fix: XSS mitigation
		| @ -15,7 +15,8 @@ | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  * | ||||
|  * Getting Source ============== | ||||
|  * Getting Source | ||||
|  * ============== | ||||
|  * | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. | ||||
|  */ | ||||
| @ -30,12 +31,9 @@ import org.owasp.webgoat.container.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| // @RestController | ||||
| @Deprecated | ||||
| // TODO This assignment seems not to be in use in the UI | ||||
| // it is there to make sure the lesson can be marked complete | ||||
| // in order to restore it, make it accessible through the UI and uncomment RestController | ||||
| @RestController | ||||
| @AssignmentHints( | ||||
|     value = { | ||||
|       "xss-mitigation-3-hint1", | ||||
| @ -60,9 +58,9 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint { | ||||
|       String lastNameElement = | ||||
|           doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text(); | ||||
|  | ||||
|       Boolean includeCorrect = false; | ||||
|       Boolean firstNameCorrect = false; | ||||
|       Boolean lastNameCorrect = false; | ||||
|       boolean includeCorrect = false; | ||||
|       boolean firstNameCorrect = false; | ||||
|       boolean lastNameCorrect = false; | ||||
|  | ||||
|       if (include.contains("<%@") | ||||
|           && include.contains("taglib") | ||||
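Review bot: With `@RestController` restored on this class in the earlier hunk, the unguarded `doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text()` on the line above the changed booleans is now reachable from a request, and Jsoup's `Elements.first()` returns null when no element matches, so a submission whose parsed markup lacks that table cell raises a NullPointerException instead of a graded failure (the same pattern presumably applies to `firstNameElement`, which sits above the hunk). Guard it by splitting the call, `Element cell = doc.select("...").first();`, and returning a `failed(this)` result before calling `text()` when `cell` is null, so malformed input is reported through the assignment's normal failure path rather than a 500. The `Boolean` to `boolean` change itself is an improvement, since the flags are only ever compared and never null. The enclosing `completed` method starts before this hunk and continues after it.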
|  | ||||
| @ -22,20 +22,15 @@ | ||||
|  | ||||
| package org.owasp.webgoat.lessons.xss; | ||||
|  | ||||
| import lombok.extern.slf4j.Slf4j; | ||||
| import org.owasp.webgoat.container.assignments.AssignmentEndpoint; | ||||
| import org.owasp.webgoat.container.assignments.AssignmentHints; | ||||
| import org.owasp.webgoat.container.assignments.AttackResult; | ||||
| import org.springframework.web.bind.annotation.PostMapping; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
| import org.springframework.web.bind.annotation.RestController; | ||||
|  | ||||
| // @RestController | ||||
| @Deprecated | ||||
| // TODO This assignment seems not to be in use in the UI | ||||
| // it is there to make sure the lesson can be marked complete | ||||
| // in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j | ||||
| @Slf4j | ||||
| @RestController | ||||
| @AssignmentHints(value = {"xss-mitigation-4-hint1"}) | ||||
| public class CrossSiteScriptingLesson4 extends AssignmentEndpoint { | ||||
|  | ||||
| @ -44,7 +39,6 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint { | ||||
|   public AttackResult completed(@RequestParam String editor2) { | ||||
|  | ||||
|     String editor = editor2.replaceAll("\\<.*?>", ""); | ||||
|     log.debug(editor); | ||||
|  | ||||
|     if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") | ||||
|             || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") | ||||
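Review bot: The line `String editor = editor2.replaceAll("\\<.*?>", "");` has no comment explaining why the submitted text is tag-stripped before the `contains` checks, and a reader may mistake it for an XSS defence; I would add `// Normalises the submission by dropping any HTML markup around the pasted code so the contains() checks below see plain text; this is not output encoding.` (the "markup from the editor" part is my inference from the parameter name and should be confirmed). Note also that `.` does not match line terminators in a Java regex, so a tag whose attributes span a newline would be left in place; harmless for these substring checks but worth knowing. Dropping `log.debug(editor)` here is consistent, since it wrote the raw submission to the log. `completed` continues past the end of this hunk.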
| @ -54,10 +48,8 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint { | ||||
|         && editor.contains("CleanResults") | ||||
|         && editor.contains("MyCommentDAO.addComment(threadID, userID") | ||||
|         && editor.contains(".getCleanHTML());")) { | ||||
|       log.debug("true"); | ||||
|       return success(this).feedback("xss-mitigation-4-success").build(); | ||||
|     } else { | ||||
|       log.debug("false"); | ||||
|       return failed(this).feedback("xss-mitigation-4-failed").build(); | ||||
|     } | ||||
|   } | ||||
|  | ||||
| @ -15,7 +15,8 @@ | ||||
|  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||||
|  * 02111-1307, USA. | ||||
|  * | ||||
|  * Getting Source ============== | ||||
|  * Getting Source | ||||
|  * ============== | ||||
|  * | ||||
|  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. | ||||
|  */ | ||||
| @ -24,7 +25,9 @@ package org.owasp.webgoat.lessons.xss; | ||||
|  | ||||
| import org.owasp.webgoat.container.lessons.Category; | ||||
| import org.owasp.webgoat.container.lessons.Lesson; | ||||
| import org.springframework.stereotype.Component; | ||||
|  | ||||
| @Component | ||||
| public class CrossSiteScriptingMitigation extends Lesson { | ||||
|   @Override | ||||
|   public Category getDefaultCategory() { | ||||
| @ -33,6 +36,6 @@ public class CrossSiteScriptingMitigation extends Lesson { | ||||
|  | ||||
|   @Override | ||||
|   public String getTitle() { | ||||
|     return "xss-mitigation.title"; | ||||
|     return "6.xss-mitigation.title"; | ||||
|   } | ||||
| } | ||||
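Review bot: The title key changes from `xss-mitigation.title` to `6.xss-mitigation.title`, and only one properties file is updated in this commit; if other resource bundles (for example localized variants of the same file) still define the old key, the lesson title would render as the bare key in those locales — worth checking outside this diff. The numeric prefix follows the `4.xss.title` and `5.xss-stored.title` pattern visible in the properties hunk, so the rename appears intentional for ordering. A one-line Javadoc on `getTitle`, such as `/** Message key for the lesson title; the numeric prefix matches the ordering used by the other XSS lessons. */`, would make that convention explicit to the next maintainer.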
|  | ||||
| @ -1,7 +1,7 @@ | ||||
| # XSS success, failure messages and hints | ||||
| 4.xss.title=Cross Site Scripting | ||||
| 5.xss-stored.title=Cross Site Scripting (stored) | ||||
| xss-mitigation.title=Cross Site Scripting (mitigation) | ||||
| 6.xss-mitigation.title=Cross Site Scripting (mitigation) | ||||
|  | ||||
| xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment. | ||||
| xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment. | ||||
|  | ||||