diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
new file mode 100644
index 000000000..ab641b11b
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@@ -0,0 +1,111 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Arrays;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.B;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.TextArea;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+
+public class CSRF extends LessonAdapter {
+
+ private final static String MESSAGE = "message";
+ private final static String TITLE = "title";
+
+ @Override
+ protected Element createContent(WebSession s) {
+ ElementContainer ec = new ElementContainer();
+ String emailBody = null;
+
+ try{
+ Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
+ TR row1 = new TR();
+ TR row2 = new TR();
+ row1.addElement( new TD( new StringElement( "Title: " ) ) );
+
+ Input inputTitle = new Input( Input.TEXT, TITLE, "" );
+ row1.addElement( new TD( inputTitle ) );
+
+ TD item1 = new TD();
+ item1.setVAlign( "TOP" );
+ item1.addElement( new StringElement( "Message: " ) );
+ row2.addElement( item1 );
+
+ TD item2 = new TD();
+ TextArea ta = new TextArea( MESSAGE, 5, 60 );
+ item2.addElement( ta );
+ row2.addElement( item2 );
+ t.addElement( row1 );
+ t.addElement( row2 );
+
+ Element b = ECSFactory.makeButton( "Submit" );
+ ec = new ElementContainer();
+ ec.addElement( t );
+ ec.addElement( new P().addElement( b ) );
+
+ emailBody = new String( s.getParser().getRawParameter( MESSAGE, "" ) );
+
+ }
+ catch (Exception e)
+ {
+ s.setMessage( "Error generating " + this.getClass().getName() );
+ e.printStackTrace();
+ }
+
+ if (emailBody.length() != 0 &&
+ emailBody.indexOf( "=0 &&
+ emailBody.indexOf( "src=") > 0 &&
+ emailBody.indexOf( "height=\"1\"" ) > 0 &&
+ emailBody.indexOf( "width=\"1\"" ) > 0)
+ {
+ makeSuccess( s );
+ }
+
+ return ec;
+ }
+
+ @Override
+ protected Category getDefaultCategory() {
+ return AbstractLesson.A4;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(140);
+
+ @Override
+ protected Integer getDefaultRanking() {
+
+ return DEFAULT_RANKING;
+ }
+
+ @Override
+ protected List getHints() {
+ List hints = new ArrayList();
+ hints.add( "Enter some text and try to include an image in there." );
+ hints.add( "The format of an image in html is
<img src=\"[URL]\" width=\"1\" height=\"1\" />
");
+ hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
+
+ return hints;
+ }
+
+ /**
+ * Gets the title attribute of the MessageBoardScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ( "How to Perform Cross Site Request Forgery (CSRF)" );
+ }
+
+}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index 833998eac..dd9650a6a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -1,7 +1,5 @@
 package org.owasp.webgoat.lessons;
 import java.util.*;
-import java.net.URLDecoder;
-import java.io.UnsupportedEncodingException;
 import org.apache.ecs.*;
 import org.apache.ecs.html.*;
@@ -75,7 +73,7 @@ public class HttpSplitting extends LessonAdapter {
 //Split by the line separator line.separator is platform independant
 String[] arrTokens = lang.toString().toUpperCase().split(System.getProperty("line.separator"));
- //Check if the user ended the first request and wrote the second malcious reply
+ //Check if the user ended the first request and wrote the second malacious reply
 if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 && Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 ) {
@@ -99,7 +97,7 @@ public class HttpSplitting extends LessonAdapter {
 hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
 return hints;
-
+
 }
 private final static Integer DEFAULT_RANKING = new Integer(10);
diff --git a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
new file mode 100644
index 000000000..9cc655e12
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
@@ -0,0 +1,27 @@
+
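Review bot: `emailBody` is declared as `null` and only assigned on the last statement of the `try`, so if any earlier ECS call or `getRawParameter` throws, the `catch` records the error and execution falls straight into `emailBody.length()`, turning an already-handled exception into a `NullPointerException` out of `createContent`. Initialise it as `String emailBody = "";` or guard the success check with `if (emailBody != null && emailBody.length() != 0 && …`. The `new String(...)` wrapper around the parameter value and the second `ec = new ElementContainer();` inside the `try` are redundant and can be dropped. The `getHints()` text embeds a literal `<img src=\"[URL]\" width=\"1\" height=\"1\" />` tag; if the hint panel injects hints as HTML rather than text, that tag will be interpreted instead of shown, so consider encoding it as `&lt;img … /&gt;` — confirm against how LessonAdapter renders hints. The Javadoc on `getTitle()` still says "MessageBoardScreen object" and should name this lesson.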
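Review bot: The reworded comment in the `-75,7` hunk still misspells the word — `malcious` becomes `malacious`; it should read `//Check if the user ended the first request and wrote the second malicious reply`. The `if` block that follows and its enclosing method continue outside the hunk.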
+

Lesson Plan Title: Cross Site Request Forgery.

+
+
+

Concept / Topic To Teach:

+ This lesson teaches how to Cross Site Request Forgery (CSRF) attacks.
+
+
+

+How the attacks works: +

+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains img links like the one below:
+
<img src="http://www.mybank.com/sendFunds.do?acctId=123456"/>
+
+When the victim's browser attempts to render this page, it will issue a request to www.mybank.com to the transferFunds.do page with the specified parameters. The browser will think the link is to get an image, even though it actually is a funds transfer function.
+
+The request will include any cookies associated with the site. Therefore, if the user has authenticated to the site, and has either a permanent cookie or even a current session cookie, the site will have no way to distinguish this from a legitimate user request.
+
+In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, or any other function provided by the vulnerable website
+

General Goal(s):

+
+* Your goal is to send an email to a newsgroup.
+* Try to include a 1x1 pixel image that includes a URL that transfers funds to your account.
+* Whoever receives this email and happens to be authenticated at that time will be a victim.
+
diff --git a/ webgoat/main/project/doc/WebGoatv4UsersGuide_DRAFT.doc b/ webgoat/main/project/doc/WebGoatv4UsersGuide_DRAFT.doc
index 23c11538c..1933d6d80 100644
Binary files a/ webgoat/main/project/doc/WebGoatv4UsersGuide_DRAFT.doc and b/ webgoat/main/project/doc/WebGoatv4UsersGuide_DRAFT.doc differ