WebGoat · nbaars · Nov 7, 2024 · Oct 30, 2024 · Nov 7, 2024 · Nov 7, 2024
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -26,7 +26,7 @@ jobs:
                     distribution: 'temurin'
                     java-version: '21'
             -   name: Pre-commit checks
-                uses: pre-commit/[email protected].0
+                uses: pre-commit/[email protected].1
             -   name: pre-commit-ci-lite
                 uses: pre-commit-ci/[email protected]
                 if: always()

diff --git a/pom.xml b/pom.xml
@@ -93,7 +93,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
-    <waittimeForServerStart>30</waittimeForServerStart>
+    <waittimeForServerStart>60</waittimeForServerStart>
     <webdriver.version>5.9.2</webdriver.version>
     <webgoat.context>/</webgoat.context>
     <webgoat.sslenabled>false</webgoat.sslenabled>

diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderJKUEndpoint.java
@@ -19,7 +19,7 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
-@RequestMapping("/JWT/jku")
+@RequestMapping("/JWT/")
 @RestController
 @AssignmentHints({
   "jwt-jku-hint1",
@@ -30,7 +30,7 @@
 })
 public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
 
-  @PostMapping("/follow/{user}")
+  @PostMapping("jku/follow/{user}")
   public @ResponseBody String follow(@PathVariable("user") String user) {
     if ("Jerry".equals(user)) {
       return "Following yourself seems redundant";
@@ -39,7 +39,7 @@ public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
     }
   }
 
-  @PostMapping("/delete")
+  @PostMapping("jku/delete")
   public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
     if (StringUtils.isEmpty(token)) {
       return failed(this).feedback("jwt-invalid-token").build();

diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/claimmisuse/JWTHeaderKIDEndpoint.java
@@ -52,7 +52,7 @@
   "jwt-kid-hint5",
   "jwt-kid-hint6"
 })
-@RequestMapping("/JWT/kid")
+@RequestMapping("/JWT/")
 public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
 
   private final LessonDataSource dataSource;
@@ -61,7 +61,7 @@ private JWTHeaderKIDEndpoint(LessonDataSource dataSource) {
     this.dataSource = dataSource;
   }
 
-  @PostMapping("/follow/{user}")
+  @PostMapping("kid/follow/{user}")
   public @ResponseBody String follow(@PathVariable("user") String user) {
     if ("Jerry".equals(user)) {
       return "Following yourself seems redundant";
@@ -70,7 +70,7 @@ private JWTHeaderKIDEndpoint(LessonDataSource dataSource) {
     }
   }
 
-  @PostMapping("/delete")
+  @PostMapping("kid/delete")
   public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
     if (StringUtils.isEmpty(token)) {
       return failed(this).feedback("jwt-invalid-token").build();

diff --git a/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java b/src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignment.java
@@ -22,6 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
+import static org.springframework.util.StringUtils.hasText;
+
 import com.google.common.collect.Maps;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -117,7 +119,7 @@ public ModelAndView changePassword(
       BindingResult bindingResult,
       @CurrentUsername String username) {
     ModelAndView modelAndView = new ModelAndView();
-    if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
+    if (!hasText(form.getPassword())) {
       bindingResult.rejectValue("password", "not.empty");
     }
     if (bindingResult.hasErrors()) {

diff --git a/src/main/resources/lessons/authbypass/html/AuthBypass.html b/src/main/resources/lessons/authbypass/html/AuthBypass.html
@@ -23,7 +23,7 @@
             <form class="attack-form" accept-charset="UNKNOWN" id="verify-account-form"
                   method="POST" name="form"
                   successCallback="onBypassResponse"
-                  action="auth-bypass/verify-account">
+                  th:action="@{/auth-bypass/verify-account}">
                 <p>Verify Your Account by answering the questions below:</p>
 
                 <p>What is the name of your favorite teacher?</p>
@@ -43,7 +43,7 @@
             <form class="attack-form" accept-charset="UNKNOWN" id="change-password-form"
                   method="POST" name="form"
                   successCallback="onBypassResponse"
-                  action="auth-bypass/verify-account"
+                  th:action="@{/auth-bypass/verify-account}"
                   style="display:none"><!-- start off hidden -->
                 <p>Please provide a new password for your account</p>
 

diff --git a/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html b/src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html
@@ -18,7 +18,7 @@
         <div class="container-fluid">
             <form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions"
                   method="POST"
-                  action="BypassRestrictions/FieldRestrictions">
+                  th:action="@{/BypassRestrictions/FieldRestrictions}">
 
                 <div class="bypass-input-container"><b>Select field with two possible value</b>
                     <div class="input-group">

diff --git a/src/main/resources/lessons/challenges/html/Challenge1.html b/src/main/resources/lessons/challenges/html/Challenge1.html
@@ -17,7 +17,7 @@
                 <div class="panel-body">
                     <form class="attack-form" accept-charset="UNKNOWN"
                           method="POST" name="form"
-                          action="challenge/1"
+                          th:action="@{/challenge/1}"
                           style="width: 200px;">
 
                         <div class="form-group">
@@ -37,7 +37,7 @@
             </div>
         </div>
 
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/1">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/1}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

diff --git a/src/main/resources/lessons/challenges/html/Challenge5.html b/src/main/resources/lessons/challenges/html/Challenge5.html
@@ -25,7 +25,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="challenge/5" role="form">
+                                          th:action="@{/challenge/5}" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
                                                    class="form-control" placeholder="Username" value=""/>
@@ -66,7 +66,7 @@
             </div>
         </div>
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/5">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/5}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

diff --git a/src/main/resources/lessons/challenges/html/Challenge6.html b/src/main/resources/lessons/challenges/html/Challenge6.html
@@ -29,7 +29,7 @@
                                 <div class="col-lg-12">
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="challenge/6" role="form">
+                                          th:action="@{/challenge/6}" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_login" id="username4" tabindex="1"
                                                    class="form-control" placeholder="Username" value=""/>
@@ -64,7 +64,7 @@
                                     </form>
                                     <form id="register-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="PUT" name="form"
-                                          action="challenge/6" style="display: none;" role="form">
+                                          th:action="@{/challenge/6}" style="display: none;" role="form">
                                         <div class="form-group">
                                             <input type="text" name="username_reg" id="username" tabindex="1"
                                                    class="form-control" placeholder="Username" value=""/>
@@ -99,7 +99,7 @@
             </div>
         </div>
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/6">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/6}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

diff --git a/src/main/resources/lessons/challenges/html/Challenge7.html b/src/main/resources/lessons/challenges/html/Challenge7.html
@@ -28,7 +28,7 @@ <h2 class="text-center">Forgot Password?</h2>
 
                                     <form id="login-form" class="attack-form" accept-charset="UNKNOWN"
                                           method="POST" name="form"
-                                          action="challenge/7" role="form">
+                                          th:action="@{/challenge/7}" role="form">
 
                                         <div class="form-group">
                                             <div class="input-group">
@@ -57,7 +57,7 @@ <h2 class="text-center">Forgot Password?</h2>
             </div>
         </div>
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/7">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/7}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

diff --git a/src/main/resources/lessons/challenges/html/Challenge8.html b/src/main/resources/lessons/challenges/html/Challenge8.html
@@ -231,7 +231,7 @@ <h4>Rating breakdown</h4>
         </div>
 
         <br/>
-        <form class="attack-form" method="POST" name="form" action="challenge/flag/8">
+        <form class="attack-form" method="POST" name="form" th:action="@{/challenge/flag/8}">
             <div class="form-group">
                 <div class="input-group">
                     <div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

diff --git a/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html b/src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html
@@ -24,7 +24,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="DOMFollowUp"
-              action="ChromeDevTools/dummy">
+              th:action="@{/ChromeDevTools/dummy}">
             <input name="successMessage" value="" type="TEXT" />
             <input name="submitMessage" value="Submit" type="SUBMIT"/>
         </form>
@@ -45,7 +45,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="ChromeDevTools/network">
+              th:action="@{/chromeDevTools/network}">
             <script>
                 // sample custom javascript in the recommended way ...
                 // a namespace has been assigned for it, but you can roll your own if you prefer
@@ -66,7 +66,7 @@
 
         <form class="attack-form" accept-charset="UNKNOWN"
               method="POST" name="form"
-              action="ChromeDevTools/network">
+              th:action="@{/chromeDevTools/network}">
             <table>
                 <tr>
                     <td>What is the number you found:   </td>

diff --git a/src/main/resources/lessons/cia/html/CIA.html b/src/main/resources/lessons/cia/html/CIA.html
@@ -29,7 +29,7 @@
         <div class="container-fluid">
             <form id="quiz-form" class="attack-form" accept-charset="UNKNOWN"
                   method="POST" name="form"
-                  action="cia/quiz" role="form">
+                  th:action="@{/cia/quiz}" role="form">
                 <div id="q_container"></div>
                 <br />
                 <input name="Quiz_solutions" value="Submit answers" type="SUBMIT"/>

diff --git a/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html b/src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html
@@ -14,7 +14,7 @@
         <input type="hidden" id="user_id" value="102"/>
         <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
         <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form"
-              action="clientSideFiltering/attack1">
+              th:action="@{/clientSideFiltering/attack1}">
             <link rel="stylesheet" type="text/css"
                   th:href="@{/lesson_css/clientSideFiltering-stage1.css}"/>
             <script th:src="@{/lesson_js/clientSideFiltering.js}"

diff --git a/src/main/resources/lessons/cryptography/html/Cryptography.html b/src/main/resources/lessons/cryptography/html/Cryptography.html
@@ -28,7 +28,7 @@
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			Now suppose you have intercepted the following header:<br/>
 			<div id="basicauthtoken" ></div><br/>
-			<form class="attack-form" method="POST" name="form"	action="crypto/encoding/basic-auth">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/encoding/basic-auth}">
 			Then what was the username
 			<input name="answer_user" value="" type="TEXT"/>
 			and what was the password:
@@ -45,7 +45,7 @@
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/encoding/xor">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/encoding/xor}">
 			Suppose you found the database password encoded as {xor}Oz4rPj0+LDovPiwsKDAtOw==<br/>
 			What would be the actual password
 			<input name="answer_pwd1" value="" type="TEXT"/><br/>
@@ -62,7 +62,7 @@
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/hashing">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/hashing}">
 			Which password belongs to this hash: <div id="md5token" ></div>
 			<input name="answer_pwd1" value="" type="TEXT"/><br/>
 			Which password belongs to this hash: <div id="sha256token" ></div>
@@ -87,7 +87,7 @@
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			Now suppose you have the following private key:<br/>
 			<pre><div id="privatekey" ></div></pre><br/>
-			<form class="attack-form" method="POST" name="form"	action="crypto/signing/verify">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/signing/verify}">
 			Then what was the modulus of the public key
 			<input name="modulus" value="" type="TEXT"/>
 			and now provide a signature for us based on that modulus
@@ -110,7 +110,7 @@
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-			<form class="attack-form" method="POST" name="form"	action="crypto/secure/defaults">
+			<form class="attack-form" method="POST" name="form"	th:action="@{/crypto/secure/defaults}">
 			What is the unencrypted message<br/>
 			<input name="secretText" value="" type="TEXT"/><br/>
 			and what is the name of the file that stored the password <br/>

diff --git a/src/main/resources/lessons/csrf/html/CSRF.html b/src/main/resources/lessons/csrf/html/CSRF.html
@@ -17,7 +17,7 @@
           method="POST" name="form1"
           target="_blank"
           successCallback=""
-          action="csrf/basic-get-flag">
+          th:action="@{/csrf/basic-get-flag}">
         <input name="csrf" type="hidden" value="false"/>
         <input type="submit" name="submit"/>
 
@@ -35,7 +35,7 @@
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
               method="POST" name="form2"
               successCallback=""
-              action="csrf/confirm-flag-1">
+              th:action="@{/csrf/confirm-flag-1}">
 
             Confirm Flag Value:
             <input type="text" length="6" name="confirmFlagVal" value=""/>
@@ -93,7 +93,7 @@ <h6 class="text-muted time">24 days ago</h6>
                             <form class="attack-form" accept-charset="UNKNOWN" id="csrf-review"
                                   method="POST" name="review-form"
                                   successCallback=""
-                                  action="csrf/review">
+                                  th:action="@{/csrf/review}">
                                 <input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review"
                                        type="text"/>
                                 <input class="form-control" id="reviewStars" name="stars" type="text"/>
@@ -146,7 +146,7 @@ <h6 class="text-muted time">24 days ago</h6>
                             <form class="attack-form" accept-charset="UNKNOWN" id="csrf-feedback"
                                   method="POST"
                                   prepareData="feedback"
-                                  action="csrf/feedback/message"
+                                  th:action="@{/csrf/feedback/message}"
                                   contentType="application/json">
                                 <div class="row">
                                     <div class="col-md-6">
@@ -212,7 +212,7 @@ <h6 class="text-muted time">24 days ago</h6>
         </div>
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-feedback"
               method="POST" name="form2"
-              action="csrf/feedback">
+              th:action="@{/csrf/feedback}">
 
             Confirm Flag Value:
             <input type="text" length="6" name="confirmFlagVal" value=""/>
@@ -236,7 +236,7 @@ <h6 class="text-muted time">24 days ago</h6>
         </div>
         <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-login"
               method="POST" name="form2"
-              action="csrf/login">
+              th:action="@{/csrf/login}">
 
             Press the button below when your are logged in as the other user<br/>
 

diff --git a/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html b/src/main/resources/lessons/deserialization/html/InsecureDeserialization.html
@@ -25,7 +25,7 @@
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <form class="attack-form" accept-charset="UNKNOWN" name="task"
                   method="POST"
-                  action="InsecureDeserialization/task">
+                  th:action="@{/InsecureDeserialization/task}">
 
                 <input type="textarea" rows="4" cols="40" value="" name="token" placeholder="token"/>
                 <input type="submit" value="Submit" />

diff --git a/src/main/resources/lessons/hijacksession/templates/hijackform.html b/src/main/resources/lessons/hijacksession/templates/hijackform.html
@@ -1,7 +1,7 @@
 <div class="row">
 	<div class="col-md-4">
 		<form class="attack-form" accept-charset="UNKNOWN" method="POST"
-			action="HijackSession/login">
+			th:action="@{/HijackSession/login}">
 			<div style="padding: 20px;" id="password-login">
 				<h4 style="border-bottom: 1px solid #c5c5c5;">Account Access</h4>
 				<fieldset>

diff --git a/src/main/resources/lessons/htmltampering/html/HtmlTampering.html b/src/main/resources/lessons/htmltampering/html/HtmlTampering.html
@@ -13,7 +13,7 @@
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN" id="task" name="task"
               method="POST"
-              action="HtmlTampering/task">
+              th:action="@{/HtmlTampering/task}">
             <script>
                 var regex = /^2999.99$/;
                 var price = 2999.99;

diff --git a/src/main/resources/lessons/httpbasics/html/HttpBasics.html b/src/main/resources/lessons/httpbasics/html/HttpBasics.html
@@ -21,10 +21,10 @@
             <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 			<form class="attack-form" accept-charset="UNKNOWN"
 				method="POST" name="form"
-				action="HttpBasics/attack1">
+				th:action="@{/HttpBasics/attack1}">
 				<div id="lessonContent">
 					<form accept-charset="UNKNOWN" method="POST" name="form"
-						action="#attack/307/100">
+						th:action="@{/#attack/307/100}">
 						Enter Your Name: <input name="person" value="" type="TEXT"/><input
 							name="SUBMIT" value="Go!" type="SUBMIT"/>
 					</form>
@@ -51,7 +51,7 @@
                 <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
 				<form class="attack-form" accept-charset="UNKNOWN"
 					method="POST" name="form"
-					action="HttpBasics/attack2">
+					th:action="@{/HttpBasics/attack2}">
 					<script>
 					    // sample custom javascript in the recommended way ...
 					    // a namespace has been assigned for it, but you can roll your own if you prefer