Changed XXE lessons to use photo comment example

2017-05-04 06:25:11 +02:00
parent 05f6fb226f
commit 6f0f71b131
9 changed files with 250 additions and 155 deletions
--- a/webgoat-lessons/xxe/src/main/resources/html/XXE.html
+++ b/webgoat-lessons/xxe/src/main/resources/html/XXE.html
@ -48,13 +48,13 @@
                </div>
                <div class="post-footer">
                    <div class="input-group">
-                        <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
+                        <input class="form-control" id="commentInputSimple" placeholder="Add a comment" type="text"/>
                        <span class="input-group-addon">
-                                <i id="postComment" class="fa fa-edit" style="font-size: 20px"></i>
+                                <i id="postCommentSimple" class="fa fa-edit" style="font-size: 20px"></i>
                            </span>
                    </div>
                    <ul class="comments-list">
-                        <div id="comments_list">
+                        <div id="commentsListSimple">
                        </div>
                    </ul>
                </div>
@ -68,111 +68,112 @@
 </div>

 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-        <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-        <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
-              action="/WebGoat/XXE/content-type" contentType="application/json">
-            <div id="lessonContent">
-                <strong>Registration form</strong>
-                <form prepareData="registerJson" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
-                    <table>
-                        <tr>
-                            <td>Username</td>
-                            <td><input name="username" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>E-mail</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>Password</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td></td>
-                            <td align="right"><input type="submit" value="Sign up"/></td>
-                        </tr>
-                    </table>
-                    <br/>
-                    <br/>
-                </form>
-                <div class="attack-feedback"></div>
-                <div class="attack-output"></div>
+        <div class="container-fluid">
+            <div class="panel post">
+                <div class="post-heading">
+                    <div class="pull-left image">
+                        <img th:src="@{/images/avatar1.png}"
+                             class="img-circle avatar" alt="user profile image"/>
+                    </div>
+                    <div class="pull-left meta">
+                        <div class="title h5">
+                            <a href="#"><b>John Doe</b></a>
+                            uploaded a photo.
+                        </div>
+                        <h6 class="text-muted time">24 days ago</h6>
+                    </div>
+                </div>
+
+                <div class="post-image">
+                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+                </div>
+
+                <div class="post-description">
+
+                </div>
+                <div class="post-footer">
+                    <div class="input-group">
+                        <input class="form-control" id="commentInputContentType" placeholder="Add a comment" type="text"/>
+                        <span class="input-group-addon">
+                                <i id="postCommentContentType" class="fa fa-edit" style="font-size: 20px"></i>
+                            </span>
+                    </div>
+                    <ul class="comments-list">
+                        <div id="commentsListContentType">
+                        </div>
+                    </ul>
+                </div>
            </div>
-        </form>
+        </div>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
    </div>
 </div>


 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:XXE_overflow.adoc"></div>
 </div>

 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:XXE_blind.adoc"></div>
 </div>

 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:XXE_blind_assignment.adoc"></div>
    <div class="attack-container">
        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
-        <!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
-        <!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
-        <form class="attack-form" accept-charset="UNKNOWN" prepareData="register" method="POST" name="form"
-              action="/WebGoat/XXE/blind" contentType="application/xml">
-            <div id="lessonContent">
-                <strong>Registration form</strong>
-                <form prepareData="register" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
-                    <table>
-                        <tr>
-                            <td>Username</td>
-                            <td><input name="username" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>E-mail</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td>Password</td>
-                            <td><input name="email" value="" type="TEXT"/></td>
-                        </tr>
-                        <tr>
-                            <td></td>
-                            <td align="right"><input type="submit" value="Sign up"/></td>
-                        </tr>
-                    </table>
-                    <br/>
-                    <br/>
-                </form>
-                <div class="attack-feedback"></div>
-                <div class="attack-output"></div>
+        <div class="container-fluid">
+            <div class="panel post">
+                <div class="post-heading">
+                    <div class="pull-left image">
+                        <img th:src="@{/images/avatar1.png}"
+                             class="img-circle avatar" alt="user profile image"/>
+                    </div>
+                    <div class="pull-left meta">
+                        <div class="title h5">
+                            <a href="#"><b>John Doe</b></a>
+                            uploaded a photo.
+                        </div>
+                        <h6 class="text-muted time">24 days ago</h6>
+                    </div>
+                </div>
+
+                <div class="post-image">
+                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+                </div>
+
+                <div class="post-description">
+
+                </div>
+                <div class="post-footer">
+                    <div class="input-group">
+                        <input class="form-control" id="commentInput" placeholder="Add a comment" type="text"/>
+                        <span class="input-group-addon">
+                                <i id="postCommentBlind" class="fa fa-edit" style="font-size: 20px"></i>
+                            </span>
+                    </div>
+                    <ul class="comments-list">
+                        <div id="commentsListBlind">
+                        </div>
+                    </ul>
+                </div>
            </div>
-        </form>
+        </div>
+
+        <br/>
+        <div class="attack-feedback"></div>
+        <div class="attack-output"></div>
    </div>
 </div>


 <div class="lesson-page-wrapper">
-    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
-    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
    <div class="adoc-content" th:replace="doc:XXE_mitigation.adoc"></div>
 </div>

--- a/webgoat-lessons/xxe/src/main/resources/images/avatar1.png
+++ b/webgoat-lessons/xxe/src/main/resources/images/avatar1.png
--- a/webgoat-lessons/xxe/src/main/resources/js/xxe.js
+++ b/webgoat-lessons/xxe/src/main/resources/js/xxe.js
@ -1,22 +1,73 @@
 $(document).ready(function () {
-    $("#postComment").unbind();
-    $("#postComment").on("click", function () {
-        var commentInput = $("#commentInput").val();
+    $("#postCommentSimple").unbind();
+    $("#postCommentSimple").on("click", function () {
+        var commentInput = $("#commentInputSimple").val();
+        var xml = '<?xml version="1.0"?>' +
+            '<comment>' +
+            '  <text>' + commentInput + '</text>' +
+            '</comment>';
        $.ajax({
            type: 'POST',
            url: 'xxe/simple',
-            data: JSON.stringify({text: commentInput}),
-            contentType: "application/json",
-            dataType: 'json'
+            data: xml,
+            contentType: "application/xml",
+            dataType: 'xml',
+            complete: function (data) {
+                $("#commentInputSimple").val('');
+                getComments('#commentsListSimple')
+            }
+        })
+    });
+    getComments('#commentsListSimple');
+});
+
+$(document).ready(function () {
+    $("#postCommentBlind").unbind();
+    $("#postCommentBlind").on("click", function () {
+        var commentInput = $("#commentInput").val();
+        var xml = '<?xml version="1.0"?>' +
+            '<comment>' +
+            '  <text>' + commentInput + '</text>' +
+            '</comment>';
+        $.ajax({
+            type: 'POST',
+            url: 'xxe/blind',
+            data: xml,
+            contentType: "application/xml",
+            dataType: 'xml'
        }).then(
            function () {
-                getComments();
+                getComments('#commentsListBlind');
                $("#commentInput").val('');
            }
        )
-    })
+    });
+    getComments('#commentsListBlind');
+});
+
+$(document).ready(function () {
+    $("#postCommentContentType").unbind();
+    $("#postCommentContentType").on("click", function () {
+        var commentInput = $("#commentInputContentType").val();
+        $.ajax({
+            type: 'POST',
+            url: 'xxe/content-type',
+            data: JSON.stringify({text: commentInput}),
+            contentType: "application/json",
+            dataType: 'xml'
+        }).then(
+            function () {
+                getComments('#commentsListContentType');
+                $("#commentInputContentType").val('');
+            }
+        )
+    });
+    getComments('#commentsListContentType');
+});
+
+$(document).ready(function () {
    getComments();
-})
+});

 var html = '<li class="comment">' +
    '<div class="pull-left">' +
@ -31,15 +82,15 @@ var html = '<li class="comment">' +
    '</div>' +
    '</li>';

-function getComments() {
-    $.get("xxe/simple", function (result, status) {
-        $("#comments_list").empty();
+function getComments(field) {
+    $.get("xxe/comments", function (result, status) {
+        $(field).empty();
        for (var i = 0; i < result.length; i++) {
            var comment = html.replace('USER', result[i].user);
            comment = comment.replace('DATETIME', result[i].dateTime);
            comment = comment.replace('COMMENT', result[i].text);
-            $("#comments_list").append(comment);
+            $(field).append(comment);
        }

    });
-}
+}
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
@ -8,11 +8,11 @@ Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This

 [source]
 ----
-curl -i http://localhost:8080/WebGoat/XXE/ping
+curl -i http://localhost:8080/WebGoat/XXE/ping?text=HelloWorld

 will result in:

-GET curl/7.45.0
+GET curl/7.45.0 HelloWorld
 ----

 at the server side.
@ -33,12 +33,12 @@ Now submit the form and change the xml to:
 ----
 <?xml version="1.0"?>
 <!DOCTYPE root [
-<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/plugin_lessons/XXE/attack.dtd">
+<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/XXE/attack.dtd">
 %remote;
 ]>
-<user>
-  <username>test&ping;</username>
-</user>
+<comment>
+  <text>test&ping;</text>
+</comment>
 ----

 Now if we check our server log we will see:
@ -48,7 +48,8 @@ Now if we check our server log we will see:
 GET Java/1.8.0_101 HelloWorld
 ----

-So with the XXE we are able to ping our own server which means XXE injection is possible.
+So with the XXE we are able to ping our own server which means XXE injection is possible. So with the XXE injection
+we are basically able to reach the same effect as we did in the beginning with the curl command.

 [NOTE]
 In this case we use http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd to fetch the dtd but in reality this will