From f3b0ad0a3fb44b199be1b4d59b7470a6fa38b1f8 Mon Sep 17 00:00:00 2001
From: jaqqbek
Date: Sat, 1 Nov 2014 16:53:38 +0100
Subject: [PATCH] New Lesson ZipBomb
---
 .../org/owasp/webgoat/lessons/ZipBomb.java | 217 ++++++++++++++++++
 src/main/webapp/images/logos/sages.png | Bin 0 -> 6443 bytes
 2 files changed, 217 insertions(+)
 create mode 100644 src/main/java/org/owasp/webgoat/lessons/ZipBomb.java
 create mode 100644 src/main/webapp/images/logos/sages.png
diff --git a/src/main/java/org/owasp/webgoat/lessons/ZipBomb.java b/src/main/java/org/owasp/webgoat/lessons/ZipBomb.java
new file mode 100644
index 000000000..0d1ea5d66
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/lessons/ZipBomb.java
@@ -0,0 +1,217 @@
+package org.owasp.webgoat.lessons;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
+import java.util.zip.ZipFile;
+
+import org.apache.commons.fileupload.FileItem;
+import org.apache.commons.fileupload.disk.DiskFileItemFactory;
+import org.apache.commons.fileupload.servlet.ServletFileUpload;
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.html.A;
+import org.apache.ecs.html.Form;
+import org.apache.ecs.html.IMG;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+
+/*******************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ * + * For details, please see http://webgoat.github.io + * + * @author Jakub Koperwas of Sages + * @created October 31, 2014 + */ + +public class ZipBomb extends LessonAdapter { + public final static A SAGES_LOGO = new A().setHref( + "http://www.sages.com.pl").addElement( + new IMG("images/logos/sages.png").setAlt("Sages").setBorder(0) + .setHspace(0).setVspace(0).setStyle("width:180px; height:60px")); + + + protected Element createContent(WebSession s) { + + + ElementContainer ec = new ElementContainer(); + + + if ("success".equalsIgnoreCase((String)s.get(ZIP_DOS))){ + System.out.println("final success"); + makeSuccess(s); + } + try { + + ec.addElement(new P().addElement("Upload new File")); + + Input input = new Input(Input.FILE, "myfile", ""); + ec.addElement(input); + + Element b = ECSFactory.makeButton("Start Upload"); + ec.addElement(b); + + + + } catch (Exception e) { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + return ec; + } + + protected Category getDefaultCategory() { + return Category.DOS; + } + + + public List getHints(WebSession s) { + List hints = new ArrayList(); + + hints + .add("You can upload up to 2MB file at once,see what can you insert INTO the file"); + + return hints; + + } + + public String getInstructions(WebSession s) { + String instructions = ""; + + + instructions = "Server accepts only ZIP files, \n" + + "extracts them after uploading, does something with them and deletes," + + "\n it provides 20 MB temporal storage to handle all request \n" + + "try do perform DOS attack that consume all temporal storage with one request"; + + + return (instructions); + } + + private final static Integer DEFAULT_RANKING = new Integer(10); + private static final String ZIP_DOS = "ZIP_DOS"; + + protected Integer getDefaultRanking() { + return DEFAULT_RANKING; + } + + + + public String getTitle() { + return ("ZipBomb"); + } + + + public Element getCredits() { + return super.getCustomCredits("", 
SAGES_LOGO);
+ }
+
+ public void handleRequest(WebSession s) {
+ File tmpDir=(File)s.getRequest().getServletContext().getAttribute("javax.servlet.context.tempdir");
+
+ try {
+ if (ServletFileUpload.isMultipartContent(s.getRequest())) {
+
+ DiskFileItemFactory factory = new DiskFileItemFactory();
+ factory.setSizeThreshold(500000);
+
+ ServletFileUpload upload = new ServletFileUpload(factory);
+
+
+ List /* FileItem */items = upload.parseRequest(s.getRequest());
+
+
+ java.util.Iterator iter = items.iterator();
+ while (iter.hasNext()) {
+ FileItem item = (FileItem) iter.next();
+
+ if (!item.isFormField()) {
+
+ File uploadedFile= new File(tmpDir, item.getName());
+
+ if (item.getSize() < 2000 * 1024) {
+ if (item.getName().endsWith(".zip")) {
+ item.write(uploadedFile);
+
+ long total = unzippedSize(uploadedFile);
+ s.setMessage("File uploaded");
+ if (total > 20 * 1024 * 1024) {
+ s.add(ZIP_DOS, "success");
+ System.out.println("success");
+ makeMessages(s);
+ }else{
+ s.setMessage("I still have plenty of free storage on the server...");
+ }
+
+ } else {
+ s.setMessage("Only ZIP files are accepted");
+ }
+ } else {
+ s.setMessage("Only up to 2 MB files are accepted");
+ }
+ }
+ }
+
+ }
+ Form form = new Form(getFormAction(), Form.POST).setName("form")
+ .setEncType("multipart/form-data");
+
+ form.addElement(createContent(s));
+
+ setContent(form);
+
+ } catch (Exception e) {
+ e.printStackTrace(System.out);
+ }
+ }
+
+ private long unzippedSize(File uploadedFile) throws ZipException,
+ IOException {
+ ZipFile zf = new ZipFile(uploadedFile);
+
+ long total = 0;
+ Enumeration e = zf.entries();
+ while (e.hasMoreElements()) {
+ ZipEntry entry = (ZipEntry) e.nextElement();
+
+ total += entry.getSize();
+
+ }
+ return total;
+ }
+
+
+
+}
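Review bot: `new File(tmpDir, item.getName())` in handleRequest builds the destination path from the client-supplied multipart filename, so a name such as `../../x.zip` is written outside the servlet temp directory (the `.zip` suffix check does not prevent this); let the server pick the name, e.g. `File uploadedFile = File.createTempFile("upload-", ".zip", tmpDir);`. The 2 MB check on `item.getSize()` runs only after `upload.parseRequest` has already received and buffered the whole body (on disk above the 500000-byte threshold), so it bounds nothing; if the bundled commons-fileupload supports it, call `upload.setFileSizeMax(2000 * 1024);` before parsing. `unzippedSize` opens a `ZipFile` and never closes it, and the uploaded file is never deleted even though getInstructions tells the user the server deletes it; use `try (ZipFile zf = new ZipFile(uploadedFile)) { ... }` (or close in a `finally` block if the project still targets pre-7 Java) and remove `uploadedFile` once the total is known. Note also that `entry.getSize()` is the uncompressed size declared in the archive's central directory rather than a measured inflation, so the 20 MB detection trusts attacker-supplied metadata — acceptable for a lesson, but worth a comment stating that explicitly above the loop.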
diff --git a/src/main/webapp/images/logos/sages.png b/src/main/webapp/images/logos/sages.png new file mode 100644 index 0000000000000000000000000000000000000000..9cf751ba602ff4fa2f37d829525e4c8158331df3 GIT binary patch literal 6443 zcmaJ`Ra6vEw??|VQ@V5L?(S}BQM$WCgrRk)p+rh_5CM_y7^E4x5k_KQNQVZw{15j& z+=u_+?6cQi=d82V*=NW19iXwH77;!@J{lStk&d>yDH_@{)hFE>7yU_QGYiN(O?dv= zHbH1;H01vo&t86fc$H)1lyQ#agTSUN!yF3~i zZL5yDih1}7(!s~uZZX1xSL5IGynxwzeHAgzq2NEduk|{}j`|y20g~m=FCWlS(VO^p zos`;HZx)|FG!O&hnhENa1Q#A?i=CI^+p#~qzBmy4QY`(NfA-5ar@R9a4{C6@ivZ{+ zmu`a_WJ8VlqHuS3Cu&mR>U>6)1Xm^d*Feye%+y`LWYoqLLDCqZN@v$mZe&mG3jTvGm4%b$&2KhMZ?S~;dK*?a?e_0=hi~~hwH`srIYlL>oj`m z;cbFW&5P}AQ!%hU2S`s(5BYMEfnL6}u&~hMyVYz{yX*uWiB02FWXrSr?c&l|8>w9V ziArAwqxJr&d#T{4!?Pdj6%wz#X`! z*E0Eh&y5e7#FtRdycXu9eKMEWiZh4L%=fu7`DdlM6mIHol3gpiKcbuX24{9{PpVnWXFZ<&2(7Iviw z)(MF0PZLAM=m4}CLrWagIh{F4i@Sewt=JN!k-V+ctObP5>L+n{^lESQ^$i_?>VpN@ zvw($f&5|GIgR+Q&fJGm?(APH(uH@cMl^qLnDebuXsi1s)!`mUbh}Z8}((Oe&mzlX< zbd&cHLJ7VIJc}nOkSn@L5BZfcz#orKo-C+@p<$f^P45i{pJ=IA28V@=%ukU<<+H!H z7VubKb5d@>LC^BN$ba8E4E@ZdSd_c!eN|1QmJphK<0&1ueYL2|_xB_zvJott-@7+F zJaL%*28}`_#u7v~*vB3(Z7I;>5-p?;MP^T=fy6rGJaOlfTVtTl^fJ7UV292#Xo$^0OeOD(pa9+$M@3K z&U^Gs^o*1YmQjNSDo(t}CFXh`oWo>x8joEXrtLhbg}MldIrg!pceniY7@ZyY#eg0h9X9GjN(6eH@AedNvV&*Ot`m%Z9T>pO-nYhH!ZDR! 
z^{llRSSsUUo^`OZTSC4w{yv<1I{>rR-$pGPG48uPgoQo1fmtgQe%uOikA%kiRGX4J3-O!)UCo%WnAVP!`HZv%E(wzFjV!T&!z%6=uH>2`R zU5(upYSd*l#byqz)ETmQl5L?VDuc&js_4`oIYGlbj09Q;-M{OO~G3r%EH@Ps_CdI?l~BIt%?ocUekZeCtD)ge;!-j|@g7?cr33hbV*)>^Ak{ z^sPE>4y6x|r1^|qenp|#-BV`L_6=__D#(fS{)9`E z;E95?8Rb>QDEw_3lNgySCvx!ol%|2Db#>8EtulvUy2`ork_%K~0S5aO3)#z?V=@;d zMIBNp`#<8H-()?#@%Q9(=Wtk>%-J|)#nn)ml2YS`XK{Y#QCD|eY6+LFaI;P~#Y+>) z8I@Fx7-tvL_yNv=g2qMGnjuT36Al+_)-)1Dvhq0f-!}V$&-l~MWSC@QAB`)gGU9H3 zz)=-e2>_{dWZT(Ublc9~n^sLhmhj)M!&wY68;UHBv~ohc1gb8i5d$&}E93lb8*onA zDd8(0f?MWY|7Y7$aUy{UdZx-#EC{I%x&(K$)!Z=cq5j>suB2huiKw3s!jHFpsLKZW ztILakBTOoGVvdy!g_z~IFSo~GFFxJv?~j^2JRB7lnHm=r;90AT2TnhBfBW&{%NN-A zD4Gn+NpW*}N;nRocgGSJJ;u&-al!Bv0%4HWU{F0Dg4pI~*67)I>&?oWjS2 z*Kh8wxDl9%hj*`QJ|_c&$VVf>v?zW>|6TCe)_MveX9&&grMlz89gqUm=VnMz*=ao} z# zmf!uw{9$k!P2_b(!th{?g`F7@*W+T9uC@o8)oAy^20}&Wl_jp)m@G!|&%#1V%qQymC zqz+v4D3iZLT?9xofk6HXJW!ej75JErx|0Q9`x@VeJHYKRJERw5Tj6TF*Rk}y;Hwx> zBZeGMEQF3IFhqin-i|tRy-dr1<#^pCb_!3BFs3R4lI*f8{$P$hMhW6k=(dO-;oMYP zjB898$k8>jdbYT3u({?U2Pa3cLU?~AVSFOJ=Sk}?T3v}&JkM-D1>=-(Wc>7U(=a2# zT7l79uoA$QoQCI_i4XOwlLcWB7 z2C`Qiiu7F)2~m^Y!v*Jt&F{Ss3KUCK>Y9B{-O-$;Du7=|)L9j>M!!dDOaasKIP)2qatiJ(9(t{@7}5IiP`PCV z>QghmBq%^$JX6zE{d;(F28{#0FBw&nLI(T~!lRaGa7*Ot?E9Hnh!yLA4|}8~`m*-E z?PMy4HA=Fr(SjoX`{Kr0#kEjIvyE4+24XP5B|i|doC39H504CJ z->_|%{mR!iHorc(J;u5FLmtqe>5fYmR}=&8lt_TpD6$@1A`6Gr9k3L3Fw39uiK1%MMp? 
zs(;@yL#p?EEXB2Zp+80(+lfQX@U$*a)1wplrIxk6G?=_FIpp5nXq7+D@lqps&HfS< zpN!))OsUzZTWZ#(wv0G^>_E>ujae6^P6Y|2M0qQ8?L;*3j6(2&%u6v z2;yr2kFTZ0nvncaN#Adr3bs|N#-`sfKhSTF5Qh|p*}k_J^;58Kfw=;S*vtgU z{7Jp`D1Z0uuFBa0W;M-DrnZ&s&}CC8HO6Wzm13rZ_;~8tybV?>kI&5U=?!iFo<}>; z@@49l^5rwvjmKyr&I(WjBuC6X7H6Q?!IThUxn;M>*Otj|Eo|Xzh9RObbj1Skj8k(` zoblTh*3+(Z_vP_KW@6sZuosp^>hww?Q5W`FW>3jQ+yL+e-2ogUp~=`z9ZW+ZXmoMq zC3cP}V)gH{lAJFB%g~ajrre4|RO0@r88ssVbMc#tK4fyhN?-ic@=cdE?SET9jTyir zcjJp8^OU{NtcrC<6icpmbogBcON@zr$?sQ-S&a$-zuA}}cK+pUM4S`(6qQdnU4GDofnbioc|At$p zoqvI2_=W!obtH37oa`-Ej1Z%q>t7Q(!hTMHR5EU*v*(*^@iXe<^zcz*iI7$^#1WS@MtnKP-zhJ z3XcAFvsc$y)CDCzNbb2~>WWEUq-hD!1*3(o0?!Qr%`Po1%uSV6R{e5Qu^*iD>t0xy z>HEBMmD;#Hq0JFF5lrckx!%b*yykEcr*@rvjZn4_|E*WZF^NRh#_qEZo4Rx?_xFtp zh!?k(_-F2kU@!_|ep^HZo zm5C0YC9;|TW6f<$SytnpAjYG!KTW4Q!p*nV;qSpeUu}FKB4PjMbIJ??7dfK{*)evc zldY>J(2R3uCMm}ohge-YG_mXH^7ZC=@9rJ>x2q8SIrEs`Tj4Q~XTyVge}_Dy+Cwo% z`@0*>wiTUL!ebGWz!4)OjcxLv={H?n-N{w!6a%vs6dkPb z%jTH|-m3Ed`f7^0JQdN?<;)*Pg@2CPgU-$d)Uz-uf1E5~q0t^S(Km*D7ow-gZN-`( z7U9bo_{OwJ2&%|+<3 zw@N|Rra!W^81oF}Emz>}${#Nz$H`?qG>GeO-MX~*eN zAU#+RAxz+kF03}LZj|#i&5jU?=lcoLc8+)gBVgU?IxaH;y|AUJVCsasu*oH%unsM+ zxdq!`#`%Ta3N5kyQZmYsNhjll2(emKf!*S3tcR5@ut!j7nuTRA4Uo#h&Loy4ea6Sy z`U^jvZ^n`4Qu}kj?wiAe2#RS_u@L{|mI791t|EQmbc?7{V0JGK&f`rCTeYDj&39g)?giZgkg>cl0jz8yj3R<3;E&9xTQ-aa_feMnzWRVm={wm*#oCt2ZMZM&-NWWO5XkH+N}l1*z2*p2pj#SbF(MdugS@i1VJlR;^RlaOVdG zMt@X$&V0&Hd}%&XJ_X~_n2DH49B+@Y#t0=#c!7K( zjMJBcgHq@WhP4}k?WKBW8S1ySdg4OkvrDhz$3@_6GsmMP9rr(RsD>rwf|})*@iBMB z2>UYo;D>VhvxyF*!f5D8nNtnn`-iv{8w6vSHm)Q2+pI1t2urZKF zhj82De!R$~J~aMMla2v~yfyC15!?{mF#}qyQf`$-(O z+5x`~rW9e~xn;%C?q+X%Rs(>xsRv@bOS+1>TO*zC!~t5a(dE2JS{?gd!Wd@^)}M+f z^s&_bGQyEwVpF7eeE!wNSk?Pu{pXIcT|UR(A`t1Mld55W^40*VT<_M`uS?-3@-0}v z*sJ8`cUte^CfO1saD)Xc^|Vwaxj( z-mQuSN+(NOY(DJe=}_pRe=0^)4PRq@b&-TxH*`+Y*H~B4sS2i^f_8K zBA;|SAHQcKpcLJt#4PuZLFYY$c>vSm*Gg1`-9R$P@l*XJ`A{fJ`er4Ju^WxK>fplUHdK*hpbEk~6sNO$(O% 
zc(RMEEr}9O?=7%t7$dYM`Swk4I@Lc56k4_NPUrdw%oo|&oj-lDQLk0{(85*_OvR;rt)LzOAN>ThO;kElo}Yx@uAqWiG8=hDUe)%jI^~-EDKNV)p4H&D$+0Oj~fD9}gee)YPcV#c^&Za!k*tU;8 zUSB)yGR~p`;ff`a2Tr-#tYPiW&7{A8d8TWS>a6u~y$hl)3y}N>`;5@H5o{=RMiv4F zUfOMYQsd)0o)yY^7Y?2O5>dn6w9^L_d*C2P}oRYta#4`tOh91Gz)}VRgh%_@npc<5?rwn5(iCG+MOW5PGXUi z{nrg0i?t9U=Bzaosz5a+CwLhLP{}5yq$*3x%{&5q&)wr<6sj2N&IBJp7tC06ylwaL zFl73$kd`Lh4|%Wanq+}qaQyvYPb(*k`FNczphB;YaP2iNWur=#l1(-lPI;MUtrOlQ zthsFY!UK!D%$6uYmH4Rx(_n3hGB4pP{=ee?l>cV3o-npzrwj~` z07nAsWs@frdlnl;&Zsh|Eaj;4j*ZU)mqE8`Ds=Ps_^D4P{6FzuP1Nv5ELt>TJLAG0 U5)YlHj}9~)4MX)hRi`)q1L%ExjQ{`u literal 0 HcmV?d00001