Merge branch 'release/v8.0.0.M25'

.gitignore

@@ -50,4 +50,5 @@ webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 webgoat.lck
 webgoat.log
 webgoat.properties
-webgoat.script
+webgoat.script
+TestClass.class

README.MD

@@ -27,7 +27,7 @@ you are caught engaging in unauthorized hacking, most companies will fire you.
 Claiming that you were doing security research will not work as that is the
 first thing that all hackers claim.*
 
-# Run Instructions:
+# Installation Instructions:
 
 ## 1. Standalone 
 
@@ -152,3 +152,7 @@ docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
 docker login
 docker push webgoat/webgoat-8.0
 ```
+
+# Run Instructions:
+
+Once installed connect to http://localhost:8080/WebGoat and http://localhost:9090/WebWolf

pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M24</version>
+    <version>v8.0.0.M25</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>

webgoat-container/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M24</version>
+        <version>v8.0.0.M25</version>
     </parent>
 
     <profiles>

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -34,7 +34,6 @@
 import org.owasp.webgoat.i18n.Language;
 import org.owasp.webgoat.i18n.Messages;
 import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.LabelDebugger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -132,6 +131,7 @@ public PluginMessages pluginMessages(Messages messages, Language language) {
         PluginMessages pluginMessages = new PluginMessages(messages, language);
         pluginMessages.setDefaultEncoding("UTF-8");
         pluginMessages.setBasenames("i18n/WebGoatLabels");
+        pluginMessages.setFallbackToSystemLocale(false);
         return pluginMessages;
     }
 
@@ -145,6 +145,7 @@ public Messages messageSource(Language language) {
         Messages messages = new Messages(language);
         messages.setDefaultEncoding("UTF-8");
         messages.setBasename("classpath:i18n/messages");
+        messages.setFallbackToSystemLocale(false);
         return messages;
     }
 
@@ -153,7 +154,7 @@ public LocaleResolver localeResolver() {
         SessionLocaleResolver slr = new SessionLocaleResolver();
         return slr;
     }
-
+    
     @Bean
     public LabelDebugger labelDebugger() {
         return new LabelDebugger();

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java

@@ -45,6 +45,7 @@ public class LessonMenuItem {
     private List<LessonMenuItem> children = new ArrayList<LessonMenuItem>();
     private boolean complete;
     private String link;
+    private int ranking;
 //    private boolean showSource = true;
 //    private boolean showHints = true;
 
@@ -156,6 +157,13 @@ public void setLink(String link) {
         this.link = link;
     }
 
+    public void setRanking(int ranking) {
+        this.ranking = ranking;
+    }
+
+    public int getRanking() {
+        return this.ranking;
+    }
 
 
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java

@@ -43,6 +43,7 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
 import java.util.stream.Collectors;
@@ -86,11 +87,13 @@ List<LessonMenuItem> showLeftNav() {
                 LessonMenuItem lessonItem = new LessonMenuItem();
                 lessonItem.setName(lesson.getTitle());
                 lessonItem.setLink(lesson.getLink());
+                lessonItem.setRanking(lesson.getRanking());
                 lessonItem.setType(LessonMenuItemType.LESSON);
                 LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
                 lessonItem.setComplete(lessonTracker.isLessonSolved());
                 categoryItem.addChild(lessonItem);
             }
+            categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
             menu.add(categoryItem);
         }
         return menu;

webgoat-container/src/main/java/org/owasp/webgoat/session/CreateDB.java

@@ -982,6 +982,64 @@ private void createTransactionTable(Connection connection) throws SQLException {
         }
     }
 
+    /**
+     * Creates the table used in SQL-Injections (introduction)
+     */
+    private void createEmployeesTable(Connection connection) throws SQLException {
+        Statement statement = connection.createStatement();
+
+        // Drop employees and access_log tables
+        try {
+            statement.executeUpdate("DROP TABLE employees");
+        } catch (SQLException e) {
+            System.out.println("Info - Could not drop employees table");
+        }
+        try {
+            statement.executeUpdate("DROP TABLE access_log");
+        } catch (SQLException e) {
+            System.out.println("Info - Could not drop access_log table");
+        }
+
+        // Create the employees table
+        try {
+            String createTableStatement = "CREATE TABLE employees ("
+                    + "userid varchar(6) not null primary key,"
+                    + "first_name varchar(20),"
+                    + "last_name varchar(20),"
+                    + "department varchar(20),"
+                    + "salary int,"
+                    + "auth_tan varchar(6)"
+                    + ")";
+            statement.executeUpdate(createTableStatement);
+        } catch (SQLException e) {
+            System.out.println("Error creating employees table " + e.getLocalizedMessage());
+        }
+
+        // Populate
+        String insertData1 = "INSERT INTO employees VALUES ('32147','Paulina',  'Travers', 'Accounting',  46000, 'P45JSI')";
+        String insertData2 = "INSERT INTO employees VALUES ('89762','Tobi',     'Barnett', 'Development', 77000, 'TA9LL1')";
+        String insertData3 = "INSERT INTO employees VALUES ('96134','Bob',      'Franco',  'Marketing',   83700, 'LO9S2V')";
+        String insertData4 = "INSERT INTO employees VALUES ('34477','Abraham ', 'Holman',  'Development', 50000, 'UU2ALK')";
+        String insertData5 = "INSERT INTO employees VALUES ('37648','John',     'Smith',   'Marketing',   64350, '3SL99A')";
+        statement.executeUpdate(insertData1);
+        statement.executeUpdate(insertData2);
+        statement.executeUpdate(insertData3);
+        statement.executeUpdate(insertData4);
+        statement.executeUpdate(insertData5);
+
+        // Create the logging table
+        try {
+            String createTableStatement = "CREATE TABLE access_log ("
+                    + "id int not null primary key identity,"
+                    + "time varchar(50),"
+                    + "action varchar(200)"
+                    + ")";
+            statement.executeUpdate(createTableStatement);
+        } catch (SQLException e) {
+            System.out.println("Error creating access_log table " + e.getLocalizedMessage());
+        }
+    }
+
     /**
      * Description of the Method
      *
@@ -1009,6 +1067,7 @@ public void makeDB(Connection connection) throws SQLException {
         createMFEImagesTable(connection);
         createModifyWithSQLLessonTable(connection);
         createJWTKeys(connection);
+        createEmployeesTable(connection);
         System.out.println("Success: creating tables.");
     }
 }

webgoat-container/src/main/resources/static/css/quiz.css

@@ -0,0 +1,67 @@
+.attack-container.quiz {
+    background: none;
+    border: none;
+}
+
+#q_container p {
+    font-weight: bold;
+}
+
+#q_container .quiz_question {
+    border: solid 2px white;
+    padding: 4px;
+    margin: 5px 2px 20px 2px;
+    box-shadow: 0px 1px 3px 1px #e4e4e4;
+}
+
+#q_container .quiz_question label {
+    font-weight: normal;
+    position: relative;
+    top: -2px;
+}
+
+#q_container .quiz_question input {
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    appearance: none;
+    border: 2px solid #dadada;
+    background: white;
+    width: 15px;
+    height: 15px;
+    margin-right: 6px;
+}
+
+#q_container .quiz_question input:checked {
+    background: #51b7ff;
+}
+
+#q_container .quiz_question input:hover,
+#q_container .quiz_question label:hover {
+    cursor: pointer;
+}
+
+#q_container .quiz_question.correct {
+    border: solid 2px #ddf7dd;
+    background: #ddf7dd;
+    transition: all 300ms ease-in-out;
+}
+
+#q_container .quiz_question.incorrect {
+    border: solid 2px #f5d3d3;
+    background: #f5d3d3;
+    transition: all 300ms ease-in-out;
+}
+
+input[name='Quiz_solutions'] {
+    background: white;
+    border: 1px solid gray;
+    padding: 7px 10px;
+    transition: 300ms all ease-in-out;
+}
+
+input[name='Quiz_solutions']:hover {
+    background: #51b7ff;
+    color: white;
+    border-color: white;
+    transition: 300ms all ease-in-out;
+}

webgoat-container/src/main/resources/static/js/libs/ace/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,6 @@
+*Issue #, if available:*
+
+*Description of changes:*
+
+
+By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

webgoat-container/src/main/resources/static/js/libs/ace/CODE_OF_CONDUCT.md

@@ -0,0 +1,4 @@
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
+[email protected] with any additional questions or comments.

webgoat-container/src/main/resources/static/js/libs/ace/CONTRIBUTING.md

@@ -0,0 +1,61 @@
+# Contributing Guidelines
+
+Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 
+documentation, we greatly value feedback and contributions from our community.
+
+Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 
+information to effectively respond to your bug report or contribution.
+
+
+## Reporting Bugs/Feature Requests
+
+We welcome you to use the GitHub issue tracker to report bugs or suggest features.
+
+When filing an issue, please check [existing open](https://github.com/ajaxorg/ace-builds/issues), or [recently closed](https://github.com/ajaxorg/ace-builds/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aclosed%20), issues to make sure somebody else hasn't already 
+reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
+
+* A reproducible test case or series of steps
+* The version of our code being used
+* Any modifications you've made relevant to the bug
+* Anything unusual about your environment or deployment
+
+
+## Contributing via Pull Requests
+Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
+
+1. You are working against the latest source on the *master* branch.
+2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
+3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
+
+To send us a pull request, please:
+
+1. Fork the repository.
+2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
+3. Ensure local tests pass.
+4. Commit to your fork using clear commit messages.
+5. Send us a pull request, answering any default questions in the pull request interface.
+6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
+
+GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 
+[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
+
+
+## Finding contributions to work on
+Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/ajaxorg/ace-builds/labels/help%20wanted) issues is a great place to start. 
+
+
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
+[email protected] with any additional questions or comments.
+
+
+## Security issue notifications
+If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
+
+
+## Licensing
+
+See the [LICENSE](https://github.com/ajaxorg/ace-builds/blob/master/LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
+
+We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.