refacrired

* renamed README

* rename

.editorconfig

@@ -0,0 +1,16 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+tab_width = 4
+ij_continuation_indent_size = 8
+ij_formatter_off_tag = @formatter:off
+ij_formatter_on_tag = @formatter:on
+ij_formatter_tags_enabled = false
+ij_wrap_on_typing = true
+ij_java_names_count_to_use_import_on_demand = 999

.github/FUNDING.yml

@@ -0,0 +1 @@
+custom: https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat

.github/lock.yml

@@ -0,0 +1,10 @@
+---
+daysUntilLock: 365
+skipCreatedBefore: false
+exemptLabels: []
+lockLabel: false
+lockComment: >
+  This thread has been automatically locked because it has not had
+  recent activity after it was closed. :lock: Please open a new issue
+  for regressions or related bugs.
+setLockReason: false

.github/stale.yml

@@ -0,0 +1,10 @@
+---
+daysUntilStale: 90
+daysUntilClose: 14
+onlyLabels:
+  - waiting-for-input
+  - wontfix
+staleLabel: stale
+markComment: >
+  This issue has been automatically marked as `stale` because it has not had recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs.
+closeComment: false

.github/workflows/branch_build.yml

@@ -0,0 +1,54 @@
+name: "Branch build"
+on:
+  push:
+    branches-ignore:
+      - main
+      - develop
+      - release/*
+jobs:
+  install-notest:
+    if: "github.repository != 'WebGoat/WebGoat'"
+    runs-on: ubuntu-latest
+    name: "Package and linting"
+    steps:
+      - uses: actions/checkout@v2
+      - name: set up JDK 17
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.7
+        with:
+          path: ~/.m2
+          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ubuntu-latest-m2
+      - name: Test with Maven
+        run: mvn install -DskipTests
+
+  testing:
+    if: "github.repository != 'WebGoat/WebGoat'"
+    needs: install-notest
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        args:
+          - mvn -pl '!webgoat-integration-tests' test
+          - mvn -pl webgoat-integration-tests test
+    steps:
+      - uses: actions/checkout@v2
+      - name: set up JDK 17
+        uses: actions/setup-java@v2
+        with:
+          distribution: 'temurin'
+          java-version: 17
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.7
+        with:
+          path: ~/.m2
+          key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ubuntu-latest-m2
+      - name: Test with Maven
+        run: ${{ matrix.args }}

.github/workflows/pr_build.yml

@@ -1,4 +1,4 @@
-name: "Build"
+name: "Pull request build"
 on:
   pull_request:
     paths-ignore:
@@ -9,8 +9,7 @@ on:
       - 'docs/**'
   push:
     branches:
-      - master
+      - main
-      - develop
       - release/*
     tags-ignore:
       - '*'
@@ -27,32 +26,20 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        java: [15]
+        java: [17]
     steps:
       - uses: actions/checkout@v2
       - name: Set up JDK ${{ matrix.java }}
         uses: actions/setup-java@v2
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: ${{ matrix.java }}
           architecture: x64
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.7
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2
       - name: Build with Maven
-        run: mvn clean install
+        run: mvn package
-
-  notify-slack:
-    if: github.event_name == 'push' && (success() || failure())
-    needs:
-      - build
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Slack workflow notification"
-        uses: Gamesight/slack-workflow-status@master
-        with:
-          repo_token: ${{secrets.GITHUB_TOKEN}}
-          slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}}

.github/workflows/rebase.yml

@@ -1,19 +0,0 @@
-name: "Automatic Rebase"
-on:
-  issue_comment:
-    types: [created]
-jobs:
-  rebase:
-    name: Rebase
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && github.event.comment.author_association == 'MEMBER'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -5,6 +5,7 @@ on:
       - v*
 jobs:
   release:
+    if: github.repository == 'WebGoat/WebGoat'
     name: Release WebGoat
     runs-on: ubuntu-latest
     environment:
@@ -24,7 +25,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v2.1.5
+        uses: actions/cache@v2.1.7
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -38,7 +39,7 @@ jobs:
       - name: Build with Maven
         run: |
           mvn versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
-          mvn clean install -DskipTests
+          mvn install -DskipTests
 
       - name: "Create release"
         uses: softprops/action-gh-release@v1
@@ -93,7 +94,7 @@ jobs:
           context: ./docker
           file: docker/Dockerfile
           push: true 
-          platforms: linux/amd64, linux/arm64
+          platforms: linux/amd64, linux/arm64, linux/arm/v7
           tags: |
             webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }}
             webgoat/goatandwolf:latest
@@ -103,6 +104,7 @@ jobs:
       - name: "Image digest"
         run: echo ${{ steps.docker_build.outputs.digest }}
   new_version:
+    if: github.repository == 'WebGoat/WebGoat'
     name: Update development version
     needs: [ release ]
     runs-on: ubuntu-latest

.github/workflows/welcome.yml

@@ -7,6 +7,7 @@ on:
 
 jobs:
   greeting:
+    if: github.repository == 'WebGoat/WebGoat'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/first-interaction@v1.1.0

CODE_OF_CONDUCT.md

@@ -0,0 +1,60 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery and unwelcome sexual attention or advances
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic address, without explicit permission
+- Misusing the context of the WebGoat project for commercial goals (e.g. adding sales pitches to the codebase or to communication channels used by the project, such as Slack).
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Disclaimer
+
+The WebGoat project and its materials are conceived for educational and research purposes only.
+
+Refrain from violating the laws in your country by carefully consulting them before executing any tests against web applications or other assets utilizing the WebGoat (or Webwolf) materials.
+
+The WebGoat project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
+
+Neither OWASP, the WebGoat project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
+
+The intention of the WebGoat is not to encourage hacking or malicious activities! Instead, the goal of the project is to learn different hacking techniques and offer ways to reduce or mitigate that risk.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community includes using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at nanne.baars@owasp.org.
+
+All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org "Contributor Covenant homepage"), [version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html "Code of Conduct version 1.4").
+
+For answers to common questions about this code of conduct, see [the Contributor Covenant FAQ](https://www.contributor-covenant.org/faq)

CONTRIBUTING.md

@@ -0,0 +1,98 @@
+# Contributing
+[![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
+![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
+![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
+
+This document describes how you can contribute to WebGoat. Please read it carefully.
+
+**Table of Contents**
+
+* [How to Contribute to the Project](#how-to-contribute-to-the-project)
+* [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment)
+* [How to get your PR Accepted](#how-to-get-your-pr-accepted)
+
+## How to Contribute to the project
+
+There are a couple of ways on how you can contribute to the project:
+
+* **File [issues](https://github.com/WebGoat/WebGoat/issues "Webgoat Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added.
+* **Create a [pull request (PR)](https://github.com/WebGoat/WebGoat/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos.
+* **Help out financially** by donating via [OWASP donations](https://owasp.org/donate/?reponame=www-project-webgoat&title=OWASP+WebGoat).
+
+## How to get your PR accepted
+
+Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short:
+The minimum requirements for code contributions are:
+
+1. The code _must_ be compliant with the configured Checkstyle and PMD rules.
+2. All new and changed code _should_ have a corresponding unit and/or integration test.
+3. New and changed lessons _must_ have a corresponding integration test.
+4. [Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit.
+
+Additionally, the following guidelines can help:
+
+### Keep your pull requests limited to a single issue
+
+Pull requests should be as small/atomic as possible. Large, wide-sweeping changes in a pull request will be **rejected**, with comments to isolate the specific code in your pull request. Some examples:
+
+* If you are making spelling corrections in the docs, don't modify other files.
+* If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
+
+
+### Write a good commit message
+
+* Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
+
+* If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.
+
+  For example: `Fix #545` or `Closes #10`
+
+## How to set up your Contributor Environment
+
+1. Create a GitHub account. Multiple different GitHub subscription plans are available, but you only need a free one. Follow [these steps](https://help.github.com/en/articles/signing-up-for-a-new-github-account "Signing up for a new GitHub account") to set up your account.
+2. Fork the repository. Creating a fork means creating a copy of the repository on your own account, which you can modify without any impact on this repository. GitHub has an [article that describes all the needed steps](https://help.github.com/en/articles/fork-a-repo "Fork a repo").
+3. Clone your own repository to your host computer so that you can make modifications. If you followed the GitHub tutorial from step 2, you have already done this.
+4. Go to the newly cloned directory "WebGoat" and add the remote upstream repository:
+
+    ```bash
+    $ git remote -v
+    origin git@github.com:<your Github handle>/WebGoat.git (fetch)
+    origin git@github.com:<your Github handle>/WebGoat.git (push)
+
+    $ git remote add upstream git@github.com:WebGoat/WebGoat.git
+
+    $ git remote -v
+    origin git@github.com:<your Github handle>/WebGoat.git (fetch)
+    origin git@github.com:<your Github handle>/WebGoat.git (push)
+    upstream git@github.com:OWASP/WebGoat.git (fetch)
+    upstream git@github.com:OWASP/WebGoat.git (push)
+    ```
+
+    See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
+5. Choose what to work on, based on any of the outstanding [issues](https://github.com/WebGoat/WebGoat/issues "WebGoat Issues").
+6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
+7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/).
+8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
+9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/WebGoat> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer.
+10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR.
+11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
+
+    ```bash
+    $ git fetch upstream
+    $ git merge upstream/develop
+    ```
+
+    See also the following article for further explanation on "[How to Keep a Downstream git Repository Current with Upstream Repository Changes](https://medium.com/sweetmeat/how-to-keep-a-downstream-git-repository-current-with-upstream-repository-changes-10b76fad6d97 "How to Keep a Downstream git Repository Current with Upstream Repository Changes")".
+
+If at any time you want to work on a different issue, you can simply switch to a different branch, as explained in step 5.
+
+> Tip: Don't try to work on too many issues at once though, as it will be a lot more difficult to merge branches the longer they are open.
+
+## What not to do
+
+Although we greatly appreciate any and all contributions to the project, there are a few things that you should take into consideration:
+
+* The WebGoat project should not be used as a platform for advertisement for commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section.
+* Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide.
+
+Please be sure to take a careful look at our [Code of Conduct](https://github.com/WebGoat/WebGoat/blob/master/CODE_OF_CONDUCT.md) for all the details.

CREATE_RELEASE.md

@@ -23,7 +23,7 @@ git flow release publish
 
 git flow release finish <version>
 git push origin develop
-git push origin master
+git push origin main
 git push --tags
 ```
 

PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1 @@
+Thank you for submitting a pull request to the WebGoat!

README.md

@@ -1,11 +1,11 @@
 # WebGoat 8: A deliberately insecure Web Application
 
-[![Build](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml/badge.svg)](https://github.com/WebGoat/WebGoat/actions/workflows/build.yml)
+[![Pull request build](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml/badge.svg?branch=develop)](https://github.com/WebGoat/WebGoat/actions/workflows/pr_build.yml)
-[![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
+[![java-jdk](https://img.shields.io/badge/java%20jdk-17-green.svg)](https://jdk.java.net/)
-[![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
+[![OWASP Labs](https://img.shields.io/badge/OWASP-Lab%20project-f7b73c.svg)](https://owasp.org/projects/)
-[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
+[![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
 
 # Introduction
 
@@ -29,6 +29,8 @@ first thing that all hackers claim.*
 
 # Installation instructions:
 
+For more details check [the Contribution guide](/CONTRIBUTING.md)
+
 ## 1. Run using Docker
 
 Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/goatandwolf).
@@ -37,7 +39,7 @@ The easiest way to start WebGoat as a Docker container is to use the all-in-one
 
 ```shell
 
-docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.1
+docker run -it -p 127.0.0.1:80:8888 -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:v8.2.2
 ```
 
 The landing page will be located at: http://localhost  
@@ -54,8 +56,8 @@ WebWolf will be located at: http://localhost:9090/WebWolf
 Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```shell
-java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.1.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
+java -Dfile.encoding=UTF-8 -jar webgoat-server-8.2.2.jar [--server.port=8080] [--server.address=localhost] [--hsqldb.port=9001]
-java -Dfile.encoding=UTF-8 -jar webwolf-8.2.1.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
+java -Dfile.encoding=UTF-8 -jar webwolf-8.2.2.jar [--server.port=9090] [--server.address=localhost] [--hsqldb.port=9001]
 ```
 
 WebGoat will be located at: http://localhost:8080/WebGoat and   
@@ -65,7 +67,7 @@ WebWolf will be located at: http://localhost:9090/WebWolf (change ports if neces
 
 ### Prerequisites:
 
-* Java 15
+* Java 17
 * Maven > 3.2.1
 * Your favorite IDE
 * Git, or Git support in your IDE
@@ -106,7 +108,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
+java -jar webgoat-server/target/webgoat-server-v8.2.2-SNAPSHOT.jar
 ```
 Or in a docker run it would (once this version is pushed into docker hub) look like this:
 ```Shell

RELEASE_NOTES.md

@@ -1,5 +1,11 @@
 # WebGoat release notes 
 
+## Unreleased
+
+### New functionality
+
+- Update the Docker startup script, it is now possible to pass `skip-nginx` or set `SKIP_NGINX` as environment variable.
+
 ## Version 8.2.2
 
 ### New functionality

docker/Dockerfile

@@ -1,22 +1,22 @@
-FROM openjdk:16-slim
+FROM eclipse-temurin:17_35-jdk-focal
-
-ARG webgoat_version=8.2.1-SNAPSHOT
-ENV webgoat_version_env=${webgoat_version}
 
 RUN apt-get update
 RUN useradd -ms /bin/bash webgoat
 RUN apt-get -y install apt-utils nginx
+RUN chgrp -R 0 /home/webgoat
+RUN chmod -R g=u /home/webgoat
 
 USER webgoat
 
 COPY --chown=webgoat nginx.conf /etc/nginx/nginx.conf
 COPY --chown=webgoat index.html /usr/share/nginx/html/
-COPY --chown=webgoat target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
+COPY --chown=webgoat target/webgoat-server-*.jar /home/webgoat/webgoat.jar
-COPY --chown=webgoat target/webwolf-${webgoat_version}.jar /home/webgoat/webwolf.jar
+COPY --chown=webgoat target/webwolf-*.jar /home/webgoat/webwolf.jar
 COPY --chown=webgoat start.sh /home/webgoat
+RUN chmod +x /home/webgoat/start.sh
 
 EXPOSE 8080
 EXPOSE 9090
 
 WORKDIR /home/webgoat
-ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env
+ENTRYPOINT ["./start.sh"]

docker/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>

docker/start.sh

@@ -1,26 +1,72 @@
 #!/bin/bash
 
 cd /home/webgoat 
-service nginx start
-sleep 1
-echo "Starting WebGoat..."
 
-java \
+function should_start_nginx() {
- -Duser.home=/home/webgoat \
+  if [[ -v "${SKIP_NGINX}" ]]; then
- -Dfile.encoding=UTF-8 \
+    return 1
- --add-opens java.base/java.util=ALL-UNNAMED \
+  else
- --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
+    for i in "${commandline_args[@]}" ; do [[ $i == "skip-nginx" ]] && return 1 ; done
- --add-opens java.base/java.text=ALL-UNNAMED \
+  fi
- --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
+  return 0
- --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
+}
- --add-opens java.base/java.io=ALL-UNNAMED \
- -jar webgoat.jar --webgoat.build.version="$1" --server.address=0.0.0.0 > webgoat.log &
 
-sleep 10
+function nginx() {
+  if should_start_nginx; then
+    echo "Starting nginx..."
+    service nginx start
+  fi
+}
+
+function webgoat() {
+  echo "Starting WebGoat...."
+  java \
+   -Duser.home=/home/webgoat \
+   -Dfile.encoding=UTF-8 \
+   --add-opens java.base/java.lang=ALL-UNNAMED \
+   --add-opens java.base/java.util=ALL-UNNAMED \
+   --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
+   --add-opens java.base/java.text=ALL-UNNAMED \
+   --add-opens java.desktop/java.beans=ALL-UNNAMED \
+   --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
+   --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
+   --add-opens java.base/java.io=ALL-UNNAMED \
+   -jar webgoat.jar --server.address=0.0.0.0 > webgoat.log
+}
+
+function webwolf() {
+  echo "Starting WebWolf..."
+  java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --server.address=0.0.0.0 > webwolf.log
+}
+
+function write_start_message() {
+  until $(curl --output /dev/null --silent --head --fail http://0.0.0.0:8080/WebGoat/health); do
+    sleep 2
+  done
+  echo "
+    __          __       _        _____                   _
+    \ \        / /      | |      / ____|                 | |
+     \ \  /\  / /  ___  | |__   | |  __    ___     __ _  | |_
+      \ \/  \/ /  / _ \ | '_ \  | | |_ |  / _ \   / _' | | __|
+       \  /\  /  |  __/ | |_) | | |__| | | (_) | | (_| | | |_
+        \/  \/    \___| |_.__/   \_____|  \___/   \__,_|  \__|
+  " >> webgoat.log
+  echo "WebGoat and WebWolf successfully started..." >> webgoat.log
+  pidof nginx >/dev/null && echo "Browse to http://localhost to get started" >> webgoat.log ||  echo "Browse to http://localhost:8080/WebGoat or http://localhost:9090/WebWolf to get started" >> webgoat.log
+}
+
+function tail_log_file() {
+  touch webgoat.log
+  tail -300f webgoat.log
+}
+
+commandline_args=("$@")
+
+nginx
+webgoat &
+webwolf &
+write_start_message &
+tail_log_file
 
-echo "Starting WebWolf..."
-java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
 
-echo "Browse to http://localhost to get started" >> webgoat.log
 
-tail -300f webgoat.log

platformQuickStarts/helm/Readme.md

@@ -0,0 +1,54 @@
+# Helm chart deployment on OpenShift K8S clusters
+
+This helm chart can be used on a OpenShift Code Ready Container environment or an OpenShift Cloud Container environment.
+
+With the OpenShift CRC (Code Ready Container) cluster you run an entire environment on your local machine. (> 4 vCPU, >8GB mem)
+
+See the Red Hat documentation for general understanding of OpenShift. Make sure helm is installed as well.
+
+https://developers.redhat.com/developer-sandbox
+
+## CRC commands
+
+    crc config set cpus 6
+    crc config set memory 12288
+    crc setup
+    crc start
+    eval $(crc oc-env)
+    oc login -u developer https://api.crc.testing:6443
+    oc new-project demo-project
+
+The example without modification uses *demo-project* as the project/namespace for installing WebGoat and WebWolf.
+
+
+## Helm install this example on your local Code Ready Container environment
+
+    helm install goat1 ./webgoat
+
+## Helm install on single node Developer Sandbox (cloud)
+
+    oc login --token=sha256~phDWy6Wm_oJQW6kmOHEbLkRdDIXU6b70hRVmdSYWolM --server=https://api.sandbox-m2.rz9k.p1.openshiftapps.com:6443 
+    helm install --set namespace=renezubcevic-dev --set accessMode=ReadWriteOnce --set urlpostfix=.apps.sandbox-m2.rz9k.p1.openshiftapps.com goat1 ./webgoat
+
+A code ready container looks the same for all developers on their local machine, but a developer sandbox requires other credentials from your account in the cloud and different namespace and urlpostfix and also a different access mode for the persistent storage.
+Of course the token here is a fake.
+
+## uninstall 
+
+    helm uninstall goat1
+
+The URL on a Code Ready Container is build from router name + namespace + default extension .apps-crc.testing:
+
++ [https://webgoat-1-goat-demo-project.apps-crc.testing/WebGoat](https://webgoat-1-goat-demo-project.apps-crc.testing/WebGoat)
++ [http://webwolf-1-wolf-demo-project.apps-crc.testing/WebWolf](http://webwolf-1-wolf-demo-project.apps-crc.testing/WebWolf)
+
+## Explanation
+
+deployment.yaml contains two K8S deployment elements. Both use the same Persistent Volume Claim and use the same Volume mapping. 
+They both use the same image but with other entrypoint and command arguments. The java.io.dir is also mapped to this persistent volume mapping. The number of pods is 1 for both WebGoat and WebWolf. WebGoat uses the WEBWOLF_HOST parameter to know where the external address of WebWolf is defined. WebWolf uses WEBGOAT_HOST to define the internal service address to WebGoat for connecting to the HSQL database
+
+persistent-storage-claim.yaml contains the OpenShift K8S extension for requestig a volume with Read-Write access that will survive any pod replacements.
+
+service.yaml defines the service ports for both WebGoat and WebWolf
+
+route-goat defines an https endpoint toward the 8080 port. route-wolf defines an http port towards the 9090 port.

platformQuickStarts/helm/modsec/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

platformQuickStarts/helm/modsec/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: modsec
+description: ModSecurity Core Rule Set
+ 
+type: application
+ 
+version: 0.1.0
+ 
+appVersion: "latest"

platformQuickStarts/helm/modsec/templates/configmap-modsec.yaml

@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Values.modsec_server.name }}-configmap-modsec
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/part-of: {{ .Values.modsec_server.name }} 
+data:
+  PARANOIA: '1'
+  EXECUTING_PARANOIA: '2'
+  ANOMALYIN: '5'
+  ANOMALYOUT: '5'
+  ALLOWED_METHODS: 'GET POST'
+  ALLOWED_REQUEST_CONTENT_TYPE: "text/xml|application/xml|text/plain"
+  MAX_FILE_SIZE: '5242880'
+  PORT: '8001'
+  RESTRICTED_EXTENSIONS: '.conf/'
+  BACKEND: 'http://{{ .Values.webgoat_server.name }}-service:8080' 

platformQuickStarts/helm/modsec/templates/deployment.yaml

@@ -0,0 +1,45 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ .Values.modsec_server.name }}
+  namespace: {{ .Values.namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.modsec_server.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.modsec_server.name }} 
+    spec:
+      containers:
+        - resources:
+            limits:
+              memory: "2Gi"
+              cpu: "1"
+            requests:
+              memory: "1Gi"
+              cpu: "0.5"
+          name: modsec
+          ports:
+            - containerPort: 8001
+              protocol: TCP
+          image: {{ .Values.modsec_server.image }}
+          imagePullPolicy: Always
+          terminationMessagePolicy: File
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.modsec_server.name }}-configmap-modsec
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600

platformQuickStarts/helm/modsec/templates/route-modsec.yml

@@ -0,0 +1,16 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: {{ .Values.modsec_server.name }}
+  name: {{ .Values.modsec_server.name }}-modsec
+  namespace: {{ .Values.namespace }}
+spec:
+  path: /
+  port:
+    targetPort: 8001
+  to:
+    kind: Service
+    name: {{ .Values.modsec_server.name }}-service
+    weight: 100
+  wildcardPolicy: None

platformQuickStarts/helm/modsec/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ .Values.modsec_server.name }}
+  name: {{ .Values.modsec_server.name }}-service
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+  - name: 8001-tcp
+    port: 8001
+    protocol: TCP
+    targetPort: 8001
+  selector:
+    app: {{ .Values.modsec_server.name }}
+  sessionAffinity: None

platformQuickStarts/helm/modsec/values.yaml

@@ -0,0 +1,13 @@
+namespace: demo-project
+urlpostfix: .apps-crc.testing
+accessMode: ReadWriteMany
+ 
+modsec_server:
+  name: modsec-1
+  #image: docker.io/franbuehler/modsecurity-crs-rp
+  #image: docker.io/owasp/modsecurity-crs
+  image: docker.io/chrira/modsecurity-crs-rp:openshift
+
+webgoat_server:
+  name: webgoat-1
+

platformQuickStarts/helm/webgoat/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

platformQuickStarts/helm/webgoat/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: webgoat
+description: WebGoat Learning Environment
+ 
+type: application
+ 
+version: 0.1.0
+ 
+appVersion: "8.2.3-SNAPSHOT"

platformQuickStarts/helm/webgoat/templates/configmap.yaml

@@ -0,0 +1,14 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Values.webgoat_server.name }}-configmap
+  namespace: {{ .Values.namespace }}
+  labels:
+    app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }} 
+data:
+  TZ: 'Europe/Amsterdam'
+  EXCLUDE_CATEGORIES: 'CLIENT_SIDE'
+  EXCLUDE_LESSONS: 'SqlInjectionAdvanced'
+  WEBWOLF_HOST: '{{ .Values.webgoat_server.name }}-wolf-{{ .Values.namespace }}{{ .Values.urlpostfix }}'
+  WEBWOLF_PORT: '80'
+  WEBGOAT_HOST: {{ .Values.webgoat_server.name }}-service

platformQuickStarts/helm/webgoat/templates/deployment.yaml

@@ -0,0 +1,91 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  labels:
+    app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }} 
+  name: {{ .Values.webgoat_server.name }}
+  namespace: {{ .Values.namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Values.webgoat_server.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.webgoat_server.name }} 
+    spec:
+      volumes:
+        - name: webgoat-volume-1
+          persistentVolumeClaim:
+            claimName: {{ .Values.webgoat_server.name }}-pvc 
+      containers:
+        - resources:
+            limits:
+              memory: "1Gi"
+              cpu: "500m"
+            requests:
+              memory: "200Mi"
+              cpu: "100m"
+          name: webgoat
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+            - containerPort: 9090
+              protocol: TCP
+          #livenessProbe:
+          #  failureThreshold: 3
+          #  periodSeconds: 10
+          #  httpGet:
+          #    path: /WebGoat
+          #    port: 8080
+          #readinessProbe:
+          #  failureThreshold: 3
+          #  periodSeconds: 10
+          #  initialDelaySeconds: 60
+          ##  httpGet:
+           #   path: /WebGoat
+           #   port: 8080
+          image: {{ .Values.webgoat_server.image }}
+          command:
+            - 'java'
+          args: ["-Duser.home=/home/webgoat",
+                 "--add-opens","java.base/java.lang=ALL-UNNAMED",
+                 "--add-opens","java.base/java.util=ALL-UNNAMED",
+                 "--add-opens","java.base/java.lang.reflect=ALL-UNNAMED",
+                 "--add-opens","java.base/java.text=ALL-UNNAMED",
+                 "--add-opens","java.desktop/java.beans=ALL-UNNAMED",
+                 "--add-opens","java.desktop/java.awt.font=ALL-UNNAMED",
+                 "--add-opens","java.base/sun.nio.ch=ALL-UNNAMED",
+                 "--add-opens","java.base/java.io=ALL-UNNAMED",
+                 "-Djava.io.tmpdir=/home/webgoat/.webgoat-{{ .Chart.AppVersion }}",
+                 "-Dfile.encoding=UTF-8",
+                 "-Drunning.in.docker=true",
+                 "-Dwebgoat.host=0.0.0.0",
+                 "-Dwebwolf.landingpage.url=http://{{ .Values.webgoat_server.name }}-wolf-{{ .Values.namespace }}{{ .Values.urlpostfix }}/landing",
+                 "-Dwebwolf.mail.url=http://{{ .Values.webgoat_server.name }}-wolf-{{ .Values.namespace }}{{ .Values.urlpostfix }}/mail",
+                 "-jar","/home/webgoat/webgoat.jar",
+                 "--server.address=0.0.0.0"
+                 ]
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: webgoat-volume-1
+              mountPath: /home/webgoat/.webgoat-{{ .Chart.AppVersion }} 
+          terminationMessagePolicy: File
+          envFrom:
+            - configMapRef:
+                name: {{ .Values.webgoat_server.name }}-configmap 
+            - secretRef:
+                name: {{ .Values.webgoat_server.name }}-secret      
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      securityContext: {}
+      schedulerName: default-scheduler
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 25%
+      maxSurge: 25%
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600

platformQuickStarts/helm/webgoat/templates/persistent-storage-claim

@@ -0,0 +1,13 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: '{{ .Values.webgoat_server.name }}-pvc'
+  namespace: '{{ .Values.namespace }}'
+spec:
+  accessModes:
+    - '{{ .Values.accessMode }}'
+  resources:
+    requests:
+      storage: 1Gi
+  #volumeName: pv0028
+  volumeMode: Filesystem

platformQuickStarts/helm/webgoat/templates/route-goat.yml

@@ -0,0 +1,36 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: {{ .Values.webgoat_server.name }}
+  name: {{ .Values.webgoat_server.name }}-goat
+  namespace: {{ .Values.namespace }}
+spec:
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+  path: /WebGoat
+  port:
+    targetPort: 8080
+  to:
+    kind: Service
+    name: {{ .Values.webgoat_server.name }}-service
+    weight: 100
+  wildcardPolicy: None
+---
+  apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  labels:
+    app: {{ .Values.webgoat_server.name }}
+  name: {{ .Values.webgoat_server.name }}-wolf
+  namespace: {{ .Values.namespace }}
+spec:
+  path: /
+  port:
+    targetPort: 9090
+  to:
+    kind: Service
+    name: {{ .Values.webgoat_server.name }}-wolfservice
+    weight: 100
+  wildcardPolicy: None

platformQuickStarts/helm/webgoat/templates/secrets.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.webgoat_server.name }}-secret
+  namespace: {{ .Values.namespace }}
+stringData:
+  ADMIN_PASSWORD: admin

platformQuickStarts/helm/webgoat/templates/service.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ .Values.webgoat_server.name }}
+    app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
+  name: {{ .Values.webgoat_server.name }}-service
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+  - name: 8080-tcp
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: {{ .Values.webgoat_server.name }}
+  sessionAffinity: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ .Values.webgoat_server.name }}
+    app.kubernetes.io/part-of: {{ .Values.webgoat_server.name }}
+  name: {{ .Values.webgoat_server.name }}-wolfservice
+  namespace: {{ .Values.namespace }}
+spec:
+  ports:
+  - name: 9090-tcp
+    port: 9090
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    app: {{ .Values.webgoat_server.name }}
+  sessionAffinity: None

platformQuickStarts/helm/webgoat/values.yaml

@@ -0,0 +1,11 @@
+namespace: demo-project
+urlpostfix: .apps-crc.testing
+accessMode: ReadWriteMany
+ 
+webgoat_server:
+  name: webgoat-1
+  image: docker.io/webgoat/webgoat:latest
+
+webwolf_server:
+  name: webwolf-1
+  image: docker.io/webgoat/webgoat:latest

pom.xml

@@ -6,28 +6,24 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>8.2.1-SNAPSHOT</version>
+    <version>8.2.3-SNAPSHOT</version>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.5.4</version>
+    </parent>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
     <inceptionYear>2006</inceptionYear>
     <url>https://github.com/WebGoat/WebGoat</url>
 
-    <prerequisites>
-        <maven>3.2.5</maven>
-    </prerequisites>
-
     <organization>
         <name>OWASP</name>
         <url>https://github.com/WebGoat/WebGoat/</url>
     </organization>
 
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.4.3</version>
-    </parent>
-
     <licenses>
         <license>
             <name>GNU General Public License, version 2</name>
@@ -60,6 +56,11 @@
             <name>René Zubcevic</name>
             <email>rene.zubcevic@owasp.org</email>
         </developer>
+        <developer>
+            <id>aolle</id>
+            <name>Àngel Ollé Blázquez</name>
+            <email>angel@olleb.com</email>
+        </developer>
         <developer>
             <id>jwayman</id>
             <name>Jeff Wayman</name>
@@ -110,35 +111,28 @@
         <url>https://github.com/WebGoat/WebGoat/issues</url>
     </issueManagement>
 
-    <ciManagement>
-        <system>Travis CI</system>
-        <url>https://travis-ci.org/WebGoat/WebGoat</url>
-    </ciManagement>
-
     <properties>
         <!-- Use UTF-8 Encoding -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-        <maven.compiler.source>15</maven.compiler.source>
+        <maven.compiler.source>17</maven.compiler.source>
-        <maven.compiler.target>15</maven.compiler.target>
+        <maven.compiler.target>17</maven.compiler.target>
-
-        <!-- This build number will be ubdated by Travis-CI -->
-        <build.number>build</build.number>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
-        <activation.version>1.1.1</activation.version>
+        <asciidoctorj.version>2.5.2</asciidoctorj.version>
         <commons-collections.version>3.2.1</commons-collections.version>
-        <commons-lang3.version>3.4</commons-lang3.version>
+        <commons-lang3.version>3.12.0</commons-lang3.version>
         <commons-io.version>2.6</commons-io.version>
         <guava.version>30.1-jre</guava.version>
         <lombok.version>1.18.20</lombok.version>
+        <wiremock.version>2.27.2</wiremock.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
         <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
         <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-        <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
-        <java.version>15</java.version>
+        <java.version>17</java.version>
     </properties>
 
     <modules>

webgoat-container/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <build>
@@ -17,13 +17,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
+                <version>${maven-surefire-plugin.version}</version>
-                    <forkCount>0</forkCount>
-                    <reuseForks>true</reuseForks>
-                    <argLine>
-                        --illegal-access=permit
-                    </argLine>
-                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -54,11 +48,6 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>javax.activation</groupId>
-            <artifactId>activation</artifactId>
-            <version>${activation.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
@@ -70,7 +59,7 @@
         <dependency>
             <groupId>org.asciidoctor</groupId>
             <artifactId>asciidoctorj</artifactId>
-            <version>2.4.3</version>
+            <version>${asciidoctorj.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>

webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java

@@ -58,7 +58,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) throws Exception {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                 .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
+                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc", "/actuator/**").permitAll()
                 .anyRequest().authenticated();
         security.and()
                 .formLogin()

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java

@@ -48,6 +48,7 @@ public enum Category {
     XSS("(A7) Cross-Site Scripting (XSS)", 307),
     INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308),
     VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309),
+    SESSION_MANAGEMENT("(A10) Session Management Flaws", 310),
     
     REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
 
@@ -66,7 +67,6 @@ public enum Category {
     DOS("Denial of Service", 1500),
     MALICIOUS_EXECUTION("Malicious Execution", 1600),
     CLIENT_SIDE("Client side", 1700),
-    SESSION_MANAGEMENT("Session Management Flaws", 1800),
     WEB_SERVICES("Web Services", 1900),
     ADMIN_FUNCTIONS("Admin Functions", 2000),
     CHALLENGE("Challenges", 3000);

webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java

@@ -34,15 +34,14 @@ public class WebGoatUser implements UserDetails {
     }
 
     public WebGoatUser(String username, String password) {
-        this.username = username;
+        this(username, password, ROLE_USER);
-        this.password = password;
-        createUser();
     }
 
     public WebGoatUser(String username, String password, String role) {
         this.username = username;
         this.password = password;
         this.role = role;
+        createUser();
     }
 
 

webgoat-container/src/main/resources/application-webgoat.properties

@@ -42,8 +42,8 @@ webgoat.default.language=en
 webwolf.host=${WEBWOLF_HOST:127.0.0.1}
 webwolf.port=${WEBWOLF_PORT:9090}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
-webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
+webwolf.landingpage.url=http://${webwolf.host}:${webwolf.port}/landing
-webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
+webwolf.mail.url=http://${webwolf.host}:${webwolf.port}/mail
 
 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false
@@ -55,4 +55,8 @@ exclude.categories=${EXCLUDE_CATEGORIES:none,none}
 #exclude based on the enum of the Category
 
 exclude.lessons=${EXCLUDE_LESSONS:none,none}
-#exclude based on the class name of a lesson e.g.: LessonTemplate
+#exclude based on the class name of a lesson e.g.: LessonTemplate
+
+management.health.db.enabled=true
+management.endpoint.health.show-details=always
+management.endpoints.web.exposure.include=health,configprops

webgoat-container/src/main/resources/static/css/lessons.css

@@ -1,33 +0,0 @@
-/*  css for lessons */
-/* not efficient loading, but at least easier to maintain */
-
-.hidden-menu-item {
-    display:none;
-    visibility:hidden;
-}
-
-#ac-menu li {
-    list-style-type: none;
-    background-color: #aaa;
-    width: auto;
-    max-width: 20%;
-}
-
-#ac-menu li:hover {
-    color: white;
-    background-color: #333;
-}
-
-#ac-menu div {
-    margin-bottom: -60px;
-    margin-top: -10px;
-}
-
-#ac-menu h3 {
-    color:white;
-    background-color:#666;
-}
-
-#ac-menu-wrapper {
-    border-bottom: 2px solid #444;
-}

webgoat-container/src/main/resources/templates/login.html

@@ -2,6 +2,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
 <head>
     <title th:text="#{login.page.title}">Login Page</title>
+    <link rel="shortcut icon" th:href="@{/css/img/favicon.ico}" type="image/x-icon"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>

webgoat-container/src/main/resources/templates/main_new.html

@@ -8,14 +8,13 @@
     <meta http-equiv="Cache-Control" CONTENT="no-store"/>
 
     <!--  CSS -->
-    <link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
+    <link rel="shortcut icon" th:href="@{/css/img/favicon.ico}" type="image/x-icon"/>
 
     <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/coderay.css}"/>
-    <link rel="stylesheet" type="text/css" th:href="@{/css/lessons.css}"/>
 <!--    <link rel="stylesheet" type="text/css" th:href="@{/css/asciidoctor-default.css}"/>-->
 
     <!--  end of CSS -->

webgoat-integration-tests/pom.xml

@@ -6,21 +6,21 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
     <dependencies>
-    	<dependency>
+        <dependency>
             <groupId>org.seleniumhq.selenium</groupId>
-	    <artifactId>selenium-java</artifactId>
+            <artifactId>selenium-java</artifactId>
-	    <scope>test</scope>
+            <scope>test</scope>
-	</dependency>
+        </dependency>
-	<dependency>
+        <dependency>
-    	<groupId>io.github.bonigarcia</groupId>
+            <groupId>io.github.bonigarcia</groupId>
-    	<artifactId>webdrivermanager</artifactId>
+            <artifactId>webdrivermanager</artifactId>
-    	<version>4.3.1</version>
+            <version>4.3.1</version>
-    	<scope>test</scope>
+            <scope>test</scope>
-	</dependency>
+        </dependency>
         <dependency>
             <groupId>org.owasp.webgoat</groupId>
             <artifactId>webgoat-server</artifactId>
@@ -43,16 +43,16 @@
             <artifactId>webwolf</artifactId>
             <version>${project.version}</version>
         </dependency>
-		<dependency>
+        <dependency>
-			<groupId>org.springframework.boot</groupId>
+            <groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-test</artifactId>
+            <artifactId>spring-boot-starter-test</artifactId>
-			<scope>test</scope>
+            <scope>test</scope>
-		</dependency>
+        </dependency>
-		<dependency>
+        <dependency>
-			<groupId>io.rest-assured</groupId>
+            <groupId>io.rest-assured</groupId>
-			<artifactId>rest-assured</artifactId>
+            <artifactId>rest-assured</artifactId>
-			<scope>test</scope>
+            <scope>test</scope>
-		</dependency>
+        </dependency>
     </dependencies>
 
     <build>
@@ -62,14 +62,12 @@
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>${maven-surefire-plugin.version}</version>
                 <configuration>
-                    <forkCount>0</forkCount>
+                    <!-- Otherwise test will fail with JDK16 -->
-                    <reuseForks>true</reuseForks>
                     <argLine>
-                        --illegal-access=permit
+                        --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
                     </argLine>
                 </configuration>
             </plugin>
         </plugins>
     </build>
-
 </project>

webgoat-integration-tests/src/test/java/org/owasp/webgoat/AccessControlTest.java

@@ -1,54 +1,87 @@
 package org.owasp.webgoat;
 
 
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+
 import java.util.HashMap;
 import java.util.Map;
 
-import org.junit.jupiter.api.Test;
-
-import io.restassured.RestAssured;
-import io.restassured.http.ContentType;
-import lombok.Data;
-
 public class AccessControlTest extends IntegrationTest {
-	
+
-	@Test
+    @Test
     public void testLesson() {
-    	startLesson("MissingFunctionAC");      
+        startLesson("MissingFunctionAC");
-    	
+        assignment1();
-    	Map<String, Object> params = new HashMap<>();
+        assignment2();
-        params.clear();
+        assignment3();
-        params.put("hiddenMenu1", "Users");
+
-        params.put("hiddenMenu2", "Config");
+        checkResults("/access-control");
-       
+    }
-    	
+
-        checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
+    private void assignment3() {
-        String userHash = 
+        //direct call should fail if user has not been created
+        RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .contentType(ContentType.JSON)
+                .get(url("/WebGoat/access-control/users-admin-fix"))
+                .then()
+                .statusCode(HttpStatus.SC_FORBIDDEN);
+
+        //create user
+        var userTemplate = """
+                {"username":"%s","password":"%s","admin": "true"}
+                """;
+        RestAssured.given()
+                .when()
+                .relaxedHTTPSValidation()
+                .cookie("JSESSIONID", getWebGoatCookie())
+                .contentType(ContentType.JSON)
+                .body(String.format(userTemplate, getWebgoatUser(), getWebgoatUser()))
+                .post(url("/WebGoat/access-control/users"))
+                .then()
+                .statusCode(HttpStatus.SC_OK);
+
+        //get the users
+        var userHash =
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
                         .cookie("JSESSIONID", getWebGoatCookie())
-                        .contentType(ContentType.JSON) 
+                        .contentType(ContentType.JSON)
-                        .get(url("/WebGoat/users"))
+                        .get(url("/WebGoat/access-control/users-admin-fix"))
                         .then()
                         .statusCode(200)
                         .extract()
                         .jsonPath()
-                        .get("find { it.username == \"" + getWebgoatUser() + "\" }.userHash");
+                        .get("find { it.username == \"Jerry\" }.userHash");
-        
+
-    	params.clear();
+        checkAssignment(url("/WebGoat/access-control/user-hash-fix"), Map.of("userHash", userHash), true);
-       	params.put("userHash", userHash);
-        checkAssignment(url("/WebGoat/access-control/user-hash"), params, true);
-         
-  
-        checkResults("/access-control");        
     }
-    
+
-	@Data
+    private void assignment2() {
-    public class Item {
+        var userHash =
-        private String username;
+                RestAssured.given()
-        private boolean admin;
+                        .when()
-        private String userHash;
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .contentType(ContentType.JSON)
+                        .get(url("/WebGoat/access-control/users"))
+                        .then()
+                        .statusCode(200)
+                        .extract()
+                        .jsonPath()
+                        .get("find { it.username == \"Jerry\" }.userHash");
+
+        checkAssignment(url("/WebGoat/access-control/user-hash"), Map.of("userHash", userHash), true);
+    }
+
+    private void assignment1() {
+        var params = Map.of("hiddenMenu1", "Users", "hiddenMenu2", "Config");
+        checkAssignment(url("/WebGoat/access-control/hidden-menu"), params, true);
     }
-    
 }

webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java

@@ -210,7 +210,7 @@ public class JWTLessonTest extends IntegrationTest {
 	private void quiz() { 
 		Map<String, Object> params = new HashMap<>();
 		params.put("question_0_solution", "Solution 1");
-		params.put("question_1_solution", "Solution 3");
+		params.put("question_1_solution", "Solution 2");
 
 		checkAssignment(url("/WebGoat/JWT/quiz"), params, true);
 	}

webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java

@@ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream;
 
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 
-public class PathTraversalTest extends IntegrationTest {
+class PathTraversalITTest extends IntegrationTest {
 
-    //the JUnit5 way
     @TempDir
     Path tempDir;
 
@@ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest {
     @BeforeEach
     @SneakyThrows
     public void init() {
-        fileToUpload = Files.createFile(
+        fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile();
-                tempDir.resolve("test.jpg")).toFile();
         Files.write(fileToUpload.toPath(), "This is a test".getBytes());
         startLesson("PathTraversal");
     }
@@ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest {
         );
     }
 
-    public void assignment1() throws IOException {
+    private void assignment1() throws IOException {
         MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
@@ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
 
-    public void assignment2() throws IOException {
+    private void assignment2() throws IOException {
         MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
@@ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
 
-    public void assignment3() throws IOException {
+    private void assignment3() throws IOException {
         MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
@@ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest {
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
 
-    public void assignment4() throws IOException {
+    private void assignment4() throws IOException {
         var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
         RestAssured.given().urlEncodingEnabled(false)
                 .when()
@@ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest {
                 .get(uri)
                 .then()
                 .statusCode(200)
-                .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
+                .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
 
         checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
     }
 
-    public void assignment5() throws IOException {
+    private void assignment5() throws IOException {
-        var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser();
+        var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();
         webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
 
         var webGoatDirectory = new File(webGoatHome);
-        var zipFile = new File(webGoatDirectory, "upload.zip");
+        var zipFile = new File(tempDir.toFile(), "upload.zip");
         try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
             ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
             zos.putNextEntry(e);
@@ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest {
     }
 
     @AfterEach
-    public void shutdown() {
+    void shutdown() {
         //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
         checkResults("/PathTraversal");
     }

webgoat-integration-tests/src/test/java/org/owasp/webgoat/SessionManagementTest.java

@@ -0,0 +1,47 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat;
+
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+class SessionManagementTest extends IntegrationTest {
+    
+    private static final String HIJACK_LOGIN_CONTEXT_PATH = "/WebGoat/HijackSession/login";
+
+
+    @Test
+    void hijackSessionTest() {
+        startLesson("HijackSession");
+        
+        checkAssignment(HIJACK_LOGIN_CONTEXT_PATH, Map.of("username", "webgoat", "password", "webgoat"), false);
+    }
+}

webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java

@@ -16,7 +16,7 @@ public class XSSTest extends IntegrationTest {
 
         Map<String, Object> params = new HashMap<>();
         params.clear();
-        params.put("answer_xss_1", "yes");
+        params.put("checkboxAttack1", "value");
         checkAssignment(url("/CrossSiteScripting/attack1"), params, true);
 
         params.clear();

webgoat-integration-tests/src/test/resources/application-inttest.properties

@@ -1,9 +1,9 @@
 #In order to run tests a known temp directory is preferred
 #that is why these values are used
 
-webgoat.user.directory=${user.dir}/target/.webgoat
+webgoat.user.directory=${java.io.tmpdir}/webgoat
-webgoat.server.directory=${user.dir}/target/.webgoat
+webgoat.server.directory=${java.io.tmpdir}/webgoat
-webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
+webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
 
 #database will get deleted for every mvn clean install
 #as these extra properties are read by WebGoat and WebWolf the drop of the tables 

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc

@@ -1,15 +1,15 @@
 
 == 2FA Password Reset
 
-A recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) is a great example of authentication bypass. He was unable to receive an SMS with a code, so he opted for the provided
+An excellent example of authentication bypass is a recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass). He could not receive an SMS with a code, so he opted for
-alternative method, which involved security questions.  Using a proxy, removed the parameters entirely ... and won.
+an alternative method, which involved security questions.  Using a proxy, removed the parameters entirely and won.
 
 image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
 
 
 === The Scenario
 
-You are resetting your password, but doing it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
+You reset your password, but do it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
-that those security questions are also stored on another device (not with you) and you don't remember them.
+Those security questions are also stored on another device (not with you), and you don't remember them.
 
-You have already provided your username/email and opted for the alternative verification method.
+You have already provided your username/email and opted for the alternative verification method.

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc

@@ -1,15 +1,15 @@
 == Authentication Bypasses
 
-Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
+Authentication Bypasses happen in many ways but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
 
 === Hidden inputs
 
-The simplest form is a reliance on a hidden input that is in the web page/DOM.
+The simplest form is a reliance on a hidden input in the web page/DOM.
 
 === Removing Parameters
 
-Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove the parameter from the submission altogether to see what happens.
+Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove it from the submission altogether to see what happens.
 
 === Forced Browsing
 
-If an area of a site is not protected properly by configuration, that area of the site may be accessed by guessing/brute-forcing.
+If an area of a site is not appropriately protected by configuration, that area of the site may be accessed by guessing/brute-forcing.

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc

@@ -1,7 +1,7 @@
 === More Content, Video too ...
 
-You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
 
 video::video/sample-video.m4v[width=480,start=5]
 
-see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>

webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc

@@ -1,6 +1,6 @@
 == Field Restrictions
-In most browsers, client has complete or almost complete control over HTML part
+In most browsers, the client has complete or almost complete control over the HTML part
 of the webpage. They can alter values or restrictions to fit their preference.
 
 === Task
-Send a request that bypasses restrictions of all four of these fields
+Send a request that bypasses restrictions of all four of these fields.

webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc

@@ -1,7 +1,7 @@
 == Validation
 
-Often, there is some mechanism in place to prevent users from sending altered
+There is often some mechanism in place to prevent users from sending altered
-field values to server, such as validation before sending. Most of popular browsers
+field values to the server, such as validation before sending. Most popular browsers
 such as Chrome don't allow editing scripts during runtime. We will have to circumvent
 the validation some other way.
 

webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc

@@ -1,11 +1,10 @@
 == Concept
 
-Users have a great degree of control over the front-end of the web application.
+Users have a great degree of control over the web application's front-end.
-They can alter HTML code, sometimes also scripts. This is why
+They can alter HTML code, sometimes also scripts. Applications that require a certain input format should also validate on the server-side.
-apps that require certain format of input should also validate on server-side.
 
 == Goals
 
 * The user should have a basic knowledge of HTML
-* The user should be able to tamper a request before sending (with proxy or other tool)
+* The user should be able to tamper with a request before sending (with proxy or other tools)
 * The user will be able to tamper with field restrictions and bypass client-side validation

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge7/Assignment7.java

@@ -46,7 +46,7 @@ public class Assignment7 extends AssignmentEndpoint {
 
     @Autowired
     private RestTemplate restTemplate;
-    @Value("${webwolf.url.mail}")
+    @Value("${webwolf.mail.url}")
     private String webWolfMailURL;
 
     @GetMapping("/challenge/7/reset-password/{link}")

webgoat-lessons/chrome-dev-tools/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>

webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment.adoc

@@ -1,8 +1,8 @@
 == Try It! Using the console
 
 Let us try it. Use the console in the dev tools and call the javascript function *webgoat.customjs.phoneHome()*. +
-You should get a response in the console. Your result should look something like:
+You should get a response in the console. Your result should look something like this:
 `phone home said
 {"lessonCompleted:true, ... ,"output":"phone home response is..."`
 Paste the random number, after that, in the text field below.
-(Make sure you got the most recent number, since it is randomly generated each time you call the function)
+(Make sure you got the most recent number since it is randomly generated each time you call the function)

webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_Assignment_Network.adoc

@@ -1,6 +1,6 @@
 == Try It! Working with the Network tab
 
-In this assignment you need to find a specific HTTP request and read a randomized number from it.
+In this assignment, you need to find a specific HTTP request and read a randomized number.
-To start click the first button, this wil generate an HTTP request. Try to find the specific HTTP request.
+To start, click the first button. This will generate an HTTP request. Try to find the specific HTTP request.
 The request should contain a field: `networkNum:`
-Copy the number which is displayed afterwards, into the input field below and click on the check button.
+Copy the number displayed afterward into the input field below and click on the check button.

webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_console.adoc

@@ -1,17 +1,17 @@
 == The Console tab
 
-In the console tab you can see anything, which a loaded JavaScript file may have printed out to it.
+In the console tab, you can see anything that a loaded JavaScript file may have printed out.
 Do not worry if you see something in red. While that is an error, it has probably resolved itself.
-Through the console tab, it is also possible for you to run your own line of JavaScript code.
+Through the console tab, it is also possible for you to run your line of JavaScript code.
 
-Start by clearing console using the shortcut `CTRL+L`.
+Start by clearing the console using the shortcut `CTRL+L.`
 
-To run your own JavaScript, simply click inside of the console and write something like:
+To run your JavaScript, click inside of the console and write something like:
-`console.log("Hello WebGoat!");` Hit enter. Hello WebGoat should now appear in your console.
+`console.log("Hello WebGoat!");` Hit enter. `Hello WebGoat` should now appear in your console.
-The console also allows you to do some basic arithmetic. If you type for example `1+3` and hit
+The console also allows you to do some basic arithmetic. If you type, for example, `1+3` and hit
-enter the console should display 4.
+enter, the console should display 4.
 
 Note: You may see an `undefined` in the console. You can safely  ignore this statement,
-it only means, that the JavaScript function you have called did not return anything, therefore `undefined`.
+it only means that the JavaScript function you have called did not return anything, therefore `undefined.`
 
-image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]
+image::images/ChromeDev_Console_Ex.jpg[DeveloperToolsConsoleExample,500,500,style="lesson-image"]

webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_elements.adoc

@@ -1,22 +1,22 @@
 == The Elements Tab
 
-The elements tab allows you to look at the HTML and CSS code, that are used to define and style the website.
+The elements tab allows you to look at the HTML and CSS code used to define and style the website.
 
 === HTML source
 
-If you hover over one line you can see that a part of the website turns blue. That means that
+If you hover over one line, you can see that a part of the website turns blue. That means that
 this particular HTML line defines this section of the website.
-The elements tab allows you to make changes to every single HTML element. For example if you click inside
+The elements tab allows you to make changes to every single HTML element. For example, if you click inside
-a paragraph (<p>...</p>) Tag you can edit the content of the website. If you have made your changes and then click enter
+a paragraph (<p>...</p>) Tag,  you can edit the content of the website. If you have made your changes and then click enter
-Chrome will actually update the website to show your edits. You can also change the HTML Tag used,
+Chrome will update the website to show your edits. You can also change the HTML Tag used,
-the classes and id's a tag has and much more.
+the classes and id's a tag has, and much more.
 
 image::images/ChromeDev_Elements.jpg[DeveloperToolsElements,500,350,style="lesson-image"]
 
 === CSS source
 
-Underneath the HTML source, you can find information about the CSS which is used to style the
+You can find information about the CSS used to style the
-Website. Like the HTML, you can also edit the CSS and therefore adjust the styling of the website.
+website under the HTML source. Like the HTML, you can also edit the CSS and, therefore, adjust the website's styling.
-You can edit specific values, or turn off individual styling.
+You can edit specific values or turn off individual styling.
 
-image::images/ChromeDev_Elements_CSS.jpg[DeveloperToolsElementsCSS,500,350,style="lesson-image"]
+image::images/ChromeDev_Elements_CSS.jpg[DeveloperToolsElementsCSS,500,350,style="lesson-image"]

webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_intro.adoc

@@ -1,19 +1,19 @@
 == Google Chrome Developer Tools
 
-To complete certain assignments you sometimes may have to look at the JavaScript
+To complete certain assignments, you sometimes may have to look at the JavaScript
 source code or run a JavaScript command on your own.
-To do that Google Chrome has a set of tools which allows you to do that and much much more.
+To do that, Google Chrome has a set of tools that allow you to do that and much more.
-While these tools are not specific to Google Chrome, almost every modern browser has a set
+While these tools are not specific to Google Chrome, almost every modern browser has a bunch
-of their own, our introduction will focus on the ones found in Google Chrome.
+of its own. Our introduction will focus on the ones found in Google Chrome.
-You can however still use the browser of your choice, like Firefox or Safari, although some steps of this tutorial
+You can, however still use the browser of your choice, like Firefox or Safari, although some steps of this tutorial
-may be different for you.
+maybe different for you.
 
-Keep in mind that the following tutorial, is not there to teach everything there is about these tools.
+Keep in mind that the following tutorial is not there to teach everything about these tools.
-This tutorial will only focus on the essential knowledge you need to complete certain assignments.
+This tutorial will only focus on the essential knowledge to complete specific assignments.
-Also if you are already familiar with these Tools you can safely skip these lessons.
+Also, if you are already familiar with these tools, you can safely skip these lessons.
 
-To get started, *open the developer tools*. There are multiple ways to open them:
+To get started: *open the developer tools*. There are multiple ways to open them:
 
-1. Right click anywhere in the browser window and select the option _"Inspect"_.
+1. Right-click anywhere in the browser window and select the option _"Inspect"_.
 2. Go to the browser menu (three dots in the top right corner), then go to _"More tools"_ and select the option _"Developer tools"_.
-3. Use the keyboard shortcut _Ctrl + Shift + I_
+3. Use the keyboard shortcut _Ctrl + Shift + I_

webgoat-lessons/chrome-dev-tools/src/main/resources/lessonPlans/en/ChromeDevTools_sources.adoc

@@ -1,16 +1,16 @@
 == The Sources tab
 
-In the sources tab you can check out the file system and view all the HTML, CSS and JavaScript files that are used, to
+In the sources tab, you can check out the file system and view all the HTML, CSS, and JavaScript files used to
-create the website. Simply click on a file to view its contents.
+create the website. Click on a file to view its contents.
 
 image::images/ChromeDev_Sources.jpg[DeveloperToolsSources,400,500,style="lesson-image"]
 
 == The Network tab
 
-In the Network tab you can view HTTP requests and responses the website has performed.
+In the Network tab, you can view HTTP requests and responses the website has performed.
-If you want more detailed information on a particular request, just click on it.
+Just click on it if you want more detailed information on a particular request.
-In the Timeline above the blue dots represent when these requests and responses have been performed.
+The "Timeline" above the blue dots represents when these requests and responses have been performed.
-You can also see the Requests done in a specific time frame, simply by clicking and dragging on the timeline. Now the window
+You can also see the Requests done in a specific time frame simply by clicking and dragging on the timeline. The window
-below, will only show the requests and responses done in that particular time frame.
+below will only show the requests and responses done in that time frame.
 
-image::images/ChromeDev_Network.jpg[DeveloperToolsNetwork,400,500,style="lesson-image"]
+image::images/ChromeDev_Network.jpg[DeveloperToolsNetwork,400,500,style="lesson-image"]

webgoat-lessons/cia/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 </project>

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc

@@ -19,6 +19,6 @@ Availability is "the property of being accessible and usable on demand by an aut
 ** network traffic control
 ** firewalls
 ** physical security of hardware and underlying infrastructure
-*** protections against fire, water, and other elements
+*** protection against fire, water, and other elements
 ** hardware maintenance
 ** redundancy

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc

@@ -1,15 +1,15 @@
 == Confidentiality
 
-Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for. 
+Confidentiality is "the property that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still access the resources they have been granted permissions for.
 
-Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
+Although confidentiality is similar to "privacy," these two words are not interchangeable. Instead, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities.
 
 {nbsp} +
 
 === Examples that compromise confidentiality:
 
 ** a hacker gets access to the password database of a company
-** a sensitive emails is sent to the incorrect individual
+** a sensitive email is sent to the incorrect individual
 ** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer
 
 {nbsp} +
@@ -22,4 +22,4 @@ Although confidentiality is similar to "privacy", these two words are not interc
 *** multi-factor authentication (MFA)
 *** biometric verification
 ** minimizing the number of places/times the information appears
-** physical security controls such as properly secured server rooms
+** physical security controls such as properly secured server rooms

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc

@@ -1,6 +1,6 @@
 == Integrity
 
-Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data.
+Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not change during transit, and unauthorized entities should not alter the data.
 
 {nbsp} +
 
@@ -13,9 +13,9 @@ Integrity is "the property of accuracy and completeness." In other words, integr
 
 {nbsp} +
 
-=== Examples of methods ensuring integrity
+=== Examples of methods ensuring the integrity
 
 ** well functioning authentication methods and access control
 ** checking integrity with hash functions
 ** backups and redundancy
-** auditing and logging
+** auditing and logging

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc

@@ -1,7 +1,7 @@
 == The CIA Triad
 
 The CIA Triad (confidentiality, integrity, availability) is a model for information security.
-The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. +
+The three elements of the triad are considered the most crucial information security components and should guarantee in any secure system. +
-Serious consequences can result if even one these elements is breached.
+Serious consequences can result if even one of these elements is breached.
 
-The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.
+The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization.

webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc

@@ -1,3 +1,3 @@
 Now it's time for a quiz! Answer the following question to check if you understood the topic.
 
-Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:
+Today, most systems are protected by a firewall. A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall:

webgoat-lessons/client-side-filtering/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
 
 </project>

webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_assignment.adoc

@@ -2,4 +2,4 @@
 
 You are logged in as Moe Stooge, CSO of Goat Hills Financial. You have access to everyone in the company's information,
 except the CEO, Neville Bartholomew.  Or at least you should not have access to the CEO's information. For this assignment,
-examine the contents of the page to see what extra information you can find.
+examine the page's contents to see what extra information you can find.

webgoat-lessons/client-side-filtering/src/main/resources/lessonPlans/en/ClientSideFiltering_plan.adoc

@@ -1,6 +1,6 @@
 == Client side filtering
 
-It is always a good practice to send to the client only information which they are supposed
+It is always a good practice to send only information to the client they are supposed
 to have access to.  In this lesson, too much information is being sent to the client, creating
-a serious access control problem. For this exercise, your mission is exploit the extraneous information being returned
+a serious access control problem. For this exercise, your mission is to exploit the extraneous information returned
-by the server to discover information to which you should not have access.
+by the server to discover information to which you should not have access.

webgoat-lessons/cross-site-scripting/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.1-SNAPSHOT</version>
+        <version>8.2.3-SNAPSHOT</version>
     </parent>
     <dependencies>
         <dependency>
@@ -16,28 +16,4 @@
             <version>1.14.2</version>
         </dependency>
     </dependencies>
-    <build>
-       <plugins>
-           <plugin>
-               <groupId>org.asciidoctor</groupId>
-               <artifactId>asciidoctor-maven-plugin</artifactId>
-               <version>1.5.3</version>
-
-               <executions>
-                   <execution>
-                       <id>output-html</id>
-                       <phase>generate-resources</phase>
-                       <goals>
-                           <goal>process-asciidoc</goal>
-                       </goals>
-                       <configuration>
-                           <backend>html</backend>
-                           <sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory>
-                       </configuration>
-                   </execution>
-
-               </executions>
-           </plugin>
-       </plugins>
-   </build>
 </project>

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java

@@ -36,8 +36,8 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 
     @PostMapping("/CrossSiteScripting/attack1")
     @ResponseBody
-    public AttackResult completed(@RequestParam String answer_xss_1) {
+    public AttackResult completed(@RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
-        if (answer_xss_1.toString().toLowerCase().equals("yes")) {
+        if (checkboxValue != null) {
             return success(this).build();
         } else {
             return failed(this).feedback("xss.lesson1.failure").build();

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html

@@ -15,8 +15,7 @@
 				  action="/WebGoat/CrossSiteScripting/attack1">
 				<table>
 					<tr>
-						<td>Were the cookies the same on each tab?</td>
+						<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
-						<td><input name="answer_xss_1" value="" type="TEXT" /></td>
 						<td><input
 								name="answer" value="Submit" type="SUBMIT"/></td>
 						<td></td>

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -17,7 +17,7 @@ xss-reflected-6a-hint-1=To search through the client side code, use the develope
 xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
 xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
 xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
-xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
 xss-dom-message-success=Correct, I hope you did not cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
 xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingMitigation_plan.adoc

@@ -1,7 +1,7 @@
 == Concept 
 
 After learning what Cross-Site Scripting (XSS) is and how it works,
-you will know learn how you can defend against it.
+you will know to learn how you can defend against it.
 
 == Goals
 

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScriptingStored_plan.adoc

@@ -1,8 +1,8 @@
 == Concept 
 
-After taking a look at Reflected XSS in the previous lesson. We are now gonna take a closer look at another form of Cross-Site Scripting Attack: Stored XSS.
+After looking at Reflected XSS in the previous lesson, we are now going to take a closer look at another form of Cross-Site Scripting Attack: Stored XSS.
 
 == Goals
 * The user will learn what Stored XSS is
 * The user will demonstrate knowledge on:
-** Stored XSS injection
+** Stored XSS injection

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc

@@ -1,16 +1,15 @@
 == What is XSS?
 
-Cross-Site Scripting (also commonly known as XSS) is a vulnerability/flaw that combines the allowance of html/script tags as input that are rendered into a browser without encoding or sanitization
+Cross-Site Scripting (also known as XSS) is a vulnerability/flaw that combines the allowance of HTML/script tags as input that renders into a browser without encoding or sanitization.
 
 === Cross-Site Scripting (XSS) is the most prevalent and pernicious web application security issue
 
-While there is a simple well-known defense for this attack, there are still many instances of it on the web.  In terms of fixing it,
+While there is a simple well-known defense for this attack, there are still many instances on the web.  Coverage of fixes also tends to be a problem in terms of fixing it. We will talk more about the defense in a little bit.
-coverage of fixes also tends to be a problem. We will talk more about the defense in a little bit.
 
 === XSS has significant impact
 
 Especially as 'Rich Internet Applications' are more and more commonplace, privileged function calls linked to via JavaScript may be compromised.
-And if not properly protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
+And if not adequately protected, sensitive data (such as your authentication cookies) can be stolen and used for someone else's purpose.
 
 
 ==== Quick examples:
@@ -20,7 +19,7 @@ And if not properly protected, sensitive data (such as your authentication cooki
 alert("XSS Test");
 alert(document.cookie);
 ----
-* Any data field that is returned to the client is potentially injectable
+* Any data field returned to the client is potentially injectable
 +
 ----
 <script>alert("XSS Test")</script>
@@ -28,5 +27,6 @@ alert(document.cookie);
 
 == Try It!  Using Chrome or Firefox
 
-* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
+* Open a second tab and use the same URL as this page you are currently on (or any URL within this instance of WebGoat).
-* Then, on that second that open the browser developer tools and open the javascript console. And type:  `alert(document.cookie);` .
+* On the second tab, open the JavaScript console in the developer tools  and type:  `alert(document.cookie);`.
+* The cookies should be the same on each tab.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content2.adoc

@@ -4,11 +4,11 @@
 
 * Input fields that echo user data
 
-* Error messages that return user supplied text
+* Error messages that return user-supplied text
 
-* Hidden fields that contain user supplied data
+* Hidden fields that contain user-supplied data
 
-* Any page that displays user supplied data
+* Any page that displays user-supplied data
 ** Message boards
 ** Free form comments
 

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content4.adoc

@@ -4,14 +4,13 @@
 * Malicious content from a user request is displayed to the user in a web browser
 * Malicious content is written into the page after from server response
 * Social engineering is required
-* Runs with browser privileges inherited from user in browser
+* Runs with browser privileges inherited from the user in a browser
 
 === DOM-based (also technically reflected)
-* Malicious content from a user request is used by client-side scripts to write HTML to it own page
+* Client-side scripts use malicious content from a user request to write HTML to its page
-* Similar to reflected XSS 
+* Similar to reflected XSS
-* Runs with browser privileges inherited from user in browser
+* Runs with browser privileges inherited from the user in a browser
 
 === Stored or persistent
-* Malicious content is stored on the server ( in a database, file system, or other object ) and later displayed to users in a web browser
+* Malicious content is stored on the server ( in a database, file system, or other objects) and later displayed to users in a web browser
 * Social engineering is not required
-

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5.adoc

@@ -1,7 +1,7 @@
 == Reflected XSS scenario
 
-* Attacker sends a malicious URL to victim 
+* Attacker sends a malicious URL to the victim
-* Victim clicks on the link that loads malicious web page
+* Victim clicks on the link that loads a malicious web page
 * The malicious script embedded in the URL executes in the victim’s browser
 ** The script steals sensitive information, like the session id, and releases it to the attacker
 

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc

@@ -1,8 +1,8 @@
 == Try It! Reflected XSS
 
-The goal of the assignment is to identify which field is susceptible to XSS.
+The assignment's goal is to identify which field is susceptible to XSS.
 
-It is always a good practice to validate all input on the server-side. XSS can occur when unvalidated user input gets used in an HTTP response.
+It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input gets used in an HTTP response.
 In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
-An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.
+An easy way to find out if a field is vulnerable to an XSS attack is to use the `alert()` or `console.log()` methods. Use one of them to find out which field is vulnerable.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc

@@ -1,10 +1,10 @@
 == Self XSS or reflected XSS?
 
-You should have been able to execute script with the last example. At this point, it would be considered 'self XSS' though.
+You should have been able to execute the script with the last example. At this point, it is considered 'self XSS,' though.
 
 Why is that?
 
-That is because there is no link that would trigger that XSS.
+That is because no link triggers that XSS.
 You can try it yourself to see what happens ... go to:
 
 link:/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111["/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111",window=_blank]

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc

@@ -1,14 +1,14 @@
 == Reflected and DOM-Based XSS
 
-DOM-based XSS is another form of reflected XSS. Both are triggered by sending a link with inputs that are reflected to the browser.
+DOM-based XSS is another form of reflected XSS. Both are triggered by sending a link with inputs reflected in the browser.
-The difference between DOM and 'traditional' reflected XSS is that, with DOM, the payload will never go to the server.  It will only ever be processed by the client.
+The difference between DOM and 'traditional' reflected XSS is that, with DOM, the payload will never go to the server.  The client will only ever process it.
 
 
-* Attacker sends a malicious URL to victim
+* Attacker sends a malicious URL to the victim
 * Victim clicks on the link
 * That link may load a malicious web page or a web page they use (are logged into?) that has a vulnerable route/handler
-* If it's a  malicious web page, it may use it's own JavaScript to attack another page/url with a vulnerable route/handler
+* If it's a  malicious web page, it may use its own JavaScript to attack another page/URL with a vulnerable route/handler
-* The vulnerable page renders the payload and executes attack in the user's context on that page/site
+* The vulnerable page renders the payload and executes an attack in the user's context on that page/site
 * Attacker's malicious script may run commands with the privileges of local account
 
-*Victim does not realize attack occurred* ... Malicious attackers don't use <script>alert('xss')</ script>
+*Victim does not realize attack occurred* ... Malicious attackers don't use <script>alert('xss')</ script>

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc

@@ -1,15 +1,15 @@
 == Identify potential for DOM-Based XSS
 
 DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
-Look for a route that takes inputs that are being "reflected" to the page.
+Look for a route that takes inputs that are "reflected" to the page.
 
 For this example, you will want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary JavaScript library).
-Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
+Sometimes, test code gets left in production (and often test code is simple and lacks security or quality controls!).
 
-Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
+Your objective is to find the route and exploit it. First though, what is the base route? As an example, look at the URL for this lesson ...
 it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
 *start.mvc#lesson/*
 The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the JavaScript route handler.
 
 So, what is the route for the test code that stayed in the app during production?
-To answer this question, you have to check the JavaScript source.
+To answer this question, you have to check the JavaScript source.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc

@@ -1,11 +1,11 @@
 == Try It!   DOM-Based XSS
 
-Some attacks are "blind". Fortunately, you have the server running here so you will be able to tell if you are successful.
+Some attacks are "blind." Fortunately, you have the server running here, so you can tell if you are successful.
-Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat.
+Use the route you just found and see if you can use it to reflect a parameter from the route without encoding to execute an internal function in WebGoat.
-The function you want to execute is ...
+The function you want to execute is:
 
 *webgoat.customjs.phoneHome()*
 
-Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
+Sure, you could use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
 
-Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.
+Once you trigger it, a subsequent response will come to your browser's console with a random number. Put that random number below.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc

@@ -1,8 +1,8 @@
 == Stored XSS
-Stored Cross-Site Scripting is different in that the payload is persisted (stored) as opposed to passed/injected via a link.
+Stored Cross-Site Scripting is different in that the payload is persisted (stored) instead of passed/injected via a link.
 
 == Stored XSS Scenario
-* Attacker posts malicious script to a message board 
+* Attacker posts malicious script to a message board
 * Message is stored in a server database
 * Victim reads the message
 * The malicious script embedded in the message board post executes in the victim’s browser

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc

@@ -2,5 +2,5 @@ See the comments below.
 
 Add a comment with a JavaScript payload. Again ... you want to call the _webgoat.customjs.phoneHome_ function.
 
-As an attacker (offensive security), keep in mind that most apps are not going to have such a straight-forwardly named compromise.
+As an attacker (offensive security), keep in mind that most apps will not have such a straightforwardly named compromise.
-Also, you may have to find a way to load your own JavaScript dynamically to fully achieve goals of extracting data.
+Also, you may have to find a way to load your JavaScript dynamically to achieve the goal of extracting data fully.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7c.adoc

@@ -1,3 +1,3 @@
 Watching in your browser's developer tools or your proxy, the output should include a value starting with 'phoneHome Response is ...."
-Put that value in below to complete this exercise.  Note that, each subsequent call to the _phoneHome_ method will change that value.
+Put that value below to complete this exercise.  Note that each subsequent call to the _phoneHome_ method will change that value.
-You may need to ensure you have the most recent one.
+You may need to ensure you have the most recent one.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc

@@ -2,26 +2,26 @@
 
 
 === Why?
-Hopefully we have covered that by now. Bottom line, you do not want someone else's code running in the context of your users and their logged-in session
+Hopefully, we have covered that by now. Bottom line, you do not want someone else's code running in the context of your users and their logged-in session
 
 === What to encode?
-The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
+The basic premise of defending against XSS is *output encoding* any untrusted input to the screen.
 That may be changing with more sophisticated attacks, but it is still the best defense we currently have. *AND* ... *context matters*
 
-Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).
+Another word on 'untrusted input.' If in doubt, treat everything (even data you populated in your DB as untrusted).
-Sometimes data is shared across multiple systems and what you think is your data, may not have been created by you/your team.
+Sometimes data is shared across multiple systems, and what you think is your data may not have been created by you/your team.
 
 === When/Where?
 Encode *as the data is sent to the browser* (not in your persisted data).  In the case of *Single Page Apps (SPA's), you will need to encode
-in the client*. Consult your framework/library for me details, but some resources will be  provided on the next page.
+in the client*. Consult your framework/library for details, but some resources will be provided on the next page.
 
 === How?
 
- * Encode as HTML Entities in HTML Body
+* Encode as HTML Entities in HTML Body
- * Encode as HTML Entities in HTML Attribute
+* Encode as HTML Entities in HTML Attribute
- * Encode for JavaScript if outputting user input to JavaScript (but think about that ... you are outputting user input into JavaScript on your page!!)
+* Encode for JavaScript if outputting user input to JavaScript (but think about that ... you are outputting user input into JavaScript on your page!!)
 
 *DO NOT* try to blacklist/negative filter on strings like '<script>' and so forth.
 
 
-...See the next page for some recommended resources and reading on defending against XSS
+...See the next page for some recommended resources and reading on defending against XSS

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc

@@ -1,10 +1,10 @@
 == What is encoding?
 
-Not trusting user input means validating data for type, length, format and range whenever it passes through a trust boundary,
+Not trusting user input means validating data for type, length, format, and range whenever it passes through a trust boundary,
-say from a web form to an application script, and then encoding it prior to redisplay in a dynamic page.
+say from a web form to an application script, then encode it before redisplay in a dynamic page.
 
 In practice, this means that you need to review every point on your site where user-supplied data is handled and processed and
-ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered and encoded.
+ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered, and encoded.
 
 Client-side validation cannot be relied upon, but user input can be forced down to a minimal alphanumeric set with server-side
 processing before being used by a web application in any way.
@@ -12,7 +12,7 @@ processing before being used by a web application in any way.
 == Escaping
 
 Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context.
-In the case of HTML output, you need to convert the < and > characters (among others), to prevent any malicious code from rendering.
+In the case of HTML output, you need to convert the < and > characters (among others) to prevent any malicious code from rendering.
 Escaping these characters involves turning them into their entity equivalents \&lt; and \&gt;,
 which will not be interpreted as HTML tags by a browser.
 
@@ -20,21 +20,21 @@ which will not be interpreted as HTML tags by a browser.
 
 You need to encode special characters like "<" and ">" before they are redisplayed if they are received from user input.
 For example, encoding "<" and ">" ensures a browser will display <script> but not execute it.
-In conjunction to encoding, it is important that your web pages always define their character set so the browser will not interpret
+In conjunction with encoding, your web pages must always define their character set so the browser will not interpret
 special character encodings from other character sets.
 
-Cross site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
+Cross-site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
 it can run maliciously.
 
 === Relevant XML/HTML special characters
 
 |===
 |Char |Escape string |
-|<	|\&lt;|
+|< |\&lt;|
-|>	|\&gt;|
+|> |\&gt;|
-|"	|\&quot;|
+|" |\&quot;|
-|'	|\&#x27;|
+|' |\&#x27;|
-|&	|\&amp;|
+|& |\&amp;|
 |/  |\&#x2F;|
 
 |===

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc

@@ -1,6 +1,6 @@
 == Reflective XSS
 
-See the HTML file below which passes data to a JSP file.
+See the HTML file below, which passes data to a JSP file.
 
 [source,html]
 -------------------------------------------------------
@@ -49,7 +49,7 @@ Here is the JSP file:
 
 
 As you can see the JSP file prints unfiltered user input which is never a good idea.
-You want people to accesses the page like this:
+You want people to access the page like this:
 
 ----
 http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
@@ -62,7 +62,7 @@ http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</scri
 
 === It is your turn!
 
-Try to prevent this kind of XSS by escaping the url parameters in the JSP file:
+Try to prevent this kind of XSS by escaping the URL parameters in the JSP file:
 
 
 

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc

@@ -1,7 +1,7 @@
 == Stored XSS
-One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy is able to produce a "clean" string based on a modifiable policy file.
+One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy can produce a "clean" string based on an adjustable policy file.
 
-See the java class below which saves a comment into a database.
+See the java class below, which saves a comment into a database.
 
 [source,java]
 -------------------------------------------------------
@@ -27,7 +27,7 @@ public class MyCommentDAO {
 -------------------------------------------------------
 
 
-And here is a java class that is using the addComment function
+And here is a Java class that uses the addComment function
 
 [source,java]
 -------------------------------------------------------
@@ -43,7 +43,7 @@ public class AntiSamyController {
 }
 -------------------------------------------------------
 As you can see the Java file stores unfiltered user input into the database.
-You’ll have the whole malicious code stored in your database now.
+You have the whole malicious code stored in your database now.
 
-== It’s your turn!
+== It is your turn!
-Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use the "antisamy-slashdot.xml" as policy file for this example:
+Try to prevent this kind of XSS by creating a clean string inside the saveNewComment() function. Use the "antisamy-slashdot.xml" as a policy file for this example: