XSS updates
This commit is contained in:
parent
d99a1d8448
commit
ac6e8b59b7
@ -21,7 +21,7 @@ public class DOMCrossSiteScripting extends AssignmentEndpoint {
|
||||
AttackResult completed(@RequestParam Integer param1,
|
||||
@RequestParam Integer param2, HttpServletRequest request) throws IOException {
|
||||
if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
|
||||
System.out.println("DOM-XSS successful");
|
||||
System.out.println("DOM-XSS successful, param1 is 42");
|
||||
return trackProgress(success().build());
|
||||
} else {
|
||||
return trackProgress(failed().build());
|
||||
|
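Review bot: `request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")` on the condition line dereferences the header value before anything checks it, so a request that omits that header throws a NullPointerException (surfacing as a 500) instead of reaching the `failed()` branch; reverse the comparison, `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))`, so a missing header simply fails the assignment. The changed `System.out.println` line is also the only record that the attack succeeded — the lesson text tells the student to read it from the log — so a logger call at INFO would carry the same text with a timestamp and level instead of raw stdout. The body of `completed` closes outside this hunk.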
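--- /dev/null
+++ b/DOMCrossSiteScriptingFollowUp.java
@@ -0,0 +1,35 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+* Created by jason on 11/23/16.
+*/
+@AssignmentPath("/CrossSiteScripting/dom-follow-up")
+public class DOMCrossSiteScriptingFollowUp extends AssignmentEndpoint {
+@RequestMapping(method = RequestMethod.POST)
+public @ResponseBody
+AttackResult completed(@RequestParam String successMessage) throws IOException {
+if (successMessage.equals("DOM-XSS successful, param1 is 42")) {
+return trackProgress(success().feedback("xss-dom-message-success").build());
+} else {
+return trackProgress(failed().feedback("xss-dom-message-success").build());
+}
+}
+}
+// something like ... http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere%3Cscript%3Ewebgoat.customjs.phoneHome();%3C%2Fscript%3E
+// or http://localhost:8080/WebGoat/start.mvc#test/testParam=foobar&_someVar=234902384lotslsfjdOf9889080GarbageHere<script>webgoat.customjs.phoneHome();<%2Fscript>
+
+
+
+
+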
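Review bot: The failed branch, `return trackProgress(failed().feedback("xss-dom-message-success").build());`, sends the success feedback key on failure, while the properties hunk in this same commit adds a separate `xss-dom-message-failure` entry that nothing references; it should read `return trackProgress(failed().feedback("xss-dom-message-failure").build());`. The `throws IOException` on `completed` is never thrown by the body and only widens what callers must handle, and the unused `HttpServletRequest` import can go with it. The two trailing `// something like ...` comments carry the working payload URL for the preceding assignment; if that is meant as the solution hint it belongs with the lesson's solution material rather than in the endpoint source, where it will also drift silently when the route or `phoneHome` name changes.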
@ -184,6 +184,7 @@
|
||||
<div class="lesson-page-wrapper">
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6.adoc"></div>
|
||||
</div>
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
@ -208,71 +209,25 @@
|
||||
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
|
||||
</div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>
|
||||
<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />
|
||||
</div>
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content"
|
||||
th:replace="doc:CrossSiteScripting_content9a.adoc"></div>
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content6b.adoc"></div>
|
||||
<div class="attack-container">
|
||||
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
|
||||
<!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
|
||||
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
|
||||
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
|
||||
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
|
||||
<form class="attack-form" accept-charset="UNKNOWN" method="POST"
|
||||
name="form" action="/WebGoat/CrossSiteScripting/attack9a"
|
||||
<form class="attack-form" accept-charset="UNKNOWN"
|
||||
method="POST" name="DOMFollowUp"
|
||||
action="/WebGoat/CrossSiteScripting/dom-follow-up"
|
||||
enctype="application/json;charset=UTF-8">
|
||||
|
||||
<table cellspacing="0" cellpadding="0" border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>Title:</td>
|
||||
<td><input name="title" value="" type="TEXT" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="TOP">Message:</td>
|
||||
<td><textarea cols="60" name="message" rows="5"></textarea></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p>
|
||||
<input name="SUBMIT" value="Submit" type="SUBMIT" />
|
||||
</p>
|
||||
<hr />
|
||||
<hr />
|
||||
<h1>Message List</h1>
|
||||
<table cellspacing="0" cellpadding="0" border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<input name="successMessage" value="" type="TEXT" />
|
||||
<input name="submitMessage" value="Submit" type="SUBMIT"/>
|
||||
</form>
|
||||
|
||||
<!-- do not remove the two following div's, this is where your feedback/output will land -->
|
||||
<div class="attack-feedback"></div>
|
||||
<div class="attack-output"></div>
|
||||
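Review bot: The new `DOMFollowUp` form still wraps the `title`, `message` and first `SUBMIT` inputs and the empty "Message List" table with its `link="attack?Num=1"` anchor inherited from the `attack9a` form it replaces, so every submission posts three fields that `/WebGoat/CrossSiteScripting/dom-follow-up` never reads (its handler binds only `@RequestParam String successMessage`) and the page shows two Submit buttons. Remove the old table rows and the `<input name="SUBMIT" ...>` so only `<input name="successMessage" ...>` and `<input name="submitMessage" ...>` remain inside the form. `enctype="application/json;charset=UTF-8"` is not an encoding a browser applies to a form post; presumably the `attack-form` ajax handler chooses the content type itself, which is worth confirming since the endpoint expects form parameters rather than a JSON body.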
@ -281,60 +236,134 @@
|
||||
</div>
|
||||
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7.adoc"></div>
|
||||
</div>
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8.adoc"></div>-->
|
||||
<!--</div>-->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content9.adoc"></div>-->
|
||||
<!--<img align="middle" th:src="@{/plugin_lessons/plugin/CrossSiteScripting/images/Reflected-XSS.png}" />-->
|
||||
<!--</div>-->
|
||||
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>
|
||||
</div>
|
||||
<div class="lesson-page-wrapper">
|
||||
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
|
||||
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
|
||||
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
|
||||
<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>
|
||||
</div>
|
||||
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content"-->
|
||||
<!--th:replace="doc:CrossSiteScripting_content9a.adoc"></div>-->
|
||||
<!--<div class="attack-container">-->
|
||||
<!--<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>-->
|
||||
<!--<!– using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat –>-->
|
||||
|
||||
<!--<!– using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat –>-->
|
||||
<!--<!– you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework –>-->
|
||||
<!--<!– of course, you can write your own ajax submission /handling in your own javascript if you like –>-->
|
||||
<!--<form class="attack-form" accept-charset="UNKNOWN" method="POST"-->
|
||||
<!--name="form" action="/WebGoat/CrossSiteScripting/attack9a"-->
|
||||
<!--enctype="application/json;charset=UTF-8">-->
|
||||
|
||||
<!--<table cellspacing="0" cellpadding="0" border="0">-->
|
||||
<!--<tbody>-->
|
||||
<!--<tr>-->
|
||||
<!--<td>Title:</td>-->
|
||||
<!--<td><input name="title" value="" type="TEXT" /></td>-->
|
||||
<!--</tr>-->
|
||||
<!--<tr>-->
|
||||
<!--<td valign="TOP">Message:</td>-->
|
||||
<!--<td><textarea cols="60" name="message" rows="5"></textarea></td>-->
|
||||
<!--</tr>-->
|
||||
<!--</tbody>-->
|
||||
<!--</table>-->
|
||||
<!--<p>-->
|
||||
<!--<input name="SUBMIT" value="Submit" type="SUBMIT" />-->
|
||||
<!--</p>-->
|
||||
<!--<hr />-->
|
||||
<!--<hr />-->
|
||||
<!--<h1>Message List</h1>-->
|
||||
<!--<table cellspacing="0" cellpadding="0" border="0">-->
|
||||
<!--<tbody>-->
|
||||
<!--<tr>-->
|
||||
<!--<td><a href="#" style="cursor: hand" link="attack?Num=1"><u></u></a></td>-->
|
||||
<!--</tr>-->
|
||||
<!--</tbody>-->
|
||||
<!--</table>-->
|
||||
<!--</form>-->
|
||||
|
||||
<!--<!– do not remove the two following div's, this is where your feedback/output will land –>-->
|
||||
<!--<div class="attack-feedback"></div>-->
|
||||
<!--<div class="attack-output"></div>-->
|
||||
<!--<!– ... of course, you can move them if you want to, but that will not look consistent to other lessons –>-->
|
||||
<!--</div>-->
|
||||
<!--</div>-->
|
||||
|
||||
|
||||
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content10.adoc"></div>-->
|
||||
<!--</div>-->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content11.adoc"></div>-->
|
||||
<!--</div>-->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content12.adoc"></div>-->
|
||||
<!--</div>-->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13.adoc"></div>-->
|
||||
<!--</div> -->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content13a.adoc"></div>-->
|
||||
<!--</div> -->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content14.adoc"></div>-->
|
||||
<!--</div> -->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15.adoc"></div>-->
|
||||
<!--</div> -->
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content15a.adoc"></div>-->
|
||||
<!--</div>-->
|
||||
|
||||
<!--<div class="lesson-page-wrapper">-->
|
||||
<!--<!– reuse this lesson-page-wrapper block for each 'page' of content in your lesson –>-->
|
||||
<!--<!– include content here, or can be placed in another location. Content will be presented via asciidocs files,-->
|
||||
<!--which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc –>-->
|
||||
<!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content16.adoc"></div>-->
|
||||
<!--</div> -->
|
||||
|
||||
</html>
|
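Review bot: The new side keeps roughly a hundred lines of commented-out template — the old `attack9a` form and the content8 through content16 page wrappers — inside `<!-- -->` blocks whose inner delimiters were rewritten as `<!–`/`–>` with en-dashes so they do not close the outer comment. Plain HTML comments are presumably still emitted by Thymeleaf into the rendered page, so this dead markup (including the disabled `th:replace` targets) ships to every student's browser, and the en-dash trick breaks the moment someone pastes a real `-->` back in. Delete the commented blocks and rely on history; the live versions of the same wrappers sit directly above them in this hunk. The active `CrossSiteScripting_content7.adoc` wrapper at the top of this hunk also appears in the previous hunk; if both survive on the new side that page is included twice — worth checking in the rendered lesson.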
@ -1,4 +1,4 @@
|
||||
== Try It! DOM-Based XSS
|
||||
== Ientify Potential for DOM-Based XSS
|
||||
|
||||
For this, you'll want to look for some 'test' code in the route handlers (javascript/backbone). Sometimes, test code gets left in.
|
||||
(Often times test code is very simple and lacks security or any quality controls!).
|
||||
|
@ -0,0 +1,9 @@
|
||||
== Try It! DOM-Based XSS
|
||||
|
||||
Some attacks are 'blind'. Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if
|
||||
you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is ...
|
||||
|
||||
*webgoat.customjs.phoneHome()*
|
||||
|
||||
Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab. Once you complete it, paste the output message from the log below ...
|
||||
|
@ -6,5 +6,7 @@ xss-reflected-5b-failure=Nope, pretty easy to guess now though.
|
||||
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
|
||||
xss-reflected-6a-failure=No, look at the example. Check the GoatRouter.js file. It should be pretty easy to determine.
|
||||
xss.lesson1.failure=Are you sure? Try using a tab from a different site.
|
||||
xss-dom-message-success=Correct, I hope you didn't cheat, using the console!
|
||||
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
|
||||
|
||||
#xss-reflected-5b-do5a-first=Do the reflected xss attack prior to this, then come back and answer this.
|