Process review comments

This commit is contained in:
Nanne Baars 2020-05-21 19:39:22 +02:00 committed by Nanne Baars
parent 9b72610510
commit 5739705d8a
6 changed files with 20 additions and 16 deletions


View File

@ -69,3 +69,5 @@ Content-Type: application/xml
<!DOCTYPE user [<!ENTITY root SYSTEM "file:///"> ]><comment><text>&root;This is my first message</text></comment>
----
In some company networks some network devices might drop this payload completely if it was sent over HTTP. In that case no response is returned on the `POST` and the endpoint never receives the request. However, these kind of protections are of limited use, as the same request would pass successfully in an HTTPS setup, where that payload would be encrypted.
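Review bot: the added paragraph has a grammar slip ("these kind of protections" should be "this kind of protection") and, more importantly, it should make the conclusion explicit for the reader: network-level filtering of the `DOCTYPE` payload is not a substitute for disabling DTD processing and external entities in the parser itself, which is the only control that holds regardless of transport. Suggested closing sentence: "The only reliable defence is to configure the XML parser not to resolve external entities at all."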

View File

@ -22,36 +22,34 @@ This piece of code defines a new `XmlMapper` (`ObjectMapper`) which is a popular
/**
* @since 2.4
*/
public XmlMapper(XMLInputFactory inputF) { // <2>
this(new XmlFactory(inputF)); //<3>
public XmlMapper(XMLInputFactory inputF) { // <1>
this(new XmlFactory(inputF)); //<2>
}
----
<2> This is the 'constructor' we called from the listing above (1)
<3> Call to another 'constructor' and initialize a new instance of `XmlFactory`
<1> This is the 'constructor' we called from the listing above (1)
<2> Call to another 'constructor' and initialize a new instance of `XmlFactory`
Let's take a look at the source code of `XMLFactory`
[source, java]
----
public XmlFactory(XMLInputFactory xmlIn) { // <4>
this(xmlIn, null); } // <5>
public XmlFactory(XMLInputFactory xmlIn) { // <1>
this(xmlIn, null); } // <2>
protected XmlFactory(XMLInputFactory xmlIn, XMLOutputFactory xmlOut, ...) { // <6>
if (xmlIn == null) { //<7>
protected XmlFactory(XMLInputFactory xmlIn, XMLOutputFactory xmlOut, ...) { // <3>
if (xmlIn == null) { //<4>
xmlIn = XMLInputFactory.newInstance();
// as per [dataformat-xml#190], disable external entity expansion by default
xmlIn.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); // <8>
xmlIn.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); // <5>
// and ditto wrt [dataformat-xml#211], SUPPORT_DTD
xmlIn.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE); // <9>
xmlIn.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE); // <6>
}
}
----
<4> This is the 'constructor' definition of the new instance created in 3
<5> Call to another 'constructor' defined in 6
<8> XXE protection
<9> XXE protection
<1> This is the 'constructor' definition of the new instance created in 3
<2> Call to another 'constructor' defined in 3
In 7 we know `if (xmlIn == null)` will not be true because if we look at our declaration at the top we created our own instance `XMLInputFactory.newInstance()` which is not `null`. This means that we have a XML parser which is by default **not** secured against XXE injection. The interesting part at 8 and 9 is the extra protection nested inside the if statement.
In 4 we know `if (xmlIn == null)` will not be true because if we look at our declaration at the top we created our own instance `XMLInputFactory.newInstance()` which is not `null`. This means that we have a XML parser which is by default **not** secured against XXE injection. The interesting part at 5 and 6 is the extra protection nested inside the if statement.
If we look at the Spring Boot framework for example how they initialize the same parser:
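Review bot: the renumbering is incomplete. Callouts `<5>` and `<6>` (the two `setProperty` lines) are now referenced in the paragraph ("The interesting part at 5 and 6") but their explanation lines were deleted together with the old `<8>` and `<9>` and never re-added; restore them as "<5> XXE protection" and "<6> XXE protection". Likewise "<1> This is the 'constructor' definition of the new instance created in 3" still points at the old numbering of the previous listing, where the `new XmlFactory(inputF)` call is now `<2>`, so it should read "created in 2". While here, "`XMLFactory`" in the sentence introducing the listing does not match the class name `XmlFactory` used in the code.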

View File

@ -13,6 +13,10 @@ image::images/xxe-parser.png[XML parser]
As you can see once the XML document is processed by the parser, it will replace the defined entity `js` with the defined constant "Jo Smith". As you can see this has many advantages as you can change `js` in one place to for example "John Smith".
In a Java application XML can be used to get data from the client to the server, we are all familiar with JSON apis we can also use xml to get the information across. Most of the time the framework automatically populate the Java object based on the xml structure, for example:
[role="lesson-image"]
image::images/xxe-parser-java.png[XML parser]
=== What is an XXE injection?
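Review bot: the added sentence is a run-on and has agreement errors; suggest splitting it: "In a Java application XML can be used to send data from the client to the server. We are all familiar with JSON APIs, but XML can also be used to get the information across. Most of the time the framework automatically populates the Java object based on the XML structure, for example:". Capitalise "XML" and "APIs" consistently with the rest of the lesson text.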

View File

@ -49,4 +49,4 @@ Content-Type: application/xml
----
Line 7 contains the input entered in text box if we would use the comment form.
To solve the lesson you have to intercept the complete the outgoing request and replace the complete body with the solution. See our lessons about intercepting HTTP traffic.
To solve the lesson you have to intercept the complete outgoing request and replace the complete body with the solution. See our lessons about intercepting HTTP traffic.
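Review bot: the typo fix is correct; since this line is being touched, the preceding context line "entered in text box" is also missing an article and could be corrected to "entered in the text box" in the same commit.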