From b8e68d13b84636973a0b1e2a09995ddba1ea6009 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marvin=20Sch=C3=B6ning?=
Date: Sun, 3 Mar 2019 16:42:29 +0100
Subject: [PATCH] implement xss (mitigation) assignment 6
---
 .../plugin/CrossSiteScriptingLesson4.java | 46 +++++++++++++++++
 .../html/CrossSiteScriptingMitigation.html | 20 ++++++++
 .../resources/i18n/WebGoatLabels.properties | 5 +-
 .../src/main/resources/js/assignment4.js | 30 ++++++++++++
 .../en/CrossSiteScripting_content8c.adoc | 49 +++++++++++++++++++
 5 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
 create mode 100644 webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
new file mode 100644
index 000000000..2c7b5857e
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
@@ -0,0 +1,46 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.tools.*;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@AssignmentPath("CrossSiteScripting/attack4")
+@AssignmentHints(value = {"xss-mitigation-4-hint1"})
+public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
+
+ @RequestMapping(method = RequestMethod.POST)
+ @ResponseBody
+ public AttackResult completed(@RequestParam String editor2) {
+
+ String editor = editor2.replaceAll("\\<.*?>","");
+ System.out.println(editor);
+
+ if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
+ editor.contains("new AntiSamy();")&&
+ editor.contains(".scan(newComment,") &&
+ editor.contains("CleanResults") &&
+ editor.contains("MyCommentDAO.addComment(threadID, userID")&&
+ editor.contains(".getCleanHTML());"))
+ {
+ System.out.println("true");
+ return trackProgress(success().feedback("xss-mitigation-4-success").build());
+ }
+ else {
+ System.out.println("false");
+ return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
+ }
+ }
+}
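Review bot: The grader accepts a submission that still stores the raw comment, because `MyCommentDAO.addComment(threadID, userID` and `.getCleanHTML());` are checked as independent substrings in the `if` — `MyCommentDAO.addComment(threadID, userID, newComment); cr.getCleanHTML();` passes, which defeats the point of the lesson. `Pattern`/`Matcher` are already imported, so tie the two together with one pattern in place of those two `contains` calls, e.g. `Pattern.compile("MyCommentDAO\\.addComment\\(threadID,\\s*userID,\\s*[^;]+\\.getCleanHTML\\(\\)\\)").matcher(editor).find()`. The `System.out.println(editor)` echoes the whole untrusted submission to stdout on every attempt; drop it or route it through the lesson's logger at debug level, and the `"true"`/`"false"` prints with it. The unused `javax.tools.*` wildcard import hints at compiling the submitted code server-side; if that is ever added it must be sandboxed, since compiling and running learner-supplied Java is remote code execution, so remove the import now along with the other unused ones. The `"\\<.*?>"` strip would also mangle a comparison such as `a < b && c > d` in a submission; it is harmless for the strings checked here, but a comment saying why tags are removed would help the next reader.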
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
index f979b6942..c25349256 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@@ -38,4 +38,24 @@
+
+
+
+
+
+
+ + +
+ +
+ +
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 760f78378..d746965dd 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -36,4 +36,7 @@ xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
 xss-mitigation-3-hint4=Do not forget to reference the tag libs and choose "e" as prefix.
 xss-mitigation-3-success=You have completed this lesson. Congratulations!
 xss-mitigation-3-failure=This in not the correct answer. Try again!
-xss-mitigation-3-no-code=You did not change anything.
\ No newline at end of file
+xss-mitigation-3-no-code=You did not change anything.
+xss-mitigation-4-hint1=Try to have a look at the AntiSamy documentation.
+xss-mitigation-4-success=You have completed this lesson. Congratulations!
+xss-mitigation-4-failed=This is not the correct answer. Try again!
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js b/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
new file mode 100644
index 000000000..8ba2b5578
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
@@ -0,0 +1,30 @@
+$(document).ready( () => {
+
+ var editor2 = ace.edit("editor2");
+editor2.setTheme("ace/theme/monokai");
+editor2.session.setMode("ace/mode/java");
+
+editor2.getSession().on("change", () => {
+ setTimeout( () => {
+ $("#codesubmit2 input[name='editor2']").val(ace_collect2());
+}, 20);
+});
+
+editor2.setValue(
+ "import org.owasp.validator.html.*;\n" +
+ "import MyCommentDAO;\n" +
+ "\n" +
+ "public class AntiSamyController {\n" +
+ " public void saveNewComment(int threadID, int userID, String newComment){\n" +
+ " MyCommentDAO.addComment(threadID, userID, newComment);\n" +
+ " }\n" +
+ "}"
+);
+
+});
+
+function ace_collect2() {
+ var editor = ace.edit("editor2");
+ var code = editor.getValue();
+ return code;
+}
\ No newline at end of file
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
new file mode 100644
index 000000000..dd25dfbfa
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
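Review bot: The hidden `editor2` input is refreshed only 20 ms after each editor change through `setTimeout`, so a submit that lands inside that window posts the previous text to the grader; nothing here needs to be deferred, so copy the value synchronously from the editor instance already in scope: `editor2.session.on("change", () => { $("#codesubmit2 input[name='editor2']").val(editor2.getValue()); });`, which also makes `ace_collect2()` and its second `ace.edit("editor2")` lookup redundant. The file mixes arrow functions with `var`; `const editor2 = ace.edit("editor2");` fits the ES2015 style it already uses. As far as I recall Ace's `setValue(text)` leaves the inserted text selected, so a learner's first keystroke wipes the template; `editor2.setValue(text, -1)` places the cursor at the start instead. Whether the form behind `#codesubmit2` posts directly or through the lesson's AJAX handler is not visible in this hunk.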
@@ -0,0 +1,49 @@
+== Stored XSS
+One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy is able to produce a "clean" string based on a modifiable policy file.
+
+See the java class below which saves a comment into a database.
+
+[source,java]
+-------------------------------------------------------
+public class MyCommentDAO {
+
+ public static void addComment(int threadID, int userID, String newComment) {
+
+ String sql = "INSERT INTO COMMENTS(THREADID, USERID, COMMENT) VALUES(?,?,?);";
+
+ try {
+ PreparedStatement stmt = connection.prepareStatement(sql);
+
+ stmt.setInt(1, threadID);
+ stmt.setInt(2, userID);
+ stmt.setString(3, newComment);
+
+ stmt.executeUpdate();
+ } catch (SQLException e) {
+ e.printStackTrace();
+ }
+ }
+}
+-------------------------------------------------------
+
+
+And here is a java class that is using the addComment function
+
+[source,java]
+-------------------------------------------------------
+import org.owasp.validator.html.*;
+import MyCommentDAO;
+
+public class AntiSamyController {
+ ...
+ public void saveNewComment(int threadID, int userID, String newComment){
+ MyCommentDAO.addComment(threadID, userID, newComment);
+ }
+ ...
+}
+-------------------------------------------------------
+As you can see the Java file stores unfiltered user input into the database.
+You’ll have the whole malicious code stored in your database now.
+
+== It’s your turn!
+Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use the "antisamy-slashdot.xml" as policy file for this example:
\ No newline at end of file