added assignment draft (not working yet)

2018-11-20 01:17:52 +01:00 · 2018-11-20 01:17:52 +01:00 · 73c2313658
commit 73c2313658
parent 760c3f2990
3 changed files with 173 additions and 0 deletions
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java
@ -0,0 +1,83 @@
 package org.owasp.webgoat.plugin.mitigation;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.tools.*;
 import java.io.IOException;
 import java.net.URI;
 import java.util.Arrays;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@AssignmentPath("CrossSiteScripting/attack3")
 //@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
 public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
    @RequestMapping(method = RequestMethod.POST)
    @ResponseBody
    public AttackResult completed(@RequestParam String editor) {
        String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
        editor = editor.replaceAll("\\<.*?>","");
        boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
        List<Diagnostic> hasCompiled = this.compileFromString(editor);
        String errors = "";
        if(hasImportant && hasCompiled.size() < 1) {
            return trackProgress(success().build());
        } else if(hasCompiled.size() > 1) {
            for(Diagnostic d : hasCompiled) {
                errors += d.getMessage(null) + "\n";
            }
        }
        return trackProgress(failed().output(errors).build());
    }
    private List<Diagnostic> compileFromString(String s) {
        JavaCompiler compiler = ToolProvider.getSystemJavaCompiler();
        DiagnosticCollector diagnosticsCollector = new DiagnosticCollector();
        StandardJavaFileManager fileManager  = compiler.getStandardFileManager(diagnosticsCollector, null, null);
        JavaFileObject javaObjectFromString = getJavaFileContentsAsString(s);
        Iterable fileObjects = Arrays.asList(javaObjectFromString);
        JavaCompiler.CompilationTask task = compiler.getTask(null, fileManager, diagnosticsCollector, null, null, fileObjects);
        Boolean result = task.call();
        List<Diagnostic> diagnostics = diagnosticsCollector.getDiagnostics();
        return diagnostics;
    }
    private SimpleJavaFileObject getJavaFileContentsAsString(String s){
        StringBuilder javaFileContents = new StringBuilder("import java.sql.*; public class TestClass { public static void main(String[] args) {" + s + "}}");
        JavaObjectFromString javaFileObject = null;
        try{
            javaFileObject = new JavaObjectFromString("TestClass.java", javaFileContents.toString());
        }catch(Exception exception){
            exception.printStackTrace();
        }
        return javaFileObject;
    }
    class JavaObjectFromString extends SimpleJavaFileObject {
        private String contents = null;
        public JavaObjectFromString(String className, String contents) throws Exception{
            super(new URI(className), Kind.SOURCE);
            this.contents = contents;
        }
        public CharSequence getCharContent(boolean ignoreEncodingErrors) throws IOException {
            return contents;
        }
    }
    private boolean check_text(String regex, String text) {
        Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
        Matcher m = p.matcher(text);
        if(m.find())
            return true;
        else return false;
    }
 }
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@ -5,10 +5,35 @@
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScriptingMitigation_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8a.adoc"></div>
 	<div class="attack-container" style="height: 300px; border: none !important">
 		<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 		<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
 			<div>
 				<div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
 				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
 				<script th:src="@{/lesson_js/assignment10b.js}" type="text/javascript" charset="utf-8"></script>
 				<script>
                    var editor = ace.edit("editor");
                    editor.setTheme("ace/theme/monokai");
                    editor.session.setMode("ace/mode/html");
 				</script>
 			</div>
 			<div class="input-group" style="margin-top: 10px">
 				<button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
 			</div>
 		</form>
 		<div class="attack-feedback"></div>
 		<div class="attack-output"></div>
 	</div>
 </div>
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
 </div>
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8a.adoc
@ -0,0 +1,65 @@
 == Reflective XSS
 See the HTML file below which passes data to a JSP file.
 [source,html]
 -------------------------------------------------------
 <html>
   <body>
      <form action = "main.jsp" method = "POST">
         First Name: <input type = "text" name = "first_name">
         <br />
         Last Name: <input type = "text" name = "last_name" />
         <input type = "submit" value = "Submit" />
      </form>
   </body>
 </html>
 -------------------------------------------------------
 Here is the JSP file:
 [source,html]
 -------------------------------------------------------
 <html>
   <head>
      <title>Using GET and POST Method to Read Form Data</title>
   </head>
   <body>
      <center>
      <h1>Using POST Method to Read Form Data</h1>
      <ul>
         <li><p><b>First Name:</b>
            <%= request.getParameter("first_name")%>
         </p></li>
         <li><p><b>Last  Name:</b>
            <%= request.getParameter("last_name")%>
         </p></li>
      </ul>
   </body>
 </html>
 -------------------------------------------------------
 As you can see the JSP file prints unfiltered user input which is never a good idea.
 You want people to accesses the page like this:
 ----
 http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
 ----
 But what happens if someone uses this link:
 ----
 http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
 ----
 === It's your turn!
 Try to prevent this kind of XSS by escaping the url parameters: