implement xss (mitigation) assignment 6

2019-03-03 16:42:29 +01:00
parent a8106f6671
commit b8e68d13b8
5 changed files with 149 additions and 1 deletions
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@ -38,4 +38,24 @@
 	</div>
 </div>

+<div class="lesson-page-wrapper">
+	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8c.adoc"></div>
+	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
+		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack4" enctype="application/json;charset=UTF-8">
+			<div>
+				<div id="editor2" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor2"></div>
+				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
+				<script th:src="@{/lesson_js/assignment4.js}" type="text/javascript" charset="utf-8"></script>
+			</div>
+			<input type="hidden" name="editor2"/>
+			<div class="input-group" style="position: absolute; top: 365px;">
+				<button class="btn btn-primary" type="submit">Submit</button>
+			</div>
+		</form>
+		<br />
+		<div class="attack-feedback" style="margin-top: 50px;"></div>
+		<div class="attack-output"></div>
+	</div>
+</div>
+
 </html>
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@ -36,4 +36,7 @@ xss-mitigation-3-hint3=Take a look at OWASP Java Encoder Project.
 xss-mitigation-3-hint4=Do not forget to reference the tag libs and choose "e" as prefix.
 xss-mitigation-3-success=You have completed this lesson. Congratulations!
 xss-mitigation-3-failure=This in not the correct answer. Try again!
-xss-mitigation-3-no-code=You did not change anything.
+xss-mitigation-3-no-code=You did not change anything.
+xss-mitigation-4-hint1=Try to have a look at the AntiSamy documentation.
+xss-mitigation-4-success=You have completed this lesson. Congratulations!
+xss-mitigation-4-failed=This is not the correct answer. Try again!
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
@ -0,0 +1,30 @@
+$(document).ready( () => {
+
+    var editor2 = ace.edit("editor2");
+editor2.setTheme("ace/theme/monokai");
+editor2.session.setMode("ace/mode/java");
+
+editor2.getSession().on("change", () => {
+    setTimeout( () => {
+    $("#codesubmit2 input[name='editor2']").val(ace_collect2());
+}, 20);
+});
+
+editor2.setValue(
+    "import org.owasp.validator.html.*;\n" +
+    "import MyCommentDAO;\n" +
+    "\n" +
+    "public class AntiSamyController {\n" +
+    "    public void saveNewComment(int threadID, int userID, String newComment){\n" +
+    "        MyCommentDAO.addComment(threadID, userID, newComment);\n" +
+    "    }\n" +
+    "}"
+);
+
+});
+
+function ace_collect2() {
+    var editor = ace.edit("editor2");
+    var code = editor.getValue();
+    return code;
+}
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
@ -0,0 +1,49 @@
+== Stored XSS
+One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy is able to produce a "clean" string based on a modifiable policy file.
+
+See the java class below which saves a comment into a database.
+
+[source,java]
+-------------------------------------------------------
+public class MyCommentDAO {
+
+    public static void addComment(int threadID, int userID, String newComment) {
+
+                String sql = "INSERT INTO COMMENTS(THREADID, USERID, COMMENT) VALUES(?,?,?);";
+
+                try {
+                        PreparedStatement stmt = connection.prepareStatement(sql);
+
+                        stmt.setInt(1, threadID);
+                        stmt.setInt(2, userID);
+                        stmt.setString(3, newComment);
+
+                        stmt.executeUpdate();
+                } catch (SQLException e) {
+                        e.printStackTrace();
+                }
+        }
+}
+-------------------------------------------------------
+
+
+And here is a java class that is using the addComment function
+
+[source,java]
+-------------------------------------------------------
+import org.owasp.validator.html.*;
+import MyCommentDAO;
+
+public class AntiSamyController {
+    ...
+    public void saveNewComment(int threadID, int userID, String newComment){
+        MyCommentDAO.addComment(threadID, userID, newComment);
+    }
+    ...
+}
+-------------------------------------------------------
+As you can see the Java file stores unfiltered user input into the database.
+You’ll have the whole malicious code stored in your database now.
+
+== It’s your turn!
+Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use the "antisamy-slashdot.xml" as policy file for this example: