Added XMLInjection lesson

Modified DOM Injection lesson
Added gratification to http splitting

git-svn-id: http://webgoat.googlecode.com/svn/trunk@37 4033779f-a91e-0410-96ef-6bf7bf53c507
sherif.fathy 2006-12-21 04:39:32 +00:00
parent 60d65681ff
commit 575d040c24
4 changed files with 248 additions and 27 deletions


@ -8,32 +8,17 @@ import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer; import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement; import org.apache.ecs.StringElement;
import org.apache.ecs.html.BR; import org.apache.ecs.html.BR;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1; import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input; import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD; import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR; import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table; import org.apache.ecs.html.Table;
import org.apache.ecs.html.Button;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
public class DOMInjection extends LessonAdapter { public class DOMInjection extends LessonAdapter {
private final static Integer DEFAULT_RANKING = new Integer(10); private final static Integer DEFAULT_RANKING = new Integer(10);
private final static String KEY = "key"; private final static String KEY = "key";
/*public void handleRequest( WebSession s )
{
//Setting a special action to be able to submit to redirect.jsp
Form form = new Form( "/WebGoat/lessons/AJAXSecurity/DOMInjection.jsp?" +
"Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString()
, Form.POST ).setName( "form" ).setEncType( "" );
form.addElement( createContent( s ) );
setContent(form);
}*/
protected Element createContent(WebSession s) { protected Element createContent(WebSession s) {
@ -68,7 +53,6 @@ public class DOMInjection extends LessonAdapter {
String lineSep = System.getProperty("line.separator"); String lineSep = System.getProperty("line.separator");
String script = "<script>" + lineSep + String script = "<script>" + lineSep +
"function validate() {" + lineSep + "function validate() {" + lineSep +
"alert('we are here');" + lineSep +
"var keyField = document.getElementById('key');" + lineSep + "var keyField = document.getElementById('key');" + lineSep +
"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) + "var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() + "&menu=" + getDefaultCategory().getRanking().toString() +
@ -126,25 +110,21 @@ public class DOMInjection extends LessonAdapter {
return ec ; return ec ;
} }
@Override
public Element getCredits() { public Element getCredits() {
return new StringElement("This screen created by: Sherif Koussa"); return new StringElement("This screen created by: Sherif Koussa");
} }
@Override
protected Category getDefaultCategory() { protected Category getDefaultCategory() {
return AJAX_SECURITY; return AJAX_SECURITY;
} }
@Override
protected Integer getDefaultRanking() { protected Integer getDefaultRanking() {
return DEFAULT_RANKING; return DEFAULT_RANKING;
} }
@Override
protected List getHints() { protected List getHints() {
List<String> hints = new ArrayList<String>(); List<String> hints = new ArrayList<String>();
@ -154,9 +134,7 @@ public class DOMInjection extends LessonAdapter {
return hints; return hints;
} }
@Override
public String getTitle() { public String getTitle() {
// TODO Auto-generated method stub
return "DOM Injection"; return "DOM Injection";
} }


@ -1,4 +1,6 @@
package org.owasp.webgoat.lessons; package org.owasp.webgoat.lessons;
import java.io.PrintWriter;
import java.net.URLDecoder;
import java.util.*; import java.util.*;
import org.apache.ecs.*; import org.apache.ecs.*;
@ -42,14 +44,14 @@ public class HttpSplitting extends LessonAdapter {
protected Element createContent(WebSession s) protected Element createContent(WebSession s)
{ {
ElementContainer ec = new ElementContainer(); ElementContainer ec = new ElementContainer();
StringBuffer lang = null; String lang = null;
try try
{ {
//add the text //add the text
ec.addElement( new StringElement( "Search by country : " ) ); ec.addElement( new StringElement( "Search by country : " ) );
lang = new StringBuffer( s.getParser().getStringParameter( LANGUAGE, "" ) ); lang = URLDecoder.decode(s.getParser().getRawParameter( LANGUAGE, "" )) ;
//add the search by field //add the search by field
Input input = new Input( Input.TEXT, LANGUAGE, lang.toString() ); Input input = new Input( Input.TEXT, LANGUAGE, lang.toString() );
@ -71,13 +73,31 @@ public class HttpSplitting extends LessonAdapter {
if ( lang.length() != 0 && fromRedirect.length() != 0 ) if ( lang.length() != 0 && fromRedirect.length() != 0 )
{ {
//Split by the line separator line.separator is platform independant //Split by the line separator line.separator is platform independant
String[] arrTokens = lang.toString().toUpperCase().split(System.getProperty("line.separator")); String lineSep = System.getProperty("line.separator");
String[] arrTokens = lang.toString().toUpperCase().split(lineSep);
//Check if the user ended the first request and wrote the second malacious reply //Check if the user ended the first request and wrote the second malacious reply
if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 && if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 ) Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )
{ {
ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "test"); try
{
//ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "<html>test</html>");
//s.getResponse().setContentType("text/html");
//s.getResponse().setHeader("Cache-Control", "no-cache");
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
out.print(lang.substring(lang.indexOf("HTTP/1.1")));
out.flush();
out.close();
//we gotta set it manually here so that we don't throw an exception
getLessonTracker(s).setCompleted(true);
}
catch(Exception e)
{
e.printStackTrace();
}
makeSuccess( s ); makeSuccess( s );
} }
} }
@ -101,7 +121,7 @@ public class HttpSplitting extends LessonAdapter {
} }
private final static Integer DEFAULT_RANKING = new Integer(10); private final static Integer DEFAULT_RANKING = new Integer(20);
protected Integer getDefaultRanking() protected Integer getDefaultRanking()
{ {
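Review bot: `out.print(lang.substring(lang.indexOf("HTTP/1.1")))` can throw StringIndexOutOfBoundsException, because the guard above it relies on `Arrays.binarySearch` over an unsorted token array (an unchanged context line), so reaching this branch does not guarantee `indexOf` is non-negative; the new `catch(Exception e) { e.printStackTrace(); }` then swallows that and `makeSuccess( s )` still runs. Compute the offset once and bail out on a miss, e.g. `int start = lang.indexOf("HTTP/1.1");` / `if (start < 0) { return ec; }` before the `PrintWriter` is opened. The new `URLDecoder.decode(s.getParser().getRawParameter( LANGUAGE, "" ))` uses the deprecated single-argument overload, which decodes with the platform default charset; `URLDecoder.decode(raw, "UTF-8")` makes the decoding explicit. Closing the response's output stream via `out.close()` while createContent still returns `ec` for the framework to render presumably leaves a later write failing, which may be what the "we gotta set it manually" comment is working around; createContent's body ends outside this hunk.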


@ -0,0 +1,205 @@
package org.owasp.webgoat.lessons;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.apache.ecs.html.Div;
import org.apache.ecs.StringElement;
import org.owasp.webgoat.session.WebSession;
public class XMLInjection extends LessonAdapter {
private final static Integer DEFAULT_RANKING = new Integer(20);
private final static String ACCOUNTID = "accountID";
public void handleRequest(WebSession s) {
try
{
if(s.getParser().getRawParameter("from", "").equals("ajax"))
{
if(s.getParser().getRawParameter(ACCOUNTID, "").equals("836239"))
{
String lineSep = System.getProperty("line.separator");
String xmlStr = "<root>" + lineSep +
"<reward>WebGoat t-shirt 20 Pts</reward>" + lineSep +
"<reward>WebGoat Secure Kettle 50 Pts</reward>" + lineSep +
"<reward>WebGoat Mug 30 Pts</reward>" + lineSep +
"</root>";
s.getResponse().setContentType("text/xml");
s.getResponse().setHeader("Cache-Control", "no-cache");
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
out.print(xmlStr);
out.flush();
out.close();
return;
}
}
}
catch (Exception ex)
{
ex.printStackTrace();
}
Form form = new Form( getFormAction(), Form.POST ).setName( "form" ).setEncType( "" );
form.addElement( createContent( s ) );
setContent(form);
}
protected Element createContent(WebSession s) {
ElementContainer ec = new ElementContainer();
boolean isDone = false;
if (s.getParser().getRawParameter("done", "").equals("yes"))
{
isDone = true;
}
String lineSep = System.getProperty("line.separator");
String script = "<script>" + lineSep +
"function getRewards() {" + lineSep +
"var accountIDField = document.getElementById('" + ACCOUNTID + "');" + lineSep +
"if (accountIDField.value.length < 6 ) { return; }" + lineSep +
"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() +
"&from=ajax&" + ACCOUNTID + "=' + encodeURIComponent(accountIDField.value);" + lineSep +
"if (typeof XMLHttpRequest != 'undefined') {" + lineSep +
"req = new XMLHttpRequest();" + lineSep +
"} else if (window.ActiveXObject) {" + lineSep +
"req = new ActiveXObject('Microsoft.XMLHTTP');" + lineSep +
" }" + lineSep +
" req.open('GET', url, true);" + lineSep +
" req.onreadystatechange = callback;" + lineSep +
" req.send(null);" + lineSep +
"}" + lineSep +
"function callback() {" + lineSep +
" if (req.readyState == 4) { " + lineSep +
" if (req.status == 200) { " + lineSep +
" var rewards = req.responseXML.getElementsByTagName('root')[0];" + lineSep +
" var rewardsDiv = document.getElementById('rewardsDiv');" + lineSep +
" rewardsDiv.innerHTML = '';" + lineSep +
" var strHTML='';"+ lineSep +
" strHTML = '<tr><td>&nbsp;</td><td>Rewards</td></tr>';" + lineSep +
" for(var i=0; i<rewards.childNodes.length; i++){" + lineSep +
" var node = rewards.childNodes[i];" + lineSep +
" strHTML = strHTML + '<tr><td><input name=\"check' + i +'\" type=\"checkbox\"></td><td>';" + lineSep +
" strHTML = strHTML + node.childNodes[0].nodeValue + '</td></tr>';" + lineSep +
" }" + lineSep +
" strHTML = '<table>' + strHTML + '</table>';" + lineSep +
" rewardsDiv.innerHTML = strHTML;"+ lineSep +
//" if (rewards.childNodes.length>3){" + lineSep +
//" makeSuccess();" + lineSep +
//" }" + lineSep +
" }}}" + lineSep +
//"function makeSuccess(){" + lineSep +
//"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) +
//"&menu=" + getDefaultCategory().getRanking().toString() +
//"&from=ajax&done=yes';" + lineSep +
//" req.open('GET', url, true);" + lineSep +
//" req.send(null);" + lineSep +
//"}" + lineSep +
"</script>" + lineSep;
if (!isDone)
{
ec.addElement( new StringElement(script));
}
ec.addElement( new BR().addElement (new H1().addElement( "Welcome to WebGoat-Miles Reward Miles Program.")));
ec.addElement( new BR());
Table t1 = new Table().setCellSpacing(0).setCellPadding(0).setBorder(0).setWidth("90%").setAlign("center");
TR tr = new TR();
tr = new TR();
tr.addElement( new TD("Please enter your account ID:") );
Input input1 = new Input( Input.TEXT, ACCOUNTID, "" );
input1.addAttribute("onkeyup", "getRewards();");
tr.addElement( new TD(input1));
t1.addElement( tr );
ec.addElement(t1);
ec.addElement(new BR());
ec.addElement(new BR());
ec.addElement(new BR());
Div div = new Div();
div.addAttribute("name", "rewardsDiv");
div.addAttribute("id", "rewardsDiv");
ec.addElement(div);
Input b = new Input();
b.setType( Input.SUBMIT );
b.setValue( "Submit" );
b.setName("SUBMIT");
ec.addElement(b);
if (s.getParser().getRawParameter("SUBMIT", "")!= "")
{
if(s.getParser().getRawParameter("check3", "") != "")
{
makeSuccess(s);
}
}
return ec;
}
protected Element makeSuccess(WebSession s)
{
getLessonTracker( s ).setCompleted( true );
s.setMessage("Congratulations. You have successfully completed this lesson.");
return ( null );
}
public Element getCredits() {
return new StringElement("Created by Sherif Koussa");
}
protected Category getDefaultCategory() {
return AJAX_SECURITY;
}
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
protected List getHints() {
List<String> hints = new ArrayList<String>();
hints.add( "This page is using XMLHTTP to comunicate with the server." );
hints.add( "Try to intercept the reply and check the reply." );
hints.add( "Intercept the reply and try to inject some XML to add more rewards to yourself." );
return hints;
}
public String getTitle() {
return "XML Injection";
}
}
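Review bot: The completion check at the end of createContent compares Strings by reference — `s.getParser().getRawParameter("SUBMIT", "") != ""` and the matching `"check3"` test — which is true for any String object other than the interned default, so a submitted empty value counts as present and the result depends on whether the parser returns the default instance; use `if (!s.getParser().getRawParameter("SUBMIT", "").isEmpty())` and `if (!s.getParser().getRawParameter("check3", "").isEmpty())`. In handleRequest, `catch (Exception ex) { ex.printStackTrace(); }` falls through to building and setting the form even when the XML branch had already started writing to the response, so a failure there presumably produces a mixed response rather than an error; log with the lesson's logger and return instead of printing the stack trace. `TR tr = new TR();` is immediately overwritten by `tr = new TR();` on the next line, and the `PrintWriter` wrapped around `getOutputStream()` has no charset, whereas `s.getResponse().getWriter()` would honour the content type set just above. The commented-out JavaScript (the `makeSuccess` block inside the script string) is shipped as dead text and should be removed rather than kept as comments.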


@ -0,0 +1,18 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> XML Injection Attacks. </p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
This lesson teaches how to perform XML Injection attacks.
<br>
<div align="Left">
<p>
<b>How the attacks works:</b>
</p>
AJAX applications use XML to exchange information with the server. This XML can be easily intercepted and altered by a malacious attacker.
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
The form below takes your WebGoat Rewards Mile account and returns back the kind of rewards you can afford. Your goal is to try to add more rewards to your allowed set of rewards. Your account ID is 836239.
<!-- Stop Instructions -->