Xstream RCE works now

This commit is contained in:
mayhew64
2017-02-07 23:51:05 -05:00
parent 65d728dfff
commit 33e807797c
10 changed files with 161 additions and 40 deletions

View File

@ -131,6 +131,12 @@
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
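Review bot: the new `lesson-page-wrapper` for `VulnerableComponents_content5a.adoc` repeats both scaffold comments ("reuse this lesson-page-wrapper block ..." and "include content here, or can be placed in another location ...") verbatim from the wrapper directly above it; drop the duplicated comments so the template stays readable, and keep only the `th:replace` line and the `attack-container` that actually differ.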
@ -142,9 +148,14 @@
enctype="application/json;charset=UTF-8">
<div id="lessonContent">
<form accept-charset="UNKNOWN" method="POST" name="form"
action="#attack/307/100" enctype="">
Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
name="SUBMIT" value="Go!" type="SUBMIT"/>
action="#attack/307/100" enctype="">
<table>
<tr>
<td>Enter the contact's xml representation:</td>
<td><textarea name="payload" value="" type="TEXT" rows="15" cols="60"/></td>
<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td>
</tr>
</table>
</form>
</div>
</form>
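Review bot: `<textarea name="payload" value="" type="TEXT" rows="15" cols="60"/>` is not valid HTML: `textarea` is not a void element, so a self-closing tag is parsed by browsers as an open tag and the following `<td>` cells end up inside it, and `value` and `type` are `input` attributes that a `textarea` ignores (its content is its value). Suggest `<textarea name="payload" rows="15" cols="60"></textarea>`. Separately, this inner `<form accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100" enctype="">` sits inside the outer form that is closed by the `</form>` at the end of the hunk; nested forms are not allowed in HTML, and the inner `Go!` submit will not go through the `attack-form` ajax handling described in the comment above it. Either reuse the outer form's fields or close the outer form before opening this one.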

View File

@ -4,18 +4,17 @@
* Is it old or is it stable
* Was my lack of upgrade a deliberate choice or a lack of knowledge
=== What is architectural risk?
* Is my component out of date
* Is the project I'm using no longer active
* Is my component unpopular
=== Summary
=== Summary?
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
* It's really difficult to keep components up to dat
For the components analyzed in 25,000 applications it was found that:
* 8% of 2 year old components did not have a newer version
* 23% of 11 year old components did not have a newer version
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
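Review bot: the heading change from `=== Summary` to `=== Summary?` looks like an accidental keystroke rather than an intended rename; and the bullet `* It's really difficult to keep components up to dat` is missing the final "e" ("up to date"). Both are in the asciidoc that renders to the student, so fix them in this commit.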

View File

@ -6,8 +6,8 @@ In November of 2015, the Apache Commons Collections component latest release was
Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]
=== Dinis Cruz exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog]
=== Dinis Cruz and pwntester exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]
Let's see if you can figure out how to exploit this in WebGoat.
You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat.
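Review bot: in the new Ref line the two links are concatenated with no separator, `...[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]`, which renders as two adjacent links with no punctuation; join them with "and" (or a comma) so the sentence reads. The heading `=== Dinis Cruz and pwntester exploit of XStream` now credits two sources, which matches the added link, so that part is fine.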

View File

@ -0,0 +1,14 @@
== Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
WebGoat Sends an XML document to add contacts to a contacts database.
[source,xml]
----
<contact>
<id>1</id>
<firstName>Bruce</firstName>
<lastName>Mayhew</lastName>
<email>webgoat@owasp.org</email>
</contact>
----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml).
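Review bot: the new lesson text has a few wording problems: `WebGoat Sends an XML document` should be lower-case "sends", `convert it a Contact object` is missing "to" ("convert it to a Contact object"), and `enter the xml directly` should be "XML" to match the rest of the page. It would also help to state which XStream version this lesson bundles, since CVE-2013-7285 applies only to particular versions and the text as written says only that the payload is parsed with `XStream.fromXML(xml)`.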

View File

@ -1,3 +1,6 @@
vulnerable-components.title=Vulnerable Components
EnterYourName=Enter your Name
Go!=Go!
vulnerable-components.close=Trying to deserialize null object.
vulnerable-components.success=If you are not seeing the application you started; it may be minimized
vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution.
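Review bot: `vulnerable-components.success=If you are not seeing the application you started; it may be minimized` uses a semicolon where a comma belongs ("... the application you started, it may be minimized"); this string is shown to the student, so fix it here. The `.close` message `Trying to deserialize null object.` reads as a developer log line rather than user feedback; consider a wording that tells the student what to do (for example, that an empty payload was submitted).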