Xstream RCE works now
@ -131,6 +131,12 @@
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
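Review bot: the added lesson-page-wrapper block (from `<div class="lesson-page-wrapper">` down to the attack-form comment) copies the template's scaffolding comments verbatim, so the file now carries the "include content here ... src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc" comment twice plus a second copy of the attack-form comment. Drop the copied comments and keep only the `<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>` include and the attack container; the comments describe the template, not this lesson.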
@ -142,9 +148,14 @@
enctype="application/json;charset=UTF-8">
<div id="lessonContent">
<form accept-charset="UNKNOWN" method="POST" name="form"
action="#attack/307/100" enctype="">
Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
name="SUBMIT" value="Go!" type="SUBMIT"/>
action="#attack/307/100" enctype="">
<table>
<tr>
<td>Enter the contact's xml representation:</td>
<td><textarea name="payload" value="" type="TEXT" rows="15" cols="60"/></td>
<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td>
</tr>
</table>
</form>
</div>
</form>
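Review bot: the payload field in the new table is mis-formed. `<textarea name="payload" value="" type="TEXT" rows="15" cols="60"/>` uses `value` and `type`, which textarea does not support, and is written self-closing; browsers treat everything after a textarea start tag as raw text until an explicit `</textarea>`, so the following `<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td>` and the closing table and form markup are swallowed into the text area and the Go! button never renders. Write it as `<textarea name="payload" rows="15" cols="60"></textarea>`. Two smaller points on the same form: `accept-charset="UNKNOWN"` and `enctype=""` are not meaningful values and can be dropped, and the hunk ends with `</form>`, `</div>`, `</form>`, which looks like a form nested inside the outer form carrying `enctype="application/json;charset=UTF-8"`; nested forms are not valid HTML and the inner start tag is ignored by the parser, so confirm that only one form element remains after the change.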
@ -4,18 +4,17 @@
* Is it old or is it stable
* Was my lack of upgrade a deliberate choice or a lack of knowledge
=== What is architectural risk?
* Is my component out of date
* Is the project I'm using no longer active
* Is my component unpopular
=== Summary
=== Summary?
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
* It's really difficult to keep components up to dat
For the components analyzed in 25,000 applications it was found that:
* 8% of 2 year old components did not have a newer version
* 23% of 11 year old components did not have a newer version
image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
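Review bot: this hunk leaves editing residue in the asciidoc: "=== Summary" and "=== Summary?" stand back to back as two headings (keep one, without the question mark), the `image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[...]` macro appears twice in the same section (one copy is presumably the old placement), and the bullet "It's really difficult to keep components up to dat" is missing the final "e". The statistics block ("For the components analyzed in 25,000 applications it was found that: 8% of 2 year old components ... 23% of 11 year old components ...") cites no source; add a Ref: link as the neighbouring sections do so readers can check the figures.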
@ -6,8 +6,8 @@ In November of 2015, the Apache Commons Collections component latest release was
Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]
=== Dinis Cruz exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog]
=== Dinis Cruz and pwntester exploit of XStream
XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]
Let's see if you can figure out how to exploit this in WebGoat.
You may want to read the article(s) before trying this lesson. Let's see if you can figure out how to exploit this in WebGoat.
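Review bot: in the rewritten paragraph under "=== Dinis Cruz and pwntester exploit of XStream", the two link macros `...[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]` are separated only by a space, so they render as two adjacent links with no punctuation between them; put a comma or "and" between the two references. The previous heading and sentence ("=== Dinis Cruz exploit of XStream" and the version without the pwntester link) still appear directly above the new ones in this hunk, so double-check that they are the removed side of the diff and not left behind in the file.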
@ -0,0 +1,14 @@
== Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
WebGoat Sends an XML document to add contacts to a contacts database.
[source,xml]
----
<contact>
<id>1</id>
<firstName>Bruce</firstName>
<lastName>Mayhew</lastName>
<email>webgoat@owasp.org</email>
</contact>
----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml).
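Review bot: two wording slips in the new VulnerableComponents_content5a.adoc: "WebGoat Sends an XML document" has a stray capital on "Sends", and "WebGoat will convert it a Contact object using XStream.fromXML(xml)" is missing "to" ("convert it to a Contact object"). The sample `<contact>` document matches the form prompt "Enter the contact's xml representation", which is helpful; write "XML" in upper case in both the lesson text and the prompt for consistency with the heading.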
@ -1,3 +1,6 @@
vulnerable-components.title=Vulnerable Components
EnterYourName=Enter your Name
Go!=Go!
vulnerable-components.close=Trying to deserialize null object.
vulnerable-components.success=If you are not seeing the application you started; it may be minimized
vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution.
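Review bot: the new message keys do not follow the `vulnerable-components.` prefix used by the existing entries: `EnterYourName` and `Go!` have no prefix, and `vulnerable-components.close` holds "Trying to deserialize null object.", which describes a missing payload rather than anything about closing. Rename that key to something descriptive such as `vulnerable-components.null-payload` (a suggestion, not an existing key) and prefix the other two so the property file stays consistent with `vulnerable-components.title`, `.success` and `.fromXML`.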