From 8bc91ba4ec92792f0009f489b711c90d97ee5081 Mon Sep 17 00:00:00 2001 From: PhilippeSteinbach Date: Mon, 3 Dec 2018 11:37:09 +0100 Subject: [PATCH] finished assignment --- .../plugin/CrossSiteScriptingLesson3.java | 42 ++++++++++-------- .../html/CrossSiteScriptingMitigation.html | 23 ++++++++++ .../resources/i18n/WebGoatLabels.properties | 6 ++- .../src/main/resources/js/assignment3.js | 6 +-- .../en/CrossSiteScripting_content8b.adoc | 44 ++++++++++--------- webgoat-lessons/pom.xml | 6 --- 6 files changed, 74 insertions(+), 53 deletions(-) diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java index 0c3681fd1..d6c65fec0 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson3.java @@ -1,5 +1,6 @@ package org.owasp.webgoat.plugin.mitigation; + import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; @@ -8,8 +9,6 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.ResponseBody; -import org.jsoup.*; -import org.w3c.dom.*; import javax.tools.*; 
@@ -27,31 +26,36 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) @ResponseBody public AttackResult completed(@RequestParam String editor) { + //https://github.com/OWASP/owasp-java-encoder + //maybe better idea for assignment + + String line1 =""; + String line2 =""; + + String[] lines = editor.split(System.getProperty("line.separator")); + for (int i = 0; i < lines.length; i++) { + if(lines[i].contains("First Name")){ + line1 = lines[i+1].replace(" ","").replace("",""); + } else if (lines[i].contains("Last Name")){ + line2 = lines[i+1].replace(" ", "").replace("", ""); + } + } - editor = editor.replaceAll("\\<.*?>",""); - //http://www.java67.com/2012/10/how-to-escape-html-special-characters-JSP-Java-Example.html - // // //or //${fn:escapeXml("param.first_name/last_name")} - //check html string for regex - //check for c:out && escapeXml="true" && !request.getParameter - //Document doc = Jsoup.parse(editor); - //Element e = doc.getElementById(); - - System.out.println(editor); - if (editor.contains("c:out") && editor.contains("escapeXml=\"true\"") && editor.contains("value=\"${last_name}\"") && editor.contains("value=\"${first_name}\"")) { + if((line1.equals("") || line1.equals("")) + && (line2.equals("")) || line2.equals("")){ System.out.println("true"); - return trackProgress(success().build()); - } - else if (editor.contains("${fn:escapeXml") && editor.contains("\"param.first_name\"") && editor.contains("\"param.last_name\"")) { + return trackProgress(success().feedback("xss-mitigation-3-success").build()); + } else if(line1.equals("${fn:escapeXml(\"param.first_name\")}") && line2.equals("${fn:escapeXml(\"param.last_name\")}")){ System.out.println("true"); - return trackProgress(success().build()); - } - else { + return trackProgress(success().feedback("xss-mitigation-3-success").build()); + } else { System.out.println("false"); - return trackProgress(failed().build()); + System.out.println(line1 
+ "\n" + line2); + return trackProgress(failed().feedback("xss-mitigation-3-failure").build()); } } } diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html index c01ed1ece..f354f5363 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html @@ -27,6 +27,29 @@ var editor = ace.edit("editor"); editor.setTheme("ace/theme/monokai"); editor.session.setMode("ace/mode/html"); + editor.setValue("\n" + + "\n" + + "\n" + + " Using GET and POST Method to Read Form Data\n" + + "\n" + + "\n" + + "\n" + + "
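Review bot: The success condition in `completed` mis-nests its parentheses — `&& (line2.equals(...)) || line2.equals(...)` closes the group after the first `line2` alternative, so the trailing `||` applies to the whole conjunction and a submission matching only that second `line2` form is graded as a success whatever `line1` holds; the group should read `&& (line2.equals(...) || line2.equals(...))`. The lookup `lines[i+1]` is unguarded, so request text whose last line contains `First Name` or `Last Name` throws ArrayIndexOutOfBoundsException out of the endpoint instead of returning a failed result — guard each branch, e.g. `if (i + 1 < lines.length && lines[i].contains("First Name")) {`. Splitting on `System.getProperty("line.separator")` uses the server's platform separator while the editor text seeded in the CrossSiteScriptingMitigation.html hunk is joined with `\n`, so on a host whose separator is not `\n` the split presumably yields a single element and the unguarded index above is reached; `editor.split("\\r?\\n")` handles both. The `System.out.println` calls that echo `line1` and `line2` (request input) to stdout, together with the `//maybe better idea for assignment` comment, read as leftover debugging and should be dropped.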

Using POST Method to Read Form Data

\n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + " \n" + + "
First Name:YOUR CODE HERE
Last Name:YOUR CODE HERE
\n" + + "\n" + + "\n" + + "\n");
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties index be093abfe..5a19e7db2 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties 
@@ -30,7 +30,9 @@ xss-stored-comment-success=It appears your payload should invoke the function. T xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed. xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called). xss-stored-callback-failure=No, that is not the correct value (note, it will be a different value each time the phoneHome endpoint is called). -xss-mitigation-3-hint1=You don't store the user input in this example. Try to escape the user input right before you it into the HTML element. +xss-mitigation-3-hint1=You don't store the user input in this example. Try to html entity escape the user input right before you it into the HTML element. xss-mitigation-3-hint2=Use JavaServer Pages Standard Tag Library (JSTL) tags or Unified Expression Language xss-mitigation-3-hint3=You don't have to import the libs. (<%@ taglib uri = "http://java.sun.com/jsp/jstl/core" prefix = "c" %> and <%@ taglib uri = "http://java.sun.com/jsp/jstl/functions" prefix = "fn" %> already included in this example) -xss-mitigation-3-hint4=Have you ever heared of escapeXml? Ask the web. \ No newline at end of file +xss-mitigation-3-hint4=Have you ever heard of escapeXml? Ask the web. +xss-mitigation-3-success=You have completed this lesson. Congratulations! +xss-mitigation-3-failure=This in not the correct answer. Try again! \ No newline at end of file diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js b/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js index 92258e0be..053ff63d5 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment3.js 
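Review bot: The new `xss-mitigation-3-failure` message has a typo in user-facing text — `This in not the correct answer.` should be `This is not the correct answer. Try again!`. The reworded `xss-mitigation-3-hint1` still lacks its verb (`right before you it into the HTML element`); `right before you put it into the HTML element` reads as intended.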
@@ -1,10 +1,6 @@ function ace_collect() { let code = ""; - $(".ace_line").each(function(i, el) { - code += el.innerHTML; - }); - console.log(code); - code = $(".ace_content")[0].innerHTML; + code = editor.getSession().getValue(); $.ajax({ type: "POST", url: "/WebGoat/CrossSiteScripting/attack3", diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc index 9f92a9422..787c2e88a 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8b.adoc @@ -21,27 +21,29 @@ Here is the JSP file: [source,html] ------------------------------------------------------- - - Using GET and POST Method to Read Form Data - - -
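Review bot: `let code = "";` followed immediately by `code = editor.getSession().getValue();` leaves a dead initializer now that the innerHTML scraping loop is gone; `const code = editor.getSession().getValue();` says the same in one line. `editor` is not a parameter or local here but the page-level `var editor` created by the inline script in CrossSiteScriptingMitigation.html, so this function silently depends on that script having run first — a one-line comment such as `// uses the page-level ace editor instance (var editor)` would make the coupling visible. ace_collect continues past the hunk with the `$.ajax` call.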
-

Using POST Method to Read Form Data

-
    -
  • -

    - First Name: - <%= request.getParameter("first_name")%> -

    -
  • -
  • -

    - Last Name: - <%= request.getParameter("last_name")%> -

    -
  • -
- + + + Using GET and POST Method to Read Form Data + + + +

Using POST Method to Read Form Data

+ + + + + + + + + + + +
First Name:<%= request.getParameter("first_name")%>
Last Name: + <%= request.getParameter("last_name")%> +
+ + ------------------------------------------------------- diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 5efff3d9d..9513eab7c 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -86,12 +86,6 @@ encoder 1.2 - - - org.jsoup - jsoup - 1.11.3 - com.thoughtworks.xstream