XXE last assignment completely working

Nanne Baars
2016-11-23 09:47:35 +01:00
parent c80bfcbc2f
commit 5347311319
9 changed files with 8 additions and 228 deletions


@ -132,7 +132,7 @@
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
action="/WebGoat/XXE/content-type" contentType="application/json">
action="/WebGoat/XXE/blind" contentType="application/json">
<script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
language="JavaScript"></script>
<div id="lessonContent">
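Review bot: on the changed `action` line, the form now posts to `/WebGoat/XXE/blind` but the same tag still carries `prepareData="registerJson"` and `contentType="application/json"`, which read as leftovers from the `/WebGoat/XXE/content-type` assignment it was copied from. If the blind endpoint is meant to receive XML, the preparer and content type should change with the action; if JSON is deliberate, add a short HTML comment next to the form saying so, since the two comment lines above it only describe generic form handling.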


@ -4,4 +4,4 @@ In the previous page we showed you how you can ping a server with a XXE attack,
contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/plugin/XXE/secret.txt`, for Windows
this would be `c:/Users/USER/.webgoat/plugin/XXE/secret.txt`
Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]`
Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)
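Review bot: the added "(NOTE: this endpoint is under your full control)" on the last line is ambiguous, because it does not say what "control" means for the learner or who is assumed to own the endpoint in the exercise. Suggest stating the role directly, for example that the ping endpoint stands in for the server that receives the data in this lesson, and where the learner can check what it received. The URL also hard-codes `http://localhost:8080`, so a note that the host and port follow the learner's own WebGoat instance would avoid confusion on non-default setups.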