added assignment draft (not working yet)
This commit is contained in:
		
				
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							760c3f2990
						
					
				
				
					commit
					73c2313658
				
			| @ -0,0 +1,83 @@ | ||||
| package org.owasp.webgoat.plugin.mitigation; | ||||
|  | ||||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||||
| import org.owasp.webgoat.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.tools.*; | ||||
| import java.io.IOException; | ||||
| import java.net.URI; | ||||
| import java.util.Arrays; | ||||
| import java.util.List; | ||||
| import java.util.regex.Matcher; | ||||
| import java.util.regex.Pattern; | ||||
|  | ||||
| @AssignmentPath("CrossSiteScripting/attack3") | ||||
| //@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"}) | ||||
| public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     @ResponseBody | ||||
|     public AttackResult completed(@RequestParam String editor) { | ||||
|         String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)"; | ||||
|         editor = editor.replaceAll("\\<.*?>",""); | ||||
|         boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", "")); | ||||
|         List<Diagnostic> hasCompiled = this.compileFromString(editor); | ||||
|         String errors = ""; | ||||
|         if(hasImportant && hasCompiled.size() < 1) { | ||||
|             return trackProgress(success().build()); | ||||
|         } else if(hasCompiled.size() > 1) { | ||||
|             for(Diagnostic d : hasCompiled) { | ||||
|                 errors += d.getMessage(null) + "\n"; | ||||
|             } | ||||
|         } | ||||
|         return trackProgress(failed().output(errors).build()); | ||||
|     } | ||||
|  | ||||
|     private List<Diagnostic> compileFromString(String s) { | ||||
|         JavaCompiler compiler = ToolProvider.getSystemJavaCompiler(); | ||||
|         DiagnosticCollector diagnosticsCollector = new DiagnosticCollector(); | ||||
|         StandardJavaFileManager fileManager  = compiler.getStandardFileManager(diagnosticsCollector, null, null); | ||||
|         JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s); | ||||
|         Iterable fileObjects = Arrays.asList(javaObjectFromString); | ||||
|         JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects); | ||||
|         Boolean result = task.call(); | ||||
|         List<Diagnostic> diagnostics = diagnosticsCollector.getDiagnostics(); | ||||
|         return diagnostics; | ||||
|     } | ||||
|  | ||||
|     private SimpleJavaFileObject getJavaFileContentsAsString(String s){ | ||||
|         StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { public static void main(String[] args) {" + s + "}}"); | ||||
|         JavaObjectFromString javaFileObject = null; | ||||
|         try{ | ||||
|             javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString()); | ||||
|         }catch(Exception exception){ | ||||
|             exception.printStackTrace(); | ||||
|         } | ||||
|         return javaFileObject; | ||||
|     } | ||||
|  | ||||
|     class JavaObjectFromString extends SimpleJavaFileObject { | ||||
|         private String contents = null; | ||||
|         public JavaObjectFromString(String className, String contents) throws Exception{ | ||||
|             super(new URI(className), Kind.SOURCE); | ||||
|             this.contents = contents; | ||||
|         } | ||||
|         public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException { | ||||
|             return contents; | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     private boolean check_text(String regex, String text) { | ||||
|         Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE); | ||||
|         Matcher m = p.matcher(text); | ||||
|         if(m.find()) | ||||
|             return true; | ||||
|         else return false; | ||||
|     } | ||||
| } | ||||
| @ -5,10 +5,35 @@ | ||||
| <div class="lesson-page-wrapper"> | ||||
| 	<div class="adoc-content" th:replace="doc:CrossSiteScriptingMitigation_plan.adoc"></div> | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
| 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div> | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
| 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8a.adoc"></div> | ||||
| 	<div class="attack-container" style="height: 300px; border: none !important"> | ||||
| 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> | ||||
| 		<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8"> | ||||
| 			<div> | ||||
| 				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div> | ||||
| 				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script> | ||||
| 				<script th:src="@{/lesson_js/assignment10b.js}" type="text/javascript" charset="utf-8"></script> | ||||
| 				<script> | ||||
|                     var editor = ace.edit("editor"); | ||||
|                     editor.setTheme("ace/theme/monokai"); | ||||
|                     editor.session.setMode("ace/mode/html"); | ||||
| 				</script> | ||||
| 			</div> | ||||
| 			<div class="input-group" style="margin-top: 10px"> | ||||
| 				<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button> | ||||
| 			</div> | ||||
| 		</form> | ||||
| 		<div class="attack-feedback"></div> | ||||
| 		<div class="attack-output"></div> | ||||
| 	</div> | ||||
| </div> | ||||
|  | ||||
| <div class="lesson-page-wrapper"> | ||||
| 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div> | ||||
| </div> | ||||
|  | ||||
| @ -0,0 +1,65 @@ | ||||
| == Reflective XSS | ||||
|  | ||||
| See the HTML file below which passes data to a JSP file. | ||||
|  | ||||
| [source,html] | ||||
| ------------------------------------------------------- | ||||
| <html> | ||||
|    <body> | ||||
|  | ||||
|       <form action = "main.jsp" method = "POST"> | ||||
|          First Name: <input type = "text" name = "first_name"> | ||||
|          <br /> | ||||
|          Last Name: <input type = "text" name = "last_name" /> | ||||
|          <input type = "submit" value = "Submit" /> | ||||
|       </form> | ||||
|  | ||||
|    </body> | ||||
| </html> | ||||
| ------------------------------------------------------- | ||||
|  | ||||
| Here is the JSP file: | ||||
|  | ||||
| [source,html] | ||||
| ------------------------------------------------------- | ||||
| <html> | ||||
|    <head> | ||||
|       <title>Using GET and POST Method to Read Form Data</title> | ||||
|    </head> | ||||
|  | ||||
|    <body> | ||||
|       <center> | ||||
|       <h1>Using POST Method to Read Form Data</h1> | ||||
|  | ||||
|       <ul> | ||||
|          <li><p><b>First Name:</b> | ||||
|             <%= request.getParameter("first_name")%> | ||||
|          </p></li> | ||||
|          <li><p><b>Last  Name:</b> | ||||
|             <%= request.getParameter("last_name")%> | ||||
|          </p></li> | ||||
|       </ul> | ||||
|  | ||||
|    </body> | ||||
| </html> | ||||
| ------------------------------------------------------- | ||||
|  | ||||
|  | ||||
| As you can see the JSP file prints unfiltered user input which is never a good idea. | ||||
| You want people to accesses the page like this: | ||||
|  | ||||
| ---- | ||||
| http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith | ||||
| ---- | ||||
|  | ||||
| But what happens if someone uses this link: | ||||
| ---- | ||||
| http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script> | ||||
| ---- | ||||
|  | ||||
| === It's your turn! | ||||
|  | ||||
| Try to prevent this kind of XSS by escaping the url parameters: | ||||
|  | ||||
|  | ||||
|  | ||||
		Reference in New Issue
	
	Block a user