WebGoat

WebGoat is a deliberately insecure application

OTHER License

Stars
6.9K
Committers
150


WebGoat -

Published by webgoat-github over 4 years ago

Version 8.1.0

New functionality

  • Added new lessons for cryptography and path-traversal
  • Extra content added to the XXE lesson
  • Explanations of the assignments will be part of WebGoat; in this release we added detailed descriptions of how to solve the XXE lesson. In upcoming releases, new explanations will be added. If you want to contribute, please create a pull request on GitHub.
  • Docker improvements + docker stack for complete container with nginx
  • Included JWT token decoding and generation, since jwt.io does not support None anymore

Bug fixes

Contributors

Special thanks to the following contributors providing us with a pull request:

  • Satoshi SAKAO
  • Philippe Lafoucrière
  • Cotonne
  • Tiago Mussi
  • thegoodcrumpets
  • Atharva Vaidya
  • torleif
  • August Detlefsen
  • Choe Hyeong Jin

And everyone who provided feedback through GitHub.

Team WebGoat

WebGoat - The OWASP WebGoat 7.1 Release

Published by dougmorato almost 8 years ago

The WebGoat 7.1 Release comprises 104 commits from 16 different contributors over a period of 9 months.

This release includes many bug fixes and is intended to be the last release of the 7.X branch, as the WebGoat team has big plans for the next release.

For a glimpse of what has been implemented, check our change log:

Change Log

7.1 (2016-11-18)

Full Changelog

Implemented enhancements:

  • i8n highlighting #96
  • Improve uniqueness of menu item Id's #45

Fixed bugs:

  • Stored XSS Lesson does not render message and attack does not fire #141
  • Source code is not available for this lesson. #137

Closed issues:

  • Fix lesson client side filtering #272
  • Reset lesson does not work anymore #271
  • Lesson plans not loading with manual build and easy-run jar (standalone jar) not running at all #268
  • Unable to download webgoat jar file #261
  • Developer edition build isn't working in its entirety #260
  • Amazon S3 downloadable JAR is missing #259
  • Code does not compile on dev branch #258
  • Executable jar crashes if empty .extract folder exist #251
  • Java Error Message in Lesson "How to Bypass a Path Based Access Control Scheme" #240
  • developer bootstrap says git is missing when it is installed #236
  • Application Won't Start #234
  • Restart lesson button isn't working #226
  • Navigation to start page is broken after login #218
  • Links in menu missing pointer cursor #216
  • Restart lesson button not working #213
  • WebGoat stops at DEBUG - Exit: getEngine() #211
  • Labs: Remnant files and solved stages #208
  • Labs: Navigating to Instructor java examples #206
  • WebGoat 7.0 and ZAP 2.4.3 will not proxy #204
  • Failing Build #201
  • Missing mvn package of webgoat-container in README.MD #200
  • Seems translation to Russian for "Congratulations. You have successfully completed this lesson." phrase is broken. #199
  • HtmlEncoder uses static methods but must be instantiated #195
  • webgoat-container should unpack all the lessons #192
  • Access Control Flaws, LAB stage 3: Remove the FindProfile screen #186
  • Injection Flaws | XPath Injection date file path issue #184
  • hints don't appear to work on labs #183
  • Session Management Flaws - Spoof an Authentication Cookie render issue #181
  • Challenge - Show* buttons show on initial lesson load #180
  • Http Basics - minor edits and change completion state #178
  • Lab Cross-Site Scripting Stage 1 solution #176
  • Backdoor lesson breaks menu CSS #175
  • Redirect localhost:8080 to localhost:8080/WebGoat #173
  • Session Fixation link in stage 2 does not work #170
  • A failure occurred when execute the command "sh webgoat_developer_bootstrap.sh" #145
  • Copy lessons into plugin_lessons #254
  • WebGoat // Lesson Plan and Solution are note available #242
  • Lab: Client side filtering - broken path #232
  • AXIS class not found error in Web Services / WSDL Scanning #222
  • WSDL link in SOAP Request Lesson crashing with AXIS error #221
  • Labs: RBAC stage 1 and 3 not working #209
  • How to create a Legacy Lesson - instruction edit #177
  • Can't tell when WebGoat has actually started when using: webgoat_developer_bootstrap.sh #75

Merged pull requests:

  • Add VMware fusion #264 (akiernan)
  • Remove Exception from method signature #257 (RubieV)
  • Code cleanup using @Test(expected = Exception) #256 (RubieV)
  • Added OWASP Labs badge #252 (psiinon)
  • updates from day 1 @AppSec EU #246 (misfir3)
  • Update java required version as stated in webgoat/webgoat#234 #243 (span)
  • Updates to Dev Bootstrap #239 (dilshanraja)
  • Fix broken start/home link on logo #229 (span)
  • Developer controls #228 (span)
  • Admin should also be able to see the solution, source and lesson plan. #224 (nbaars)
  • Fixed the classnames in the wsdd config file (moved to different pack… #223 (nbaars)
  • Feature/169 #220 (nbaars)
  • Update README.MD #219 (muzir)
  • Fix #213 by changing the id of the restart button to the correct id #214 (span)
  • Fixed #184 #212 (nbaars)
  • Fix shebang #210 (nxadm)
  • Enable weak authentication cookie lesson #207 (span)
  • -- Remove raw type usage, add type check parameter. #205 (muzir)
  • Update package references in readme #203 (span)
  • Develop #202 (misfir3)
  • Fixes #195 by adding static initialisation of the maps #197 (span)
  • Add stage parameter in the session to keep track of current stage #196 (span)
  • webgoat-container should unpack all the lessons #192 #193 (nbaars)

WebGoat - The OWASP WebGoat 7.0.1 Release

Published by dougmorato over 8 years ago

WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.

This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.

Package Rankings
Top 3.81% on Proxy.golang.org
Top 8.04% on Repo1.maven.org