dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

assignment now has working feedback

Browse Source
This commit is contained in:
PhilippeSteinbach 2018-12-07 12:04:36 +01:00 committed by Nanne Baars
parent 66821df6f0
commit 387a0e8e7d
4 changed files with 86 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
View File

@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException;
import javax.tools.*; import javax.tools.*;
import java.io.IOException; import java.io.IOException;
@ -30,12 +30,11 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String editor) { public AttackResult completed(@RequestParam String editor) {
//https://github.com/OWASP/owasp-java-encoder String unescapedString = org.jsoup.parser.Parser.unescapeEntities(editor, true);
//maybe better idea for assignment try {
//<e:forHtml value="${param.title}" /> if (editor.isEmpty()) return trackProgress(failed().feedback("xss-mitigation-3-no-code").build());
Document doc = Jsoup.parse(unescapedString);
Document doc = Jsoup.parse(editor); String[] lines = unescapedString.split("<html>");
String[] lines = editor.split(System.getProperty("line.separator"));
String include = (lines[0]); String include = (lines[0]);
String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text(); String first_name_element = doc.select("body > table > tbody > tr:nth-child(1) > td:nth-child(2)").first().text();
@ -44,6 +43,7 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
Boolean includeCorrect = false; Boolean includeCorrect = false;
Boolean firstNameCorrect = false; Boolean firstNameCorrect = false;
Boolean lastNameCorrect = false; Boolean lastNameCorrect = false;
if (include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")) { if (include.contains("<%@") && include.contains("taglib") && include.contains("uri=\"https://www.owasp.org/index.php/OWASP_Java_Encoder_Project\"") && include.contains("%>")) {
includeCorrect = true; includeCorrect = true;
} }
@ -58,9 +58,10 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
System.out.println("true"); System.out.println("true");
return trackProgress(success().feedback("xss-mitigation-3-success").build()); return trackProgress(success().feedback("xss-mitigation-3-success").build());
} else { } else {
System.out.println("false");
System.out.println(first_name_element + "\n" + last_name_element);
return trackProgress(failed().feedback("xss-mitigation-3-failure").build()); return trackProgress(failed().feedback("xss-mitigation-3-failure").build());
} }
}catch(Exception e) {
return trackProgress(failed().output(e.getMessage()).build());
}
} }
} }

47
webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
View File

@ -16,55 +16,26 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8b.adoc"></div> <div class="adoc-content" th:replace="doc:CrossSiteScripting_content8b.adoc"></div>
<div class="attack-container" style="height: 300px; border: none !important"> <div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <form id="codesubmit" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
<div> <div>
<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div> <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor"></div>
<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script> <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
<script th:src="@{/lesson_js/assignment3.js}" type="text/javascript" charset="utf-8"></script> <script th:src="@{/lesson_js/assignment3.js}" type="text/javascript" charset="utf-8"></script>
<script>
var editor = ace.edit("editor");
editor.setTheme("ace/theme/monokai");
editor.session.setMode("ace/mode/html");
editor.setValue("<html>\n" +
"\n" +
"<head>\n" +
" <title>Using GET and POST Method to Read Form Data</title>\n" +
"</head>\n" +
"\n" +
"<body>\n" +
" <h1>Using POST Method to Read Form Data</h1>\n" +
" <table>\n" +
" <tbody>\n" +
" <tr>\n" +
" <td><b>First Name:</b></td>\n" +
" <td>YOUR CODE HERE</td>\n" +
" </tr>\n" +
" <tr>\n" +
" <td><b>Last Name:</b></td>\n" +
" <td>YOUR CODE HERE</td>\n" +
" </tr>\n" +
" </tbody>\n" +
" </table>\n" +
"</body>\n" +
"\n" +
"</html>\n" +
"\n" +
"\n");
</script>
</div> </div>
<div class="input-group" style="margin-top: 10px"> <input type="hidden" name="editor"/>
<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button> <div class="input-group" style="position: absolute; top: 365px;">
<button class="btn btn-primary" type="submit">Submit</button>
</div> </div>
</form> </form>
<div class="attack-feedback"></div> <br />
<div class="attack-feedback" style="margin-top: 50px;"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
</div> </div>
</div>
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div> <div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
</div> </div>
</div>
</html> </html>

1
webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -36,3 +36,4 @@ xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
xss-mitigation-3-hint4=Don't forget to reference the taglibs and choose "e" as prefix. xss-mitigation-3-hint4=Don't forget to reference the taglibs and choose "e" as prefix.
xss-mitigation-3-success=You have completed this lesson. Congratulations! xss-mitigation-3-success=You have completed this lesson. Congratulations!
xss-mitigation-3-failure=This in not the correct answer. Try again! xss-mitigation-3-failure=This in not the correct answer. Try again!
xss-mitigation-3-no-code=You didn't change anything.

54
webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js
View File

@ -1,12 +1,50 @@
$(document).ready( () => {
var editor = ace.edit("editor");
editor.setTheme("ace/theme/monokai");
editor.session.setMode("ace/mode/html");
editor.getSession().on("change", () => {
setTimeout( () => {
$("#codesubmit input[name='editor']").val(ace_collect());
}, 20);
});
editor.setValue("<html>\n" +
"<head>\n" +
" <title>Using GET and POST Method to Read Form Data</title>\n" +
"</head>\n" +
"<body>\n" +
" <h1>Using POST Method to Read Form Data</h1>\n" +
" <table>\n" +
" <tbody>\n" +
" <tr>\n" +
" <td><b>First Name:</b></td>\n" +
" <td>YOUR CODE HERE</td>\n" +
" </tr>\n" +
" <tr>\n" +
" <td><b>Last Name:</b></td>\n" +
" <td>YOUR CODE HERE</td>\n" +
" </tr>\n" +
" </tbody>\n" +
" </table>\n" +
"</body>\n" +
"</html>\n" +
"\n" +
"\n");
});
function ace_collect() { function ace_collect() {
let code = ""; let code = "";
code = editor.getSession().getValue();
$.ajax({ $(".ace_xml").each(function(i, el) {
type: "POST", var to_add = el.innerHTML;
url: "/WebGoat/CrossSiteScripting/attack3", code += to_add;
dataType: "text",
data: {
editor: code
}
}); });
console.log("+ "+editor.toString());
console.log("code: "+code);
return code;
} }