Solved issue with POST in vulnerable components lesson

Nanne Baars 2017-02-07 23:49:26 +01:00
parent 8d3b028acc
commit 65d728dfff
2 changed files with 15 additions and 27 deletions


@ -4,9 +4,9 @@ import com.thoughtworks.xstream.XStream;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import java.io.IOException; import java.io.IOException;
@ -49,7 +49,7 @@ import java.io.IOException;
public class VulnerableComponentsLesson extends AssignmentEndpoint { public class VulnerableComponentsLesson extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST) @RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestBody String payload) throws IOException { public @ResponseBody AttackResult completed(@RequestParam String payload) throws IOException {
String process = "open"; String process = "open";
String arguments = "/Applications/Calculator.app"; String arguments = "/Applications/Calculator.app";
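Review bot: `completed` has no comment saying that `payload` is untrusted request data or that this endpoint is intentionally vulnerable. Given the XStream import it presumably reaches an XStream call, though that is outside the hunk. A one-line Javadoc such as `/** Intentionally vulnerable lesson endpoint: payload is untrusted user input; do not reuse outside WebGoat. */` would keep the pattern from being copied into real code. Separately, assuming the right-hand column is the new side, `@RequestParam String payload` is required by default, so a POST without the field gets a 400 from Spring before the lesson can return an `AttackResult`; `@RequestParam(required = false) String payload` with an explicit empty check would let the lesson give feedback instead. The body of `completed` continues beyond the hunk.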


@ -132,8 +132,7 @@
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div> <div class="adoc-content" th:replace="doc:VulnerableComponents_content5.adoc"></div>
<div class="attack-container"> <div class="attack-container">
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div id="lessonContent">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
@ -141,25 +140,14 @@
method="POST" name="form" method="POST" name="form"
action="/WebGoat/VulnerableComponents/attack1" action="/WebGoat/VulnerableComponents/attack1"
enctype="application/json;charset=UTF-8"> enctype="application/json;charset=UTF-8">
<div id="lessonContent">
<form accept-charset="UNKNOWN" method="POST" name="form"
action="#attack/307/100" enctype="">
Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input Enter Your XML payload: <input name="payload" value="" type="TEXT"/><input
name="SUBMIT" value="Go!" type="SUBMIT"/> name="SUBMIT" value="Go!" type="SUBMIT"/>
</form> </form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</form>
</div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div> <div class="attack-feedback"></div>
<div class="attack-output"></div> <div class="attack-output"></div>
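Review bot: The form still declares `enctype="application/json;charset=UTF-8"` (the context line just above the payload input), which is not an encoding an HTML form can submit and does not match an endpoint that binds a form parameter named `payload`. Browsers ignore an unknown enctype and fall back to url-encoded, so the lesson may work only by accident; whether WebGoat's ajax handler reads this attribute is not visible here. I would drop the attribute or set `enctype="application/x-www-form-urlencoded"` so the markup states what is actually sent. The opening `<form` tag sits above the hunk.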