Added test for XXE

2017-11-02 20:41:30 +01:00
parent fc1353b2f1
commit 56fc0fce05
4 changed files with 156 additions and 12 deletions
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
@ -20,6 +20,10 @@ import java.io.IOException;
 import java.io.StringReader;
 import java.util.Collection;
 import java.util.Map;
+import java.util.Optional;
+
+import static java.util.Optional.empty;
+import static java.util.Optional.of;

 /**
 * @author nbaars
@ -67,12 +71,12 @@ public class Comments {
        return (Comment) unmarshaller.unmarshal(xsr);
    }

-    protected Comment parseJson(String comment) {
+    protected Optional<Comment> parseJson(String comment) {
        ObjectMapper mapper = new ObjectMapper();
        try {
-            return mapper.readValue(comment, Comment.class);
+            return of(mapper.readValue(comment, Comment.class));
        } catch (IOException e) {
-            return new Comment();
+            return empty();
        }
    }

--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
@ -61,27 +61,26 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
        AttackResult attackResult = failed().build();
-        Comment comment = null;
+
        if (APPLICATION_JSON_VALUE.equals(contentType)) {
-            comment = comments.parseJson(commentStr);
-            comments.addComment(comment, true);
+            comments.parseJson(commentStr).ifPresent(c -> comments.addComment(c, true));
            attackResult = failed().feedback("xxe.content.type.feedback.json").build();
        }

        if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
            String error = "";
            try {
-                comment = comments.parseXml(commentStr);
+                Comment comment = comments.parseXml(commentStr);
                comments.addComment(comment, false);
+                if (checkSolution(comment)) {
+                    attackResult = success().build();
+                }
            } catch (Exception e) {
                error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
+                attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
            }
-            attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
        }

-        if (checkSolution(comment)) {
-            attackResult = success().build();
-        }
        return trackProgress(attackResult);
    }

@ -89,7 +88,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
        String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
        boolean success = true;
        for (String directory : directoriesToCheck) {
-            success &= comment.getText().contains(directory);
+            success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
        }
        return success;
    }