- Update the Docker startup script, it is now possible to pass
skip-nginx
or setSKIP_NGINX
as environment variable.
- Docker image now supports nginx when browsing to http://localhost a landing page is shown.
- #1039 jwt-7-Code review
- #1031 SQL Injection (intro) 5: Data Control Language (DCL) the wiki's solution is not correct
- #1027 Webgoat 8.2.1 Vulnerable_Components_12 Shows internal server error
- New Docker image for arm64 architecture is now available (for Apple M1)
- Add new zip slip lesson (part of path traversal)
- SQL lessons are now separate for each user, database are now per user and no longer shared across users
- Moved to Java 15 & Spring Boot 2.4 & moved to JUnit 5
- #974 SQL injection Intro 5 not solvable
- #962 SQL-Lesson 5 (Advanced) Solvable with wrong anwser
- #961 SQl-Injection lesson 4 not deleting created row
- #949 Challenge: Admin password reset always solvable
- #923 - Upgrade to Java 15
- #922 - Vulnerable components lesson
- #891 - Update the OWASP website with the new all-in-one Docker container
- #844 - Suggestion: Update navigation
- #843 - Bypass front-end restrictions: Field restrictions - confusing text in form
- #841 - XSS - Reflected XSS confusing instruction and success messages
- #839 - SQL Injection (mitigation) Order by clause confusing
- #838 - SQL mitigation (filtering) can only be passed by updating table
Special thanks to the following contributors providing us with a pull request:
- nicholas-quirk
- VijoPlays
- aolle
- trollingHeifer
- maximmasiutin
- toshihue
- avivmu
- KellyMarchewa
- NatasG
- gabe-sky
- Added new lessons for cryptography and path-traversal
- Extra content added to the XXE lesson
- Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
- Docker improvements + docker stack for complete container with nginx
- Included JWT token decoding and generation, since jwt.io does not support None anymore
- #743 - Character encoding errors
- #811 - Flag submission fails
- #810 - Scoreboard for challenges shows csrf users
- #788 - strange copy in constructor
- #760 - Execution of standalone jar fails (Flyway migration step
- #766 - Unclear objective of vulnerable components practical assignment
- #708 - Seems like the home directory of WebGoat always use @project.version@
- #719 - WebGoat: 'Contact Us' email link in header is not correctly set
- #715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful
- #725 - Vulnerable Components lesson 12 broken due to too new dependency
- #716 - On M26 @project.version@ is not "interpreted" #7
- #721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page
- #724 - Dead link in VulnerableComponents lesson 11
Special thanks to the following contributors providing us with a pull request:
- Satoshi SAKAO
- Philippe Lafoucrière
- Cotonne
- Tiago Mussi
- thegoodcrumpets
- Atharva Vaidya
- torleif
- August Detlefsen
- Choe Hyeong Jin
And everyone who provided feedback through Github.
Team WebGoat