More CSRF Updates

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/plugin/ForgedReviews.java

@@ -40,6 +40,7 @@
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.WebSession;
@@ -58,6 +59,7 @@
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 
 @AssignmentPath("/csrf/review")
+@AssignmentHints({"csrf-review-hint1","csrf-review-hint2","csrf-review-hint3"})
 public class ForgedReviews extends AssignmentEndpoint {
 
     @Autowired

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -50,7 +50,7 @@
 
     <div class="lesson-page-wrapper">
 
-        <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7b.adoc"></div>-->
+        <div class="adoc-content" th:replace="doc:CSRF_Reviews.adoc"></div>
 
         <!-- comment area -->
         <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
@@ -113,7 +113,9 @@ <h6 class="text-muted time">24 days ago</h6>
 
     </div>
 
-
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:CSRF_Impact_Defense.adocc"></div>
+    </div>
     <!--</div>-->
 
 </html>

webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties

@@ -12,4 +12,8 @@ csrf-same-host=It appears your request is coming from the same host you are subm
 
 csrf-you-forgot-something=There's something missing from your request it appears, so I can't process it.
 
-csrf-review.success=It appears you have submitted correctly from another site. Go reload and see if your post is there.
+csrf-review.success=It appears you have submitted correctly from another site. Go reload and see if your post is there.
+
+csrf-review-hint1=Again, you will need to submit from an external domain/host to trigger this action. While CSRF can often be triggered from the same host (e.g. via persisted payload), this doesn't work that way.
+csrf-review-hint2=Remember, you need to mimic the existing workflow/form.
+csrf-review-hint3=This one has a weak anti-CSRF protection, but you do need to overcome (mimic) it

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Impact_Defense.adoc

@@ -0,0 +1,20 @@
+== CSRF Impact
+
+The impact is limited only by what the logged in user can do (if the site/function/action is not protected properly).
+The areas that are really prone to CSRF attacks are IoT devices and 'smart' appliances.  Sadly, many consumer-grade routers
+have also proven vulnerable to CSRF.
+
+== CSRF Solution
+
+Fortunately, many (web) application frameworks now come with built in support to handle CSRF attacks.  For example, Spring and
+Tomcat have this on by default.  As long as you don't turn it off (like it is in WebGoat), you should be safe from CSRF attacks.
+
+See the following for more information on CSRF protections:
+
+https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet (Prevention/Defense)
+
+https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  (Attack)
+
+https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CSRF_Prevention_Filter / https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter (Tomcat)
+
+https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Reviews.adoc

@@ -0,0 +1,9 @@
+== Post a review on someone else's behalf
+
+The page below simulates a comment/review page.  The difference here is that you have to inititate the submission elsewhere as you might
+with a CSRF attack and like the previous exercise. It's easier than you think. In most cases, the trickier part is
+finding somewhere that you want to execute the CSRF attack. The classic example is account/wire transfers in someone's bank account.
+
+But we're keepoing it simple here.  In this case, you just need to trigger a review submission on behalf of the currently
+logged in user.
+