart" type="SUBMIT" /></td>
-					</tr>
-					<tr>
-						<td colspan="2">&nbsp;</td>
-					</tr>
 					<tr>
 						<td>Enter your credit card number:</td>
 						<td><input name="field1" value="4128 3214 0002 1999"
@@ -113,8 +103,9 @@
 						<td>Enter your three digit access code:</td>
 						<td><input name="field2" value="111" type="TEXT" /></td>
 					</tr>
+					<br/>
 					<tr>
-						<td colspan="2" align="center"><input name="SUBMIT"
+						<td colspan="3" align="center"><input name="SUBMIT" class="btn btn-primary"
 															  value="Purchase" type="SUBMIT" /></td>
 					</tr>
 					</tbody>

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -2,10 +2,10 @@
 xss.title=Cross Site Scripting
 xss-stored.title=Cross Site Scripting (stored)
 xss-mitigation.title=Cross Site Scripting (mitigation)
-xss-reflected-5a-success-alert=Well done, but alerts are not very impressive are they? Please continue.
+xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
-xss-reflected-5a-success-console=Well done, but console logs are not very impressive are they? Please continue.
+xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.
 xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
-xss-reflected-5a-failure=Try again. We do want to see this specific JavaScript (in case you are trying to do something more fancy).
+xss-reflected-5a-failure=Try again. We do want to see a specific JavaScript mentioned in the goal of the assignment (in case you are trying to do something fancier).
 xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
 xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
 xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc

@@ -1,8 +1,6 @@
 == What is XSS?
 
-Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines ...
+Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines the allowance of html/script tags as input that are rendered into a browser without encoding or sanitization
-# the allowance of html/script tags as input that are ...
-# rendered into a browser without encoding or sanitization
 
 === Cross-Site Scripting (XSS) is the most prevalent and pernicious web application security issue
 
@@ -11,12 +9,12 @@ coverage of fixes also tends to be a problem. We will talk more about the defens
 
 === XSS has significant impact
 
-Especially as 'Rich Internet Applications' are more and more common place, privileged function calls linked to via JavaScript may be compromised.
+Especially as 'Rich Internet Applications' are more and more commonplace, privileged function calls linked to via JavaScript may be compromised.
 And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
 
 
 ==== Quick examples:
-* From the JavaScript console in the developer tools of the browser (chrome, Firefox)
+* From the JavaScript console in the developer tools of the browser (Chrome, Firefox)
 +
 ----
 alert("XSS Test");

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc

@@ -1,8 +1,8 @@
 == Try It! Reflected XSS
 
-Identify which field is susceptible to XSS
+The goal of the assignment is to identify which field is susceptible to XSS.
 
-It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
+It is always a good practice to validate all input on the server-side. XSS can occur when unvalidated user input gets used in an HTTP response.
 In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
-An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.
+An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.