This patch contains the HTTP connector that intercepts the requests to the application and tries to communicate with OSG.
It also contains the DOM Injection lesson git-svn-id: http://webgoat.googlecode.com/svn/trunk@35 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy
@ -104,6 +104,8 @@ public abstract class AbstractLesson extends Screen implements Comparable
|
||||
*/
|
||||
public final static Category WEB_SERVICES = new Category( "Web Services", new Integer( 1110 ) );
|
||||
|
||||
public final static Category AJAX_SECURITY = new Category( "AJAX Security", new Integer( 1150 ) );
|
||||
|
||||
public final static Category NEW_LESSON = new Category ( "New Lessons" , new Integer ( 1210 ) );
|
||||
|
||||
public final static Category ADMIN_FUNCTIONS = new Category( "Admin Functions", new Integer( 10 ) );
|
||||
@ -162,6 +164,7 @@ public abstract class AbstractLesson extends Screen implements Comparable
|
||||
categories.add(A9);
|
||||
categories.add(A10);
|
||||
categories.add(WEB_SERVICES);
|
||||
categories.add(AJAX_SECURITY);
|
||||
categories.add(NEW_LESSON);
|
||||
categories.add(ADMIN_FUNCTIONS);
|
||||
categories.add(GENERAL);
|
||||
|
||||
@ -0,0 +1,163 @@
|
||||
package org.owasp.webgoat.lessons;
|
||||
|
||||
import java.io.PrintWriter;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.Element;
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.StringElement;
|
||||
import org.apache.ecs.html.BR;
|
||||
import org.apache.ecs.html.Form;
|
||||
import org.apache.ecs.html.H1;
|
||||
import org.apache.ecs.html.Input;
|
||||
import org.apache.ecs.html.TD;
|
||||
import org.apache.ecs.html.TR;
|
||||
import org.apache.ecs.html.Table;
|
||||
import org.apache.ecs.html.Button;
|
||||
import org.owasp.webgoat.session.ECSFactory;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
public class DOMInjection extends LessonAdapter {
|
||||
|
||||
private final static Integer DEFAULT_RANKING = new Integer(10);
|
||||
private final static String KEY = "key";
|
||||
/*public void handleRequest( WebSession s )
|
||||
{
|
||||
//Setting a special action to be able to submit to redirect.jsp
|
||||
Form form = new Form( "/WebGoat/lessons/AJAXSecurity/DOMInjection.jsp?" +
|
||||
"Screen=" + String.valueOf(getScreenId()) +
|
||||
"&menu=" + getDefaultCategory().getRanking().toString()
|
||||
, Form.POST ).setName( "form" ).setEncType( "" );
|
||||
|
||||
form.addElement( createContent( s ) );
|
||||
|
||||
setContent(form);
|
||||
}*/
|
||||
|
||||
protected Element createContent(WebSession s) {
|
||||
|
||||
String key = "K1JFWP8BSO8HI52LNPQS8F5L01N";
|
||||
ElementContainer ec = new ElementContainer();
|
||||
|
||||
try
|
||||
{
|
||||
String userKey = s.getParser().getRawParameter(KEY, "");
|
||||
String fromAJAX = s.getParser().getRawParameter("from" , "");
|
||||
if (fromAJAX.equalsIgnoreCase("ajax") && userKey.length()!= 0 && userKey.equals(key))
|
||||
{
|
||||
s.getResponse().setContentType("text/html");
|
||||
s.getResponse().setHeader("Cache-Control", "no-cache");
|
||||
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
|
||||
out.print("document.forms[0].SUBMIT.disabled = false;");
|
||||
out.flush();
|
||||
out.close();
|
||||
return ec;
|
||||
}
|
||||
if (s.getRequest().getMethod().equalsIgnoreCase("POST"))
|
||||
{
|
||||
makeSuccess(s);
|
||||
}
|
||||
}
|
||||
catch(Exception e)
|
||||
{
|
||||
s.setMessage( "Error generating " + this.getClass().getName() );
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
String lineSep = System.getProperty("line.separator");
|
||||
String script = "<script>" + lineSep +
|
||||
"function validate() {" + lineSep +
|
||||
"alert('we are here');" + lineSep +
|
||||
"var keyField = document.getElementById('key');" + lineSep +
|
||||
"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
|
||||
"&menu=" + getDefaultCategory().getRanking().toString() +
|
||||
"&from=ajax&key=' + encodeURIComponent(keyField.value);" + lineSep +
|
||||
"if (typeof XMLHttpRequest != 'undefined') {" + lineSep +
|
||||
"req = new XMLHttpRequest();" + lineSep +
|
||||
"} else if (window.ActiveXObject) {" + lineSep +
|
||||
"req = new ActiveXObject('Microsoft.XMLHTTP');" + lineSep +
|
||||
" }" + lineSep +
|
||||
" req.open('GET', url, true);" + lineSep +
|
||||
" req.onreadystatechange = callback;" + lineSep +
|
||||
" req.send(null);" + lineSep +
|
||||
"}" + lineSep +
|
||||
"function callback() {" + lineSep +
|
||||
" if (req.readyState == 4) { " + lineSep +
|
||||
" if (req.status == 200) { " + lineSep +
|
||||
" var message = req.responseText;" + lineSep +
|
||||
" eval(message);" + lineSep +
|
||||
" }}}" + lineSep +
|
||||
"</script>" + lineSep;
|
||||
|
||||
ec.addElement( new StringElement(script));
|
||||
ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat Registration Page:")));
|
||||
ec.addElement( new BR().addElement ("Please enter the license key that was emailed to you to start using the application."));
|
||||
ec.addElement( new BR());
|
||||
ec.addElement( new BR());
|
||||
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("70%").setAlign("center");
|
||||
|
||||
TR tr = new TR();
|
||||
tr.addElement( new TD( new StringElement( "License Key: " ) ));
|
||||
|
||||
Input input1 = new Input( Input.TEXT, KEY , "" );
|
||||
input1.addAttribute("onkeyup", "validate();");
|
||||
tr.addElement( new TD( input1 ) );
|
||||
t1.addElement( tr );
|
||||
|
||||
tr = new TR();
|
||||
tr.addElement( new TD( " " ).setColSpan(2));
|
||||
|
||||
t1.addElement( tr );
|
||||
|
||||
tr = new TR();
|
||||
Input b = new Input();
|
||||
b.setType( Input.SUBMIT );
|
||||
b.setValue( "Activate!" );
|
||||
b.setName("SUBMIT");
|
||||
b.setDisabled(true);
|
||||
tr.addElement(new TD( " " ));
|
||||
tr.addElement( new TD( b ) );
|
||||
|
||||
t1.addElement(tr);
|
||||
ec.addElement( t1 );
|
||||
|
||||
|
||||
return ec ;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Element getCredits() {
|
||||
|
||||
return new StringElement("This screen created by: Sherif Koussa");
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Category getDefaultCategory() {
|
||||
|
||||
return AJAX_SECURITY;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected Integer getDefaultRanking() {
|
||||
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List getHints() {
|
||||
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints.add( "This page is using XMLHTTP to comunicate with the server." );
|
||||
hints.add( "Try to find a way to inject the DOM to enable the Activate button." );
|
||||
hints.add( "Intercept the reply and add document.forms[0].SUBMIT.disabled = false;" );
|
||||
return hints;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getTitle() {
|
||||
// TODO Auto-generated method stub
|
||||
return "DOM Injection";
|
||||
}
|
||||
|
||||
}
|
||||
@ -77,6 +77,7 @@ public class HttpSplitting extends LessonAdapter {
|
||||
if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
|
||||
Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )
|
||||
{
|
||||
ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "test");
|
||||
makeSuccess( s );
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user