update to do CSRF-based comment forging

2017-10-12 18:17:48 -06:00
parent d0ec84e9a6
commit b03a32f92c
10 changed files with 452 additions and 25 deletions
--- a/webgoat-lessons/csrf/src/main/resources/css/reviews.css
+++ b/webgoat-lessons/csrf/src/main/resources/css/reviews.css
@ -0,0 +1,75 @@
+/* Component: Posts */
+.post .post-heading {
+    height: 95px;
+    padding: 20px 15px;
+}
+.post .post-heading .avatar {
+    width: 60px;
+    height: 60px;
+    display: block;
+    margin-right: 15px;
+}
+.post .post-heading .meta .title {
+    margin-bottom: 0;
+}
+.post .post-heading .meta .title a {
+    color: black;
+}
+.post .post-heading .meta .title a:hover {
+    color: #aaaaaa;
+}
+.post .post-heading .meta .time {
+    margin-top: 8px;
+    color: #999;
+}
+.post .post-image .image {
+    width:20%;
+    height: 40%;
+}
+.post .post-description {
+    padding: 5px;
+}
+.post .post-footer {
+    border-top: 1px solid #ddd;
+    padding: 15px;
+}
+.post .post-footer .input-group-addon a {
+    color: #454545;
+}
+.post .post-footer .comments-list {
+    padding: 0;
+    margin-top: 20px;
+    list-style-type: none;
+}
+.post .post-footer .comments-list .comment {
+    display: block;
+    width: 100%;
+    margin: 20px 0;
+}
+.post .post-footer .comments-list .comment .avatar {
+    width: 35px;
+    height: 35px;
+}
+.post .post-footer .comments-list .comment .comment-heading {
+    display: block;
+    width: 100%;
+}
+.post .post-footer .comments-list .comment .comment-heading .user {
+    font-size: 14px;
+    font-weight: bold;
+    display: inline;
+    margin-top: 0;
+    margin-right: 10px;
+}
+.post .post-footer .comments-list .comment .comment-heading .time {
+    font-size: 12px;
+    color: #aaa;
+    margin-top: 0;
+    display: inline;
+}
+.post .post-footer .comments-list .comment .comment-body {
+    margin-left: 50px;
+}
+.post .post-footer .comments-list .comment > .comments-list {
+    margin-left: 50px;
+}
--- a/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
+++ b/webgoat-lessons/csrf/src/main/resources/html/CSRF.html
@ -22,14 +22,9 @@
            <input type="submit" name="ubmit=" />

        </form>
-    </div>
-
-    <div class="lesson-page-wrapper">

        <div class="adoc-content" th:replace="doc:CSRF_Basic_Get-1.adoc"></div>

-
-
        <div class="attack-container">
            <div class="assignment-success">
                    <i class="fa fa-2 fa-check hidden" aria-hidden="true">
@ -38,11 +33,11 @@
            <form class="attack-form" accept-charset="UNKNOWN" id="confirm-flag-1"
                      method="POST" name="form2"
                      successCallback=""
-                      action="/WebGoat/csrf/basic-confirm-flag"
+                      action="/WebGoat/csrf/confirm-flag-1"
                      enctype="application/json;charset=UTF-8">

                    Confirm Flag Value:
-                    <input type="text" length="6" name="confirmFlagVal" value="false" />
+                    <input type="text" length="6" name="confirmFlagVal" value="" />

                    <input name="submit" value="Submit" type="submit"/>

@ -52,6 +47,73 @@
            <div class="attack-output"></div>
        </div>
    </div>
+
+    <div class="lesson-page-wrapper">
+
+        <!--<div class="adoc-content" th:replace="doc:CrossSiteScripting_content7b.adoc"></div>-->
+
+        <!-- comment area -->
+        <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/reviews.css}"/>
+        <script th:src="@{/lesson_js/csrf-review.js}" language="JavaScript"></script>
+
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+
+        <div class="container-fluid">
+            <div class="panel post">
+                <div class="post-heading">
+                    <div class="pull-left image">
+                        <img th:src="@{/images/avatar1.png}"
+                             class="img-circle avatar" alt="user profile image"/>
+                    </div>
+                    <div class="pull-left meta">
+                        <div class="title h5">
+                            <a href="#"><b>John Doe</b></a>
+                            is selling this poster, read reviews below.
+                        </div>
+                        <h6 class="text-muted time">24 days ago</h6>
+                    </div>
+                </div>
+
+                <div class="post-image">
+                    <img th:src="@{images/cat.jpg}" class="image" alt="image post"/>
+                </div>
+
+                <div class="post-description">
+
+                </div>
+
+                <div class="attack-container">
+                    <div class="post-footer">
+                        <div class="input-group">
+                            <form class="attack-form" accept-charset="UNKNOWN" id="csrf-review"
+                                  method="POST" name="review-form"
+                                  successCallback=""
+                                  action="/WebGoat/csrf/review">
+                                <input class="form-control" id="reviewText" name="reviewText" placeholder="Add a Review" type="text"/>
+                                <input class="form-control" id="reviewStars" name="stars" type="text" />
+                                <input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9" />
+                                <input type="submit" name="submit" value="Submit review"/>
+                            </form>
+                            <div class="attack-feedback"></div>
+                            <div class="attack-output"></div>
+                            <!--<span class="input-group-addon">-->
+                                    <!--<i id="postReview" class="fa fa-edit" style="font-size: 20px"></i>-->
+                                <!--</span>-->
+                        </div>
+                        <ul class="comments-list">
+                            <div id="list">
+                            </div>
+                        </ul>
+                    </div>
+                </div>
+            </div>
+        </div>
+        <!-- end comments -->
+
+
+    </div>
+
+
    <!--</div>-->

 </html>
--- a/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/csrf/src/main/resources/i18n/WebGoatLabels.properties
@ -1,4 +1,15 @@
 csrf.title=Cross-Site Request Forgeries
 csrf-get-null-referer.success=Congratulations! Appears you made the request from your local machine.
-csrf-get-other-referer.successfeedback=Congratulations! Appears you made the request from\
- 
+csrf-get-other-referer.success=Congratulations! Appears you made the request from a separate host.
+
+
+csrf-get.hint1=The form has hidden inputs.
+csrf-get.hint2=You will need to use an external page and/or script to trigger it.
+csrf-get.hint3=Try creating a local page or one that is uploaded and points to this form as its action.
+csrf-get.hint4=The trigger can be manual or scripted to happen automatically
+
+csrf-same-host=It appears your request is coming from the same host you are submitting to.
+
+csrf-you-forgot-something=There's something missing from your request it appears, so I can't process it.
+
+csrf-review.success=It appears you have submitted correctly from another site. Go reload and see if your post is there.
--- a/webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
+++ b/webgoat-lessons/csrf/src/main/resources/js/csrf-review.js
@ -0,0 +1,46 @@
+$(document).ready(function () {
+//    $("#postReview").on("click", function () {
+//        var commentInput = $("#reviewInput").val();
+//        $.ajax({
+//            type: 'POST',
+//            url: 'csrf/review',
+//            data: JSON.stringify({text: commentInput}),
+//            contentType: "application/json",
+//            dataType: 'json'
+//        }).then(
+//            function () {
+//                getChallenges();
+//                $("#commentInput").val('');
+//            }
+//        )
+//    });
+
+    var html = '<li class="comment">' +
+        '<div class="pull-left">' +
+        '<img class="avatar" src="images/avatar1.png" alt="avatar"/>' +
+        '</div>' +
+        '<div class="comment-body">' +
+        '<div class="comment-heading">' +
+        '<h4 class="user">USER / STARS stars</h4>' +
+        '<h5 class="time">DATETIME</h5>' +
+        '</div>' +
+        '<p>COMMENT</p>' +
+        '</div>' +
+        '</li>';
+
+    getChallenges();
+
+    function getChallenges() {
+        $("#list").empty();
+        $.get('csrf/review', function (result, status) {
+            for (var i = 0; i < result.length; i++) {
+                var comment = html.replace('USER', result[i].user);
+                comment = comment.replace('DATETIME', result[i].dateTime);
+                comment = comment.replace('COMMENT', result[i].text);
+                comment = comment.replace('STARS', result[i].stars)
+                $("#list").append(comment);
+            }
+
+        });
+    }
+})
--- a/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Get_Flag.adoc
+++ b/webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Get_Flag.adoc
@ -1,4 +1,4 @@
 == Basic Get CSRF Exercise

-place holder ...
+Trigger the form below from an external source while logged in. The response will include a 'flag' (a numeric value).