diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java index 80933dfa2..be22ed45e 100644 --- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java +++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java @@ -4,9 +4,9 @@ import com.thoughtworks.xstream.XStream; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; -import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; import java.io.IOException; @@ -49,11 +49,11 @@ import java.io.IOException; public class VulnerableComponentsLesson extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) - public @ResponseBody AttackResult completed(@RequestBody String payload) throws IOException { + public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException { String process = "open"; String arguments = "/Applications/Calculator.app"; - String payload2 = "<sorted-set>" + + String payload2 = "<sorted-set>" + "<string>foo</string>" + "<dynamic-proxy>" + "<interface>java.lang.Comparable</interface>" + diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html index e35a3d6f4..8151c06ce 100644 
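Review bot: `completed(@RequestParam String payload)` makes `payload` a required request parameter, so a submission that omits it, or that still sends the XML as a raw body, gets Spring's 400 response instead of an `AttackResult`. Consider `@RequestParam(required = false) String payload` with an explicit null/empty check that returns the lesson's failure feedback. The handler body continues outside the hunk, so how `payload` is consumed is not visible here; if it reaches the imported `XStream`, a comment such as `// payload is untrusted user XML; unrestricted XStream parsing is intentional for this lesson only` would keep the pattern from being copied elsewhere. The hard-coded `process`, `arguments` and `payload2` locals look like a macOS-specific sample left in the handler and would sit better in a test fixture, assuming the code below the hunk does not depend on them.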
--- a/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/plugin/VulnerableComponents/html/VulnerableComponents.html
@@ -131,35 +131,23 @@ <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div> - <div class="attack-container"> - <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> - <div id="lessonContent"> - <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> - <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> - <!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> - <form class="attack-form" accept-charset="UNKNOWN" - method="POST" name="form" - action="/WebGoat/VulnerableComponents/attack1" - enctype="application/json;charset=UTF-8"> - Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input - name="SUBMIT" value="Go!" type="SUBMIT"/> - </form> - <!-- do not remove the two following div's, this is where your feedback/output will land --> - <div class="attack-feedback"></div> - <div class="attack-output"></div> - <!-- ... 
of course, you can move them if you want to, but that will not look consistent to other lessons --> - </div> - - </div> - - - <div class="attack-container"> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> - + <form class="attack-form" accept-charset="UNKNOWN" + method="POST" name="form" + action="/WebGoat/VulnerableComponents/attack1" + enctype="application/json;charset=UTF-8"> + <div id="lessonContent"> + <form accept-charset="UNKNOWN" method="POST" name="form" + action="#attack/307/100" enctype=""> + Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input + name="SUBMIT" value="Go!" type="SUBMIT"/> + </form> + </div> + </form> <!-- do not remove the two following div's, this is where your feedback/output will land --> <div class="attack-feedback"></div> <div class="attack-output"></div>
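Review bot: The added markup nests a second `<form>` inside the new `attack-form` form, which HTML does not allow: parsers ignore the inner start tag and the inner `</form>` then closes the outer form, so the inner `action="#attack/307/100"` and `enctype=""` never apply and the DOM differs from what the source suggests. A single form around the inputs is enough, e.g. `<form class="attack-form" accept-charset="UTF-8" method="POST" name="form" action="/WebGoat/VulnerableComponents/attack1">`. `application/json;charset=UTF-8` is not a valid form `enctype` (browsers fall back to URL-encoded submission), so dropping that attribute also matches the `@RequestParam` binding introduced in VulnerableComponentsLesson.java.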