- Contains the XMLInjection lesson.

- New files added:
  XMLInjection.html, XMLInjection.java and XMLInjection/EmployeesData.xml

git-svn-id: http://webgoat.googlecode.com/svn/trunk@33 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LogSpoofing.java

@@ -111,7 +111,7 @@ public class LogSpoofing extends LessonAdapter {
 
 	@Override
 	public String getTitle() {
-		return "Log Spoofing";
+		return "How to Perform Log Spoofing";
 	}
 
 	@Override

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java

@@ -0,0 +1,201 @@
+/**
+ * 
+ */
+package org.owasp.webgoat.lessons;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.io.IOException;
+import java.io.FileInputStream;
+import org.xml.sax.InputSource;
+import org.w3c.dom.NodeList;
+import org.w3c.dom.Node;
+
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPathExpressionException;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.TH;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.BR;
+import org.apache.ecs.html.B;
+import org.apache.ecs.html.PRE;
+import org.apache.ecs.HtmlColor;
+
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.ECSFactory;
+
+/**
+ * @author sherif
+ *
+ */
+public class XMLInjection extends LessonAdapter {
+
+	private final static Integer DEFAULT_RANKING = new Integer(74);
+	private final static String USERNAME = "Username";
+	private final static String PASSWORD = "Password";
+
+	protected Element createContent(WebSession s) {
+
+		NodeList nodes = null;
+		ElementContainer ec = new ElementContainer();
+		
+		try{
+			ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat employee intranet")));
+			ec.addElement( new BR());
+			Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
+			
+			TR tr = new TR();
+			tr.addElement( new TH().addElement("Please input your username and password to view your profile.").setColSpan(2).setAlign("left"));
+			t1.addElement(tr);
+			
+			tr = new TR();
+			tr.addElement( new TD().addElement("*Required Fields").setWidth("30%").setColSpan(2).setAlign("left"));
+			t1.addElement(tr);
+			
+			tr = new TR();
+			tr.addElement( new TD().addElement("&nbsp").setWidth("30%").setColSpan(2).setAlign("left"));
+			t1.addElement(tr);
+
+			tr = new TR();
+			tr.addElement( new TD( new B( new StringElement( "*User Name: " ) ) ));		
+			
+			Input input1 = new Input( Input.TEXT, USERNAME, "" );
+			tr.addElement( new TD( input1 ) );
+			t1.addElement( tr );
+
+			tr = new TR();
+			tr.addElement( new TD( new B( new StringElement( "*Password: " ) ) ));		
+
+			Input input2 = new Input( Input.PASSWORD, PASSWORD, "" );
+			tr.addElement( new TD( input2 ) );
+			t1.addElement( tr );
+
+			Element b = ECSFactory.makeButton( "Submit" );
+			t1.addElement( new TR( new TD( b ) ) );
+			ec.addElement( t1 );
+			
+			String username = s.getParser().getRawParameter(USERNAME , "");
+			if (username == null || username.length() == 0)
+			{
+				ec.addElement( new P().addElement( new StringElement("Username is a required field")));
+				return ec;
+			}
+			
+			String password = s.getParser().getRawParameter(PASSWORD , "");
+			if (password == null || password.length() == 0)
+			{
+				ec.addElement( new P().addElement( new StringElement("Password is a required field")));
+				return ec;
+			}
+			
+			String dir = s.getContext().getRealPath( "/lessons/XMLInjection/EmployeesData.xml" );
+			File d = new File( dir );
+			XPathFactory  factory = XPathFactory.newInstance();
+			XPath xPath = factory.newXPath();
+			InputSource inputSource = new InputSource(new FileInputStream(d));			
+			String expression = "/employees/employee[loginID/text()='" + username + "' and passwd/text()='" + password + "']";
+    	    nodes = (NodeList)xPath.evaluate(expression, inputSource, XPathConstants.NODESET);
+    	    int nodesLength = nodes.getLength();
+    	    
+    	    Table t2 = null;
+    	    if (nodesLength > 0)
+    	    {
+    			t2 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(1).setWidth("90%").setAlign("center");
+    			tr = new TR();
+    			tr.setBgColor( HtmlColor.GRAY );
+    			tr.addElement( new TD().addElement("Username") );
+    			tr.addElement( new TD().addElement("Account No.") );
+    			tr.addElement( new TD().addElement("Salary") );
+    			t2.addElement(tr);
+    	    }
+			    	    
+    	    for (int i=0; i<nodesLength; i++)
+    	    {
+    	    	Node node = nodes.item(i);	
+    	    	String[] arrTokens = node.getTextContent().split("[\\t\\s\\n]+");
+    	    	    	    	
+    	    	tr = new TR();
+    			tr.addElement( new TD().addElement(arrTokens[1]) );
+    			tr.addElement( new TD().addElement(arrTokens[2]) );
+    			tr.addElement( new TD().addElement(arrTokens[4]) );
+    			t2.addElement(tr);
+    	    	
+	
+    	    }
+    	    if (nodes.getLength() > 1)
+    	    {
+    	    	makeSuccess( s );
+    	    }
+    	    if (t2 != null)
+    	    {
+    	    	ec.addElement( new PRE());
+    	    	ec.addElement(t2);
+    	    }
+			 
+		}
+		catch (IOException e)
+		{
+			s.setMessage( "Error generating " + this.getClass().getName() );
+			e.printStackTrace();			
+		}
+		catch (IllegalArgumentException e)
+		{
+			s.setMessage( "Error generating " + this.getClass().getName() );
+			e.printStackTrace();			
+		}
+		catch (XPathExpressionException e)
+		{
+			s.setMessage( "Error generating " + this.getClass().getName() );
+			e.printStackTrace();			
+		}		
+		return ec;
+	}
+
+	public Element getCredits() {
+		
+		return new StringElement("Sherif Koussa");
+	}
+
+
+	protected Category getDefaultCategory() {
+		
+		return AbstractLesson.A6;
+	}
+
+	protected boolean getDefaultHidden() {
+		// TODO Auto-generated method stub
+		return false;
+	}
+
+	protected Integer getDefaultRanking() {
+		
+		return DEFAULT_RANKING;
+	}
+
+	protected List getHints() {
+		// TODO Auto-generated method stub
+		List<String> hints = new ArrayList<String>();
+		hints.add( "Remember that the data is stored in XML format." );
+		hints.add( "The system is using XPath to query." );
+		hints.add( "XPath is almost the same thing as SQL, the same hacking techniques apply too." );
+		hints.add( "Try username: tricked' or 1=1 or 'a'='a and a password: trickedya " );
+		return hints;
+	}
+
+	public String getTitle() {
+		
+		return "How to Perform XML Injection";
+	}
+
+}

webgoat/main/project/WebContent/lesson_plans/CSRF.html

@@ -3,7 +3,7 @@
  </div>
  
 <p><b>Concept / Topic To Teach:</b> </p>
- This lesson teaches how to Cross Site Request Forgery (CSRF) attacks.
+ This lesson teaches how to perform Cross Site Request Forgery (CSRF) attacks.
  <br> 
 <div align="Left"> 
 <p>

webgoat/main/project/WebContent/lesson_plans/ForcedBrowsing.html

@@ -17,5 +17,5 @@ One technique is to manipulate the URL in the browser by deleting sections from
 <!-- Start Instructions -->
 * Your goal should be to try to guess the URL for the "config" interface.<br>
 * The "config" URL is only available to the maintenance personnel.<br>
-* The application doesn't check for horizontal priveleges.
+* The application doesn't check for horizontal privileges.
 <!-- Stop Instructions -->

webgoat/main/project/WebContent/lesson_plans/XMLInjection.html

@@ -0,0 +1,22 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Cross Site Request Forgery. </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+ This lesson teaches how to perform XPath (XML) Injection attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+Similar to SQL Injection, XML Injection attacks occur when a web site uses user supplied information to query XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured or access data that they may not normally have access to.
+They may even be able to elevate their privileges on the web site if the xml data is being used for authentication (such as an xml based user file). 
+
+Querying XML is done with XPath, a type of simple descriptive statement that allows the xml query to locate a piece of information. Like SQL you can specify certain attributes to find and patterns to match. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page. This input must be sanitized to verify that it doesn't mess up the XPath query and return the wrong data. 
+
+
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+The form below allows employees to see all their personal data including their salaries. Your goal is to try to see other employees data as well.
+<!-- Stop Instructions -->

webgoat/main/project/WebContent/lessons/XMLInjection/EmployeesData.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<employees>
+	<employee id="1">
+		<loginID>Mike</loginID>
+		<accountno>11123</accountno>
+		<passwd>test123</passwd>
+		<salary>468100</salary>
+	</employee>
+	<employee id="2">
+		<loginID>John</loginID>
+		<accountno>63458</accountno>
+		<passwd>myownpass</passwd>
+		<salary>559833</salary>
+	</employee>
+	<employee id="3">
+		<loginID>Sarah</loginID>
+		<accountno>23363</accountno>
+		<passwd>secret</passwd>
+		<salary>84000</salary>
+	</employee>
+</employees>