Reworked some XSS assignments

This commit is contained in:
Max Geldner 2018-11-18 14:34:37 +01:00 committed by Nanne Baars
parent 990bf079d3
commit 2ee3b22207
6 changed files with 21 additions and 15 deletions


@ -29,7 +29,7 @@
"1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.",
"2": "The systems security is compromised even if only one goal is harmed.",
"3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.",
"4": "It shouldn't be possible for an attacker to change data or make it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
"4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed."
}
}]
}


@ -58,9 +58,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
@RequestParam Integer QTY2, @RequestParam Integer QTY3,
@RequestParam Integer QTY4, @RequestParam String field1,
@RequestParam Integer field2, HttpServletRequest request)
@RequestParam String field2, HttpServletRequest request)
throws IOException {
if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
}
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
@ -75,13 +79,14 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
userSessionData.setValue("xss-reflected1-complete",(Object)"false");
}
if (field1.toLowerCase().contains("<script>alert('my javascript here')</script>")) {
if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
//return trackProgress()
userSessionData.setValue("xss-reflected-5a-complete","true");
return trackProgress(success()
.feedback("xss-reflected-5a-success")
.output(cart.toString())
.build());
if(field1.toLowerCase().contains("console.log")) {
return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
} else {
return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
}
} else {
userSessionData.setValue("xss-reflected1-complete","false");
return trackProgress(success()
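Review bot: The script-detection regex is written twice in this file, once for `field2` in the first hunk and once for `field1` in the second, and `String.matches` recompiles it on every request while the preceding `toLowerCase()` is locale-dependent. Hoist it into one class constant compiled once, `private static final Pattern XSS_PROBE = Pattern.compile("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))</script>", Pattern.CASE_INSENSITIVE);`, and replace the two checks with `if (XSS_PROBE.matcher(field2).matches())` and `if (XSS_PROBE.matcher(field1).matches())`; the constant would sit outside both hunks. The `field1.toLowerCase().contains("console.log")` branch should then either drop the lowercasing or pass `Locale.ROOT`, and `if(field1` wants a space after `if` to match the surrounding style. The `completed` method starts before the first hunk and its else branch continues past the second.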


@ -55,7 +55,7 @@ public class CrossSiteScriptingLesson6a extends AssignmentEndpoint {
public @ResponseBody
AttackResult completed(@RequestParam String DOMTestRoute) throws IOException {
if (DOMTestRoute.equals("start.mvc#test/")) {
if (DOMTestRoute.matches("start\\.mvc#test(\\/|)")) {
//return trackProgress()
return trackProgress(success().feedback("xss-reflected-6a-success").build());
} else {
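Review bot: The `(\\/|)` group in the new `DOMTestRoute.matches(...)` line is an unusual way to spell an optional trailing slash; `DOMTestRoute.matches("start\\.mvc#test/?")` accepts the same two inputs without the empty alternative. As in the sibling 5a lesson, `String.matches` compiles the pattern on each call, so a `private static final Pattern` constant would be the conventional form. The `else` branch of `completed` continues outside the hunk.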


@ -99,28 +99,28 @@
Cherry</td>
<td align="right">69.99</td>
<td align="right"><input size="6" value="1" name="QTY1"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
<tr>
<td>Dynex - Traditional Notebook Case</td>
<td align="right">27.99</td>
<td align="right"><input size="6" value="1" name="QTY2"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
<tr>
<td>Hewlett-Packard - Pavilion Notebook with Intel Centrino</td>
<td align="right">1599.99</td>
<td align="right"><input size="6" value="1" name="QTY3"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
<tr>
<td>3 - Year Performance Service Plan $1000 and Over</td>
<td align="right">299.99</td>
<td align="right"><input size="6" value="1" name="QTY4"
type="TEXT" /></td>
type="NUMBER" /></td>
<td>$0.00</td>
</tr>
</tbody>
@ -152,7 +152,6 @@
</tr>
</tbody>
</table>
<br />
<hr width="90%"/>
</form>
</div>
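Review bot: The new `type="NUMBER"` on the four QTY inputs in the first hunk is conventionally written lowercase, and `size="6"` is not honored by number controls per the HTML spec, so each of those lines could become `<input value="1" name="QTY1" type="number" />` (and likewise for QTY2–QTY4). The client-side type is only a hint for the browser; the server-side `@RequestParam Integer QTY1` binding in CrossSiteScriptingLesson5a remains the actual check, which is what the lesson's hint text points at.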


@ -2,7 +2,9 @@
xss.title=Cross Site Scripting
xss-stored.title=Cross Site Scripting (stored)
xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success=Well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-success-alert=Well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-success-console=Well done, but console logs aren't very impressive are they? Please continue.
xss-reflected-5a-failed-wrong-field=Seems like you tried to compromise our shop with an reflected XSS attack.<br/> We do our... "best"... to prevent such attacks. Try again!
xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?


@ -5,4 +5,4 @@ Identify which field is susceptible to XSS
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is used in an HTTP response.
In a reflected XSS attack, an attacker can craft a URL with the attack script and post it to another website, email it, or otherwise get a victim to click on it.
Make sure to include in your attack payload "<script>alert('my javascript here')</script>".
An easy way to find out if a field is vulnerable to an XSS attack is to use the _alert()_ or _console.log()_ methods. Use one of them to find out which field is vulnerable.