dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

XSS updates

Browse Source
This commit is contained in:
Jason White
2017-02-17 15:59:38 -05:00
parent d99a1d8448
commit ac6e8b59b7
6 changed files with 193 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
View File

@ -21,7 +21,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
AttackResult completed(@RequestParam Integer param1,
@RequestParam Integer param2, HttpServletRequest request) throws IOException {
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
System.out.println("DOM-XSS successful");
System.out.println("DOM-XSS successful, param1 is 42");
return trackProgress(success().build());
} else {
return trackProgress(failed().build());

35
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScriptingFollowUp.java Normal file
View File

@ -0,0 +1,35 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* Created by jason on 11/23/16.
*/
@AssignmentPath("/CrossSiteScripting/dom-follow-up")
public class DOMCrossSiteScriptingFollowUp extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam String successMessage) throws IOException {
if (successMessage.equals("DOM-XSS successful, param1 is 42")) {
return trackProgress(success().feedback("xss-dom-message-success").build());
} else {
return trackProgress(failed().feedback("xss-dom-message-success").build());
}
}
}
// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>

261
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/html/CrossSiteScripting.html
View File

@ -184,7 +184,8 @@
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
@ -208,133 +209,161 @@
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6b.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="DOMFollowUp"
action="/WebGoat/CrossSiteScripting/dom-follow-up"
enctype="application/json;charset=UTF-8">
<input name="successMessage" value="" type="TEXT" />
<input name="submitMessage" value="Submit" type="SUBMIT"/>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />
</div>
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>-->
<!--</div>-->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>-->
<!--<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />-->
<!--</div>-->
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content"
th:replace="doc:CrossSiteScripting_content9a.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content"-->
<!--th:replace="doc:CrossSiteScripting_content9a.adoc"></div>-->
<!--<div class="attack-container">-->
<!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
<!--&lt;!&ndash; using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN" method="POST"
name="form" action="/WebGoat/CrossSiteScripting/attack9a"
enctype="application/json;charset=UTF-8">
<!--&lt;!&ndash; using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
<!--&lt;!&ndash; you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework &ndash;&gt;-->
<!--&lt;!&ndash; of course, you can write your own ajax submission /handling in your own javascript if you like &ndash;&gt;-->
<!--<form class="attack-form" accept-charset="UNKNOWN" method="POST"-->
<!--name="form" action="/WebGoat/CrossSiteScripting/attack9a"-->
<!--enctype="application/json;charset=UTF-8">-->
<table cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td>Title:</td>
<td><input name="title" value="" type="TEXT" /></td>
</tr>
<tr>
<td valign="TOP">Message:</td>
<td><textarea cols="60" name="message" rows="5"></textarea></td>
</tr>
</tbody>
</table>
<p>
<input name="SUBMIT" value="Submit" type="SUBMIT" />
</p>
<hr />
<hr />
<h1>Message List</h1>
<table cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>
</tr>
</tbody>
</table>
</form>
<!--<table cellspacing="0" cellpadding="0" border="0">-->
<!--<tbody>-->
<!--<tr>-->
<!--<td>Title:</td>-->
<!--<td><input name="title" value="" type="TEXT" /></td>-->
<!--</tr>-->
<!--<tr>-->
<!--<td valign="TOP">Message:</td>-->
<!--<td><textarea cols="60" name="message" rows="5"></textarea></td>-->
<!--</tr>-->
<!--</tbody>-->
<!--</table>-->
<!--<p>-->
<!--<input name="SUBMIT" value="Submit" type="SUBMIT" />-->
<!--</p>-->
<!--<hr />-->
<!--<hr />-->
<!--<h1>Message List</h1>-->
<!--<table cellspacing="0" cellpadding="0" border="0">-->
<!--<tbody>-->
<!--<tr>-->
<!--<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>-->
<!--</tr>-->
<!--</tbody>-->
<!--</table>-->
<!--</form>-->
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
<!--&lt;!&ndash; do not remove the two following div's, this is where your feedback/output will land &ndash;&gt;-->
<!--<div class="attack-feedback"></div>-->
<!--<div class="attack-output"></div>-->
<!--&lt;!&ndash; ... of course, you can move them if you want to, but that will not look consistent to other lessons &ndash;&gt;-->
<!--</div>-->
<!--</div>-->
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>
</div>
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>-->
<!--</div>-->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>-->
<!--</div>-->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>-->
<!--</div>-->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>-->
<!--</div> -->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>-->
<!--</div> -->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>-->
<!--</div> -->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>-->
<!--</div> -->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>-->
<!--</div>-->
<!--<div class="lesson-page-wrapper">-->
<!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>-->
<!--</div> -->
</html>

2
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6a.adoc
View File

@ -1,4 +1,4 @@
== Try It! DOM-Based XSS
== Ientify Potential for DOM-Based XSS
For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
(Often times test code is very simple and lacks security or any quality controls!).

9
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/lessonPlans/en/CrossSiteScripting_content6b.adoc Normal file
View File

@ -0,0 +1,9 @@
== Try It! DOM-Based XSS
Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if
you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is ...
*webgoat.customjs.phoneHome()*
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab. Once you complete it, paste the output message from the log below ...

2
webgoat-lessons/cross-site-scripting/src/main/resources/plugin/i18n/WebGoatLabels.properties
View File

@ -6,5 +6,7 @@ xss-reflected-5b-failure=Nope, pretty easy to guess now though.
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.