Releases: WebGoat/WebGoat
Releases · WebGoat/WebGoat
v8.2.0
Version 8.2.0
New functionality
- Add new zip slip lesson (part of path traversal)
- SQL lessons are now separate for each user, database are now per user and no longer shared across users
- Moved to Java 15 & Spring Boot 2.4 & moved to JUnit 5
Bug fixes
- #974 SQL injection Intro 5 not solvable
- #962 SQL-Lesson 5 (Advanced) Solvable with wrong anwser
- #961 SQl-Injection lesson 4 not deleting created row
- #949 Challenge: Admin password reset always solvable
- #923 - Upgrade to Java 15
- #922 - Vulnerable components lesson
- #891 - Update the OWASP website with the new all-in-one Docker container
- #844 - Suggestion: Update navigation
- #843 - Bypass front-end restrictions: Field restrictions - confusing text in form
- #841 - XSS - Reflected XSS confusing instruction and success messages
- #839 - SQL Injection (mitigation) Order by clause confusing
- #838 - SQL mitigation (filtering) can only be passed by updating table
Contributors
Special thanks to the following contributors providing us with a pull request:
- nicholas-quirk
- VijoPlays
- aolle
- trollingHeifer
- maximmasiutin
- toshihue
- avivmu
- KellyMarchewa
- NatasG
- gabe-sky
v8.1.0
Version 8.1.0
New functionality
- Added new lessons for cryptography and path-traversal
- Extra content added to the XXE lesson
- Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
- Docker improvements + docker stack for complete container with nginx
- Included JWT token decoding and generation, since jwt.io does not support None anymore
Bug fixes
- #743 - Character encoding errors
- #811 - Flag submission fails
- #810 - Scoreboard for challenges shows csrf users
- #788 - strange copy in constructor
- #760 - Execution of standalone jar fails (Flyway migration step
- #766 - Unclear objective of vulnerable components practical assignment
- #708 - Seems like the home directory of WebGoat always use @project.version@
- #719 - WebGoat: 'Contact Us' email link in header is not correctly set
- #715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful
- #725 - Vulnerable Components lesson 12 broken due to too new dependency
- #716 - On M26 @project.version@ is not "interpreted" #7
- #721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page
- #724 - Dead link in VulnerableComponents lesson 11
Contributors
Special thanks to the following contributors providing us with a pull request:
- Satoshi SAKAO
- Philippe Lafoucrière
- Cotonne
- Tiago Mussi
- thegoodcrumpets
- Atharva Vaidya
- torleif
- August Detlefsen
- Choe Hyeong Jin
And everyone who provided feedback through Github.
Team WebGoat
The OWASP WebGoat 7.1 Release
The WebGoat 7.1 Release is comprised 104 commits from 16 different contributors a over a period of 9 months.
This is a release ta include many bug fixes and is intended to be the last release of the 7.X branch, as the WebGoat team have big plans for next release.
For a glimpse of what has been implemented, check our change log:
Change Log
7.1 (2016-11-18)
Implemented enhancements:
Fixed bugs:
- Stored XSS Lesson does not render message and attack does not fire #141
- Source code is not available for this lesson. #137
Closed issues:
- Fix lesson client side filtering #272
- Reset lesson does not work anymore #271
- Lesson plans not loading with manual build and easy-run jar (standalone jar) not running at all #268
- Unable to download webgoat jar file #261
- Developer edition build isn't working in its entirety #260
- Amazon S3 downloadable JAR is missing #259
- Code does not compile on dev branch #258
- Executable jar crashes if empty .extract folder exist #251
- Java Error Message in Lesson "How to Bypass a Path Based Access Control Scheme" #240
- developer bootstrap says git is missing when it is installed #236
- Application Won't Start #234
- Restart lesson button isn't working #226
- Navigation to start page is broken after login #218
- Links in menu missing pointer cursor #216
- Restart lesson button not working #213
- WebGoat stops at DEBUG - Exit: getEngine() #211
- Labs: Remnant files and solved stages #208
- Labs: Navigating to Instructor java examples #206
- WebGoat 7.0 and ZAP 2.4.3 will not proxy #204
- Failing Build #201
- Missing mvn package of webgoat-container in README.MD #200
- Seems translation to Russian for "Congratulations. You have successfully completed this lesson." phrase is broken. #199
- HtmlEncoder uses static methods but must be instantiated #195
- webgoat-container should unpack all the lessons #192
- Access Control Flaws, LAB stage 3: Remove the FindProfile screen #186
- Injection Flaws | XPath Injection date file path issue #184
- hints don't appear to work on labs #183
- Session Management Flaws - Spoof an Authentication Cookie render issue #181
- Challenge - Show* buttons show on initial lesson load #180
- Http Basics - minor edits and change completion state #178
- Lab Cross-Site Scripting Stage 1 solution #176
- Backdoor lesson breaks menu CSS #175
- Redirect localhost:8080 to localhost:8080/WebGoat #173
- Session Fixation link in stage 2 does not work #170
- A failure occurred when execute the command "sh webgoat_developer_bootstrap.sh" #145
- Copy lessons into plugin_lessons #254
- WebGoat // Lesson Plan and Solution are note available #242
- Lab: Client side filtering - broken path #232
- AXIS class not found error in Web Services / WSDL Scanning #222
- WSDL link in SOAP Request Lesson crashing with AXIS error #221
- Labs: RBAC stage 1 and 3 not working #209
- How to create a Legacy Lesson - instruction edit #177
- Can't tell when WebGoat has actually started when using: webgoat_developer_bootstrap.sh #75
Merged pull requests:
- Add VMware fusion #264 (akiernan)
- Remove Exception from method signature #257 (RubieV)
- Code cleanup using @test(expected = Exception) #256 (RubieV)
- Added OWASP Labs badge #252 (psiinon)
- updates from day 1 @appsec EU #246 (misfir3)
- Update java required version as stated in #234 #243 (span)
- Fix broken start/home link on logo #229 (span)
- Developer controls #228 (span)
- Admin should also be able to see the solution, source and lesson plan. #224 (nbaars)
- Fixed the classnames in the wsdd config file (moved to different pack… #223 (nbaars)
- Feature/169 #220 (nbaars)
- Update README.MD #219 (muzir)
- Fix #213 by changing the id of the restart button to the correct id #214 (span)
- Fixed #184 #212 (nbaars)
- Fix shebang #210 (nxadm)
- Enable weak authentication cookie lesson #207 (span)
- -- Remove raw type usage, add type check parameter. #205 (muzir)
- Update package references in readme #203 (span)
- Develop #202 (misfir3)
- Fixes #195 by adding static initialisation of the maps #197 (span)
- Add stage parameter in the session to keep track of current stage #196 (span)
- webgoat-container should unpack all the lessons #192 #193 (nbaars)
The OWASP WebGoat 7.0.1 Release
WebGoat 7 is the latest in a series of infrastructure improvements to move WebGoat into the modern era. With the new plugin architecture and separation of the server framework from the lessons, lessons now require just a few lines of code. Lessons can now be produced without having to understand the entirety of the WebGoat server.
This release contains both the WebGoat container and 50+ lessons created by the WebGoat team.