From 53473113199b42e989dff27b3c476b0d8b2e306b Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 23 Nov 2016 09:47:35 +0100 Subject: [PATCH] XXE last assignment completely working --- .../plugin/BlindSendFileAssignment.java | 8 +- .../java/org/owasp/webgoat/plugin/Ping.java | 2 +- .../main/resources/plugin/XXE/html/XXE.html | 2 +- .../lessonPlans/en/XXE_blind_assignment.adoc | 2 +- webgoat-standalone/.gitignore | 8 -- webgoat-standalone/README.MD | 31 ------ webgoat-standalone/pom.xml | 102 ------------------ .../src/main/java/org/owasp/webgoat/Main.java | 80 -------------- .../src/main/standalone.properties | 1 - 9 files changed, 8 insertions(+), 228 deletions(-) delete mode 100644 webgoat-standalone/.gitignore delete mode 100644 webgoat-standalone/README.MD delete mode 100644 webgoat-standalone/pom.xml delete mode 100644 webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java delete mode 100644 webgoat-standalone/src/main/standalone.properties diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java index 0de89a992..359149583 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java @@ -1,5 +1,6 @@ package org.owasp.webgoat.plugin; +import com.google.common.base.Joiner; import org.apache.commons.lang.exception.ExceptionUtils; import org.owasp.webgoat.lessons.Assignment; import org.owasp.webgoat.lessons.model.AttackResult; 
@@ -55,18 +56,19 @@ public class BlindSendFileAssignment extends Assignment { @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) @ResponseBody public AttackResult createNewUser(@RequestBody String userInfo) throws Exception { - String error = ""; + String error = "Parsing successful contents not send to server"; try { parseXml(userInfo); } catch (Exception e) { error = ExceptionUtils.getFullStackTrace(e); } - File logFile = new File(getPluginDirectory(), "plugin/XXE/"); + File logFile = new File(getPluginDirectory(), "/XXE/log.txt"); List lines = Files.readAllLines(Paths.get(logFile.toURI())); boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent(); + logFile.delete(); if (solved) { - return AttackResult.success(); + return AttackResult.success(String.format("Contents of the file is: %s", Joiner.on('\n').join(lines))); } else { return AttackResult.failed("Try again...", error); } diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java index e72b99ffe..e189af8ce 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java @@ -54,7 +54,7 @@ public class Ping extends Endpoint { public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) { String logLine = String.format("%s %s %s", "GET", userAgent, text); log.debug(logLine); - File logFile = new File(getPluginDirectory(), "plugin/XXE/"); + File logFile = new File(getPluginDirectory(), "/XXE/log.txt"); try { try (PrintWriter pw = new PrintWriter(logFile)) { pw.println(logLine); diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html index e10652683..918cc0e0b 100644 
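Review bot: `Files.readAllLines` is called unconditionally on `/XXE/log.txt`, but the added `logFile.delete()` removes that file on every request, so a submission made when no ping request has rewritten the file since the last delete throws from `readAllLines` instead of returning the `Try again...` result. Guard the read, for example `if (!logFile.exists()) { return AttackResult.failed("Try again...", error); }` placed before the `readAllLines` line. The return value of `logFile.delete()` is also ignored; if the delete fails, a stale line containing the marker would mark a later, unrelated attempt as solved, so a failed delete should at least be logged. The success message echoes the log lines, which per `Ping.logRequest` in this same patch are built from the request's User-Agent header and `text` parameter; if the lesson front end renders feedback as HTML (not visible here), that text should be encoded before display.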
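Review bot: The writer and the reader of `log.txt` disagree on encoding: `new PrintWriter(logFile)` in this hunk uses the platform default charset on JDKs before 18, while `BlindSendFileAssignment` reads the file with `Files.readAllLines`, which decodes UTF-8 and throws on malformed input. A User-Agent or `text` value with non-ASCII characters would therefore break the check on a non-UTF-8 platform; `new PrintWriter(logFile, "UTF-8")` keeps both sides consistent. The literal `"/XXE/log.txt"` is now duplicated in both classes and would be safer as one shared constant. Every request also truncates this single file, so if several learners share one instance (not visible here) their entries overwrite each other and one learner's ping can satisfy another's check; a per-user file name would avoid that. logRequest's body continues outside the hunk, so whether its catch clause already covers the `UnsupportedEncodingException` of the two-argument constructor needs checking there.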
--- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html @@ -132,7 +132,7 @@
+ action="/WebGoat/XXE/blind" contentType="application/json">
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc index 7b57af1cd..dd8dfca85 100644 --- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc @@ -4,4 +4,4 @@ In the previous page we showed you how you can ping a server with a XXE attack, contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/plugin/XXE/secret.txt`, for Windows this would be `c:/Users/USER/.webgoat/plugin/XXE/secret.txt` -Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` +Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control) diff --git a/webgoat-standalone/.gitignore b/webgoat-standalone/.gitignore deleted file mode 100644 index 6503556df..000000000 --- a/webgoat-standalone/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -target/ -.idea/ -*.iml -/src/main/webapp/plugin_lessons/*.jar -/src/main/webapp/plugin_extracted/* -dependency-reduced-pom.xml -src/main/webapp/users/guest.org.owasp.webgoat.lessons.BackDoors.props -/src/main/webapp/WEB-INF/lib/*.jar \ No newline at end of file diff --git a/webgoat-standalone/README.MD b/webgoat-standalone/README.MD deleted file mode 100644 index 334d6332f..000000000 --- a/webgoat-standalone/README.MD +++ /dev/null 
@@ -1,31 +0,0 @@ -# WebGoat standalone runner - -## Introduction -This project is aimed to be the replacement for the exec-war, it contains -a simple Main.class which will start an embedded Tomcat server. -This makes it easier to change the server address and the portnumber for example. -It kind of works in the same way Spring Boot starts an embedded Tomcat server. - -## Usage - -For the first time make sure you run a complete build: - -```Shell -mvn clean install -``` - -Open up your favourite IDE and run the Main.class which will start the -embedded Tomcat server. - -Or in a shell: - -```Shell -java -jar webgoat-standalone-<>-exec.jar -``` - -The following command line options are available: - -``` --a, --address Specify the server address, like 192.168.0.1 (default localhost) --p, --port Specify on which port the server should run (default 6047) -``` \ No newline at end of file diff --git a/webgoat-standalone/pom.xml b/webgoat-standalone/pom.xml deleted file mode 100644 index e604aabf3..000000000 --- a/webgoat-standalone/pom.xml +++ /dev/null 
@@ -1,102 +0,0 @@ - - - - webgoat-standalone - 4.0.0 - webgoat-standalone - - - org.owasp.webgoat - webgoat-parent - 7.2-SNAPSHOT - - - - - com.github.ryenus - rop - 1.1.1 - - - org.owasp.webgoat - webgoat-container - ${project.version} - - - - - org.apache.tomcat.embed - tomcat-embed-core - ${tomcat-catalina.version} - - - org.apache.tomcat.embed - tomcat-embed-logging-juli - ${tomcat-catalina.version} - - - org.apache.tomcat.embed - tomcat-embed-jasper - ${tomcat-catalina.version} - - - org.apache.tomcat - tomcat-jasper - ${tomcat-catalina.version} - - - org.apache.tomcat - tomcat-jasper-el - ${tomcat-catalina.version} - - - org.apache.tomcat - tomcat-jsp-api - ${tomcat-catalina.version} - - - - - - - org.apache.maven.plugins - maven-compiler-plugin - ${maven-compiler-plugin.version} - - 1.7 - 1.7 - ISO-8859-1 - - - - org.apache.maven.plugins - maven-shade-plugin - 2.3 - - - - package - - shade - - - - - META-INF/spring.handlers - - - META-INF/spring.schemas - - - org.owasp.webgoat.Main - - - true - exec - - - - - - - diff --git a/webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java b/webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java deleted file mode 100644 index bfaf47407..000000000 --- a/webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java +++ /dev/null 
@@ -1,80 +0,0 @@ -package org.owasp.webgoat; - -import com.github.ryenus.rop.OptionParser; -import com.github.ryenus.rop.OptionParser.Option; -import org.apache.catalina.connector.Connector; -import org.apache.catalina.core.StandardContext; -import org.apache.catalina.startup.Tomcat; -import org.apache.coyote.AbstractProtocol; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.File; -import java.net.InetAddress; - -import static com.github.ryenus.rop.OptionParser.Command; - -/** - * ************************************************************************************************ - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - *

- * Copyright (c) 2002 - 20014 Bruce Mayhew - *

- * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - *

- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - *

- * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - *

- * Getting Source ============== - *

- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. - *

- * - * @author WebGoat - * @version $Id: $Id - * @since July 24, 2016 - */ -@Command(name = "webgoat", descriptions = "Starting WebGoat") -public class Main { - - private final Logger logger = LoggerFactory.getLogger(Main.class); - - @Option(opt = {"-p", "--port"}, description = "HTTP port to use") - int port = 6047; - - @Option(opt = {"-a", "--address"}, description = "Server address to use") - String address = "localhost"; - - void run() throws Exception { - String webappDirLocation = "webgoat-container/src/main/webapp/"; - Tomcat tomcat = new Tomcat(); - StandardContext ctx = (StandardContext) tomcat.addWebapp("/WebGoat", new File(webappDirLocation).getAbsolutePath()); - - Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol"); - connector.setPort(port); - - if (connector.getProtocolHandler() instanceof AbstractProtocol) { - AbstractProtocol protocol = (AbstractProtocol) connector.getProtocolHandler(); - protocol.setAddress(InetAddress.getByName(address)); - protocol.setPort(port); - } - tomcat.getService().addConnector(connector); - tomcat.start(); - logger.info("Browse to http://{}:{}/WebGoat and happy hacking!", address, port); - tomcat.getServer().await(); - } - - public static void main(String[] args) throws Exception { - OptionParser parser = new OptionParser(Main.class); - parser.parse(args); - } -} \ No newline at end of file diff --git a/webgoat-standalone/src/main/standalone.properties b/webgoat-standalone/src/main/standalone.properties deleted file mode 100644 index 12be50b78..000000000 --- a/webgoat-standalone/src/main/standalone.properties +++ /dev/null @@ -1 +0,0 @@ -# Dummy property file to figure out whether we started as a war or as a standalone jar \ No newline at end of file