Merge pull request #487 from matthias-g/xssFixes
Small lesson improvements
This commit is contained in:
misfir3
GitHub
commit
701a99cf8f
@ -1,15 +1,15 @@
|
||||
== Identify Potential for DOM-Based XSS
|
||||
|
||||
DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
|
||||
Look for a route that takes inputs that you can ID being 'reflected' to the page.
|
||||
Look for a route that takes inputs that are being 'reflected' to the page.
|
||||
|
||||
For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
|
||||
Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
|
||||
|
||||
Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9 (although maybe slightly different). The 'base route' in this case is:
|
||||
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is:
|
||||
*start.mvc#lesson/*
|
||||
The *CrossSiteScripting.lesson/9* after that are parameters that are processed by the javascript route handler.
|
||||
|
||||
The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
|
||||
|
||||
So, what is test route for this test code?
|
||||
So, what is the route for the test code that stayed in the app during production?
|
||||
To answer this question, you have to check the javascript source.
|
||||
@ -8,4 +8,4 @@ The function you want to execute is ...
|
||||
|
||||
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
|
||||
|
||||
Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
|
||||
Once you do trigger it, a subsequent response will come to your browser's console with a random number. Put that random number in below.
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
action="/WebGoat/csrf/basic-get-flag"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
<input name="csrf" type="hidden" value="false"/>
|
||||
<input type="submit" name="ubmit="/>
|
||||
<input type="submit" name="submit"/>
|
||||
|
||||
</form>
|
||||
|
||||
|
||||
@ -5,6 +5,7 @@ import io.jsonwebtoken.Claims;
|
||||
import io.jsonwebtoken.Jwt;
|
||||
import io.jsonwebtoken.JwtException;
|
||||
import io.jsonwebtoken.Jwts;
|
||||
import io.jsonwebtoken.impl.TextCodec;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
@ -25,7 +26,6 @@ import java.time.Duration;
|
||||
import java.time.Instant;
|
||||
import java.util.Date;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
import static java.util.Comparator.comparingLong;
|
||||
import static java.util.Optional.ofNullable;
|
||||
@ -39,7 +39,7 @@ import static java.util.stream.Collectors.toList;
|
||||
@AssignmentHints({"jwt-change-token-hint1", "jwt-change-token-hint2", "jwt-change-token-hint3", "jwt-change-token-hint4", "jwt-change-token-hint5"})
|
||||
public class JWTVotesEndpoint extends AssignmentEndpoint {
|
||||
|
||||
public static final String JWT_PASSWORD = "victory";
|
||||
public static final String JWT_PASSWORD = TextCodec.BASE64.encode("victory");
|
||||
private static String validUsers = "TomJerrySylvester";
|
||||
|
||||
private static int totalVotes = 38929;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user