dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added test for XXE

Browse Source
This commit is contained in:
Nanne Baars 2017-11-02 20:41:30 +01:00
parent fc1353b2f1
commit 56fc0fce05
4 changed files with 156 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Comments.java
View File

@ -20,6 +20,10 @@ import java.io.IOException;
import java.io.StringReader; import java.io.StringReader;
import java.util.Collection; import java.util.Collection;
import java.util.Map; import java.util.Map;
import java.util.Optional;
import static java.util.Optional.empty;
import static java.util.Optional.of;
/** /**
* @author nbaars * @author nbaars
@ -67,12 +71,12 @@ public class Comments {
return (Comment) unmarshaller.unmarshal(xsr); return (Comment) unmarshaller.unmarshal(xsr);
} }
protected Comment parseJson(String comment) { protected Optional<Comment> parseJson(String comment) {
ObjectMapper mapper = new ObjectMapper(); ObjectMapper mapper = new ObjectMapper();
try { try {
return mapper.readValue(comment, Comment.class); return of(mapper.readValue(comment, Comment.class));
} catch (IOException e) { } catch (IOException e) {
return new Comment(); return empty();
} }
} }

17
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
View File

@ -61,27 +61,26 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
@ResponseBody @ResponseBody
public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception { public AttackResult createNewUser(@RequestBody String commentStr, @RequestHeader("Content-Type") String contentType) throws Exception {
AttackResult attackResult = failed().build(); AttackResult attackResult = failed().build();
Comment comment = null;
if (APPLICATION_JSON_VALUE.equals(contentType)) { if (APPLICATION_JSON_VALUE.equals(contentType)) {
comment = comments.parseJson(commentStr); comments.parseJson(commentStr).ifPresent(c -> comments.addComment(c, true));
comments.addComment(comment, true);
attackResult = failed().feedback("xxe.content.type.feedback.json").build(); attackResult = failed().feedback("xxe.content.type.feedback.json").build();
} }
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) { if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
String error = ""; String error = "";
try { try {
comment = comments.parseXml(commentStr); Comment comment = comments.parseXml(commentStr);
comments.addComment(comment, false); comments.addComment(comment, false);
if (checkSolution(comment)) {
attackResult = success().build();
}
} catch (Exception e) { } catch (Exception e) {
error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
} }
attackResult = failed().feedback("xxe.content.type.feedback.xml").output(error).build();
} }
if (checkSolution(comment)) {
attackResult = success().build();
}
return trackProgress(attackResult); return trackProgress(attackResult);
} }
@ -89,7 +88,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES; String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
boolean success = true; boolean success = true;
for (String directory : directoriesToCheck) { for (String directory : directoriesToCheck) {
success &= comment.getText().contains(directory); success &= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
} }
return success; return success;
} }

75
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/ContentTypeAssignmentTest.java Normal file
View File

@ -0,0 +1,75 @@
package org.owasp.webgoat.plugin;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author nbaars
* @since 11/2/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class ContentTypeAssignmentTest extends LessonTest {
@Autowired
private Comments comments;
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void sendingXmlButContentTypeIsJson() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_JSON)
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
}
@Test
public void workingAttack() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_XML)
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
}
@Test
public void postingJsonShouldAddComment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_JSON)
.content("{ \"text\" : \"Hello World\"}"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Hello World")).count()).isEqualTo(1);
}
@Test
public void postingInvalidJsonShouldAddComment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/content-type")
.contentType(MediaType.APPLICATION_JSON)
.content("{ 'text' : 'Wrong'"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("xxe.content.type.feedback.json"))));
assertThat(comments.getComments().stream().filter(c -> c.getText().equals("Wrong")).count()).isEqualTo(0);
}
}

66
webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/SimpleXXETest.java Normal file
View File

@ -0,0 +1,66 @@
package org.owasp.webgoat.plugin;
import org.hamcrest.CoreMatchers;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.owasp.webgoat.plugins.LessonTest;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author nbaars
* @since 11/2/17.
*/
@RunWith(SpringJUnit4ClassRunner.class)
public class SimpleXXETest extends LessonTest {
@Before
public void setup() throws Exception {
XXE xxe = new XXE();
when(webSession.getCurrentLesson()).thenReturn(xxe);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void workingAttack() throws Exception {
//Call with XXE injection
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM \"file:///\"> ]><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
}
@Test
public void postingJsonCommentShouldNotSolveAssignment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("<comment><text>test</ext></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
}
@Test
public void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("<?xml version=\"1.0\" standalone=\"yes\" ?><comment><text>&root;</text></comment>"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
}
@Test
public void postingPlainTextShouldShwoException() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post("/xxe/simple")
.content("test"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.output", CoreMatchers.startsWith("javax.xml.bind.UnmarshalException\\n - with linked exception")))
.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
}
}