2023.3
Version 2023.3
With great pleasure, we present a new release of WebGoat: 2023.3. It has been a while since the last one, and this year starts with a new release; from now on we will undoubtedly release more often. Starting with this release we use a new, calendar-based versioning scheme (https://calver.org/#scheme).
A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully we can make many more releases this year.
New functionality
- New year's resolution (2022): major refactoring of WebGoat to simplify the setup and improve build times.
- Moved away from the multi-project setup:
  - This has a huge performance benefit when building the application. Build time locally is now `Total time: 42.469 s` (depending on your local machine, of course).
  - Maven dependencies no longer have to be added in several places.
  - H2 no longer needs to run as a separate process, which solves the issue of WebWolf sharing the database and needing to configure the correct database connection.
- More explicit paths in HTML files to reference `adoc` files, less magic.
- Integrated WebWolf into WebGoat: the setup was far too complicated and needed configuration that could lead to mistakes and a non-working application. This also simplifies the Docker configuration, as there is now only one Docker image.
- Added a WebWolf button in WebGoat.
- Moved all lessons into `src/main/resources`.
- WebGoat selects a port dynamically when starting: it still tries port 8080 first and, if that port is taken, tries another one to ease the user experience. (This logic was removed again before the release; see the entry further down.)
- WebGoat logs the URL after startup: `Please browse to http://127.0.0.1:8080/WebGoat to get started...`
- Simplified the `Dockerfile`, as we no longer need a script to start everything.
- The Maven build now starts the WebGoat jar with a Maven plugin, to make sure we run against the latest build.
- Added an `Initializable` interface for a lesson: an assignment can implement this interface to set itself up for a specific user and to reset the assignment back to its original state when a lesson reset occurs. See `BlindSendFileAssignment` for an example.
- Integration tests now use the same user. This saves a lot of time: before, every test used a different user, which triggered the Flyway migration to set up the database schema for that user, and this migration took a lot of time.
- Updated the introduction lesson to WebWolf.
- Added a language switch to support multiple languages.
- Removed the logic to start WebGoat on a random port when port `8080` is taken. We would loop until we found a free port; we simplified this to just start on the specified port.
- Added the Google formatter for all our code; a PR now checks whether the code adheres to the standard.
- Renamed all packages and folders.
- #1039 New OWASP Top 10
- #1065 New lesson about logging
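As an added illustration of the `Initializable` pattern described above (this is not code from WebGoat itself; the real interface lives in the project and its exact signature may differ), the following self-contained Java program shows a hypothetical `Initializable` interface with a single `initialize(username)` hook that the container would call both when a user first opens the lesson and on lesson reset. The assignment keeps a per-user directory with a secret file, so one user's tampering never affects another user, and calling the hook again restores the original content. The interface name, the `initialize` signature, the `PerUserFileAssignment` class and the sample secret text are assumptions made for this example.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Comparator;
import java.util.stream.Stream;

/** Hypothetical stand-in for WebGoat's lesson hook (assumed name and signature). */
interface Initializable {
  /** Called when a user starts the lesson and again on "reset lesson". */
  void initialize(String username);
}

/** Per-user assignment state: a working directory holding the file the exercise targets. */
public final class PerUserFileAssignment implements Initializable {
  // Constructed sample content; the real lesson's secret is irrelevant here.
  private static final String ORIGINAL_SECRET = "WebGoat 8.0 rocks the boat";
  private final Path root;

  PerUserFileAssignment(Path root) {
    this.root = root.toAbsolutePath().normalize();
  }

  /** Resolve the user's directory and refuse names that would escape the root. */
  Path userDir(String username) {
    Path dir = root.resolve(username).normalize();
    if (dir.equals(root) || !dir.startsWith(root)) {
      throw new IllegalArgumentException("invalid username: " + username);
    }
    return dir;
  }

  Path secretFile(String username) {
    return userDir(username).resolve("secret.txt");
  }

  /** Set up (or reset) the assignment for one user without touching anyone else's state. */
  @Override
  public void initialize(String username) {
    try {
      Path dir = userDir(username);
      if (Files.exists(dir)) {
        deleteRecursively(dir); // drop whatever the user changed during the exercise
      }
      Files.createDirectories(dir);
      Files.writeString(secretFile(username), ORIGINAL_SECRET, StandardCharsets.UTF_8);
    } catch (IOException e) {
      throw new IllegalStateException("cannot initialize assignment for " + username, e);
    }
  }

  String readSecret(String username) throws IOException {
    return Files.readString(secretFile(username), StandardCharsets.UTF_8);
  }

  private static void deleteRecursively(Path dir) throws IOException {
    try (Stream<Path> walk = Files.walk(dir)) {
      walk.sorted(Comparator.reverseOrder()).forEach(p -> {
        try {
          Files.delete(p);
        } catch (IOException e) {
          throw new UncheckedIOException(e);
        }
      });
    }
  }

  public static void main(String[] args) throws IOException {
    Path root = Files.createTempDirectory("webgoat-initializable-demo");
    PerUserFileAssignment assignment = new PerUserFileAssignment(root);
    assignment.initialize("alice");
    assignment.initialize("bob");

    // Alice tampers with her copy during the exercise; Bob's copy is untouched.
    Files.writeString(assignment.secretFile("alice"), "tampered", StandardCharsets.UTF_8);
    System.out.println("alice before reset: " + assignment.readSecret("alice"));

    assignment.initialize("alice"); // lesson reset: original state restored for alice only
    System.out.println("alice after reset:  " + assignment.readSecret("alice"));
    System.out.println("bob (unchanged):    " + assignment.readSecret("bob"));

    deleteRecursively(root);
  }
}
```

Save the file as `PerUserFileAssignment.java`, then `javac PerUserFileAssignment.java && java PerUserFileAssignment` (Java 11 or later, for `Files.writeString`/`readString`). The `userDir` check matters in a lesson container because the username comes from the session: without it, a crafted name such as `../other` could make the reset hook delete another user's directory.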
Bug fixes
- #1193 Vulnerable component lesson - java.desktop does not "opens java.beans" to unnamed module
- #1176 Minor: XXE lesson 12 patch not reset by 'lesson reset' while it IS reset by leaving/returning to lesson
- #1134 "Exploiting XStream" assignment does not work
- #1130 Typo: Using Indrect References
- #1101 SQL lesson not correct
- #1079 startup.sh issues of WebWolf - cannot connect to the WebGoat DB
- #1379 Move XXE to A05:2021-Security Misconfiguration
- #1298 SocketUtils is deprecated and will be removed in Spring Security 6
- #1248 Rewrite the WebWolf Introduction Lesson with the new changes
- #1200 Type cast error in sample code at JWT token section
- #1173 --server.port=9000 is not respected on Windows (both cmd as Powershell)
- #1103 (A1) path traversel lesson 7 seems broken
- #986 User registration not persistant
Full change log: v8.2.2...v2023.3
Contributors
Special thanks to the following contributors for providing us with pull requests:
And everyone who provided feedback through GitHub.
Team WebGoat