The WebGoat 7.1 Release is comprised 104 commits from 16 different contributors a over a period of 9 months.

This is a release ta include many bug fixes and is intended to be the last release of the 7.X branch, as the WebGoat team have big plans for next release.

For a glimpse of what has been implemented, check our change log:

Change Log

7.1 (2016-11-18)

Full Changelog

Implemented enhancements:

• i8n highlighting #96
• Improve uniqueness of menu item Id's #45

Fixed bugs:

• Stored XSS Lesson does not render message and attack does not fire #141
• Source code is not available for this lesson. #137

Closed issues:

• Fix lesson client side filtering #272
• Reset lesson does not work anymore #271
• Lesson plans not loading with manual build and easy-run jar (standalone jar) not running at all #268
• Unable to download webgoat jar file #261
• Developer edition build isn't working in its entirety #260
• Amazon S3 downloadable JAR is missing #259
• Code does not compile on dev branch #258
• Executable jar crashes if empty .extract folder exist #251
• Java Error Message in Lesson "How to Bypass a Path Based Access Control Scheme" #240
• developer bootstrap says git is missing when it is installed #236
• Application Won't Start #234
• Restart lesson button isn't working #226
• Navigation to start page is broken after login #218
• Links in menu missing pointer cursor #216
• Restart lesson button not working #213
• WebGoat stops at DEBUG - Exit: getEngine() #211
• Labs: Remnant files and solved stages #208
• Labs: Navigating to Instructor java examples #206
• WebGoat 7.0 and ZAP 2.4.3 will not proxy #204
• Failing Build #201
• Missing mvn package of webgoat-container in README.MD #200
• Seems translation to Russian for "Congratulations. You have successfully completed this lesson." phrase is broken. #199
• HtmlEncoder uses static methods but must be instantiated #195
• webgoat-container should unpack all the lessons #192
• Access Control Flaws, LAB stage 3: Remove the FindProfile screen #186
• Injection Flaws | XPath Injection date file path issue #184
• hints don't appear to work on labs #183
• Session Management Flaws - Spoof an Authentication Cookie render issue #181
• Challenge - Show* buttons show on initial lesson load #180
• Http Basics - minor edits and change completion state #178
• Lab Cross-Site Scripting Stage 1 solution #176
• Backdoor lesson breaks menu CSS #175
• Redirect localhost:8080 to localhost:8080/WebGoat #173
• Session Fixation link in stage 2 does not work #170
• A failure occurred when execute the command "sh webgoat_developer_bootstrap.sh" #145
• Copy lessons into plugin_lessons #254
• WebGoat // Lesson Plan and Solution are note available #242
• Lab: Client side filtering - broken path #232
• AXIS class not found error in Web Services / WSDL Scanning #222
• WSDL link in SOAP Request Lesson crashing with AXIS error #221
• Labs: RBAC stage 1 and 3 not working #209
• How to create a Legacy Lesson - instruction edit #177
• Can't tell when WebGoat has actually started when using: webgoat_developer_bootstrap.sh #75

Merged pull requests:

• Add VMware fusion #264 (akiernan)
• Remove Exception from method signature #257 (RubieV)
• Code cleanup using @test(expected = Exception) #256 (RubieV)
• Added OWASP Labs badge #252 (psiinon)
• updates from day 1 @appsec EU #246 (misfir3)
• Update java required version as stated in #234 #243 (span)
• Updates to Dev Bootstrap #239 (dilshanraja)
• Fix broken start/home link on logo #229 (span)
• Developer controls #228 (span)
• Admin should also be able to see the solution, source and lesson plan. #224 (nbaars)
• Fixed the classnames in the wsdd config file (moved to different pack… #223 (nbaars)
• Feature/169 #220 (nbaars)
• Update README.MD #219 (muzir)
• Fix #213 by changing the id of the restart button to the correct id #214 (span)
• Fixed #184 #212 (nbaars)
• Fix shebang #210 (nxadm)
• Enable weak authentication cookie lesson #207 (span)
• -- Remove raw type usage, add type check parameter. #205 (muzir)
• Update package references in readme #203 (span)
• Develop #202 (misfir3)
• Fixes #195 by adding static initialisation of the maps #197 (span)
• Add stage parameter in the session to keep track of current stage #196 (span)
• webgoat-container should unpack all the lessons #192 #193 (nbaars)