XSS updates

This commit is contained in:
Jason White 2017-02-17 15:59:38 -05:00
parent d99a1d8448
commit ac6e8b59b7
6 changed files with 193 additions and 118 deletions


@ -21,7 +21,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
AttackResult completed(@RequestParam Integer param1, AttackResult completed(@RequestParam Integer param1,
@RequestParam Integer param2, HttpServletRequest request) throws IOException { @RequestParam Integer param2, HttpServletRequest request) throws IOException {
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) { if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
System.out.println("DOM-XSS successful"); System.out.println("DOM-XSS successful, param1 is 42");
return trackProgress(success().build()); return trackProgress(success().build());
} else { } else {
return trackProgress(failed().build()); return trackProgress(failed().build());
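Review bot: `request.getHeader("webgoat-requested-by")` returns null when the header is absent, so the `.equals(...)` in the condition on the first `if` line throws a NullPointerException and the request ends in a 500 rather than the `failed()` result; invert the comparison, `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))`. The string printed on the changed `System.out.println` line is now also the exact value the new follow-up endpoint compares against, so the two literals should live in one shared constant rather than being duplicated across classes. `System.out.println` should also be a logger call so the message lands in the application log the lesson text tells the learner to read. The method's annotations and closing braces lie outside the hunk.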


@ -0,0 +1,35 @@
package org.owasp.webgoat.plugin;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* Created by jason on 11/23/16.
*/
@AssignmentPath("/CrossSiteScripting/dom-follow-up")
public class DOMCrossSiteScriptingFollowUp extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody
AttackResult completed(@RequestParam String successMessage) throws IOException {
if (successMessage.equals("DOM-XSS successful, param1 is 42")) {
return trackProgress(success().feedback("xss-dom-message-success").build());
} else {
return trackProgress(failed().feedback("xss-dom-message-success").build());
}
}
}
// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
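Review bot: The failed branch passes `feedback("xss-dom-message-success")`, so a wrong answer is shown the success message while the `xss-dom-message-failure` key this commit adds to the properties file is never referenced; it should read `return trackProgress(failed().feedback("xss-dom-message-failure").build());`. The expected string is a second copy of the literal printed by DOMCrossSiteScripting and will silently drift if either side is edited, so a shared constant is preferable. The two trailing comment lines holding example `phoneHome()` payload URLs are effectively the assignment's solution and ship with the source; drop them or move them to the solution notes. `HttpServletRequest` is unused and the method never throws `IOException`, so both the import and the `throws` clause can go.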


@ -184,7 +184,8 @@
<div class="lesson-page-wrapper"> <div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div> <div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files, <!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
@ -208,133 +209,161 @@
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div> </div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6b.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN"
method="POST" name="DOMFollowUp"
action="/WebGoat/CrossSiteScripting/dom-follow-up"
enctype="application/json;charset=UTF-8">
<input name="successMessage" value="" type="TEXT" />
<input name="submitMessage" value="Submit" type="SUBMIT"/>
</form>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div> <div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>-->
</div> <!--</div>-->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>-->
<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" /> <!--<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />-->
</div> <!--</div>-->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" <!--<div class="adoc-content"-->
th:replace="doc:CrossSiteScripting_content9a.adoc"></div> <!--th:replace="doc:CrossSiteScripting_content9a.adoc"></div>-->
<div class="attack-container"> <!--<div class="attack-container">-->
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div> <!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat --> <!--&lt;!&ndash; using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat --> <!--&lt;!&ndash; using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat &ndash;&gt;-->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework --> <!--&lt;!&ndash; you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework &ndash;&gt;-->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like --> <!--&lt;!&ndash; of course, you can write your own ajax submission /handling in your own javascript if you like &ndash;&gt;-->
<form class="attack-form" accept-charset="UNKNOWN" method="POST" <!--<form class="attack-form" accept-charset="UNKNOWN" method="POST"-->
name="form" action="/WebGoat/CrossSiteScripting/attack9a" <!--name="form" action="/WebGoat/CrossSiteScripting/attack9a"-->
enctype="application/json;charset=UTF-8"> <!--enctype="application/json;charset=UTF-8">-->
<table cellspacing="0" cellpadding="0" border="0"> <!--<table cellspacing="0" cellpadding="0" border="0">-->
<tbody> <!--<tbody>-->
<tr> <!--<tr>-->
<td>Title:</td> <!--<td>Title:</td>-->
<td><input name="title" value="" type="TEXT" /></td> <!--<td><input name="title" value="" type="TEXT" /></td>-->
</tr> <!--</tr>-->
<tr> <!--<tr>-->
<td valign="TOP">Message:</td> <!--<td valign="TOP">Message:</td>-->
<td><textarea cols="60" name="message" rows="5"></textarea></td> <!--<td><textarea cols="60" name="message" rows="5"></textarea></td>-->
</tr> <!--</tr>-->
</tbody> <!--</tbody>-->
</table> <!--</table>-->
<p> <!--<p>-->
<input name="SUBMIT" value="Submit" type="SUBMIT" /> <!--<input name="SUBMIT" value="Submit" type="SUBMIT" />-->
</p> <!--</p>-->
<hr /> <!--<hr />-->
<hr /> <!--<hr />-->
<h1>Message List</h1> <!--<h1>Message List</h1>-->
<table cellspacing="0" cellpadding="0" border="0"> <!--<table cellspacing="0" cellpadding="0" border="0">-->
<tbody> <!--<tbody>-->
<tr> <!--<tr>-->
<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td> <!--<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>-->
</tr> <!--</tr>-->
</tbody> <!--</tbody>-->
</table> <!--</table>-->
</form> <!--</form>-->
<!-- do not remove the two following div's, this is where your feedback/output will land --> <!--&lt;!&ndash; do not remove the two following div's, this is where your feedback/output will land &ndash;&gt;-->
<div class="attack-feedback"></div> <!--<div class="attack-feedback"></div>-->
<div class="attack-output"></div> <!--<div class="attack-output"></div>-->
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons --> <!--&lt;!&ndash; ... of course, you can move them if you want to, but that will not look consistent to other lessons &ndash;&gt;-->
</div> <!--</div>-->
</div> <!--</div>-->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>-->
</div> <!--</div>-->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>-->
</div> <!--</div>-->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>-->
</div> <!--</div>-->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>-->
</div> <!--</div> -->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>-->
</div> <!--</div> -->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>-->
</div> <!--</div> -->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>-->
</div> <!--</div> -->
<div class="lesson-page-wrapper"> <!--<div class="lesson-page-wrapper">-->
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>-->
</div> <!--</div>-->
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson --> <!--<div class="lesson-page-wrapper">-->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files, <!--&lt;!&ndash; reuse this lesson-page-wrapper block for each 'page' of content in your lesson &ndash;&gt;-->
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc --> <!--&lt;!&ndash; include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div> <!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc &ndash;&gt;-->
</div> <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>-->
<!--</div> -->
</html> </html>
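Review bot: The roughly 100 lines of lesson pages commented out in the second hunk (content8 through content16, including a complete `<form ... action="/WebGoat/CrossSiteScripting/attack9a">`) are still sent to the browser as HTML comments, so anyone viewing page source sees the disabled endpoint and its field names; delete the dead markup rather than commenting it out, since version control keeps the history. The new DOMFollowUp form declares `enctype="application/json;charset=UTF-8"` and `accept-charset="UNKNOWN"`, neither of which is a valid value for those attributes; the attack-form JavaScript presumably ignores them, but a plain browser submission would fall back to urlencoded, which the `@RequestParam` endpoint happens to accept. The `successMessage` text input has no `<label>` or placeholder, so the learner is not told that the log message is what should be pasted.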


@ -1,4 +1,4 @@
== Try It! DOM-Based XSS == Ientify Potential for DOM-Based XSS
For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in. For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
(Often times test code is very simple and lacks security or any quality controls!). (Often times test code is very simple and lacks security or any quality controls!).


@ -0,0 +1,9 @@
== Try It! DOM-Based XSS
Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if
you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is ...
*webgoat.customjs.phoneHome()*
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab. Once you complete it, paste the output message from the log below ...


@ -6,5 +6,7 @@ xss-reflected-5b-failure=Nope, pretty easy to guess now though.
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment. xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine. xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
xss.lesson1.failure=Are you sure? Try using a tab from a different site. xss.lesson1.failure=Are you sure? Try using a tab from a different site.
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this. #xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.