XXE last assignment completely working

2016-11-23 09:47:35 +01:00 · 2016-11-23 09:47:35 +01:00 · 5347311319
commit 5347311319
parent c80bfcbc2f
9 changed files with 8 additions and 228 deletions
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@ -1,5 +1,6 @@
 package org.owasp.webgoat.plugin;
 import com.google.common.base.Joiner;
 import org.apache.commons.lang.exception.ExceptionUtils;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.model.AttackResult;
@ -55,18 +56,19 @@ public class BlindSendFileAssignment extends Assignment {
    @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    @ResponseBody
    public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
-        String error = "";
+        String error = "Parsing successful contents not send to server";
        try {
            parseXml(userInfo);
        } catch (Exception e) {
            error = ExceptionUtils.getFullStackTrace(e);
        }
-        File logFile = new File(getPluginDirectory(), "plugin/XXE/");
+        File logFile = new File(getPluginDirectory(), "/XXE/log.txt");
        List<String> lines = Files.readAllLines(Paths.get(logFile.toURI()));
        boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
        logFile.delete();
        if (solved) {
-            return AttackResult.success();
+            return AttackResult.success(String.format("Contents of the file is: %s", Joiner.on('\n').join(lines)));
        } else {
            return AttackResult.failed("Try again...", error);
        }
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java
@ -54,7 +54,7 @@ public class Ping extends Endpoint {
    public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {
        String logLine = String.format("%s %s %s", "GET", userAgent, text);
        log.debug(logLine);
-        File logFile = new File(getPluginDirectory(), "plugin/XXE/");
+        File logFile = new File(getPluginDirectory(), "/XXE/log.txt");
        try {
            try (PrintWriter pw = new PrintWriter(logFile)) {
                pw.println(logLine);
--- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html
@ -132,7 +132,7 @@
        <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
        <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
        <form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
-              action="/WebGoat/XXE/content-type" contentType="application/json">
+              action="/WebGoat/XXE/blind" contentType="application/json">
            <script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
                    language="JavaScript"></script>
            <div id="lessonContent">
--- a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc
@ -4,4 +4,4 @@ In the previous page we showed you how you can ping a server with a XXE attack,
 contents of ~/.webgoat/plugin/XXE/secret.txt to our server. For Linux: `/home/USER/.webgoat/plugin/XXE/secret.txt`, for Windows
 this would be `c:/Users/USER/.webgoat/plugin/XXE/secret.txt`
-Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]`
+Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)
--- a/webgoat-standalone/.gitignore
+++ b/webgoat-standalone/.gitignore
@ -1,8 +0,0 @@
 target/
 .idea/
 *.iml
 /src/main/webapp/plugin_lessons/*.jar
 /src/main/webapp/plugin_extracted/*
 dependency-reduced-pom.xml
 src/main/webapp/users/guest.org.owasp.webgoat.lessons.BackDoors.props
 /src/main/webapp/WEB-INF/lib/*.jar
--- a/webgoat-standalone/README.MD
+++ b/webgoat-standalone/README.MD
@ -1,31 +0,0 @@
 # WebGoat standalone runner
 ## Introduction
 This project is aimed to be the replacement for the exec-war, it contains
 a simple Main.class which will start an embedded Tomcat server.
 This makes it easier to change the server address and the portnumber for example.
 It kind of works in the same way Spring Boot starts an embedded Tomcat server.
 ## Usage
 For the first time make sure you run a complete build:
 ```Shell
 mvn clean install
 ```
 Open up your favourite IDE and run the Main.class which will start the
 embedded Tomcat server.
 Or in a shell:
 ```Shell
 java -jar webgoat-standalone-<<version>>-exec.jar
 ```
 The following command line options are available:
 ```
 -a, --address Specify the server address, like 192.168.0.1 (default localhost)
 -p, --port    Specify on which port the server should run (default 6047)
 ```
--- a/webgoat-standalone/pom.xml
+++ b/webgoat-standalone/pom.xml
@ -1,102 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <name>webgoat-standalone</name>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>webgoat-standalone</artifactId>
    <parent>
        <groupId>org.owasp.webgoat</groupId>
        <artifactId>webgoat-parent</artifactId>
        <version>7.2-SNAPSHOT</version>
    </parent>
    <dependencies>
        <dependency>
            <groupId>com.github.ryenus</groupId>
            <artifactId>rop</artifactId>
            <version>1.1.1</version>
        </dependency>
        <dependency>
            <groupId>org.owasp.webgoat</groupId>
            <artifactId>webgoat-container</artifactId>
            <version>${project.version}</version>
        </dependency>
        <!--************* Tomcat dependencies **************-->
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <version>${tomcat-catalina.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-logging-juli</artifactId>
            <version>${tomcat-catalina.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
            <version>${tomcat-catalina.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-jasper</artifactId>
            <version>${tomcat-catalina.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-jasper-el</artifactId>
            <version>${tomcat-catalina.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-jsp-api</artifactId>
            <version>${tomcat-catalina.version}</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>${maven-compiler-plugin.version}</version>
                <configuration>
                    <source>1.7</source>
                    <target>1.7</target>
                    <encoding>ISO-8859-1</encoding>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-shade-plugin</artifactId>
                <version>2.3</version>
                <executions>
                    <!-- Run shade goal on package phase -->
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>shade</goal>
                        </goals>
                        <configuration>
                            <transformers>
                                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
                                    <resource>META-INF/spring.handlers</resource>
                                </transformer>
                                <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
                                    <resource>META-INF/spring.schemas</resource>
                                </transformer>
                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
                                    <mainClass>org.owasp.webgoat.Main</mainClass>
                                </transformer>
                            </transformers>
                            <shadedArtifactAttached>true</shadedArtifactAttached>
                            <shadedClassifierName>exec</shadedClassifierName>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
 </project>
--- a/webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java
+++ b/webgoat-standalone/src/main/java/org/owasp/webgoat/Main.java
@ -1,80 +0,0 @@
 package org.owasp.webgoat;
 import com.github.ryenus.rop.OptionParser;
 import com.github.ryenus.rop.OptionParser.Option;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.core.StandardContext;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.coyote.AbstractProtocol;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.net.InetAddress;
 import static com.github.ryenus.rop.OptionParser.Command;
 /**
 * ************************************************************************************************
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
 * <p>
 * Copyright (c) 2002 - 20014 Bruce Mayhew
 * <p>
 * This program is free software; you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 * <p>
 * You should have received a copy of the GNU General Public License along with this program; if
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 * <p>
 * Getting Source ==============
 * <p>
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
 * projects.
 * <p>
 *
 * @author WebGoat
 * @version $Id: $Id
 * @since July 24, 2016
 */
@Command(name = "webgoat", descriptions = "Starting WebGoat")
 public class Main {
    private final Logger logger = LoggerFactory.getLogger(Main.class);
    @Option(opt = {"-p", "--port"}, description = "HTTP port to use")
    int port = 6047;
    @Option(opt = {"-a", "--address"}, description = "Server address to use")
    String address = "localhost";
    void run() throws Exception {
        String webappDirLocation = "webgoat-container/src/main/webapp/";
        Tomcat tomcat = new Tomcat();
        StandardContext ctx = (StandardContext) tomcat.addWebapp("/WebGoat", new File(webappDirLocation).getAbsolutePath());
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        if (connector.getProtocolHandler() instanceof AbstractProtocol) {
            AbstractProtocol<?> protocol = (AbstractProtocol<?>) connector.getProtocolHandler();
            protocol.setAddress(InetAddress.getByName(address));
            protocol.setPort(port);
        }
        tomcat.getService().addConnector(connector);
        tomcat.start();
        logger.info("Browse to http://{}:{}/WebGoat and happy hacking!", address, port);
        tomcat.getServer().await();
    }
    public static void main(String[] args) throws Exception {
        OptionParser parser = new OptionParser(Main.class);
        parser.parse(args);
    }
 }
--- a/webgoat-standalone/src/main/standalone.properties
+++ b/webgoat-standalone/src/main/standalone.properties
@ -1 +0,0 @@
 # Dummy property file to figure out whether we started as a war or as a standalone jar
		`@ -1 +0,0 @@`
			`# Dummy property file to figure out whether we started as a war or as a standalone jar`