implemented xss mitigation assignment 1, draft validation without parser

This commit is contained in:
Philippe Steinbach 2018-11-26 17:55:21 +01:00 committed by Nanne Baars
parent 6327b82204
commit 8944bfcc1d
5 changed files with 115 additions and 73 deletions

View File

@ -18,43 +18,34 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
@AssignmentPath("CrossSiteScripting/attack3")
//@AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
@AssignmentHints(value = {"mitigation-3-hint1", "mitigation-3-hint2", "mitigation-3-hint3", "mitigation-3-hint4"})
public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@ResponseBody
public AttackResult completed(@RequestParam String editor) {
String regex1 = "<(\\\"[^\\\"]*\\\"|'[^']*'|[^'\\\">])*>(.*<(\\\"[^\\\"]*\\\"|'[^']*'|[^'\\\">])*>)?"; //Insert regex to verify html
editor = editor.replaceAll("\\<.*?>","");
boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
//http://www.java67.com/2012/10/how-to-escape-html-special-characters-JSP-Java-Example.html
//
//<c:out value=${first_name/last_name} escapeXml='true'/>
//<c:out value="${first_name/last_name}" escapeXml="true"/>
//or
//${fn:escapeXml("param.first_name/last_name")}
//check html string for regex
//check for c:out && escapeXml="true" && !request.getParameter
/**
if(hasImportant && hasCompiled.size() < 1) {
System.out.println(editor);
if (editor.contains("c:out") && editor.contains("escapeXml=\"true\"") && editor.contains("value=\"${last_name}\"") && editor.contains("value=\"${first_name}\"")) {
System.out.println("true");
return trackProgress(success().build());
} else if(hasCompiled.size() > 1) {
for(Diagnostic d : hasCompiled) {
errors += d.getMessage(null) + "\n";
}
else if (editor.contains("${fn:escapeXml") && editor.contains("\"param.first_name\"") && editor.contains("\"param.last_name\"")) {
System.out.println("true");
return trackProgress(success().build());
}
**/
else {
System.out.println("false");
return trackProgress(failed().build());
}
private boolean check_text(String regex, String text) {
Pattern p = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
Matcher m = p.matcher(text);
if(m.find())
return true;
else return false;
}
}
}
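Review bot: the `/** ... **/` block comment swallows the `if(hasImportant && hasCompiled.size() < 1)` chain but leaves the `else {` on the line after it without a matching `if`, so `completed()` does not compile as written; either make the chain live again or comment out the `else` with it, and declare or drop the `hasCompiled`, `errors` and `Diagnostic` names the commented branch uses (its `for` loop also closes before the `else if`, so the braces need fixing before it is re-enabled). The validation order is also inverted: `editor = editor.replaceAll("\\<.*?>","")` removes every single-line tag before `check_text(regex1, ...)` searches for tags, so `hasImportant` can only be true for a tag that spans a line break, and the later `editor.contains("c:out")` / `contains("escapeXml=\"true\"")` checks run on the stripped text, in which a `<c:out .../>` tag no longer exists; run the checks on the original submission and keep the stripped copy, if it is needed at all, in a separate variable. The expected answers themselves look wrong: `value="${first_name}"` reads a scoped attribute, not the request parameter, so the tag would print nothing where the JSP used `request.getParameter("first_name")`; the parameter is `${param.first_name}`, and likewise `${fn:escapeXml("param.first_name")}` escapes the literal string while `${fn:escapeXml(param.first_name)}` escapes the parameter, so the `contains("\"param.first_name\"")` check accepts the wrong form. Since the commit message already flags the missing parser, at least match the complete tag with a regex that tolerates whitespace and quote style instead of substring hits, which accept any text that mentions the tokens (a JSP comment, for instance) and reject correct answers with single quotes. Smaller items: `@AssignmentHints` lists `mitigation-3-hint1` to `hint4` while the properties hunk defines `xss-mitigation-3-hint1` to `hint4`, so the hints will not resolve; delete the commented-out `SqlStringInjectionHint-mitigation-10b-*` annotation; replace the `System.out.println` debugging with a logger or remove it; and `check_text` can simply `return m.find();`.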

View File

@ -12,6 +12,10 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8a.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8b.adoc"></div>
<div class="attack-container" style="height: 300px; border: none !important">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack3" enctype="application/json;charset=UTF-8">
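Review bot: `accept-charset="UNKNOWN"` on the `<form>` is not a charset name; the same tag already says `charset=UTF-8` inside its `enctype`, so use `accept-charset="UTF-8"` or drop the attribute and let the page charset apply. `enctype="application/json;charset=UTF-8"` is not a value a browser honours for a plain form POST (an invalid `enctype` falls back to `application/x-www-form-urlencoded`), and the endpoint in the Java hunk reads the submission with `@RequestParam String editor`, which expects form-encoded data anyway; if WebGoat's JavaScript submits the form this is harmless but misleading, so either declare the content type that is really sent or remove it. The inline `style="height: 300px; border: none !important"` belongs in the lesson stylesheet with the other attack containers.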

View File

@ -30,3 +30,7 @@ xss-stored-comment-success=It appears your payload should invoke the function. T
xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called).
xss-mitigation-3-hint1=You don't store the user input in this example. Try to escape the user input right before you it into the HTML element.
xss-mitigation-3-hint2=Use JavaServer Pages Standard Tag Library (JSTL) tags or Unified Expression Language
xss-mitigation-3-hint3=You don't have to import the libs. (<%@ taglib uri = "http://java.sun.com/jsp/jstl/core" prefix = "c" %> and <%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix = "fn" %> already included in this example)
xss-mitigation-3-hint4=Have you ever heared of escapeXml? Ask the web.
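Review bot: `xss-mitigation-3-hint1` is missing its verb ("right before you it into the HTML element" should read "right before you put it into the HTML element"), and `xss-mitigation-3-hint4` has "heared" for "heard". `xss-mitigation-3-hint2` ("JSTL tags or Unified Expression Language") is broad for a learner who has not seen JSTL; since hint 3 already says the `c` and `fn` taglibs are imported, naming `c:out` and `fn:escapeXml` as the two options in hint 2 or 3 would make hint 4's "escapeXml" less of a guess. Also check how the hint text is rendered: hint 3 contains literal `<%@ taglib ... %>` markup, and if the renderer inserts hints as HTML the angle brackets will be parsed rather than displayed.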

View File

@ -1,65 +1,43 @@
== Reflective XSS
== What is encoding
See the HTML file below which passes data to a JSP file.
Not trusting user input means validating data for type, length, format and range whenever it passes through a trust boundary,
say from a Web form to an application script, and then encoding it prior to redisplay in a dynamic page.
[source,html]
-------------------------------------------------------
<html>
<body>
In practice, this means that you need to review every point on your site where user-supplied data is handled and processed and
ensure that, before being passed back to the user, any values accepted from the client side are checked, filtered and encoded.
<form action = "main.jsp" method = "POST">
First Name: <input type = "text" name = "first_name">
<br />
Last Name: <input type = "text" name = "last_name" />
<input type = "submit" value = "Submit" />
</form>
Client-side validation cannot be relied upon, but user input can be forced down to a minimal alphanumeric set with server-side
processing before being used by a Web application in any way.
</body>
</html>
-------------------------------------------------------
== Escaping
Here is the JSP file:
Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context.
In the case of HTML output, you need to convert the < and > characters (among others), to prevent any malicious code from rendering.
Escaping these characters involves turning them into their entity equivalents \&lt; and \&gt;,
which will not be interpreted as HTML tags by a browser.
[source,html]
-------------------------------------------------------
<html>
<head>
<title>Using GET and POST Method to Read Form Data</title>
</head>
== Special characters
<body>
<center>
<h1>Using POST Method to Read Form Data</h1>
You need to encode special characters like "<" and ">" before they are redisplayed if they are received from user input.
For example, encoding "<" and ">" ensures a browser will display <script> but not execute it.
In conjunction to encoding, it is important that your webpages always define their character set so the browser won't interpret
special character encodings from other character sets.
<ul>
<li><p><b>First Name:</b>
<%= request.getParameter("first_name")%>
</p></li>
<li><p><b>Last Name:</b>
<%= request.getParameter("last_name")%>
</p></li>
</ul>
Cross-site scripting attacks usually occur when you manage to sneak a script (usually javascript) onto someone else's website, where
it can run maliciously.
</body>
</html>
-------------------------------------------------------
=== Relevant XML/HTML special characters
|===
|Char |Escape string |
|< |\&lt;|
|> |\&gt;|
|" |\&quot;|
|' |\&apos;|
|& |\&amp;|
|===
As you can see the JSP file prints unfiltered user input which is never a good idea.
You want people to accesses the page like this:
----
http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
----
But what happens if someone uses this link:
----
http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
----
=== It's your turn!
Try to prevent this kind of XSS by escaping the url parameters:
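Review bot: "In conjunction to encoding" should be "In conjunction with encoding", and every row of the entity table carries a trailing `|` (`|< |\&lt;|`, header `|Char |Escape string |`) that is not needed and reads as an empty extra column; drop it. A caveat for that table: `&apos;` is defined in XML and HTML5 but not in HTML 4, so `&#x27;` is the portable escape for `'` and the one most HTML encoders emit. The sentence "user input can be forced down to a minimal alphanumeric set with server-side processing" reads as if input whitelisting were a complete answer; it often is not possible (names with apostrophes or accents), and the section's own thesis is that output encoding at the point of display must always be present, so saying that explicitly would keep learners from treating validation as a substitute. Finally, because this hunk interleaves the removed "Reflective XSS" walkthrough with the new encoding text, please confirm the rendered file now begins at `== What is encoding` with `== Escaping` and `== Special characters` as its only other sections, and that the form and JSP listings live only in the new file added in the last hunk.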

View File

@ -0,0 +1,65 @@
== Reflective XSS
See the HTML file below which passes data to a JSP file.
[source,html]
-------------------------------------------------------
<html>
<body>
<form action = "main.jsp" method = "POST">
First Name: <input type = "text" name = "first_name">
<br />
Last Name: <input type = "text" name = "last_name" />
<input type = "submit" value = "Submit" />
</form>
</body>
</html>
-------------------------------------------------------
Here is the JSP file:
[source,html]
-------------------------------------------------------
<html>
<head>
<title>Using GET and POST Method to Read Form Data</title>
</head>
<body>
<center>
<h1>Using POST Method to Read Form Data</h1>
<ul>
<li><p><b>First Name:</b>
<%= request.getParameter("first_name")%>
</p></li>
<li><p><b>Last Name:</b>
<%= request.getParameter("last_name")%>
</p></li>
</ul>
</body>
</html>
-------------------------------------------------------
As you can see the JSP file prints unfiltered user input which is never a good idea.
You want people to accesses the page like this:
----
http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
----
But what happens if someone uses this link:
----
http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
----
=== It's your turn!
Try to prevent this kind of XSS by escaping the url parameters in the JSP file:
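Review bot: "You want people to accesses the page" should be "access the page". The form declares `method = "POST"` while both example links pass `first_name` and `last_name` as GET query parameters; `request.getParameter` reads either, which is exactly why the reflected value can arrive through a link, and one sentence saying so would make the jump from the form to "But what happens if someone uses this link" clearer. In the JSP listing `<center>` is opened and never closed (and is deprecated); drop it or close it before `</body>`. The closing instruction "by escaping the url parameters in the JSP file" could also name the two accepted forms, since the checker in the first hunk looks for either a `<c:out ... escapeXml="true"/>` tag or `fn:escapeXml`, and the hints only reach that point at hint 4.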