Merge pull request WebGoat#487 from matthias-g/xssFixes

Small lesson improvements

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc

@@ -1,15 +1,15 @@
 == Identify Potential for DOM-Based XSS
 
 DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
-Look for a route that takes inputs that you can ID being 'reflected' to the page.
+Look for a route that takes inputs that are being 'reflected' to the page.
 
 For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
 Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
 
 Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
-it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9 (although maybe slightly different). The 'base route' in this case is:
+it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
 *start.mvc#lesson/*
+The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
 
-The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
-
-So, what is test route for this test code?
+So, what is the route for the test code that stayed in the app during production?
+To answer this question, you have to check the javascript source.

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc

@@ -8,4 +8,4 @@ The function you want to execute is ...
 
 Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
 
-Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
+Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.

webgoat-lessons/csrf/src/main/resources/html/CSRF.html

@@ -20,7 +20,7 @@
           action="/WebGoat/csrf/basic-get-flag"
           enctype="application/json;charset=UTF-8">
         <input name="csrf" type="hidden" value="false"/>
-        <input type="submit" name="ubmit="/>
+        <input type="submit" name="submit"/>
 
     </form>
 

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/plugin/JWTVotesEndpoint.java

@@ -5,6 +5,7 @@
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.impl.TextCodec;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
@@ -25,7 +26,6 @@
 import java.time.Instant;
 import java.util.Date;
 import java.util.Map;
-import java.util.concurrent.TimeUnit;
 
 import static java.util.Comparator.comparingLong;
 import static java.util.Optional.ofNullable;
@@ -39,7 +39,7 @@
 @AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
 public class JWTVotesEndpoint extends AssignmentEndpoint {
 
-    public static final String JWT_PASSWORD = "victory";
+    public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
     private static String validUsers = "TomJerrySylvester";
 
     private static int totalVotes = 38929;