From 52a48df70cec17484d213d5a9079525a47bc4dcd Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Mon, 12 Jun 2017 15:08:55 +0200
Subject: [PATCH] XXE successfully completed message was no longer shown, fixed it by using form POST together with customjs functions. Introduced callback functionality which you can specify after the posting in order to be able to load the comments list again.

---
 .../js/goatApp/view/LessonContentView.js | 8 +++--
 webgoat-lessons/sol.txt | 2 +-
 .../org/owasp/webgoat/plugin/SimpleXXE.java | 3 +-
 .../xxe/src/main/resources/html/XXE.html | 8 +++--
 .../xxe/src/main/resources/js/xxe.js | 32 ++++++++-----------
 5 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
index beb0f6fa6..dd96905cb 100644
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
@@ -80,7 +80,9 @@ define(['jquery',
 var self = this;
 // TODO custom Data prep for submission
 var prepareDataFunctionName = $(curForm).attr('prepareData');
+ var callbackFunctionName = $(curForm).attr('callback');
 var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
+ var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
 // var submitData = this.$form.serialize();
 this.curForm = curForm;
 this.$curFeedback = $(curForm).closest('.attack-container').find('.attack-feedback');
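Review bot: The new `callbackFunctionName` lookup, like the existing `prepareDataFunctionName` one, resolves through the prototype chain of `webgoat.customjs`, so an attribute value naming an inherited method (for example `toString`) passes the `typeof ... === 'function'` test and is invoked as the callback. Checking for an own property closes that gap: `var callbackFunction = (callbackFunctionName && Object.prototype.hasOwnProperty.call(webgoat.customjs, callbackFunctionName) && typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};`. The attribute comes from lesson-authored markup, so the practical risk is low, but the check is cheap and documents that only registered customjs hooks may be dispatched. The enclosing submit handler starts and ends outside the hunk.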
@@ -93,14 +95,16 @@ define(['jquery',
 url:formUrl,
 method:formMethod,
 contentType:contentType,
- data: submitData
+ data: submitData,
+ complete: function (data) {
+ callbackFunction();
+ }
 }).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self));
 return false;
 },
 onSuccessResponse: function(data) {
 this.renderFeedback(data.feedback);
- this.renderOutput(data.output || "");
 //TODO: refactor back assignmentCompleted in Java
 if (data.lessonCompleted || data.assignmentCompleted) {
diff --git a/webgoat-lessons/sol.txt b/webgoat-lessons/sol.txt
index c686e4396..d54494a64 100644
--- a/webgoat-lessons/sol.txt
+++ b/webgoat-lessons/sol.txt
@@ -11,7 +11,7 @@ Smith' union select userid,user_name, password,cookie,cookie, cookie,userid from
 ## XXE ##
-Simple - ]> &root;test
+Simple - ]>&root;
 Modern Rest Framework - change content type to: Content-Type: application/xml && ]> &root;test
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
index f1f5bdfc3..4a3de9d8f 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
@@ -9,7 +9,6 @@ import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
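Review bot: The removal of `this.renderOutput(data.output || "");` in `onSuccessResponse` changes the success path of every lesson, not only XXE, and the commit message does not mention it; if the output panel is meant to go away globally that should be stated, otherwise the line should stay. In the new `complete` handler the parameter is named `data`, but jQuery hands `complete` the jqXHR object and a status string, so the name is misleading; `complete: function () { callbackFunction(); }` is clearer. `complete` also fires on both success and failure, so the lesson callback runs even when the POST was rejected; if that is intended (reload the comment list regardless of outcome) a one-line comment such as `// runs on success and failure so the lesson can refresh its view` would make it explicit. `onSuccessResponse` continues past the end of the hunk.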
@@ -65,7 +64,7 @@ public class SimpleXXE extends AssignmentEndpoint {
 @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
 @ResponseBody
- public AttackResult createNewComment(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
+ public AttackResult createNewComment(@RequestBody String commentStr) throws Exception {
 String error = "";
 try {
 Comment comment = comments.parseXml(commentStr);
diff --git a/webgoat-lessons/xxe/src/main/resources/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
index 21b4aa916..bbdc2e39a 100644
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@@ -24,8 +24,10 @@
+ prepareData="simpleXXE" + callback="simpleXXECallback" + contentType="application/xml" + action="/WebGoat/xxe/simple">
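Review bot: The form attributes `prepareData`, `callback` and `contentType` are author-defined, non-standard attributes; HTML5 reserves the `data-*` namespace for that purpose (`data-prepare-data`, `data-callback`, `data-content-type`), and they could then be read with jQuery's `.data()` in `LessonContentView.js`. The hunk is only partially visible here (the markup tags appear to have been stripped), so this is a point of style rather than a defect, and changing it would need the matching `attr('prepareData')` / `attr('callback')` reads in the container to change in step.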
@@ -54,7 +56,7 @@ - +
diff --git a/webgoat-lessons/xxe/src/main/resources/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
index dc5b0ddcf..f0219af89 100644
--- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js
+++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
@@ -1,23 +1,17 @@
+webgoat.customjs.simpleXXE = function () {
+ var commentInput = $("#commentInputSimple").val();
+ var xml = '' +
+ '' +
+ ' ' + commentInput + '' +
+ '';
+ return xml;
+}
+
+webgoat.customjs.simpleXXECallback = function() {
+ getComments('#commentsListSimple');
+}
+
 $(document).ready(function () {
- $("#postCommentSimple").unbind();
- $("#postCommentSimple").on("click", function () {
- var commentInput = $("#commentInputSimple").val();
- var xml = '' +
- '' +
- ' ' + commentInput + '' +
- '';
- $.ajax({
- type: 'POST',
- url: 'xxe/simple',
- data: xml,
- contentType: "application/xml",
- dataType: 'xml',
- complete: function (data) {
- $("#commentInputSimple").val('');
- getComments('#commentsListSimple')
- }
- })
- });
 getComments('#commentsListSimple');
 });
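Review bot: `simpleXXECallback` drops the `$("#commentInputSimple").val('')` that the removed click handler ran before reloading the list, so after this change the submitted text stays in the comment field; if that is not intended, add `$("#commentInputSimple").val('');` before `getComments('#commentsListSimple');`. The two function-expression assignments `webgoat.customjs.simpleXXE = function () { ... }` and `webgoat.customjs.simpleXXECallback = function() { ... }` end in a bare `}` and rely on automatic semicolon insertion; a trailing `};` on each matches the statement style of the rest of the file. `simpleXXE` embeds the raw field value into the XML string it returns, which is the lesson's intended behaviour, and a short comment such as `// lesson hook: the comment text is embedded unescaped on purpose` would stop a later maintainer from "fixing" it; `getComments` is defined elsewhere, so its behaviour is assumed here.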