css and xss updates

webgoat-container/src/main/resources/static/css/lessons.css

@@ -0,0 +1,33 @@
+/*  css for lessons */
+/* not efficient loading, but at least easier to maintain */
+
+.hidden-menu-item {
+    display:none;
+    visibility:hidden;
+}
+
+#ac-menu li {
+    list-style-type: none;
+    background-color: #aaa;
+    width: auto;
+    max-width: 20%;
+}
+
+#ac-menu li:hover {
+    color: white;
+    background-color: #333;
+}
+
+#ac-menu div {
+    margin-bottom: -60px;
+    margin-top: -10px;
+}
+
+#ac-menu h3 {
+    color:white;
+    background-color:#666;
+}
+
+#ac-menu-wrapper {
+    border-bottom: 2px solid #444;
+}

webgoat-container/src/main/resources/templates/main_new.html

@@ -17,11 +17,13 @@
 
     <!--  CSS -->
     <link rel="shortcut icon" th:href="@{/images/favicon.ico}" type="image/x-icon"/>
+
     <link rel="stylesheet" type="text/css" th:href="@{/css/main.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/animate.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/coderay.css}"/>
+    <link rel="stylesheet" type="text/css" th:href="@{/css/lessons.css}"/>
     <!--  end of CSS -->
 
     <!-- JS -->

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java

@@ -52,7 +52,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
     AttackResult completed(@RequestParam Integer param1,
                            @RequestParam Integer param2, HttpServletRequest request)  throws IOException {
 
-        UserSessionData userSessionData = getUserSessionData();
+            UserSessionData userSessionData = getUserSessionData();
         SecureRandom number = new SecureRandom();
         userSessionData.setValue("randValue",number.nextInt());
 

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/StoredXssComments.java

@@ -49,7 +49,9 @@
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 import java.io.IOException;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
@@ -65,6 +67,7 @@ public class StoredXssComments extends AssignmentEndpoint {
     private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
     private static final String phoneHomeString = "<script>webgoat.customjs.phoneHome()</script>";
 
+
     static {
         comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
@@ -76,7 +79,11 @@ public class StoredXssComments extends AssignmentEndpoint {
     @ResponseBody
     public Collection<Comment> retrieveComments() {
         Collection<Comment> allComments = Lists.newArrayList();
-        // no filtering applied here at render
+        Collection<Comment> newComments = userComments.get(webSession.getUserName());
+        if (newComments != null) {
+            allComments.addAll(newComments);
+        }
+
         allComments.addAll(comments);
 
         return allComments;
@@ -89,10 +96,10 @@ public AttackResult createNewComment (@RequestBody String commentStr)  throws IO
         Comment comment = parseJson(commentStr);
 
         EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
-        comments.add(comment);
         comment.setDateTime(DateTime.now().toString(fmt));
         comment.setUser(webSession.getUserName());
 
+        comments.add(comment);
         userComments.put(webSession.getUserName(), comments);
 
         if (comment.getText().contains(phoneHomeString)) {

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc

@@ -29,5 +29,6 @@ javascript:alert(document.cookie);
 ----
 
 == Try It!  Using Chrome or Firefox 
-Type in `javascript:alert(document.cookie);` in the URL bar.  *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.
-Try it on a different tab (with WebGoat open in that tab).
+
+* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
+* Then, in the address bar on each tab, type `javascript:alert(document.cookie);` *NOTE:* If you /cut/paste you'll need to add the `javascript:` back in.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc

@@ -7,4 +7,4 @@ Why is that?
 That is because there is no link that would tigger that XSS.
 You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
 
-link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my javascript here')</script>4128+3214+0002+1999&field2=111
+link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111