"); + cart.append( " -------------------
"); + cart.append( " $" + totalSale); - if (field1.toLowerCase().contains("")) { + //init state + if (userSessionData.getValue("xss-reflected1-complete") == null) { + userSessionData.setValue("xss-reflected1-complete",(Object)"false"); + } + + if (field1.toLowerCase().contains("")) { //return trackProgress() - userSessionData.setValue("xss-reflected-5a-complete","true"); - return trackProgress(success() - .feedback("xss-reflected-5a-success") - .output(cart.toString()) - .build()); + userSessionData.setValue("xss-reflected-5a-complete","true"); + return trackProgress(success() + .feedback("xss-reflected-5a-success") + .output(cart.toString()) + .build()); } else { - userSessionData.setValue("xss-reflected1-complete","false"); - return trackProgress(success() - .feedback("xss-reflected-5a-failure") - .output(cart.toString()) - .build()); - } + userSessionData.setValue("xss-reflected1-complete","false"); + return trackProgress(success() + .feedback("xss-reflected-5a-failure") + .output(cart.toString()) + .build()); + } } } \ No newline at end of file diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java index 7bd3456ff..aa27c4195 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java @@ -1,8 +1,40 @@ +/*************************************************************************************************** + * + * + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew WebGoat + * @created October 28, 2003 + */ + package org.owasp.webgoat.plugin; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; +import org.owasp.webgoat.session.UserSessionData; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; @@ -10,27 +42,27 @@ import org.springframework.web.bind.annotation.ResponseBody; import javax.servlet.http.HttpServletRequest; import java.io.IOException; +import java.security.SecureRandom; -/** - * Created by jason on 11/23/16. - */ -@AssignmentPath("/CrossSiteScripting/dom-xss") + +@AssignmentPath("/CrossSiteScripting/phone-home-xss") public class DOMCrossSiteScripting extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) public @ResponseBody AttackResult completed(@RequestParam Integer param1, @RequestParam Integer param2, HttpServletRequest request) throws IOException { + + UserSessionData userSessionData = getUserSessionData(); + SecureRandom number = new SecureRandom(); + userSessionData.setValue("randValue",number.nextInt()); + if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) { - System.out.println("DOM-XSS successful, param1 is 42"); - return trackProgress(success().build()); + System.out.println(userSessionData.getValue("randValue") + " << randValue"); + return trackProgress(success().output("phoneHome Response is " + userSessionData.getValue("randValue").toString()).build()); } else { return trackProgress(failed().build()); } } } -// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E -// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere"; + + static { + comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "Comment for Unit Testing")); + comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "This comment is safe")); + comments.add(new Comment("guest", DateTime.now().toString(fmt), "This one is safe too.")); + comments.add(new Comment("guest", DateTime.now().toString(fmt), "Can you post a comment, calling webgoat.customjs.phoneHome() ?")); + } + + @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE,consumes = ALL_VALUE) + @ResponseBody + public Collection
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
+
+
+
+
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ![]()
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ![]()
+
+
+
+
-
- ' +
+ ' ';
+
+ getChallenges();
+
+ function getChallenges() {
+ $("#list").empty();
+ $.get('CrossSiteScripting/stored-xss', function (result, status) {
+ for (var i = 0; i < result.length; i++) {
+ var comment = html.replace('USER', result[i].user);
+ comment = comment.replace('DATETIME', result[i].dateTime);
+ comment = comment.replace('COMMENT', result[i].text);
+ $("#list").append(comment);
+ }
+
+ });
+ }
+})
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content10-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content11-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content12-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content13a-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content14-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content15a-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16-off.adoc
similarity index 100%
rename from webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16.adoc
rename to webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content16-off.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
index 477752127..16de62421 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content5b.adoc
@@ -1,5 +1,10 @@
-== Was it Really Reflected XSS?
+== Self XSS or Reflected XSS?
-You should have been able to execute script with the last example. Was it truly reflected XSS?
+You should have been able to execute script with the last example. At this point, it would be considered 'self XSS' though.
+Why is that?
+That is because there is no link that would tigger that XSS.
+You can try it yourself to see what happens ... go to (substitute localhost with your server's name or IP if you need to):
+
+link: http://localhost:8080/WebGoat/CrossSiteScripting/attack5a?QTY1=1&QTY2=1&QTY3=1&QTY4=1&field1=4128+3214+0002+1999&field2=111
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
index 1445c3baf..0a8ba10db 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6.adoc
@@ -1,8 +1,10 @@
-== DOM-Based XSS Scenario
+== Reflected and DOM-Based XSS
-DOM-based XSS is similar to reflected. The difference is that the payload will never go to the server, but will only ever be processed by the client.
+DOM-based XSS is another form of reflected XSS. Both are triggered by sending a link with inputs that are reflected to the browser.
+The difference between DOM and 'traditional' reflected XSS is that, with DOM, the payload will never go to the server. It will only ever be processed by the client.
-* Attacker sends a malicious URL to victim
+
+* Attacker sends a malicious URL to victim
* Victim clicks on the link
* That link may load a malicious web page or a web page they use (are logged into?) that has a vulnerable route/handler
* If it's a malicious web page, it may use it's own JavaScript to attack another page/url with a vulnerable route/handler
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
index 08176abe4..656d9f4de 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6a.adoc
@@ -1,12 +1,15 @@
== Ientify Potential for DOM-Based XSS
-For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
-(Often times test code is very simple and lacks security or any quality controls!).
+DOM-Based XSS can usually be found by looking for the route configurations in the client-side code.
+Look for a route that takes inputs that you can ID being 'reflected' to the page.
+
+For this example, you'll want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary javascript library).
+Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).
Your objective is to find the route and exploit it. First though ... what is the base route? As an example, look at the URL for this lesson ...
it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/5 (although maybe slightly different). The 'base route' in this case is:
*start.mvc#lesson/*
-The *CrossSiteScripting.lesson/5* after that are parameters that are processed by javascript route handler.
+The *CrossSiteScripting.lesson/#* after that are parameters that are processed by javascript route handler.
So, what is test route for this test code?
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
index d66d36423..3fd67b860 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content6b.adoc
@@ -1,9 +1,11 @@
== Try It! DOM-Based XSS
-Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if
-you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is ...
+Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful.
+Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat.
+The function you want to execute is ...
*webgoat.customjs.phoneHome()*
-Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab. Once you complete it, paste the output message from the log below ...
+Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.
+Once you do trigger it, a subsequent response will come to the browser with a random number. Put that random number in below.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7-off.adoc
new file mode 100644
index 000000000..95ec99a41
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7-off.adoc
@@ -0,0 +1,18 @@
+== DOM-Based XSS Example
+
+----
+
+----
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
index 95ec99a41..ebfc3c4f0 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7.adoc
@@ -1,18 +1,11 @@
-== DOM-Based XSS Example
+== Stored XSS
+Stored cross-site scripting is different in that the payload is persisted (stored) as opposed to passed/injected via a link.
-----
-
-----
+== Stored XSS Scenario
+* Attacker posts malicious script to a message board
+* Message is stored in a server database
+* Victim reads the message
+* The malicious script embedded in the message board post executes in the victim’s browser
+** The script steals sensitive information, like the session id, and releases it to the attacker
+
+*Victim does not realize attack occurred*
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc
new file mode 100644
index 000000000..f7141ffa6
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content7b.adoc
@@ -0,0 +1,6 @@
+See the comments below.
+
+Add a comment with a javascript payload. Again ... you want to call the _webgoat.customjs.phoneHome_ function.
+
+As an attacker (offensive security), keep in mind that most apps are not going to have such a straight-forwardly named compromise.
+Also, you may have to find a way to load your own javascript dynamically to fully achieve goals of exfiltrating data.
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc
new file mode 100644
index 000000000..6eda0dd78
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc
@@ -0,0 +1,20 @@
+== DOM-based XSS Defense
+
+* Attacker creates url:
++
+----
+http://mylogin.com/login?error=
+----
+
+* JavaScript must enforce input validation
++
+----
+ if ( errorMsg\[1\].match(/^[ a-zA-Z0-9:-]$/))
+ {
+ document.write(‘some error’);
+ }
+ else
+ {
+ document.write(''+errorMsg\[1\]+'');
+ }
+----
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
index 6eda0dd78..80a3c7a25 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
@@ -1,20 +1,27 @@
-== DOM-based XSS Defense
+== XSS Defense
-* Attacker creates url:
-+
-----
-http://mylogin.com/login?error=
-----
-* JavaScript must enforce input validation
-+
-----
- if ( errorMsg\[1\].match(/^[ a-zA-Z0-9:-]$/))
- {
- document.write(‘some error’);
- }
- else
- {
- document.write(''+errorMsg\[1\]+'');
- }
-----
+=== Why?
+Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession
+
+=== What to encode?
+The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen.
+That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters*
+
+Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).
+Sometimes data is shared across multiple systems and what you think is your data, may not have been created by you/your team.
+
+=== When/Where?
+Encode *as the data is sent to the browser* (not in your persisted data). In the case of *Single Page Apps (SPA's), you will need to encode
+in the client*. Consult your framework/library for me details, but some resources will be provided on the next page.
+
+=== How?
+
+ * Encode as HTML Entities in HTML Body
+ * Encode as HTML Entities in HTML Attribute
+ * Encode for Javascript if outputting user input to javascript (but think about that ... you're outputting user input into javascript on your page!!)
+
+*DO NOT* try to blacklist/negative filter on strings like 'MoreTextHere\"}")
+ .contentType(MediaType.APPLICATION_JSON));
+
+ results.andExpect(status().isOk());
+ results.andExpect(jsonPath("$.lessonCompleted",CoreMatchers.is(true)));
+ }
+
+ @Test
+ public void failure() throws Exception {
+ ResultActions results = mockMvc.perform(MockMvcRequestBuilders.post("/CrossSiteScripting/stored-xss")
+ .content("{\"text\":\"someTextHereMoreTextHere\"}")
+ .contentType(MediaType.APPLICATION_JSON));
+
+ results.andExpect(status().isOk());
+ results.andExpect(jsonPath("$.lessonCompleted",CoreMatchers.is(false)));
+ }
+
+ /* For the next two tests there is a comment seeded ...
+ comments.add(new Comment("secUriTy", DateTime.now().toString(fmt), "Comment for Unit Testing"));
+ ... the isEncoded method will remain commented out as it will fail (because WebGoat isn't supposed to be secure)
+ */
+
+ //Ensures it is vulnerable
+ @Test
+ public void isNotEncoded() throws Exception {
+ //do get to get comments after posting xss payload
+ ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
+ taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString(""))));
+ }
+
+
+ //Could be used to test an encoding solution ... commented out so build will pass. Uncommenting will fail build, but leaving in as positive Security Unit Test
+// @Test
+// public void isEncoded() throws Exception {
+// //do get to get comments after posting xss payload
+// ResultActions taintedResults = mockMvc.perform(MockMvcRequestBuilders.get("/CrossSiteScripting/stored-xss"));
+// taintedResults.andExpect(jsonPath("$[0].text",CoreMatchers.is(CoreMatchers.containsString("<scriptgt;"))));
+// }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy-win.png b/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy-win.png
index 76ba1a12b..fd3967972 100644
Binary files a/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy-win.png and b/webgoat-lessons/http-proxies/src/main/resources/images/chrome-manual-proxy-win.png differ
diff --git a/webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy-8090.png b/webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy-8090.png
new file mode 100644
index 000000000..4001bce6a
Binary files /dev/null and b/webgoat-lessons/http-proxies/src/main/resources/images/zap-local-proxy-8090.png differ
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
index bce555d3b..3970da773 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro1.adoc
@@ -17,3 +17,19 @@ When ZAP starts, you will be presented with a dialog such as the one below ...
image::images/zap-start.png[ZAP Start,548,256,style="lesson-image"]
+=== Set ZAP's port (if running WebGoat locally)
+
+*NOTE*: The following proxy set up is only needed if you are running WebGoat locally. If it's on a remote server, or you are running on
+WebGoat (or any application) that is not using port 8080 locally, you can leave ZAP at it's default. and use 8080, instead of
+8090 when setting up your browser to proxy (next page).
+
+If you are setting up ZAP while running WebGoat locally ...
+
+* Open ZAP
+* Go to Tools >> Options in the menu
+* Select 'Local Proxy' on the left
+* Input 8090 for the 'Port'
+
+*Remember*: If you are not running WebGoat locally, leave this setting along, skip to the next page and use 8080 instead of 8090
+
+image::images/zap-local-proxy-8090.png[ZAP Proxy Config,750,587,style="lesson-image"]
\ No newline at end of file
diff --git a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
index 4adcecc5f..2926daed2 100644
--- a/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
+++ b/webgoat-lessons/http-proxies/src/main/resources/lessonPlans/en/HttpBasics_ProxyIntro2.adoc
@@ -11,7 +11,7 @@ This will send all of your traffic to the proxy. Since we haven't set up a trust
. Click _Settings_
. Select _Manual proxy configuration_
.. input *127.0.0.1* as the Proxy
-.. input *8080* as the port
+.. input *8090* as the port if running WebGoat locally and you updated ZAP to 8090 (otherwise, use *8080*)
.. check the _Use this proxy server for all protocols_ checkbox
image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesson-image"]
@@ -23,7 +23,7 @@ image::images/firefox-proxy-config.png[Firefox Proxy Config,510,634,style="lesso
. Click the _Change proxy settings_ button
. Select the _proxies_ tab
. Select Web Proxy (HTTP)
-. Input 127.0.0.1 in the first box under _Web Proxy Server_ and your port # (8080 is what used earlier) in the second box (to the right)
+. Input 127.0.0.1 in the first box under _Web Proxy Server_ and your port # (8090 if running WebGoat locally, otherwise 8080) in the second box (to the right)
. You may also want to clear the _Bypass proxy settings for these Hosts & Domains_ text input at the bottom, but shouldn't need to
@@ -37,6 +37,8 @@ image::images/chrome-manual-proxy-win.png[Chrome Proxy, 394,346,style="lesson-im
(Win config image above)
+*Remember*: If running WebGoat locally, you can use ZAP's default port of 8080 instead of 8090 (or whatever number you prefer to use)
+
=== Other Proxy Configuration Options
If you don't want to manage the proxy manually, there are extensions or plugins that can help you to do so without digging through as much config,
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
index 2cde6b967..5079a2132 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORDiffAttributes.java
@@ -1,6 +1,7 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -42,6 +43,7 @@ import java.io.IOException;
*/
@AssignmentPath("IDOR/diff-attributes")
+@AssignmentHints({"idor.hints.idorDiffAttributes1","idor.hints.idorDiffAttributes2","idor.hints.idorDiffAttributes3"})
public class IDORDiffAttributes extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
index 1d196030c..1d2e7cd52 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDOREditOtherProfiile.java
@@ -1,6 +1,7 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
@@ -38,6 +39,7 @@ import org.springframework.web.bind.annotation.*;
*/
@AssignmentPath("IDOR/profile/{userId}")
+@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
public class IDOREditOtherProfiile extends AssignmentEndpoint {
@Autowired
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java
index c90188097..7d0d45dd8 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOtherProfile.java
@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
@@ -46,6 +47,7 @@ import java.util.Map;
*/
@AssignmentPath("IDOR/profile/{userId}")
+@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3","idor.hints.otherProfile4","idor.hints.otherProfile5","idor.hints.otherProfile6","idor.hints.otherProfile7","idor.hints.otherProfile8","idor.hints.otherProfile9"})
public class IDORViewOtherProfile extends AssignmentEndpoint{
@Autowired
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
index 677783200..990c9a2a7 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/IDORViewOwnProfileAltUrl.java
@@ -2,6 +2,7 @@ package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
@@ -46,6 +47,7 @@ import java.util.Map;
*/
@AssignmentPath("IDOR/profile/alt-path")
+@AssignmentHints({"idor.hints.ownProfileAltUrl1","idor.hints.ownProfileAltUrl2","idor.hints.ownProfileAltUrl3"})
public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint{
@Autowired
diff --git a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
index 622b8f5ac..952ba97b7 100644
--- a/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
+++ b/webgoat-lessons/idor/src/main/java/org/owasp/webgoat/plugin/ViewOtherUserProfile.java
@@ -1,64 +1,66 @@
-package org.owasp.webgoat.plugin;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.session.UserSessionData;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-/**
- * Created by jason on 1/5/17.
- */
-
-@AssignmentPath("/IDOR/viewprofile/{id}")
-public class ViewOtherUserProfile extends AssignmentEndpoint {
-
- private String color;
- private String size;
- private boolean isAdmin;
-
- @Autowired
- UserSessionData userSessionData;
-
- @RequestMapping(produces = {"application/json"})
- public @ResponseBody
- AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- List json = Lists.newArrayList();
- // can be re-used
- Map errorMap = new HashMap();
- errorMap.put("error","not logged in, go back and log in first");
-
- if (userSessionData.getValue("idor-authenticated-as") == null) {
- json.add(errorMap);
- return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
- } else {
- if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
- System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
- //logged in
- String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
- //secure code would check to make sure authUserId matches userId or some similar access control
- // ... and in this endpoint, we won't bother with that
- UserProfile userProfile = new UserProfile(userId);
- return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
- }
- }
- // else
- return trackProgress(failed().build());
- }
-
-
-
-
-}
+//package org.owasp.webgoat.plugin;
+//
+//import com.google.common.collect.Lists;
+//import org.owasp.webgoat.assignments.AssignmentEndpoint;
+//import org.owasp.webgoat.assignments.AssignmentHints;
+//import org.owasp.webgoat.assignments.AssignmentPath;
+//import org.owasp.webgoat.assignments.AttackResult;
+//import org.owasp.webgoat.session.UserSessionData;
+//import org.springframework.beans.factory.annotation.Autowired;
+//import org.springframework.web.bind.annotation.PathVariable;
+//import org.springframework.web.bind.annotation.RequestMapping;
+//import org.springframework.web.bind.annotation.ResponseBody;
+//
+//import javax.servlet.ServletException;
+//import javax.servlet.http.HttpServletRequest;
+//import javax.servlet.http.HttpServletResponse;
+//import java.io.IOException;
+//import java.util.HashMap;
+//import java.util.List;
+//import java.util.Map;
+//
+///**
+// * Created by jason on 1/5/17.
+// */
+//
+//@AssignmentPath("/IDOR/viewprofile/{id}")
+//@AssignmentHints({"idor.hints.otherProfile1","idor.hints.otherProfile2","idor.hints.otherProfile3"})
+//public class ViewOtherUserProfile extends AssignmentEndpoint {
+//
+// private String color;
+// private String size;
+// private boolean isAdmin;
+//
+// @Autowired
+// UserSessionData userSessionData;
+//
+// @RequestMapping(produces = {"application/json"})
+// public @ResponseBody
+// AttackResult completed(@PathVariable String userId, HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+// List json = Lists.newArrayList();
+// // can be re-used
+// Map errorMap = new HashMap();
+// errorMap.put("error","not logged in, go back and log in first");
+//
+// if (userSessionData.getValue("idor-authenticated-as") == null) {
+// json.add(errorMap);
+// return trackProgress(failed().feedback("idor.view.other.profile.failure1").build());
+// } else {
+// if (userSessionData.getValue("idor-authenticated-as").equals("bill") || userSessionData.getValue("idor-authenticated-as").equals("tom")) {
+// System.out.println("**** authenticated as " + userSessionData.getValue("idor-authenticated-as"));
+// //logged in
+// String authUserId = (String)userSessionData.getValue("idor-authenticated-user-id");
+// //secure code would check to make sure authUserId matches userId or some similar access control
+// // ... and in this endpoint, we won't bother with that
+// UserProfile userProfile = new UserProfile(userId);
+// return trackProgress(failed().feedback("idor.view.other.profile.failure2").build());
+// }
+// }
+// // else
+// return trackProgress(failed().build());
+// }
+//
+//
+//
+//
+//}
diff --git a/webgoat-lessons/idor/src/main/resources/html/IDOR.html b/webgoat-lessons/idor/src/main/resources/html/IDOR.html
index ead98411a..82fb3dcff 100644
--- a/webgoat-lessons/idor/src/main/resources/html/IDOR.html
+++ b/webgoat-lessons/idor/src/main/resources/html/IDOR.html
@@ -138,7 +138,7 @@
-
+
-
-
-
-
-
-
-
-
-
+
+
+
+
-
+
+
+
+
+
+
+
+
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
-
-
-
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ![user profile image]()
+
+
+
+ ![image post]()
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 68d7f6267..9d3490287 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -8,5 +8,7 @@ xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file.
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
-
-#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.
\ No newline at end of file
+xss-stored-comment-success=It appears your payload should invoke the function. To tell for sure, you need to capture the value and put it in the form below. Then we will really know.
+xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
+xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
+xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/images/avatar1.png b/webgoat-lessons/cross-site-scripting/src/main/resources/images/avatar1.png
new file mode 100644
index 000000000..4ea864f90
Binary files /dev/null and b/webgoat-lessons/cross-site-scripting/src/main/resources/images/avatar1.png differ
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js b/webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
new file mode 100644
index 000000000..57cc3dc55
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js
@@ -0,0 +1,45 @@
+$(document).ready(function () {
+ $("#postComment").on("click", function () {
+ var commentInput = $("#commentInput").val();
+ $.ajax({
+ type: 'POST',
+ url: 'CrossSiteScripting/stored-xss',
+ data: JSON.stringify({text: commentInput}),
+ contentType: "application/json",
+ dataType: 'json'
+ }).then(
+ function () {
+ getChallenges();
+ $("#commentInput").val('');
+ }
+ )
+ })
+
+ var html = '' +
+ '
' +
+ '
' +
+ '' +
+ '
USER
' + + 'DATETIME
' + + 'COMMENT
' + + '