Reworked some XSS assignments

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java

@@ -58,9 +58,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 	public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
 												@RequestParam Integer QTY2, @RequestParam Integer QTY3,
 												@RequestParam Integer QTY4, @RequestParam String field1,
-												@RequestParam Integer field2, HttpServletRequest request)
+												@RequestParam String field2, HttpServletRequest request)
 			throws IOException {
 
+		if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
+			return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
+		}
+
 		double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
 
 		userSessionData.setValue("xss-reflected1-complete",(Object)"false");
@@ -75,13 +79,14 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
 			userSessionData.setValue("xss-reflected1-complete",(Object)"false");
 		}
 
-		if (field1.toLowerCase().contains("<script>alert('my javascript here')</script>")) {
+		if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
 			//return trackProgress()
 			userSessionData.setValue("xss-reflected-5a-complete","true");
-			return trackProgress(success()
-					.feedback("xss-reflected-5a-success")
-					.output(cart.toString())
-					.build());
+			if(field1.toLowerCase().contains("console.log")) {
+				return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
+			} else {
+				return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
+			}
 		} else {
 			userSessionData.setValue("xss-reflected1-complete","false");
 			return trackProgress(success()

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson6a.java

@@ -55,7 +55,7 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
     public @ResponseBody
     AttackResult completed(@RequestParam String DOMTestRoute)  throws IOException {
 
-        if (DOMTestRoute.equals("start.mvc#test/")) {
+        if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
             //return trackProgress()
             return trackProgress(success().feedback("xss-reflected-6a-success").build());
         } else {

webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html

@@ -99,28 +99,28 @@
 							Cherry</td>
 						<td align="right">69.99</td>
 						<td align="right"><input size="6" value="1" name="QTY1"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					<tr>
 						<td>Dynex - Traditional Notebook Case</td>
 						<td align="right">27.99</td>
 						<td align="right"><input size="6" value="1" name="QTY2"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					<tr>
 						<td>Hewlett-Packard - Pavilion Notebook with Intel Centrino</td>
 						<td align="right">1599.99</td>
 						<td align="right"><input size="6" value="1" name="QTY3"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					<tr>
 						<td>3 - Year Performance Service Plan $1000 and Over</td>
 						<td align="right">299.99</td>
 						<td align="right"><input size="6" value="1" name="QTY4"
-												 type="TEXT" /></td>
+												 type="NUMBER" /></td>
 						<td>$0.00</td>
 					</tr>
 					</tbody>
@@ -152,7 +152,6 @@
 					</tr>
 					</tbody>
 				</table>
-				<br />
 				<hr width="90%"/>
 			</form>
 		</div>

webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties

@@ -2,7 +2,9 @@
 xss.title=Cross Site Scripting
 xss-stored.title=Cross Site Scripting (stored)
 xss-mitigation.title=Cross Site Scripting (mitigation)
-xss-reflected-5a-success=Well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-success-alert=Well done, but alerts aren't very impressive are they? Please continue.
+xss-reflected-5a-success-console=Well done, but console logs aren't very impressive are they? Please continue.
+xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
 xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
 xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
 xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5a.adoc

@@ -5,4 +5,4 @@ Identify which field is susceptible to XSS
 It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
 In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
 
-Make sure to include in your attack payload "<script>alert('my javascript here')</script>".
+An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.