Merge branch 'release/v8.0.0.M18'
@ -49,10 +49,7 @@ import org.owasp.encoder.*;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.*;
|
||||
|
||||
import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||
|
||||
@ -72,20 +69,19 @@ public class StoredXssComments extends AssignmentEndpoint {
|
||||
comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "<script>console.warn('unit test me')</script>Comment for Unit Testing"));
|
||||
comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe"));
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too."));
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
|
||||
comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?"));
|
||||
}
|
||||
|
||||
@RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE)
|
||||
@ResponseBody
|
||||
public Collection<Comment> retrieveComments() {
|
||||
Collection<Comment> allComments = Lists.newArrayList();
|
||||
List<Comment> allComments = Lists.newArrayList();
|
||||
Collection<Comment> newComments = userComments.get(webSession.getUserName());
|
||||
allComments.addAll(comments);
|
||||
if (newComments != null) {
|
||||
allComments.addAll(newComments);
|
||||
}
|
||||
|
||||
allComments.addAll(comments);
|
||||
|
||||
Collections.reverse(allComments);
|
||||
return allComments;
|
||||
}
|
||||
|
||||
|
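Review bot: `retrieveComments` on the new side returns every stored comment body verbatim as JSON, including the seeded `<script>` comment at the top of the second hunk, while `org.owasp.encoder` is imported in this file (visible in the first hunk header) and never applied on this path. Presumably that is intentional for a stored-XSS lesson, but it should be stated on the method so a later cleanup does not silently break it, e.g. `/** Returns seed and per-user comments unencoded on purpose: the lesson relies on the client rendering them. */`. Two style points: the import hunk trades explicit `java.util` imports for `import java.util.*;`, which hides which types the class actually uses, and the `@RequestMapping` line lacks a space after the comma — `produces = MediaType.APPLICATION_JSON_VALUE, consumes = ALL_VALUE`. `consumes = ALL_VALUE` on a body-less GET restricts nothing and could be dropped. The block that seeds `comments` starts before the second hunk.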
@ -5,7 +5,7 @@ xss-reflected-5a-failure=Try again. We do want to see this specific javascript (
|
||||
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
|
||||
xss-reflected-5b-failure=Nope, pretty easy to guess now though.
|
||||
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
|
||||
xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
|
||||
xss-reflected-6a-failure=No, look at the example. Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
|
||||
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
|
||||
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
|
||||
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
|
||||
|
@ -4,7 +4,7 @@ You should have been able to execute script with the last example. At this point
|
||||
|
||||
Why is that?
|
||||
|
||||
That is because there is no link that would tigger that XSS.
|
||||
That is because there is no link that would trigger that XSS.
|
||||
You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
|
||||
|
||||
link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('myjavascripthere')</script>4128+3214+0002+1999&field2=111
|
||||
link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=<script>alert('my%20javascript%20here')</script>4128+3214+0002+1999&field2=111
|
||||
|
@ -1,15 +1,15 @@
|
||||
== Ientify Potential for DOM-Based XSS
|
||||
== Identify Potential for DOM-Based XSS
|
||||
|
||||
DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
|
||||
Look for a route that takes inputs that you can ID being 'reflected' to the page.
|
||||
Look for a route that takes inputs that are being 'reflected' to the page.
|
||||
|
||||
For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
|
||||
Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
|
||||
|
||||
Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is:
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
|
||||
*start.mvc#lesson/*
|
||||
The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
|
||||
|
||||
The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
|
||||
|
||||
So, what is test route for this test code?
|
||||
So, what is the route for the test code that stayed in the app during production?
|
||||
To answer this question, you have to check the javascript source.
|
@ -8,4 +8,4 @@ The function you want to execute is ...
|
||||
|
||||
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
|
||||
|
||||
Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
|
||||
Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.
|
||||
|