added assignment draft (not working yet)

2018-11-20 01:17:52 +01:00
parent 760c3f2990
commit 73c2313658
3 changed files with 173 additions and 0 deletions
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
@@ -0,0 +1,83 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.tools.*;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@AssignmentPath("CrossSiteScripting/attack3")
+//@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
+public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
+
+    @RequestMapping(method = RequestMethod.POST)
+    @ResponseBody
+    public AttackResult completed(@RequestParam String editor) {
+        String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
+        editor = editor.replaceAll("\\<.*?>","");
+        boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
+        List<Diagnostic> hasCompiled = this.compileFromString(editor);
+        String errors = "";
+        if(hasImportant && hasCompiled.size() < 1) {
+            return trackProgress(success().build());
+        } else if(hasCompiled.size() > 1) {
+            for(Diagnostic d : hasCompiled) {
+                errors += d.getMessage(null) + "\n";
+            }
+        }
+        return trackProgress(failed().output(errors).build());
+    }
+
+    private List<Diagnostic> compileFromString(String s) {
+        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
+        DiagnosticCollector diagnosticsCollector = new DiagnosticCollector();
+        StandardJavaFileManager fileManager  = compiler.getStandardFileManager(diagnosticsCollector, null, null);
+        JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s);
+        Iterable fileObjects = Arrays.asList(javaObjectFromString);
+        JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects);
+        Boolean result = task.call();
+        List<Diagnostic> diagnostics = diagnosticsCollector.getDiagnostics();
+        return diagnostics;
+    }
+
+    private SimpleJavaFileObject getJavaFileContentsAsString(String s){
+        StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { public static void main(String[] args) {" + s + "}}");
+        JavaObjectFromString javaFileObject = null;
+        try{
+            javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
+        }catch(Exception exception){
+            exception.printStackTrace();
+        }
+        return javaFileObject;
+    }
+
+    class JavaObjectFromString extends SimpleJavaFileObject {
+        private String contents = null;
+        public JavaObjectFromString(String className, String contents) throws Exception{
+            super(new URI(className), Kind.SOURCE);
+            this.contents = contents;
+        }
+        public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
+            return contents;
+        }
+    }
+
+    private boolean check_text(String regex, String text) {
+        Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
+        Matcher m = p.matcher(text);
+        if(m.find())
+            return true;
+        else return false;
+    }
+}
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@@ -5,10 +5,35 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScriptingMitigation_plan.adoc"></div>
 </div>
+
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
 </div>

+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8a.adoc"></div>
+	<div class="attack-container" style="height: 300px; border: none !important">
+		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+		<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
+			<div>
+				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
+				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
+				<script th:src="@{/lesson_js/assignment10b.js}" type="text/javascript" charset="utf-8"></script>
+				<script>
+                    var editor = ace.edit("editor");
+                    editor.setTheme("ace/theme/monokai");
+                    editor.session.setMode("ace/mode/html");
+				</script>
+			</div>
+			<div class="input-group" style="margin-top: 10px">
+				<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
+			</div>
+		</form>
+		<div class="attack-feedback"></div>
+		<div class="attack-output"></div>
+	</div>
+</div>
+
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
 </div>
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
@@ -0,0 +1,65 @@
+== Reflective XSS
+
+See the HTML file below which passes data to a JSP file.
+
+[source,html]
+-------------------------------------------------------
+<html>
+   <body>
+
+      <form action = "main.jsp" method = "POST">
+         First Name: <input type = "text" name = "first_name">
+         <br />
+         Last Name: <input type = "text" name = "last_name" />
+         <input type = "submit" value = "Submit" />
+      </form>
+
+   </body>
+</html>
+-------------------------------------------------------
+
+Here is the JSP file:
+
+[source,html]
+-------------------------------------------------------
+<html>
+   <head>
+      <title>Using GET and POST Method to Read Form Data</title>
+   </head>
+
+   <body>
+      <center>
+      <h1>Using POST Method to Read Form Data</h1>
+
+      <ul>
+         <li><p><b>First Name:</b>
+            <%= request.getParameter("first_name")%>
+         </p></li>
+         <li><p><b>Last  Name:</b>
+            <%= request.getParameter("last_name")%>
+         </p></li>
+      </ul>
+
+   </body>
+</html>
+-------------------------------------------------------
+
+
+As you can see the JSP file prints unfiltered user input which is never a good idea.
+You want people to accesses the page like this:
+
+----
+http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
+----
+
+But what happens if someone uses this link:
+----
+http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
+----
+
+=== It's your turn!
+
+Try to prevent this kind of XSS by escaping the url parameters:
+
+
+