dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: XSS mitigation

Browse Source
This commit is contained in:
Àngel Ollé Blázquez 2023-08-25 23:24:20 +02:00
parent 3365c8d447
commit a67fbf5a5a
4 changed files with 15 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
View File

@ -15,7 +15,8 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* *
* Getting Source ============== * Getting Source
* ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
@ -30,12 +31,9 @@ import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
// @RestController @RestController
@Deprecated
// TODO This assignment seems not to be in use in the UI
// it is there to make sure the lesson can be marked complete
// in order to restore it, make it accessible through the UI and uncomment RestController
@AssignmentHints( @AssignmentHints(
value = { value = {
"xss-mitigation-3-hint1", "xss-mitigation-3-hint1",
@ -60,9 +58,9 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
String lastNameElement = String lastNameElement =
doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text(); doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();
Boolean includeCorrect = false; boolean includeCorrect = false;
Boolean firstNameCorrect = false; boolean firstNameCorrect = false;
Boolean lastNameCorrect = false; boolean lastNameCorrect = false;
if (include.contains("<%@") if (include.contains("<%@")
&& include.contains("taglib") && include.contains("taglib")

12
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
View File

@ -22,20 +22,15 @@
package org.owasp.webgoat.lessons.xss; package org.owasp.webgoat.lessons.xss;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint; import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints; import org.owasp.webgoat.container.assignments.AssignmentHints;
import org.owasp.webgoat.container.assignments.AttackResult; import org.owasp.webgoat.container.assignments.AttackResult;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
// @RestController @RestController
@Deprecated
// TODO This assignment seems not to be in use in the UI
// it is there to make sure the lesson can be marked complete
// in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j
@Slf4j
@AssignmentHints(value = {"xss-mitigation-4-hint1"}) @AssignmentHints(value = {"xss-mitigation-4-hint1"})
public class CrossSiteScriptingLesson4 extends AssignmentEndpoint { public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
@ -44,7 +39,6 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
public AttackResult completed(@RequestParam String editor2) { public AttackResult completed(@RequestParam String editor2) {
String editor = editor2.replaceAll("\\<.*?>", ""); String editor = editor2.replaceAll("\\<.*?>", "");
log.debug(editor);
if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"")
|| editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"")
@ -54,10 +48,8 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
&& editor.contains("CleanResults") && editor.contains("CleanResults")
&& editor.contains("MyCommentDAO.addComment(threadID, userID") && editor.contains("MyCommentDAO.addComment(threadID, userID")
&& editor.contains(".getCleanHTML());")) { && editor.contains(".getCleanHTML());")) {
log.debug("true");
return success(this).feedback("xss-mitigation-4-success").build(); return success(this).feedback("xss-mitigation-4-success").build();
} else { } else {
log.debug("false");
return failed(this).feedback("xss-mitigation-4-failed").build(); return failed(this).feedback("xss-mitigation-4-failed").build();
} }
} }

7
src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
View File

@ -15,7 +15,8 @@
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA. * 02111-1307, USA.
* *
* Getting Source ============== * Getting Source
* ==============
* *
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/ */
@ -24,7 +25,9 @@ package org.owasp.webgoat.lessons.xss;
import org.owasp.webgoat.container.lessons.Category; import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson; import org.owasp.webgoat.container.lessons.Lesson;
import org.springframework.stereotype.Component;
@Component
public class CrossSiteScriptingMitigation extends Lesson { public class CrossSiteScriptingMitigation extends Lesson {
@Override @Override
public Category getDefaultCategory() { public Category getDefaultCategory() {
@ -33,6 +36,6 @@ public class CrossSiteScriptingMitigation extends Lesson {
@Override @Override
public String getTitle() { public String getTitle() {
return "xss-mitigation.title"; return "6.xss-mitigation.title";
} }
} }

2
src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
View File

@ -1,7 +1,7 @@
# XSS success, failure messages and hints # XSS success, failure messages and hints
4.xss.title=Cross Site Scripting 4.xss.title=Cross Site Scripting
5.xss-stored.title=Cross Site Scripting (stored) 5.xss-stored.title=Cross Site Scripting (stored)
xss-mitigation.title=Cross Site Scripting (mitigation) 6.xss-mitigation.title=Cross Site Scripting (mitigation)
xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment. xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment. xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.