Renamed to pathtraversal

This commit is contained in:
Àngel Ollé Blázquez
2022-07-30 22:23:43 +02:00
parent 37d684fdd3
commit 91470b93ea
36 changed files with 24 additions and 24 deletions

View File

@ -0,0 +1,57 @@
.upload-container
{
width: 500px;
margin: 20px auto;
}
.preview
{
padding: 10px;
position: relative;
}
.preview i
{
color: white;
font-size: 35px;
transform: translate(50px,130px);
}
.preview-img
{
border-radius: 100%;
box-shadow: 0px 0px 5px 2px rgba(0,0,0,0.7);
}
.browse-button
{
width: 200px;
height: 200px;
border-radius: 100%;
position: absolute; /* Tweak the position property if the element seems to be unfit */
top: 10px;
left: 150px;
background: linear-gradient(180deg, transparent, black);
opacity: 0;
transition: 0.3s ease;
}
.browse-button:hover
{
opacity: 1;
}
.browse-input
{
width: 200px;
height: 200px;
border-radius: 100%;
transform: translate(-1px,-26px);
opacity: 0;
}
.Error
{
color: crimson;
font-size: 13px;
}
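Review bot: `.Error` (last rule) is the only capitalised selector in this file; the templates in this commit depend on it (`<span class="Error"></span>`), so renaming it to `.error` for consistency means changing those markup files as well. Minor: the `/* Tweak the position property if the element seems to be unfit */` comment on `.browse-button` reads like a leftover from a copied snippet; either describe the intended layout (the button is positioned over the 200x200 preview image) or drop it.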

View File

@ -0,0 +1,23 @@
=== Path traversal
A path(directory) traversal is a vulnerability where an attacker can access or store files and directories outside
the application's location. It may lead to reading files from other directories and overwriting critical system files in case of a file
upload.
=== How does it work?
For example, let's assume we have an application that hosts some files, in the following
format: `http://example.com/file=report.pdf` now as an attacker, you are interested in other files, of course, so
you try `http://example.com/file=../../../../../etc/passwd.` In this case, you try walking up to the root of the filesystem
and then go into `/etc/passwd` to gain access to this file. The `../` is called dot-dot-slash, another name
for this attack.
Of course, this is a straightforward example, and in most cases, this will not work as frameworks implemented controls. So we need to get a little more creative and start encoding `../` before the request is sent to the server.
For example, if we URL encode `../`, you will get `%2e%2e%2f`, and the webserver receiving this request will decode
it again to `../`.
Also, note that avoiding applications filtering those encodings double encoding might work as well. Double encoding
might be necessary when you have a system A which calls system B. System A will only decode once and
call B with the still encoded URL.
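Review bot: the example URLs in "How does it work?" are not well-formed: `http://example.com/file=report.pdf` is missing the `?` that makes `file` a query parameter, and the traversal example carries the sentence's full stop inside the backticks (`/etc/passwd.`). The double-encoding paragraph also needs rewording; "avoiding applications filtering those encodings double encoding might work as well" should say that when an application filters the single-encoded form, double encoding can pass that filter and be decoded twice on the way to the file system, which is exactly the system A / system B scenario the next sentence describes. Finally, "frameworks implemented controls" should be "frameworks have implemented controls".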

View File

@ -0,0 +1,6 @@
=== Retrieving other files with a path traversal
Path traversals are not limited to file uploads; when retrieving files, it can be the case that a path traversal
is possible to retrieve other files from the system. In this assignment, try to find a file called `path-traversal-secret.jpg`
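Review bot: the last sentence has no terminating punctuation, and the first one is hard to parse ("when retrieving files, it can be the case that a path traversal is possible to retrieve other files"). Suggest: "Path traversal is not limited to file uploads: when an application serves files based on user input, the same technique may let a user read other files on the system. In this assignment, try to find a file called `path-traversal-secret.jpg`."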

View File

@ -0,0 +1,12 @@
=== Path traversal while uploading files
In this assignment, the goal is to overwrite a specific file on the file system. Of course, WebGoat cares about the users
so you need to upload your file to the following location outside the usual upload location.
|===
|OS |Location
|`operatingSystem:os[]`
|`webGoatTempDir:temppath[]PathTraversal`
|===
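Review bot: "Of course, WebGoat cares about the users so you need to upload your file to the following location" does not explain why the target lies outside the usual upload location; state the success condition plainly (the assignment counts as solved only when the uploaded file ends up in the directory listed below, which is outside the normal upload folder). The table has no `[options="header"]` attribute and no blank line after the `|OS |Location` row, so Asciidoctor may render that row as data rather than as a header; adding `[options="header"]` makes the intent explicit. The same table is repeated in the other assignment files of this commit, so the same fix applies there.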

View File

@ -0,0 +1,11 @@
=== Path traversal while uploading files
The developer became aware of the vulnerability and implemented a fix that removed the `../` from the input.
Again the same assignment, but can you bypass the implemented fix?
|===
|OS |Location
|`operatingSystem:os[]`
|`webGoatTempDir:temppath[]PathTraversal`
|===
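Review bot: the description says the fix "removed the `../` from the input" but does not say whether the removal is applied once or until no `../` remains. The whole assignment rests on that distinction (the hint file in this commit says "construct a full name which after cleaning still has `../`"), so saying that the fix is a single, non-recursive string removal helps learners reason about why such sanitisation is not a substitute for the canonical-path check described on the mitigation page.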

View File

@ -0,0 +1,12 @@
=== Path traversal while retrieving files
Finally, the upload is no longer vulnerable at least help us to verify :-)
In this assignment, you need to get the contents of the following file:
|===
|OS |Location
|`operatingSystem:os[]`
|`webGoatTempDir:temppath[]PathTraversal/secret.txt`
|===
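Review bot: "Finally, the upload is no longer vulnerable at least help us to verify :-)" is missing punctuation; suggest "Finally, the upload is no longer vulnerable; at least, help us to verify :-)". The second sentence should end with a period after the table reference, e.g. "you need to get the contents of the following file:" is fine, but the heading says "while retrieving files" whereas the assignment text never says how files are retrieved (the random-picture endpoint), so a sentence pointing the learner at that feature would make the page self-contained.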

View File

@ -0,0 +1,70 @@
=== Path traversal mitigation
As we saw in the previous assignments, protecting a file upload can be daunting. The thing comes down to trust
input without validating it.
In the examples shown before, a solution might be not to trust user input and create a random file name on the
server-side.
If you need to save it based on user input, the best way to keep you safe is to check the canonical path. For example, in Java:
[source]
----
var multiPartFile = ...
var targetFile = new File("/tmp", multiPartFile.getOriginalName());
var canonicalPath = targetFile.getCanonicalPath();
if (!canonicalPath.startWith("/tmp") {
throw new IllegalArgumentException("Invalid filename");
}
IOUtils.copy(multiPartFile.getBytes(), targetFile);
----
The canonical path function will resolve to an absolute path, removing `.` and `..` etc. By checking whether the canonical
the path is inside the expected directory.
For path traversals, while retrieving, one can apply the same technique described above, but as a defense in depth you
can also implement mitigation by running the application under a specific not privileged user who is not allowed to read and write
in any other directory.
Make sure that you build detection for catching these cases in any case, but be careful with returning explicit information
to the user. Every tiny detail might give the attacker knowledge about your system.
==== Be aware...
As shown in the previous examples, be careful which method you use to retrieve parameters, especially query parameters.
Spring Boot does a decent job denying invalid path variables. To recap:
[source]
----
@Getter("/f")
public void f(@RequestParam("name") String name) {
//name is automatically decoded so %2E%2E%2F%2E%2E%2Ftest will become ../../test
}
@Getter("/g")
public void g(HttpServletRequest request) {
var queryString = request.getQueryString(); // will return
}
@Getter("/h")
public void h(HttpServletRequest request) {
var name = request.getParam("name"); //will return ../../test
----
If you invoke `/f` with `/f?name=%2E%2E%2F%2E%2E%2Ftest` it will become `../../test`. If you invoke `g` with
`/g?name=%2E%2E%2F%2E%2E%2Ftest` it will return `%2E%2E%2F%2E%2E%2Ftest` *NO* decoding will be applied.
The behavior of `/h` with the same parameter will be the same as `/f`
As you can see, be careful and familiarize yourself with the correct methods to call. In every case, write a
unit test in such cases, which covers encoded characters.
==== Spring Boot protection
By default, Spring Boot has protection for using, for example, `../` in a path. The projection resides in the `StrictHttpFirewall` class. This will protect endpoint where the user input is part of the `path` like `/test/1.jpg`
if you replace `1.jpg` with `../../secret.txt`, it will block the request. With query parameters, that protection
will not be there.
In the lesson about "File uploads" more examples of vulnerabilities are shown.
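Review bot: the Java mitigation snippet will not compile and its check is too loose. `startWith` should be `startsWith`, and the `if` is missing its closing parenthesis: `if (!canonicalPath.startsWith("/tmp")) {`. For a Spring `MultipartFile` the accessor is `getOriginalFilename()`, not `getOriginalName()`, and `IOUtils.copy` has no overload taking a `byte[]` and a `File`; `multiPartFile.transferTo(targetFile)` does what the snippet intends. On the check itself, `startsWith("/tmp")` also accepts `/tmpfoo/...`; compare against the canonical path of the base directory followed by `File.separator`, and prefer an application-owned directory over `/tmp`. "By checking whether the canonical the path is inside the expected directory." is a sentence fragment; suggest "The canonical path resolves `.` and `..` into an absolute path, so checking that it starts with the expected directory rejects any traversal." In the Spring recap, the annotation is `@GetMapping`, not `@Getter` (a Lombok annotation), `request.getParam("name")` should be `request.getParameter("name")`, the comment in `g` is unfinished (`// will return`) even though the prose below completes it, and `h` is missing its closing brace. Also "The projection resides in the `StrictHttpFirewall` class" should read "protection", and `StrictHttpFirewall` belongs to Spring Security rather than Spring Boot, so the heading "Spring Boot protection" is imprecise.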

View File

@ -0,0 +1,14 @@
=== Path traversal while uploading files
The developer again became aware of the vulnerability by not validating the input of the `full name` input field.
A fix was applied in an attempt to solve this vulnerability.
Again the same assignment, but can you bypass the implemented fix?
|===
|OS |Location
|`operatingSystem:os[]`
|`webGoatTempDir:temppath[]PathTraversal`
|===
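Review bot: "The developer again became aware of the vulnerability by not validating the input of the `full name` input field" reads as though becoming aware was caused by not validating; suggest "The developer realised that the vulnerability was caused by not validating the `full name` field and applied a fix." The file name `PathTraversal_upload_remove_user_input.adoc` and the hint "Take a look what happened to the file name" both imply the fix stopped using the form value for the file name, so the description could say so instead of the vague "A fix was applied in an attempt to solve this vulnerability."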

View File

@ -0,0 +1,31 @@
=== Zip Slip vulnerability
As a developer, you have many occasions where you have to deal with zip files. For example, think about the upload facility or processing a bunch of CSV files that are uploaded as a zip file. A neat vulnerability was discovered and responsibly disclosed by the Snyk Security team. It uses path traversal, which can be used while extracting files. With the path traversal, you try to overwrite files outside the intended target folder. For example, you might be able to overwrite the `ls` command while extracting a zip file. Once this command has been replaced with some extra malicious actions each time the user types in `ls`, you can send the outcome of the listing towards your server before showing the actual command to the user. So you end up with remote command execution.
==== Problem
The problem occurs with how we extract zip files in Java; a common way to do this is:
[source]
----
File destinationDir = new File("/tmp/zip");
Enumeration<? extends ZipEntry> entries = zip.entries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File f = new File(destinationDir, e.getName());
InputStream is = zip.getInputStream(e);
IOUtils.copy(is, write(f));
}
----
At first glance, this looks ok, and you wrote something along the same lines. As we have seen in the previous assignments, the problem is that you can use a path traversal to break out of the `destinationDir` and start walking towards different locations.
But what if we receive a zip file with the following contents:
[source]
----
orders.csv
../../../../../../../tmp/evil.sh
----
if you extract the zip file with the code above the file will be saved in `/tmp/evil.sh`.
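Review bot: the extraction snippet under "Problem" does not compile as shown: `write(f)` is not defined (presumably `new FileOutputStream(f)`), and neither the input nor the output stream is closed, so a try-with-resources around both would be the idiomatic form; as this is the "before" code, keep the unchecked `new File(destinationDir, e.getName())` so the traversal it illustrates stays visible. The paragraph order reads backwards: the explanation ("the problem is that you can use a path traversal to break out of the `destinationDir`") comes before the example that shows it ("But what if we receive a zip file with the following contents"), so move the zip listing up and the explanation after it. The closing sentence needs a capital and a comma: "If you extract the zip file with the code above, the file will be saved as `/tmp/evil.sh`." The `ls`-overwrite scenario in the opening paragraph assumes the extracting process may write to the directory holding `ls`, which is precisely the point the mitigation page makes about running under an unprivileged user; a cross-reference there would tie the two pages together.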

View File

@ -0,0 +1,13 @@
=== Zip Slip assignment
This time the developers only allow you to upload zip files. However, they made a programming mistake in uploading the zip file will extract it, but it will not replace your image. Can you find a way to overwrite your current image bypassing the programming mistake?
|===
|OS |Location
|`operatingSystem:os[]`
|`webGoatTempDir:temppath[]PathTraversal`
|===
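Review bot: "they made a programming mistake in uploading the zip file will extract it, but it will not replace your image" is ungrammatical; suggest "they made a programming mistake: uploading the zip file extracts it, but the extracted image does not replace your profile image. Can you find a way to overwrite your current image despite that mistake?"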

View File

@ -0,0 +1,48 @@
=== Solution
First, let's create a zip file with an image inside:
[source]
----
curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
zip profile.zip cat.jpg
----
Now let's upload this as our profile image. We can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
[source]
----
Zip file extracted successfully failed to copy the image. Please get in touch with our helpdesk.
----
Let's create a zip file that traverses to the top and then back into the given directory in the assignment.
First, create the directory structure:
[source, subs="macros"]
----
mkdir -p webGoatTempDir:temppath[]PathTraversal/username:user[]
cd webGoatTempDir:temppath[]PathTraversal/username:user[]
curl -o username:user[] http://localhost:8080/WebGoat/images/cats/1.jpg
zip profile.zip ../../../../../../../..webGoatTempDir:temppath[]PathTraversal/username:user[]/username:user[].jpg
----
Now, if we upload this zip file, it solves the assignment.
=== Why did this work?
In the code, the developers used the following fragment:
[source%linenums]
----
ZipFile zip = new ZipFile(uploadedZipFile);
Enumeration<? extends ZipEntry> entries = zip.entries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File profilePicture = new File(uploadDirectory, e.getName());
InputStream is = zip.getInputStream(e);
Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
}
----
The fix is to make sure the resulting file in line 5 resides in the directory you expect. Same as with the path traversal mitigation, use `profilePicture.getCanonicalPath()` to ensure the path is the same as you expect it to be.
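Review bot: two things in the solution do not line up. `curl -o username:user[]` saves the image without an extension, but the `zip` command then references `username:user[]/username:user[].jpg`, so the entry it is meant to add does not exist; either download to `username:user[].jpg` or reference the extension-less file. In the "Why did this work?" listing, `Files.copy(is, f.toPath(), ...)` uses `f` while the file is declared as `profilePicture` on line 5, so it should be `profilePicture.toPath()`. The prose refers to "line 5", which is correct only while the listing is unchanged; naming the call ("the `new File(uploadDirectory, e.getName())` call") is more robust. The recommended fix would also be clearer if the check were spelled out: the canonical path of `profilePicture` must start with the canonical path of `uploadDirectory` plus a separator, the same check the mitigation page describes, and the loop should reject the entry before anything is written.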

View File

@ -0,0 +1,280 @@
<html xmlns:th="http://www.thymeleaf.org">
<script th:src="@{/lesson_js/path_traversal.js}" language="JavaScript"></script>
<link rel="stylesheet" type="text/css" th:href="@{/lesson_css/path_traversal.css}"/>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
onsubmit='return false'
contentType="false"
successCallback="profileUploadCallback"
failureCallback="profileUploadCallback"
informationalCallback="profileUploadCallback"
prepareData="profileUpload"
enctype="multipart/form-data"
action="/WebGoat/PathTraversal/profile-upload">
<div class="preview text-center">
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
height="200" id="preview"/>
<div class="browse-button">
<i class="fa fa-pencil"></i>
<input class="browse-input" type="file" required name="uploadedFile" id="uploadedFile"/>
</div>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Full Name:</label>
<input class="form-control" type="text" id="fullName" name="fullName" required value="test"
placeholder="Enter Your Full Name"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Email:</label>
<input class="form-control" type="email" id="email" name="email" required
placeholder="Enter Your Email" value="test@test.com"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Password:</label>
<input class="form-control" type="password" id="password" name="password" required
placeholder="Enter Password" value="test"/>
<span class="Error"></span>
</div>
<div class="form-group">
<button class="btn btn-primary btn-block" value="Submit">Update</button>
</div>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_fix.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
onsubmit='return false'
contentType="false"
successCallback="profileUploadCallbackFix"
failureCallback="profileUploadCallbackFix"
informationalCallback="profileUploadCallbackFix"
prepareData="profileUploadFix"
enctype="multipart/form-data"
action="/WebGoat/PathTraversal/profile-upload-fix">
<div class="preview text-center">
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
height="200" id="previewFix"/>
<div class="browse-button">
<i class="fa fa-pencil"></i>
<input class="browse-input" type="file" required name="uploadedFile" id="uploadedFileFix"/>
</div>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Full Name:</label>
<input class="form-control" type="text" id="fullNameFix" name="fullName" required value="test"
placeholder="Enter Your Full Name"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Email:</label>
<input class="form-control" type="email" id="emailFix" name="email" required
placeholder="Enter Your Email" value="test@test.com"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Password:</label>
<input class="form-control" type="password" id="passwordFix" name="password" required
placeholder="Enter Password" value="test"/>
<span class="Error"></span>
</div>
<div class="form-group">
<button class="btn btn-primary btn-block" value="Submit">Update</button>
</div>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_upload_remove_user_input.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
onsubmit='return false'
contentType="false"
successCallback="profileUploadCallbackRemoveUserInput"
failureCallback="profileUploadCallbackRemoveUserInput"
informationalCallback="profileUploadCallbackRemoveUserInput"
prepareData="profileUploadRemoveUserInput"
enctype="multipart/form-data"
action="/WebGoat/PathTraversal/profile-upload-remove-user-input">
<div class="preview text-center">
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
height="200" id="previewRemoveUserInput"/>
<div class="browse-button">
<i class="fa fa-pencil"></i>
<input class="browse-input" type="file" required name="uploadedFile"
id="uploadedFileRemoveUserInput"/>
</div>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Full Name:</label>
<input class="form-control" type="text" id="fullNameRemoveUserInput" name="fullName" required
value="test"
placeholder="Enter Your Full Name"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Email:</label>
<input class="form-control" type="email" id="emailRemoveUserInput" name="email" required
placeholder="Enter Your Email" value="test@test.com"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Password:</label>
<input class="form-control" type="password" id="passwordRemoveUserInput" name="password" required
placeholder="Enter Password" value="test"/>
<span class="Error"></span>
</div>
<div class="form-group">
<button class="btn btn-primary btn-block" value="Submit">Update</button>
</div>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_retrieval.adoc"></div>
<div class="attack-container">
<div class="container-fluid">
<div class="input-group" style="margin-top: 10px">
<button class="btn btn-primary" onclick="newRandomPicture()">Show random cat picture
</button>
</div>
<br/>
<div>
<img id="randomCatPicture" th:src="@{/images/cats/1.jpg}" width="50%" height="50%"/>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="/WebGoat/PathTraversal/random">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"
style="font-size:20px"></i></div>
<input type="text" class="form-control" id="pathTraversalSecret" name="secret"/>
</div>
<div class="input-group" style="margin-top: 10px">
<button type="submit" class="btn btn-primary">Submit secret</button>
</div>
</div>
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_assignment.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<div class="upload-container">
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="form"
onsubmit='return false'
contentType="false"
prepareData="profileZipSlip"
enctype="multipart/form-data"
action="/WebGoat/PathTraversal/zip-slip">
<div class="preview text-center">
<img th:src="@{|~/WebGoat/PathTraversal/zip-slip/profile-image/${#authentication.name}|}" width="1"
height="1" />
<img class="preview-img" th:src="@{/images/account.png}" alt="Preview Image" width="200"
height="200" id="previewZipSlip"/>
<div class="browse-button">
<i class="fa fa-pencil"></i>
<input class="browse-input" type="file" required name="uploadedFile"
id="uploadedFileZipSlip"/>
</div>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Full Name:</label>
<input class="form-control" type="text" id="fullNameZipSlip" name="fullName" required
value="test"
placeholder="Enter Your Full Name"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Email:</label>
<input class="form-control" type="email" id="emailZipSlip" name="email" required
placeholder="Enter Your Email" value="test@test.com"/>
<span class="Error"></span>
</div>
<div class="form-group">
<label>Password:</label>
<input class="form-control" type="password" id="passwordZipSlip" name="password" required
placeholder="Enter Password" value="test"/>
<span class="Error"></span>
</div>
<div class="form-group">
<button class="btn btn-primary btn-block" value="Submit">Update</button>
</div>
</form>
</div>
<br/>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-solution">
<div class="adoc-content" th:replace="doc:lessons/pathtraversal/documentation/PathTraversal_zip_slip_solution.adoc"></div>
</div>
</div>
</html>
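Review bot: the zip-slip form (`action="/WebGoat/PathTraversal/zip-slip"`) has no `successCallback`/`failureCallback` attributes, unlike the three profile-upload forms, so its preview is never refreshed after an upload even though `profileZipSlipRetrieval` is defined in the lesson JavaScript in this same commit; wire it up or drop the unused function. The 1x1 `<img th:src="@{|~/WebGoat/PathTraversal/zip-slip/profile-image/${#authentication.name}|}">` appears to exist only to trigger the server-side image lookup; a comment saying so would stop a later reviewer from removing it. Minor: `accept-charset="UNKNOWN"` is not a valid charset value and `language="JavaScript"` on the `<script>` tag is obsolete; `accept-charset="UTF-8"` and a plain `<script th:src="...">` are enough.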

View File

@ -0,0 +1,58 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
path-traversal-title=Path traversal
path-traversal-profile-updated=Profile has been updated, your image is available at: {0}"
path-traversal-profile-empty-file=File appears to be empty please upload a non empty file
path-traversal-profile-attempt=Nice try, but the directory({0}) is incorrect, please write the file to the correct directory
path-traversal-profile-empty-name=Name is empty
path-traversal-profile.hint1=Try updating the profile WebGoat will display the location
path-traversal-profile.hint2=Look at the displayed location how is the file name on the server constructed?
path-traversal-profile.hint3=Does the server validate any input given in the full name field?
path-traversal-profile-fix.hint1=Take a look what happens compared to the previous assignment
path-traversal-profile-fix.hint2=The new and improved version removes `../` from the input, can you bypass this?
path-traversal-profile-fix.hint3=Try to construct a full name which after cleaning still has `../` in the full name
path-traversal-profile-remove-user-input.hint1=Take a look what happened to the file name
path-traversal-profile-remove-user-input.hint2=Can we still manipulate the request?
path-traversal-profile-remove-user-input.hint3=You can try to use a proxy to intercept the POST request
path-traversal-profile-retrieve.hint1=Can you specify the image to be fetched?
path-traversal-profile-retrieve.hint2=Look at the location header...
path-traversal-profile-retrieve.hint3=Use /random?id=1 for example to fetch a specific image
path-traversal-profile-retrieve.hint4=Use /random/?id=../../1.jpg to navigate to a different directory
path-traversal-profile-retrieve.hint5='..' and '/' are no longer allowed, can you bypass this restriction
path-traversal-profile-retrieve.hint6=Use url encoding for ../ to bypass the restriction
path-traversal-zip-slip.hint1=Try uploading a picture in a zip file
path-traversal-zip-slip.hint2=Upload a zip file which traverses to the right directory
path-traversal-zip-slip.hint3=Did you create a zip file with the right image name?
path-traversal-zip-slip.hint4=Check the http request to find out which image name should be used
path-traversal-zip-slip.no-zip=Please upload a zip file
path-traversal-zip-slip.extracted=Zip file extracted successfully failed to copy the image. Please get in touch with our helpdesk.
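Review bot: `path-traversal-profile-updated` has a stray `"` after `{0}` that will be shown to the user; drop it. `path-traversal-zip-slip.extracted` runs two sentences together ("Zip file extracted successfully failed to copy the image"); suggest "Zip file extracted successfully, but the image could not be copied. Please get in touch with our helpdesk." Several messages lack punctuation (`path-traversal-profile-empty-file`, `path-traversal-profile-attempt`, `path-traversal-profile-retrieve.hint5`), and the hints mix quoting styles (`'..'` versus `` `../` ``); pick one.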

Binary file not shown.

After

Width:  |  Height:  |  Size: 8.1 KiB

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,78 @@
webgoat.customjs.profileUpload = function () {
var picture = document.getElementById("uploadedFile").files[0];
var formData = new FormData();
formData.append("uploadedFile", picture);
formData.append("fullName", $("#fullName").val());
formData.append("email", $("#email").val());
formData.append("password", $("#password").val());
return formData;
}
webgoat.customjs.profileUploadCallback = function () {
$.get("PathTraversal/profile-picture", function (result, status) {
document.getElementById("preview").src = "data:image/png;base64," + result;
});
}
webgoat.customjs.profileUploadFix = function () {
var picture = document.getElementById("uploadedFileFix").files[0];
var formData = new FormData();
formData.append("uploadedFileFix", picture);
formData.append("fullNameFix", $("#fullNameFix").val());
formData.append("emailFix", $("#emailFix").val());
formData.append("passwordFix", $("#passwordFix").val());
return formData;
}
webgoat.customjs.profileUploadCallbackFix = function () {
$.get("PathTraversal/profile-picture", function (result, status) {
document.getElementById("previewFix").src = "data:image/png;base64," + result;
});
}
webgoat.customjs.profileUploadRemoveUserInput = function () {
var picture = document.getElementById("uploadedFileRemoveUserInput").files[0];
var formData = new FormData();
formData.append("uploadedFileRemoveUserInput", picture);
formData.append("fullName", $("#fullNameRemoveUserInput").val());
formData.append("email", $("#emailRemoveUserInput").val());
formData.append("password", $("#passwordRemoveUserInput").val());
return formData;
}
webgoat.customjs.profileUploadCallbackRemoveUserInput = function () {
$.get("PathTraversal/profile-picture", function (result, status) {
document.getElementById("previewRemoveUserInput").src = "data:image/png;base64," + result;
});
}
webgoat.customjs.profileUploadCallbackRetrieval = function () {
$.get("PathTraversal/profile-picture", function (result, status) {
document.getElementById("previewRetrieval").src = "data:image/png;base64," + result;
});
}
function newRandomPicture() {
$.get("PathTraversal/random-picture", function (result, status) {
document.getElementById("randomCatPicture").src = "data:image/png;base64," + result;
});
}
webgoat.customjs.profileZipSlip = function () {
var picture = document.getElementById("uploadedFileZipSlip").files[0];
var formData = new FormData();
formData.append("uploadedFileZipSlip", picture);
formData.append("fullName", $("#fullNameZipSlip").val());
formData.append("email", $("#emailZipSlip").val());
formData.append("password", $("#passwordZipSlip").val());
return formData;
}
webgoat.customjs.profileZipSlipRetrieval = function () {
$.get("PathTraversal/zip-slip", function (result, status) {
document.getElementById("previewZipSlip").src = "data:image/png;base64," + result;
});
}
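Review bot: `profileUploadFix` appends the multipart parts as `uploadedFileFix`, `fullNameFix`, `emailFix` and `passwordFix`, while the form inputs in the template are named `uploadedFile`, `fullName`, `email` and `password`, and the other prepare functions (`profileUpload`, `profileUploadRemoveUserInput`, `profileZipSlip`) send `fullName`/`email`/`password`; unless the `profile-upload-fix` endpoint expects the suffixed names, the fix assignment will receive no form fields. `profileUploadCallbackRetrieval` targets `document.getElementById("previewRetrieval")`, but no element with that id exists in the lesson HTML in this commit, and `profileZipSlipRetrieval` is never referenced from a form, so both are dead code or missing wiring. All callbacks prefix the result with `data:image/png;base64,` regardless of the actual image type (the bundled samples are JPEGs); browsers sniff the content so it works, but `image/jpeg` or having the endpoint return the type would be cleaner. Minor: `newRandomPicture` is a global function while everything else hangs off `webgoat.customjs`.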