See the comments below. Add a comment with a JavaScript payload. Again, you want to call the _webgoat.customjs.phoneHome_ function. As an attacker (offensive security), keep in mind that most apps are not going to have a compromise that is so straightforwardly named. Also, you may have to find a way to load your own JavaScript dynamically to fully achieve the goal of extracting data.