implement xss (mitigation) assignment 6

2019-03-03 16:42:29 +01:00 · 2019-03-03 16:42:29 +01:00 · b8e68d13b8
commit b8e68d13b8
parent a8106f6671
5 changed files with 149 additions and 1 deletions
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson4.java
@ -0,0 +1,46 @@
 package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.tools.*;
 import java.io.IOException;
 import java.net.URI;
 import java.util.Arrays;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@AssignmentPath("CrossSiteScripting/attack4")
@AssignmentHints(value = {"xss-mitigation-4-hint1"})
 public class CrossSiteScriptingLesson4 extends AssignmentEndpoint {
    @RequestMapping(method = RequestMethod.POST)
    @ResponseBody
    public AttackResult completed(@RequestParam String editor2) {
        String editor = editor2.replaceAll("\\<.*?>","");
        System.out.println(editor);
        if ((editor.contains("Policy.getInstance(\"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, \"antisamy-slashdot.xml\"") || editor.contains(".scan(newComment, new File(\"antisamy-slashdot.xml\")")) &&
                editor.contains("new AntiSamy();")&&
                editor.contains(".scan(newComment,") &&
                editor.contains("CleanResults") &&
                editor.contains("MyCommentDAO.addComment(threadID, userID")&&
                editor.contains(".getCleanHTML());"))
        {
            System.out.println("true");
            return trackProgress(success().feedback("xss-mitigation-4-success").build());
        }
        else {
            System.out.println("false");
            return trackProgress(failed().feedback("xss-mitigation-4-failed").build());
        }
    }
 }
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScriptingMitigation.html
@ -38,4 +38,24 @@
 	</div>
 </div>
 <div class="lesson-page-wrapper">
 	<div class="adoc-content" th:replace="doc:CrossSiteScripting_content8c.adoc"></div>
 	<div class="attack-container" style="height: 100%; border: none !important;min-height: 450px;">
 		<form id="codesubmit2" style="height: 100%; min-height: 350px;" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/CrossSiteScripting/attack4" enctype="application/json;charset=UTF-8">
 			<div>
 				<div id="editor2" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0; height: 350px;" name="editor2"></div>
 				<script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
 				<script th:src="@{/lesson_js/assignment4.js}" type="text/javascript" charset="utf-8"></script>
 			</div>
 			<input type="hidden" name="editor2"/>
 			<div class="input-group" style="position: absolute; top: 365px;">
 				<button class="btn btn-primary" type="submit">Submit</button>
 			</div>
 		</form>
 		<br />
 		<div class="attack-feedback" style="margin-top: 50px;"></div>
 		<div class="attack-output"></div>
 	</div>
 </div>
 </html>
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@ -37,3 +37,6 @@ xss-mitigation-3-hint4=Do not forget to reference the tag libs and choose "e" as
 xss-mitigation-3-success=You have completed this lesson. Congratulations!
 xss-mitigation-3-failure=This in not the correct answer. Try again!
 xss-mitigation-3-no-code=You did not change anything.
 xss-mitigation-4-hint1=Try to have a look at the AntiSamy documentation.
 xss-mitigation-4-success=You have completed this lesson. Congratulations!
 xss-mitigation-4-failed=This is not the correct answer. Try again!
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/js/assignment4.js
@ -0,0 +1,30 @@
 $(document).ready( () => {
    var editor2 = ace.edit("editor2");
 editor2.setTheme("ace/theme/monokai");
 editor2.session.setMode("ace/mode/java");
 editor2.getSession().on("change", () => {
    setTimeout( () => {
    $("#codesubmit2 input[name='editor2']").val(ace_collect2());
 }, 20);
 });
 editor2.setValue(
    "import org.owasp.validator.html.*;\n" +
    "import MyCommentDAO;\n" +
    "\n" +
    "public class AntiSamyController {\n" +
    "    public void saveNewComment(int threadID, int userID, String newComment){\n" +
    "        MyCommentDAO.addComment(threadID, userID, newComment);\n" +
    "    }\n" +
    "}"
 );
 });
 function ace_collect2() {
    var editor = ace.edit("editor2");
    var code = editor.getValue();
    return code;
 }
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8c.adoc
@ -0,0 +1,49 @@
 == Stored XSS
 One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy is able to produce a "clean" string based on a modifiable policy file.
 See the java class below which saves a comment into a database.
 [source,java]
 -------------------------------------------------------
 public class MyCommentDAO {
    public static void addComment(int threadID, int userID, String newComment) {
                String sql = "INSERT INTO COMMENTS(THREADID, USERID, COMMENT) VALUES(?,?,?);";
                try {
                        PreparedStatement stmt = connection.prepareStatement(sql);
                        stmt.setInt(1, threadID);
                        stmt.setInt(2, userID);
                        stmt.setString(3, newComment);
                        stmt.executeUpdate();
                } catch (SQLException e) {
                        e.printStackTrace();
                }
        }
 }
 -------------------------------------------------------
 And here is a java class that is using the addComment function
 [source,java]
 -------------------------------------------------------
 import org.owasp.validator.html.*;
 import MyCommentDAO;
 public class AntiSamyController {
    ...
    public void saveNewComment(int threadID, int userID, String newComment){
        MyCommentDAO.addComment(threadID, userID, newComment);
    }
    ...
 }
 -------------------------------------------------------
 As you can see the Java file stores unfiltered user input into the database.
 You’ll have the whole malicious code stored in your database now.
 == It’s your turn!
 Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use the "antisamy-slashdot.xml" as policy file for this example: