fix: XSS mitigation

2023-08-25 23:24:20 +02:00
parent 3365c8d447
commit a67fbf5a5a
4 changed files with 15 additions and 22 deletions
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson3.java
@ -15,7 +15,8 @@
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
- * Getting Source ==============
+ * Getting Source
+ * ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
 */
@ -30,12 +31,9 @@ import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;

-// @RestController
-@Deprecated
-// TODO This assignment seems not to be in use in the UI
-// it is there to make sure the lesson can be marked complete
-// in order to restore it, make it accessible through the UI and uncomment RestController
+@RestController
@AssignmentHints(
    value = {
      "xss-mitigation-3-hint1",
@ -60,9 +58,9 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
      String lastNameElement =
          doc.select("body > table > tbody > tr:nth-child(2) > td:nth-child(2)").first().text();

-      Boolean includeCorrect = false;
-      Boolean firstNameCorrect = false;
-      Boolean lastNameCorrect = false;
+      boolean includeCorrect = false;
+      boolean firstNameCorrect = false;
+      boolean lastNameCorrect = false;

      if (include.contains("<%@")
          && include.contains("taglib")
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson4.java
@ -22,20 +22,15 @@

 package org.owasp.webgoat.lessons.xss;

-import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;

-// @RestController
-@Deprecated
-// TODO This assignment seems not to be in use in the UI
-// it is there to make sure the lesson can be marked complete
-// in order to restore it, make it accessible through the UI and uncomment RestController@Slf4j
-@Slf4j
+@RestController
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
 public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {

@ -44,7 +39,6 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
  public AttackResult completed(@RequestParam String editor2) {

    String editor = editor2.replaceAll("\\<.*?>", "");
-    log.debug(editor);

    if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"")
            || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"")
@ -54,10 +48,8 @@ public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
        && editor.contains("CleanResults")
        && editor.contains("MyCommentDAO.addComment(threadID, userID")
        && editor.contains(".getCleanHTML());")) {
-      log.debug("true");
      return success(this).feedback("xss-mitigation-4-success").build();
    } else {
-      log.debug("false");
      return failed(this).feedback("xss-mitigation-4-failed").build();
    }
  }
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingMitigation.java
@ -15,7 +15,8 @@
 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
 * 02111-1307, USA.
 *
- * Getting Source ==============
+ * Getting Source
+ * ==============
 *
 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
 */
@ -24,7 +25,9 @@ package org.owasp.webgoat.lessons.xss;

 import org.owasp.webgoat.container.lessons.Category;
 import org.owasp.webgoat.container.lessons.Lesson;
+import org.springframework.stereotype.Component;

+@Component
 public class CrossSiteScriptingMitigation extends Lesson {
  @Override
  public Category getDefaultCategory() {
@ -33,6 +36,6 @@ public class CrossSiteScriptingMitigation extends Lesson {

  @Override
  public String getTitle() {
-    return "xss-mitigation.title";
+    return "6.xss-mitigation.title";
  }
 }
--- a/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
+++ b/src/main/resources/lessons/xss/i18n/WebGoatLabels.properties
@ -1,7 +1,7 @@
 # XSS success, failure messages and hints
 4.xss.title=Cross Site Scripting
 5.xss-stored.title=Cross Site Scripting (stored)
-xss-mitigation.title=Cross Site Scripting (mitigation)
+6.xss-mitigation.title=Cross Site Scripting (mitigation)

 xss-reflected-5a-success-alert=Congratulations, but alerts are not very impressive are they? Let's continue to the next assignment.
 xss-reflected-5a-success-console=Congratulations, but console logs are not very impressive are they? Let's continue to the next assignment.