diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
index c14e125f1..92a56a38d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
@@ -1,6 +1,10 @@
 package org.owasp.webgoat.plugin.mitigation;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.nodes.Element;
+import org.jsoup.select.Elements;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
@@ -30,32 +34,32 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { //maybe better idea for assignment // - String line1 =""; - String line2 =""; - + Document doc = Jsoup.parse(editor); String[] lines = editor.split(System.getProperty("line.separator")); - for (int i = 0; i < lines.length; i++) { - if(lines[i].contains("First Name")){ - line1 = lines[i+1].replace(" ","").replace("",""); - } else if (lines[i].contains("Last Name")){ - line2 = lines[i+1].replace(" ", "").replace("", ""); - } + + String include = (lines[0]); + String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text(); + String last_name_element = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text(); + + Boolean includeCorrect = false; + Boolean firstNameCorrect = false; + Boolean lastNameCorrect = false; + if(include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")){ + includeCorrect = true; + } + if(first_name_element.equals("${e:forHtml(param.first_name)}")){ + firstNameCorrect = true; + } + if(last_name_element.equals("${e:forHtml(param.last_name)}")){ + lastNameCorrect = true; } - // - //or - //${fn:escapeXml("param.first_name/last_name")} - - if((line1.equals("") || line1.equals("")) - && (line2.equals("")) || line2.equals("")){ - System.out.println("true"); - return trackProgress(success().feedback("xss-mitigation-3-success").build()); - } else if(line1.equals("${fn:escapeXml(\"param.first_name\")}") && line2.equals("${fn:escapeXml(\"param.last_name\")}")){ + if(includeCorrect && firstNameCorrect && lastNameCorrect){ System.out.println("true"); return trackProgress(success().feedback("xss-mitigation-3-success").build()); } else { System.out.println("false"); - System.out.println(line1 + "\n" + line2); + System.out.println(first_name_element + "\n" + last_name_element); return 
trackProgress(failed().feedback("xss-mitigation-3-failure").build()); } }
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
index f354f5363..60d7abb2c 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@@ -49,7 +49,9 @@ " \n" + "\n" + "\n" + - "\n"); + "\n" + + "\n" + + "\n");
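Review bot: `doc.select(...).first()` on the two new `first_name_element`/`last_name_element` lines returns null when the submitted editor text contains no matching `td`, so any submission that drops or reshapes the table makes the following `.text()` throw a NullPointerException out of the endpoint instead of returning the `xss-mitigation-3-failure` feedback. Check the selection before dereferencing it (an empty selection is simply a wrong answer), for example as below; `Elements` is already imported by the first hunk, while `Element` from that same hunk appears unused in the visible code. The three `Boolean` flags should be primitive `boolean` assigned straight from their conditions rather than the `= false` then `if (...) = true` pairs, and `first_name_element`/`last_name_element` should be camelCase like `includeCorrect`. The `System.out.println(first_name_element + "\n" + last_name_element)` on the failure path writes student-submitted content to stdout; drop it or route it through the class logger at debug level. The enclosing method starts before this hunk, so its signature and how `editor` is bound are not visible here.
```java
Document doc = Jsoup.parse(editor);
// … unchanged: lines / include extraction …
Elements firstNameCells = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)");
Elements lastNameCells = doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)");
// An empty selection means the submitted markup lacks the expected table: treat it as a wrong answer, not an exception.
String firstNameText = firstNameCells.isEmpty() ? "" : firstNameCells.first().text();
String lastNameText = lastNameCells.isEmpty() ? "" : lastNameCells.first().text();
boolean includeCorrect = include.contains("<%@") && include.contains("taglib")
        && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>");
boolean firstNameCorrect = firstNameText.equals("${e:forHtml(param.first_name)}");
boolean lastNameCorrect = lastNameText.equals("${e:forHtml(param.last_name)}");
// … unchanged: success / failure branches (variable references renamed accordingly) …
```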
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 5a19e7db2..10a40f8f8 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -30,9 +30,9 @@ xss-stored-comment-success=It appears your payload should invoke the function. T
 xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
 xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
 xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).
-xss-mitigation-3-hint1=You don't store the user input in this example. Try to html entity escape the user input right before you it into the HTML element.
-xss-mitigation-3-hint2=Use JavaServer Pages Standard Tag Library (JSTL) tags or Unified Expression Language
-xss-mitigation-3-hint3=You don't have to import the libs. (<%@ taglib uri = "http://java.sun.com/jsp/jstl/core" prefix = "c" %> and <%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix = "fn" %> already included in this example)
-xss-mitigation-3-hint4=Have you ever heard of escapeXml? Ask the web.
+xss-mitigation-3-hint1=You don't store the user input in this example. Try to encode the user's input right before you place it into the HTML document.
+xss-mitigation-3-hint2=Make use of JavaServer Pages Standard Tag Library (JSTL) and JSP Expression Language.
+xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
+xss-mitigation-3-hint4=Don't forget to reference the taglibs and choose "e" as prefix.
 xss-mitigation-3-success=You have completed this lesson. Congratulations!
 xss-mitigation-3-failure=This in not the correct answer. Try again!
\ No newline at end of file
diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml
index f652b9a1e..959f701ad 100644
--- a/webgoat-lessons/pom.xml
+++ b/webgoat-lessons/pom.xml
@@ -97,6 +97,12 @@ xstream 1.4.7 + + + org.jsoup + jsoup + 1.11.3 +