Added hints for Reflected XSS assignment.

Benedikt - Desktop 2018-11-18 12:41:47 +01:00 committed by Nanne Baars
parent 3a7601d348
commit 46f92dad3b
2 changed files with 8 additions and 2 deletions


@ -2,6 +2,7 @@
package org.owasp.webgoat.plugin; package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData; import org.owasp.webgoat.session.UserSessionData;
@ -47,6 +48,7 @@ import java.io.IOException;
* @created October 28, 2003 * @created October 28, 2003
*/ */
@AssignmentPath("/CrossSiteScripting/attack5a") @AssignmentPath("/CrossSiteScripting/attack5a")
@AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
@Autowired @Autowired


@ -2,8 +2,12 @@
xss.title=Cross Site Scripting xss.title=Cross Site Scripting
xss-stored.title=Cross Site Scripting (stored) xss-stored.title=Cross Site Scripting (stored)
xss-mitigation.title=Cross Site Scripting (mitigation) xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success=well done, but alerts aren't very impressive are they? Please continue. xss-reflected-5a-success=Well done, but alerts aren't very impressive are they? Please continue.
xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy) xss-reflected-5a-failure=Try again. We do want to see this specific javascript (in case you are trying to do something more fancy).
xss-reflected-5a-hint-1=Think about how the inputs are presumably processed by the application.
xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values. Not the best option for inputting text right?
xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
xss-reflected-5a-hint-4=Just try purchasing something. You want your script to be included in the purchase-confirmation.
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul> xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
xss-reflected-5b-failure=Nope, pretty easy to guess now though. xss-reflected-5b-failure=Nope, pretty easy to guess now though.
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment. xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
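Review bot: The added `xss-reflected-5a-hint-3` text has a grammar slip ("send" should be "sent"), which makes the hint harder to parse for learners; I would change it to `xss-reflected-5a-hint-3=What information sent to the application gets reflected back after being submitted?`. In the reworded failure message on the same hunk, "javascript" would read better as "JavaScript". If localized copies of this bundle exist (none are visible on this page), they presumably need the same four `xss-reflected-5a-hint-*` keys so the hints referenced by `@AssignmentHints` on CrossSiteScriptingLesson5a resolve in every locale.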