Added hints for dom-based xss assignment (part 2)

This commit is contained in:
Benedikt - Desktop 2018-11-18 13:19:26 +01:00 committed by Nanne Baars
parent 362671e67e
commit 990bf079d3
2 changed files with 8 additions and 0 deletions


@ -32,6 +32,7 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.owasp.webgoat.session.UserSessionData;
@ -47,6 +48,7 @@ import java.io.IOException;
* Created by jason on 11/23/16.
*/
@AssignmentPath("/CrossSiteScripting/dom-follow-up")
@AssignmentHints(value = {"xss-dom-message-hint-1", "xss-dom-message-hint-2", "xss-dom-message-hint-3", "xss-dom-message-hint-4", "xss-dom-message-hint-5", "xss-dom-message-hint-6"})
public class DOMCrossSiteScriptingVerifier extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
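Review bot: The six keys listed in the new `@AssignmentHints` annotation are bare strings that have to agree with the message bundle by hand, so a typo or a renumbered hint only shows up at runtime as a missing or empty hint rather than as a build failure. A short comment above the annotation, `// keys must match the xss-dom-message-hint-* entries in the lesson's message properties`, plus splitting the array one key per line, would make that coupling visible and keep future hint additions a one-line diff. The class body and the `@RequestMapping` method continue past the end of this hunk, so whether the hints are consumed anywhere else in the verifier cannot be judged from here.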


@ -19,6 +19,12 @@ xss-reflected-6a-hint-4=Still didn't find it? Check the <a href="/WebGoat/js/goa
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.
xss-dom-message-hint-2=Your url should look something like that http://localhost:8080/WebGoat/start.mvc#REPLACE-WITH-THE-TEST-ROUTE/some_parameters
xss-dom-message-hint-3=Note how the parameters you send to the test-route get reflected back to the page. Now add your javascript to it.
xss-dom-message-hint-4=You have to use script tags, so your javascript code gets executed when being rendered into the DOM.
xss-dom-message-hint-5=Since you're working with an URL, you might have to URL-encode your parameters.
xss-dom-message-hint-6=Replace '/' with '%2F' in your URL parameters.
xss-stored-comment-success=It appears your payload should invoke the function. To tell for sure, you need to capture the value and put it in the form below. Then we will really know.
xss-stored-comment-failure=We can't see the payload in your submission, but XSS can be tricky. Look for the call back fired after the comments reload. If you see that and can put the correct value there and put it in, maybe you did succeed.
xss-stored-callback-success=Yes, that is the correct value (note, it will be a different value each time the phoneHome endpoint is called).
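Review bot: The new `xss-dom-message-hint-4` tells the learner they "have to use script tags", but whether a `<script>` element injected from the route parameter actually runs depends on how the page inserts it — a plain `innerHTML` assignment does not execute script elements, while jQuery's `.html()` does — so if the test route writes the parameter with `innerHTML`, an event-handler payload such as `<img src=x onerror=alert(1)>` is what works and the hint would send the learner down a dead end; confirm against the lesson's JavaScript before keeping that wording. None of the six new hints says what makes this DOM-based: the payload in `xss-dom-message-hint-2` sits after the `#`, so the browser never sends it to the server and no server-side log or filter can see it, which is worth one sentence such as `Everything after the # is a URL fragment: the browser never sends it to the server, which is exactly why this is DOM-based XSS.` Wording in the new lines: `something like that` should be `something like this`, `an URL` should be `a URL`, and the hardcoded `http://localhost:8080/WebGoat/` will not match a deployment on another host, port or context path, so phrasing it as `<your WebGoat base URL>/start.mvc#...` would age better.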