XXE successfully completed message was no longer shown, fixed it by using form POST together with customjs functions.

Introduced callback functionality which you can specify after the posting in order to be able to load the comments list again.
2017-06-12 15:08:55 +02:00
parent 19a4859e4f
commit 52a48df70c
5 changed files with 26 additions and 27 deletions
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@ -24,8 +24,10 @@

        <form class="attack-form" accept-charset="UNKNOWN"
              method="POST" name="form"
-              action="/WebGoat/xxe/simple"
-              enctype="application/json;charset=UTF-8">
+              prepareData="simpleXXE"
+              callback="simpleXXECallback"
+              contentType="application/xml"
+              action="/WebGoat/xxe/simple">
            <div class="container-fluid">
                <div class="panel post">
                    <div class="post-heading">
@ -54,7 +56,7 @@
                            <input class="form-control" id="commentInputSimple" placeholder="Add a comment"
                                   type="text"/>
                            <span class="input-group-addon">
-                                <i id="postCommentSimple" class="fa fa-edit" style="font-size: 20px"></i>
+                                <button id="postCommentSimple" class="fa fa-edit" style="font-size: 20px"></button>
                            </span>
                        </div>
                        <ul class="comments-list">
--- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js
+++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
@ -1,23 +1,17 @@
+webgoat.customjs.simpleXXE = function () {
+    var commentInput = $("#commentInputSimple").val();
+    var xml = '<?xml version="1.0"?>' +
+        '<comment>' +
+        '  <text>' + commentInput + '</text>' +
+        '</comment>';
+    return xml;
+}
+
+webgoat.customjs.simpleXXECallback = function() {
+    getComments('#commentsListSimple');
+}
+
 $(document).ready(function () {
-    $("#postCommentSimple").unbind();
-    $("#postCommentSimple").on("click", function () {
-        var commentInput = $("#commentInputSimple").val();
-        var xml = '<?xml version="1.0"?>' +
-            '<comment>' +
-            '  <text>' + commentInput + '</text>' +
-            '</comment>';
-        $.ajax({
-            type: 'POST',
-            url: 'xxe/simple',
-            data: xml,
-            contentType: "application/xml",
-            dataType: 'xml',
-            complete: function (data) {
-                $("#commentInputSimple").val('');
-                getComments('#commentsListSimple')
-            }
-        })
-    });
    getComments('#commentsListSimple');
 });