Reworked some XSS assignments

Max Geldner
2018-11-18 14:34:37 +01:00
committed by Nanne Baars
parent 990bf079d3
commit 2ee3b22207
6 changed files with 21 additions and 15 deletions


@ -99,28 +99,28 @@
Cherry</td>
<td align="right">69.99</td>
<td align="right"><input size="6" value="1" name="QTY1"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
<tr>
<td>Dynex - Traditional Notebook Case</td>
<td align="right">27.99</td>
<td align="right"><input size="6" value="1" name="QTY2"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
<tr>
<td>Hewlett-Packard - Pavilion Notebook with Intel Centrino</td>
<td align="right">1599.99</td>
<td align="right"><input size="6" value="1" name="QTY3"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
<tr>
<td>3 - Year Performance Service Plan $1000 and Over</td>
<td align="right">299.99</td>
<td align="right"><input size="6" value="1" name="QTY4"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
</tbody>
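Review bot: changing the four quantity inputs (QTY1 to QTY4) from type="TEXT" to type="NUMBER" only alters the browser widget; the submitted value still arrives at the server as an arbitrary string, so this is not a mitigation on its own and the lesson's own guidance ("validate all input on the server side") still has to be implemented in the handler that parses these fields. If the change is meant only to nudge learners away from these fields, a short comment in the template saying so would avoid it being read as the fix.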
@ -152,7 +152,6 @@
</tr>
</tbody>
</table>
<br />
<hr width="90%"/>
</form>
</div>


@ -2,7 +2,9 @@
xss.title=Cross Site Scripting
xss-stored.title=Cross Site Scripting (stored)
xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success=Well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-success-alert=Well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-success-console=Well done, but console logs aren't very impressive are they? Please continue.
xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
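Review bot: xss-reflected-5a-failed-wrong-field reads "an reflected XSS attack", which should be "a reflected XSS attack"; in the same hunk, xss-reflected-5a-hint-2 wants a comma before "right" ("inputting text, right?"), and "javascript" in xss-reflected-5a-failure is normally written "JavaScript". The new -alert and -console success keys repeat the wording of the unsuffixed xss-reflected-5a-success key; if that key is still referenced anywhere, the three texts need to be kept in sync, otherwise it can go.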


@ -5,4 +5,4 @@ Identify which field is susceptible to XSS
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
Make sure to include in your attack payload "<script>alert('my javascript here')</script>".
An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.
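Review bot: "Use one of them to find out which field is vulnerable" leaves open what the lesson actually checks, while xss-reflected-5a-failure ("We do want to see this specific javascript") tells the learner a specific payload is still expected; either state the accepted payload shapes here (an alert() or a console.log() call, matching the two new success messages) or relax that failure message so the two files do not contradict each other.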