From d9c42b899dbe82c11eb38079c44002a945f6c091 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Wed, 24 Jun 2020 20:40:12 +0700
Subject: [PATCH 01/12] Check null dereference in DOMCrossSiteScripting

---
 .../java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index d9d08422c9..0b8af3cf9d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -41,7 +41,7 @@ public AttackResult completed(@RequestParam Integer param1,
         SecureRandom number = new SecureRandom();
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
 
-        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
+        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln") && userSessionData.getValue("randValue")!=null ) {
             return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
         } else {
             return failed(this).build();
@@ -49,4 +49,4 @@ public AttackResult completed(@RequestParam Integer param1,
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

From 817eb1529db27861f0a25be647632785a32f05d1 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Wed, 24 Jun 2020 21:26:11 +0700
Subject: [PATCH 02/12] Revert "Check null dereference in
 DOMCrossSiteScripting"

---
 .../java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index 0b8af3cf9d..d9d08422c9 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -41,7 +41,7 @@ public AttackResult completed(@RequestParam Integer param1,
         SecureRandom number = new SecureRandom();
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
 
-        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln") && userSessionData.getValue("randValue")!=null ) {
+        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
             return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
         } else {
             return failed(this).build();
@@ -49,4 +49,4 @@ public AttackResult completed(@RequestParam Integer param1,
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file

From c9ef0a91c3c70b59bb9759b3479acf3f904e6553 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Wed, 24 Jun 2020 21:32:14 +0700
Subject: [PATCH 03/12] Update DOMCrossSiteScripting.java

---
 .../org/owasp/webgoat/xss/DOMCrossSiteScripting.java     | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index 0b8af3cf9d..3c8a39ee17 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -40,12 +40,15 @@ public AttackResult completed(@RequestParam Integer param1,
         UserSessionData userSessionData = getUserSessionData();
         SecureRandom number = new SecureRandom();
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
-
-        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln") && userSessionData.getValue("randValue")!=null ) {
-            return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
+        
+        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
+            if (userSessionData != null && userSessionData.getValue("randValue") != null){
+                return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
+            }
         } else {
             return failed(this).build();
         }
+        
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere

From 915dce206da6aa2c5d886d209444a87569b3baa8 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Wed, 24 Jun 2020 21:51:40 +0700
Subject: [PATCH 04/12] Revert "Update DOMCrossSiteScripting.java"

---
 .../java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java  | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index 5ff5c48c9a..d9d08422c9 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -40,15 +40,12 @@ public AttackResult completed(@RequestParam Integer param1,
         UserSessionData userSessionData = getUserSessionData();
         SecureRandom number = new SecureRandom();
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
-        
+
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            if (userSessionData != null && userSessionData.getValue("randValue") != null){
-                return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
-            }
+            return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
         } else {
             return failed(this).build();
         }
-        
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere

From bb78a271d765fd9a0cce602cb9b4b658983e7d56 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 00:16:32 +0700
Subject: [PATCH 05/12] Update WebSecurityConfig.java

---
 .../src/main/java/org/owasp/webgoat/WebSecurityConfig.java    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index 79a1b075b3..51b8385498 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -69,7 +69,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .permitAll();
         security.and()
                 .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-        security.and().csrf().disable();
+        //security.and().csrf().enable();
 
         http.headers().cacheControl().disable();
         http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
@@ -97,4 +97,4 @@ protected AuthenticationManager authenticationManager() throws Exception {
     public NoOpPasswordEncoder passwordEncoder() {
         return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
     }
-}
\ No newline at end of file
+}

From 1df23716d980e0ac8300b52c8818cea9ddf68efd Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 00:31:20 +0700
Subject: [PATCH 06/12] Update WebSecurityConfig.java

---
 .../src/main/java/org/owasp/webgoat/WebSecurityConfig.java       | 1 -
 1 file changed, 1 deletion(-)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index 51b8385498..ab19e81577 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -69,7 +69,6 @@ protected void configure(HttpSecurity http) throws Exception {
                 .permitAll();
         security.and()
                 .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-        //security.and().csrf().enable();
 
         http.headers().cacheControl().disable();
         http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));

From 34d6eb818e79867434bbbbdc02d10c0a0d7668c5 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 17:23:04 +0700
Subject: [PATCH 07/12] Update DOMCrossSiteScripting.java

---
 .../java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java  | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index 5ff5c48c9a..133f8ab5ec 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -42,9 +42,8 @@ public AttackResult completed(@RequestParam Integer param1,
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
         
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            if (userSessionData != null && userSessionData.getValue("randValue") != null){
-                return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
-            }
+            Object randValue = userSessionData.getValue("randValue");
+            return success(this).output("phoneHome Response is " + randValue).build();
         } else {
             return failed(this).build();
         }
@@ -52,4 +51,4 @@ public AttackResult completed(@RequestParam Integer param1,
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

From 9f6ee0237fa52ed29e4caa502e33846b374a30e4 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 17:25:01 +0700
Subject: [PATCH 08/12] Update WebSecurityConfig.java

---
 .../src/main/java/org/owasp/webgoat/WebSecurityConfig.java       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index ab19e81577..06b61281f6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -69,6 +69,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .permitAll();
         security.and()
                 .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+        security.and().csrf().enable();
 
         http.headers().cacheControl().disable();
         http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));

From 96a89697567fdae013931e5b0532977942720f5f Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 17:37:30 +0700
Subject: [PATCH 09/12] Update DOMCrossSiteScripting.java

---
 .../main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index 89a4fb5043..4bf7b00219 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -42,8 +42,7 @@ public AttackResult completed(@RequestParam Integer param1,
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
 
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            Object randValue = userSessionData.getValue("randValue");
-            return success(this).output("phoneHome Response is " + randValue).build();
+            return success(this).output("phoneHome Response is " + String.valueOf(userSessionData.getValue("randValue"))).build();
         } else {
             return failed(this).build();
         }

From b391f7b6d393c3298cb3fcbb4f1da2e07a64da7f Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 23:06:04 +0700
Subject: [PATCH 10/12] Update WebSecurityConfig.java (#5)

* Update WebSecurityConfig.java

* Update WebSecurityConfig.java

* Update DOMCrossSiteScripting.java

* Update WebSecurityConfig.java

* Update DOMCrossSiteScripting.java
---
 .../src/main/java/org/owasp/webgoat/WebSecurityConfig.java    | 4 ++--
 .../java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java     | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index 79a1b075b3..06b61281f6 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -69,7 +69,7 @@ protected void configure(HttpSecurity http) throws Exception {
                 .permitAll();
         security.and()
                 .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-        security.and().csrf().disable();
+        security.and().csrf().enable();
 
         http.headers().cacheControl().disable();
         http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
@@ -97,4 +97,4 @@ protected AuthenticationManager authenticationManager() throws Exception {
     public NoOpPasswordEncoder passwordEncoder() {
         return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
     }
-}
\ No newline at end of file
+}
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
index d9d08422c9..4bf7b00219 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/DOMCrossSiteScripting.java
@@ -42,11 +42,11 @@ public AttackResult completed(@RequestParam Integer param1,
         userSessionData.setValue("randValue", String.valueOf(number.nextInt()));
 
         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
-            return success(this).output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build();
+            return success(this).output("phoneHome Response is " + String.valueOf(userSessionData.getValue("randValue"))).build();
         } else {
             return failed(this).build();
         }
     }
 }
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E--andMoreGarbageHere
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

From 835c168c486e114a0c0ce4a143d6f3cf99e269a6 Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 23:10:52 +0700
Subject: [PATCH 11/12] Update StoredCrossSiteScriptingVerifier.java

---
 .../webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
index 8f51389108..cf02db2c70 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/stored/StoredCrossSiteScriptingVerifier.java
@@ -42,7 +42,7 @@ public class StoredCrossSiteScriptingVerifier extends AssignmentEndpoint {
     public AttackResult completed(@RequestParam String successMessage) {
         UserSessionData userSessionData = getUserSessionData();
 
-        if (successMessage.equals(userSessionData.getValue("randValue").toString())) {
+        if (successMessage.equals(String.valueOf(userSessionData.getValue("randValue")))) {
             return success(this).feedback("xss-stored-callback-success").build();
         } else {
             return failed(this).feedback("xss-stored-callback-failure").build();
@@ -51,4 +51,4 @@ public AttackResult completed(@RequestParam String successMessage) {
 }
 
 // something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
-// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
\ No newline at end of file
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

From 56b1c8c99aa6358cea62c297e98917425ec5588d Mon Sep 17 00:00:00 2001
From: kuanbs <49298756+kuanbs@users.noreply.github.com>
Date: Thu, 25 Jun 2020 23:13:00 +0700
Subject: [PATCH 12/12] Update WebSecurityConfig.java

---
 .../src/main/java/org/owasp/webgoat/WebSecurityConfig.java       | 1 -
 1 file changed, 1 deletion(-)

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
index 06b61281f6..ab19e81577 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@@ -69,7 +69,6 @@ protected void configure(HttpSecurity http) throws Exception {
                 .permitAll();
         security.and()
                 .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-        security.and().csrf().enable();
 
         http.headers().cacheControl().disable();
         http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));