Merge branch 'next' of https://github.com/WebGoat/WebGoat into next

Conflicts:
	.gitignore

Author: act-ive

.gitignore

@@ -1,5 +1,18 @@
 /nb-configuration.xml
 /nbactions.xml
+/target/
+/.classpath
+/.project
+/.settings/.jsdtscope
+/.settings/org.eclipse.jdt.core.prefs
+/.settings/org.eclipse.m2e.core.prefs
+/.settings/org.eclipse.wst.common.component
+/.settings/org.eclipse.wst.common.project.facet.core.prefs.xml
+/.settings/org.eclipse.wst.common.project.facet.core.xml
+/.settings/org.eclipse.wst.jsdt.ui.superType.container
+/.settings/org.eclipse.wst.jsdt.ui.superType.name
+/.settings/org.eclipse.wst.validation.prefs
+/.externalToolBuilders/
 .project
 /target
 .classpath
@@ -11,5 +24,3 @@ src/main/main.iml
 *.LOCAL.*.jsp
 *.REMOTE.*.jsp
 
-
-

src/main/java/org/owasp/webgoat/HammerHead.java

@@ -134,8 +134,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
                 logger.debug("Response already committed, exiting");
                 return;
             }
-
-            if ("true".equals(request.getParameter("start"))) {
+            
+            if ("true".equals(request.getParameter("start")) || request.getQueryString() == null) {
                 logger.warn("Redirecting to start controller");
                 response.sendRedirect("start.mvc");
                 return;

src/main/java/org/owasp/webgoat/controller/About.java

@@ -0,0 +1,49 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class About {
+    
+    final Logger logger = LoggerFactory.getLogger(About.class);
+    private static final String WELCOMED = "welcomed";
+    
+    @RequestMapping(value = "about.mvc", method = RequestMethod.GET)
+    public ModelAndView welcome(HttpServletRequest request,
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        // set the welcome attribute
+        // this is so the attack servlet does not also 
+        // send them to the welcome page
+        HttpSession session = request.getSession();
+        if (session.getAttribute(WELCOMED) == null) {
+            session.setAttribute(WELCOMED, "true");
+        }
+        
+        //go ahead and send them to webgoat (skip the welcome page)
+        ModelAndView model = new ModelAndView();
+        //model.setViewName("welcome");
+        //model.setViewName("main_new");
+        model.setViewName("about");
+        return model;
+    }
+    
+}

src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -19,7 +19,9 @@
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
 import org.apache.ecs.html.Body;
+import org.apache.ecs.html.Center;
 import org.apache.ecs.html.Form;
+import org.apache.ecs.html.H1;
 import org.apache.ecs.html.Head;
 import org.apache.ecs.html.Html;
 import org.apache.ecs.html.IMG;
@@ -729,11 +731,8 @@ public static Element readMethodFromFile(BufferedReader reader, String methodNam
      */
     public void handleRequest(WebSession s) {
         // call createContent first so messages will go somewhere
-
         Form form = new Form(getFormAction(), Form.POST).setName("form").setEncType("");
-
         form.addElement(createContent(s));
-
         setContent(form);
     }
 

src/main/java/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java

@@ -103,7 +103,7 @@ public String getLessonSolutionFileName(WebSession s)
 	{
 		String solutionFileName = null;
 		String stage = getStage(s);
-		solutionFileName = "/lesson_solutions/Lab XSS/Lab " + stage + ".html";
+		solutionFileName = "/lesson_solutions_1/Lab XSS/Lab " + stage + ".html";
 		return solutionFileName;
 	}
 

src/main/java/org/owasp/webgoat/lessons/HttpBasics.java

@@ -2,9 +2,11 @@
 
 import java.util.ArrayList;
 import java.util.List;
+
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
+import org.apache.ecs.html.BR;
 import org.apache.ecs.html.Input;
 import org.owasp.webgoat.session.ECSFactory;
 import org.owasp.webgoat.session.WebSession;
@@ -58,6 +60,7 @@ protected Element createContent(WebSession s) {
 
         StringBuffer person = null;
         try {
+        	ec.addElement(new BR());
             ec.addElement(new StringElement(WebGoatI18N.get("EnterYourName") + ": "));
 
             person = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));

src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java

@@ -1,7 +1,6 @@
 
 package org.owasp.webgoat.lessons;
 
-import java.io.PrintWriter;
 import java.net.URLDecoder;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
@@ -54,7 +53,8 @@ public class HttpSplitting extends SequentialLessonAdapter
 	private static String STAGE = "stage";
 
     public final static A MAC_LOGO = new A().setHref("http://www.softwaresecured.com").addElement(new IMG("images/logos/softwaresecured.gif").setAlt("Software Secured").setBorder(0).setHspace(0).setVspace(0));
-	/**
+
+    /**
 	 * Description of the Method
 	 * 
 	 * @param s

src/main/java/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java

@@ -176,7 +176,7 @@ public String getLessonSolutionFileName(WebSession s)
 	{
 		String solutionFileName = null;
 		String stage = getStage(s);
-		solutionFileName = "/lesson_solutions/Lab Access Control/Lab " + stage + ".html";
+		solutionFileName = "/lesson_solutions_1/Lab Access Control/Lab " + stage + ".html";
 		return solutionFileName;
 	}
 

src/main/java/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java

@@ -272,7 +272,7 @@ public String getLessonSolutionFileName(WebSession s)
 	{
 		String solutionFileName = null;
 		String stage = getStage(s);
-		solutionFileName = "/lesson_solutions/Lab SQL Injection/Lab " + stage + ".html";
+		solutionFileName = "/lesson_solutions_1/Lab SQL Injection/Lab " + stage + ".html";
 		return solutionFileName;
 	}
 }

src/main/java/org/owasp/webgoat/service/LessonTitleService.java

@@ -0,0 +1,40 @@
+package org.owasp.webgoat.service;
+
+import javax.servlet.http.HttpSession;
+
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class LessonTitleService extends BaseService {
+	
+	 /**
+     * Returns the title for the current attack
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/lessontitle.mvc", produces = "application/html")
+    public @ResponseBody
+    String showPlan(HttpSession session) {
+        WebSession ws = getWebSession(session);
+        return getLessonTitle(ws);
+    }
+
+    private String getLessonTitle(WebSession s) {
+    	String title = "";
+        int scr = s.getCurrentScreen();
+        Course course = s.getCourse();
+
+        if (s.isUser() || s.isChallenge()) {
+            AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+            title = lesson != null ? lesson.getTitle() : "";
+        }
+        return title;
+    }
+
+}