diff --git a/webgoat-lessons/bypass-restrictions/pom.xml b/webgoat-lessons/bypass-restrictions/pom.xml new file mode 100755 index 000000000..0f5b02576 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/pom.xml @@ -0,0 +1,34 @@ +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> + <modelVersion>4.0.0</modelVersion> + <artifactId>bypass-restrictions</artifactId> + <packaging>jar</packaging> + <parent> + <groupId>org.owasp.webgoat.lesson</groupId> + <artifactId>webgoat-lessons-parent</artifactId> + <version>8.0-SNAPSHOT</version> + </parent> + + <dependencies> + <dependency> + <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-test</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.springframework.security</groupId> + <artifactId>spring-security-test</artifactId> + <version>4.1.3.RELEASE</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <version>${junit.version}</version> + <type>jar</type> + <scope>test</scope> + </dependency> + + </dependencies> + +</project> diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java new file mode 100755 index 000000000..5f74cea57 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictions.java @@ -0,0 +1,63 @@ +package org.owasp.webgoat.plugin; + +import com.beust.jcommander.internal.Lists; +import org.owasp.webgoat.lessons.Category; +import org.owasp.webgoat.lessons.NewLesson; + +import java.util.List; + +/** + * ************************************************************************************************ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + * <p> + * Copyright (c) 2002 - 20014 Bruce Mayhew + * <p> + * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * <p> + * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * <p> + * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + * <p> + * Getting Source ============== + * <p> + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + * <p> + * + * @author WebGoat + * @version $Id: $Id + * @since October 12, 2016 + */ +public class BypassRestrictions extends NewLesson { + @Override + public Category getDefaultCategory() { + return Category.PARAMETER_TAMPERING; + } + + @Override + public List<String> getHints() { + return Lists.newArrayList(); + } + + @Override + public Integer getDefaultRanking() { + return 2; + } + + @Override + public String getTitle() { + return "bypass-restrictions.title"; + } + + @Override + public String getId() { + return "BypassRestrictions"; + } +} diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java new file mode 100755 index 000000000..b916019f8 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFieldRestrictions.java @@ -0,0 +1,74 @@ +package org.owasp.webgoat.plugin; + +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository + * for free software projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> + * @created October 28, 2003 + */ +@AssignmentPath("/BypassRestrictions/FieldRestrictions") +public class BypassRestrictionsFieldRestrictions extends AssignmentEndpoint { + + @RequestMapping(method = RequestMethod.POST) + public + @ResponseBody + AttackResult completed(@RequestParam String select, @RequestParam String radio, @RequestParam String checkbox, @RequestParam String shortInput) throws IOException { + if (select.toString().equals("option1") || select.toString().equals("option2")) { + return trackProgress(failed().build()); + } + if (radio.toString().equals("option1") || radio.toString().equals("option2")) { + return trackProgress(failed().build()); + } + if (checkbox.toString().equals("on") || checkbox.toString().equals("off")) { + return trackProgress(failed().build()); + } + if (shortInput.toString().length() <= 5) { + return trackProgress(failed().build()); + } + /*if (disabled == null) { + return trackProgress(failed().build()); + } + if (submit.toString().equals("submit")) { + return trackProgress(failed().build()); + }*/ + return trackProgress(success().build()); + } +} diff --git a/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java new file mode 100644 index 000000000..7eaefb129 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/java/org/owasp/webgoat/plugin/BypassRestrictionsFrontendValidation.java @@ -0,0 +1,87 @@ +package org.owasp.webgoat.plugin; + +import org.owasp.webgoat.assignments.AssignmentEndpoint; +import org.owasp.webgoat.assignments.AssignmentPath; +import org.owasp.webgoat.assignments.AttackResult; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + +import javax.servlet.http.HttpServletRequest; +import java.io.IOException; + +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * + * Copyright (c) 2002 - 20014 Bruce Mayhew + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * + * Getting Source ============== + * + * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository + * for free software projects. + * + * For details, please see http://webgoat.github.io + * + * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a> + * @created October 28, 2003 + */ +@AssignmentPath("/BypassRestrictions/frontendValidation") +public class BypassRestrictionsFrontendValidation extends AssignmentEndpoint { + + @RequestMapping(method = RequestMethod.POST) + public + @ResponseBody + AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7, @RequestParam Integer error) throws IOException { + String regex1="^[a-z]{3}$"; + String regex2="^[0-9]{3}$"; + String regex3="^[a-zA-Z0-9 ]*$"; + String regex4="^(one|two|three|four|five|six|seven|eight|nine)$"; + String regex5="^\\d{5}$"; + String regex6="^\\d{5}(-\\d{4})?$"; + String regex7="^[2-9]\\d{2}-?\\d{3}-?\\d{4}$"; + if (error>0) { + return trackProgress(failed().build()); + } + if (field1.matches(regex1)) { + return trackProgress(failed().build()); + } + if (field2.matches(regex2)) { + return trackProgress(failed().build()); + } + if (field3.matches(regex3)) { + return trackProgress(failed().build()); + } + if (field4.matches(regex4)) { + return trackProgress(failed().build()); + } + if (field5.matches(regex5)) { + return trackProgress(failed().build()); + } + if (field6.matches(regex6)) { + return trackProgress(failed().build()); + } + if (field7.matches(regex7)) { + return trackProgress(failed().build()); + } + return trackProgress(success().build()); + } +} diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html b/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html new file mode 100755 index 000000000..f8153ca3e --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/html/BypassRestrictions.html @@ -0,0 +1,124 @@ +<!DOCTYPE html> + +<html xmlns:th="http://www.thymeleaf.org"> + + <div class="lesson-page-wrapper"> + <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> + <!-- include content here. Content will be presented via asciidocs files, + which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> + <div class="adoc-content" th:replace="doc:BypassRestrictions_Intro.adoc"></div> + </div> + + <div class="lesson-page-wrapper"> + <!-- stripped down without extra comments --> + <div class="adoc-content" th:replace="doc:BypassRestrictions_FieldRestrictions.adoc"></div> + <div class="attack-container"> + <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> + <form class="attack-form" accept-charset="UNKNOWN" name="fieldRestrictions" + method="POST" + action="/WebGoat/BypassRestrictions/FieldRestrictions" + enctype="application/json;charset=UTF-8"> + + <div>Select field with two possible values</div> + <select name="select"> + <option value="option1">Option 1</option> + <option value="option2">Option 2</option> + </select> + <div>Radio button with two possible values</div> + <input type="radio" name="radio" value="option1" checked="checked"/> Option 1<br /> + <input type="radio" name="radio" value="option2" /> Option 2<br /> + <div>Checkbox: value either on or off</div> + <input type="checkbox" name="checkbox" checked="checked"/> Checkbox + <div>Input restricted to max 5 characters</div> + <input type="text" value="12345" name="shortInput" maxlength="5"/> + <div>Disabled input field</div> + <input type="submit" value="submit"/> + + </form> + <div class="attack-feedback"></div> + <div class="attack-output"></div> + </div> + </div> + + <div class="lesson-page-wrapper"> + <div class="adoc-content" th:replace="doc:BypassRestrictions_FrontendValidation.adoc"></div> + <div class="attack-container"> + <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> + + <form class="attack-form" accept-charset="UNKNOWN" name="frontendValidation" + id="frontendValidation" + method="POST" + action="/WebGoat/BypassRestrictions/frontendValidation/" + enctype="application/json;charset=UTF-8" + onsubmit="return validate()"> + <div> + Field1: exactly three lowercase characters(^[a-z]{3}$) + </div> + <div> + <textarea cols="25" name="field1" rows="1">abc</textarea> + </div> + <p></p> + <div>Field2: exactly three digits(^[0-9]{3}$)</div> + <div> + <textarea cols="25" name="field2" rows="1">123</textarea> + </div> + <p></p> + <div>Field3: letters, numbers, and space only(^[a-zA-Z0-9 ]*$)</div> + <div> + <textarea cols="25" name="field3" rows="1">abc 123 ABC</textarea> + </div> + <p></p> + <div>Field4: enumeration of numbers (^(one|two|three|four|five|six|seven|eight|nine)$)</div> + <div> + <textarea cols="25" name="field4" rows="1">seven</textarea> + </div> + <p></p> + <div>Field5: simple zip code (^\d{5}$)</div> + <div> + <textarea cols="25" name="field5" rows="1">01101</textarea> + </div> + <p></p> + <div>Field6: zip with optional dash four (^\d{5}(-\d{4})?$)</div> + <div> + <textarea cols="25" name="field6" rows="1">90210-1111</textarea> + </div> + <p></p> + <div>Field7: US phone number with or without dashes (^[2-9]\d{2}-?\d{3}-?\d{4}$)</div> + <div> + <textarea cols="25" name="field7" rows="1">301-604-4882</textarea> + </div> + <input type="hidden" value="" name="error" /> + <p><input type="submit" value="Submit" /></p> + </form> + + <script> + let regex1=/^[a-z]{3}$/; + let regex2=/^[0-9]{3}$/; + let regex3=/^[a-zA-Z0-9 ]*$/; + let regex4=/^(one|two|three|four|five|six|seven|eight|nine)$/; + let regex5=/^\d{5}$/; + let regex6=/^\d{5}(-\d{4})?$/; + let regex7=/^[2-9]\d{2}-?\d{3}-?\d{4}$/; + var validate = function() { + let msg='JavaScript found form errors'; + let err=0; + if (!regex1.test(document.frontendValidation.field1.value)) {err+=1; msg+='\n bad field1';} + if (!regex2.test(document.frontendValidation.field2.value)) {err+=1; msg+='\n bad field2';} + if (!regex3.test(document.frontendValidation.field3.value)) {err+=1; msg+='\n bad field3';} + if (!regex4.test(document.frontendValidation.field4.value)) {err+=1; msg+='\n bad field4';} + if (!regex5.test(document.frontendValidation.field5.value)) {err+=1; msg+='\n bad field5';} + if (!regex6.test(document.frontendValidation.field6.value)) {err+=1; msg+='\n bad field6';} + if (!regex7.test(document.frontendValidation.field7.value)) {err+=1; msg+='\n bad field7';} + document.frontendValidation.error.value = err + if ( err > 0 ) { + alert(msg) + return false; + } + return true; + } + </script> + <div class="attack-feedback"></div> + <div class="attack-output"></div> + </div> + </div> +</html> diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/bypass-restrictions/src/main/resources/i18n/WebGoatLabels.properties new file mode 100755 index 000000000..bff117c72 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/i18n/WebGoatLabels.properties @@ -0,0 +1,4 @@ +bypass-restrictions.title=Bypass front-end restrictions + +bypass-restrictions.intercept.success=Well done, you intercepted the request as expected +bypass-restrictions.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know! diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc new file mode 100755 index 000000000..4d103d6b3 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FieldRestrictions.adoc @@ -0,0 +1,6 @@ +== Field Restrictions +In most browsers, client has complete or almost complete control over HTML part +of the webpage. They can alter values or restrictions to fit their preference. + +=== Task +Send a request that bypasses restrictions of all four of these fields diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc new file mode 100644 index 000000000..2f02262d0 --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_FrontendValidation.adoc @@ -0,0 +1,8 @@ +== Validation +Often, there is some mechanism in place to prevent users from sending altered +field values to server, such as validation before sending. Most of popular browsers +such as Chrome don't allow editing scripts during runtime. We will have to circumvent +the validation some other way. + +=== Task +Send a request that does not fit the regular expression above the field in all fields. diff --git a/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc new file mode 100755 index 000000000..5743d6f9a --- /dev/null +++ b/webgoat-lessons/bypass-restrictions/src/main/resources/lessonPlans/en/BypassRestrictions_Intro.adoc @@ -0,0 +1,10 @@ + +== Concept +Users have a great degree of control over the front-end of the web application. +They can alter HTML code, sometimes also scripts. This is why +apps that require certain format of input should also validate on server-side. + +== Goals +* The user should have a basic knowledge of HTML +* The user should be able to tamper a request before sending (with proxy or other tool) +* The user will be able to tamper with field restrictions and bypass client-side validation diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 79d287f30..5267c0099 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -14,6 +14,7 @@ </parent> <modules> + <module>bypass-restrictions</module> <module>challenge</module> <module>client-side-filtering</module> <module>cross-site-scripting</module> diff --git a/webgoat-server/pom.xml b/webgoat-server/pom.xml index bce375377..03297cc02 100644 --- a/webgoat-server/pom.xml +++ b/webgoat-server/pom.xml @@ -91,6 +91,11 @@ <!--<artifactId>challenge</artifactId>--> <!--<version>${project.version}</version>--> <!--</dependency>--> + <dependency> + <groupId>org.owasp.webgoat.lesson</groupId> + <artifactId>bypass-restrictions</artifactId> + <version>${project.version}</version> + </dependency> <dependency> <groupId>org.owasp.webgoat.lesson</groupId> <artifactId>client-side-filtering</artifactId>