Initial Commit of SSRF Lesson

webgoat-lessons/ssrf/src/main/resources/html/SSRF.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+
+<html xmlns:th="http://www.thymeleaf.org">
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:SSRF_Intro.adoc"></div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:SSRF_Task1.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/SSRF/task1"
+                  enctype="application/json;charset=UTF-8">
+                <table>
+                    <tr>
+                        <input type="hidden" id="url" name="url" value="images/tom.png"/>
+
+                        <td><input
+                                name="Steal the Cheese" value="Steal the Cheese" type="SUBMIT"/></td>
+                        <td></td>
+                    </tr>
+                </table>
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:SSRF_Task2.adoc"></div>
+        <div class="attack-container">
+            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+            <form class="attack-form" accept-charset="UNKNOWN"
+                  method="POST" name="form"
+                  action="/WebGoat/SSRF/task2"
+                  enctype="application/json;charset=UTF-8">
+                <table>
+                    <tr>
+                        <input type="hidden" id="url" name="url" value="images/cat.png"/>
+
+                        <td><input
+                                name="Run Ifconfig" value="Run Ifconfig" type="SUBMIT"/></td>
+                        <td></td>
+                    </tr>
+                </table>
+            </form>
+            <div class="attack-feedback"></div>
+            <div class="attack-output"></div>
+        </div>
+    </div>
+
+    <div class="lesson-page-wrapper">
+        <div class="adoc-content" th:replace="doc:SSRF_Prevent.adoc"></div>
+    </div>
+</html>

webgoat-lessons/ssrf/src/main/resources/i18n/WebGoatLabels.properties

@@ -0,0 +1,9 @@
+ssrf.title=Server-Side Request Forgery
+
+ssrf.tom=You failed to steal the cheese!
+ssrf.success=You rocked the SSRF!
+ssrf.failure=You need to stick to the game plan!
+
+ssrf.hint1=You should use an HTTP proxy to intercept the request and change the URL.
+ssrf.hint2=If Tom is images/tom.png, Jerry would be images/jerry.png.
+ssrf.hint3=You need to put the protocol, "http://" in front of ifconfig.pro.

webgoat-lessons/ssrf/src/main/resources/js/credentials.js

@@ -0,0 +1,6 @@
+function submit_secret_credentials() {
+    var xhttp = new XMLHttpRequest();
+    xhttp['open']('POST', '#attack/307/100', true);
+	//sending the request is obfuscated, to descourage js reading
+	var _0xb7f9=["\x43\x61\x70\x74\x61\x69\x6E\x4A\x61\x63\x6B","\x42\x6C\x61\x63\x6B\x50\x65\x61\x72\x6C","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x73\x65\x6E\x64"];xhttp[_0xb7f9[3]](JSON[_0xb7f9[2]]({username:_0xb7f9[0],password:_0xb7f9[1]}))
+}

webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Intro.adoc

@@ -0,0 +1,12 @@
+
+== Concept
+In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or a modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.
+
+== Goals
+* The user will need to modify the URL.
+
+== SSRF How-To
+* https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
+
+== A New Era of SSRF by Orange Tsai
+* https://www.youtube.com/watch?v=D1S-G8rJrEk

webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Prevent.adoc

@@ -0,0 +1,10 @@
+
+== Prevent
+To prevent SSRF vulnerabilities in web applications, it is recommended to adhere to the following guidelines:
+
+* Use a whitelist of allowed domains, resources and protocols from where the web server can fetch resources.
+* Any input accepted from the user should be validated and rejected if it does not match the positive specification expected.
+* If possible, do not accept user input in functions that control where the web server can fetch resources.
+
+== References
+* https://www.owasp.org/index.php/Server_Side_Request_Forgery

webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc

@@ -0,0 +1,2 @@
+=== Change the URL to display Jerry 
+

webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task2.adoc

@@ -0,0 +1,2 @@
+=== Change the URL to display the Interface Configuration with ifconfig.pro
+