diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java
index ab050bcd3..e02915781 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java
@@ -22,19 +22,14 @@
package org.owasp.webgoat.vulnerable_components;
-import com.thoughtworks.xstream.annotations.XStreamAlias;
-
-@XStreamAlias("contact")
-public class Contact {
- @XStreamAlias("name")
- String name;
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
+public interface Contact {
+ public Integer getId();
+ public void setId(Integer id);
+ public String getFirstName();
+ public void setFirstName(String firstName);
+ public String getLastName();
+ public void setLastName(String lastName);
+ public String getEmail();
+ public void setEmail(String email);
}
\ No newline at end of file
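Review bot: The `public` modifier on all eight method declarations is redundant — interface members are implicitly public — and the interface carries no Javadoc saying why `Contact` stopped being a class. Judging from the payload sketch in the lesson's comment block, which names `org.owasp.webgoat.vulnerable_components.Contact` as the interface for a dynamic proxy, the change looks deliberate so that XStream can hand back a proxy implementing this type from attacker-supplied XML; that intent needs to be written down or a later cleanup will "simplify" it back into a class and silently break the exercise. Suggested header: `/** Contact as produced by the lesson's XStream endpoint. Deliberately an interface: the CVE-2013-7285 exercise depends on XStream instantiating a dynamic proxy for it from untrusted XML. */`. Dropping the `public` keywords and adding a trailing newline would also clear the "no newline at end of file" marker.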
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactConverter.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactConverter.java
index 7f814cd45..200ce6f13 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactConverter.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactConverter.java
@@ -36,15 +36,15 @@ public class ContactConverter implements Converter {
public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
Contact contact = (Contact) value;
- writer.startNode("name");
- writer.setValue(contact.getName());
+ writer.startNode("firstName");
+ writer.setValue(contact.getFirstName());
writer.endNode();
}
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
- Contact contact = new Contact();
+ Contact contact = new ContactImpl();
reader.moveDown();
- contact.setName(reader.getValue());
+ contact.setFirstName(reader.getValue());
reader.moveUp();
return contact;
}
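Review bot: `unmarshal` still assumes the first child element is `firstName`: `reader.moveDown()` is called unconditionally, so an empty `<contact/>` throws from inside the converter instead of yielding an empty contact, and any other first child (`<email>`, for instance) is silently stored as the first name. The read should be guarded by `hasMoreChildren()` and a node-name check, as sketched below. `marshal` is also lossy — it writes only `firstName` and drops id, lastName and email — which deserves a one-line comment if that is intentional (`// lesson converter: only firstName is round-tripped`). The enclosing class begins before this hunk, and the lesson registers this converter only in commented-out code, so this may currently be dead code; the fix is cheap either way.
```java
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
    Contact contact = new ContactImpl();
    if (reader.hasMoreChildren()) {
        reader.moveDown();
        // accept only the element this converter itself writes; anything else is ignored
        if ("firstName".equals(reader.getNodeName())) {
            contact.setFirstName(reader.getValue());
        }
        reader.moveUp();
    }
    return contact;
}
```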
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java
new file mode 100644
index 000000000..951c2f678
--- /dev/null
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java
@@ -0,0 +1,35 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.vulnerable_components;
+
+import lombok.Data;
+
+@Data
+public class ContactImpl implements Contact {
+
+ private Integer id;
+ private String firstName;
+ private String lastName;
+ private String email;
+
+}
\ No newline at end of file
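Review bot: `ContactImpl` has no class Javadoc, and a reader cannot tell from this file that its field names are load-bearing: with `xstream.alias("contact", ContactImpl.class)` in the lesson, `id`, `firstName`, `lastName` and `email` double as the XML element names XStream expects, so renaming a field here silently changes the accepted wire format. Lombok's `@Data` also generates a `toString()` over all four fields, and the lesson feeds the deserialized contact into a user-visible feedback message, so attacker-controlled field values are echoed back (whether they are escaped depends on the front end, which this diff does not show) — acceptable for a training target, but worth stating. Suggested header: `/** Concrete contact bound to the {@code <contact>} element by the lesson's XStream alias; field names are XML element names, do not rename without updating the lesson payloads. */`.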
diff --git a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
index eced258d3..b881aa4ab 100644
--- a/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
+++ b/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java
@@ -24,54 +24,83 @@ package org.owasp.webgoat.vulnerable_components;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
+
+import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.*;
@RestController
-//@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
+@AssignmentHints({"vulnerable.hint"})
public class VulnerableComponentsLesson extends AssignmentEndpoint {
+
+
+ /*
+ *
+
+
+
+
+ calc.exe
+
+
+ start
+
+
+
+
+org.owasp.webgoat.vulnerable_components.Contact
+
+
+
+ calc.exe
+
+
+ start
+
+
+ */
@PostMapping("/VulnerableComponents/attack1")
public @ResponseBody
AttackResult completed(@RequestParam String payload) {
- XStream xstream = new XStream(new DomDriver());
+ XStream xstream = new XStream(/*new DomDriver()*/);
xstream.setClassLoader(Contact.class.getClassLoader());
- xstream.processAnnotations(Contact.class);
-// xstream.registerConverter(new ContactConverter());
-// xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
-
-// Contact c = new Contact();
-// c.setName("Alvaro");
-// String sc = xstream.toXML(c);
-// System.out.println(sc);
-
-
-// String payload2 = "" +
-// "foo" +
-// "" +
-// "java.lang.Comparable" +
-// "" +
-// " " +
-// " " +
-// " /Applications/Calculator.app/Contents/MacOS/Calculator" +
-// " " +
-// " " +
-// " start" +
-// "" +
-// "" +
-// "";
+ //xstream.processAnnotations(Contact.class);
+ xstream.alias("contact", ContactImpl.class);
+ //xstream.aliasField("id", Contact.class, "id");
+ xstream.ignoreUnknownElements();
+ //xstream.registerConverter(new ContactConverter());
+ //xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
+ Contact contact = null;
+
try {
-// System.out.println("Payload:" + payload);
- Contact expl = (Contact) xstream.fromXML(payload);
- return success(this).feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build();
- } catch (com.thoughtworks.xstream.converters.ConversionException ex) {
- if (ex.getMessage().contains("Integer")) {
- return success(this).feedback("vulnerable-components.success").build();
- }
- return failed(this).feedback("vulnerable-components.close").build();
+
+
+ if (!StringUtils.isEmpty(payload)) {
+ //payload = payload.replace("contact ", " ", ">").replace(" <", "<");
+ }
+ System.out.println(payload);
+
+ contact = (Contact) xstream.fromXML(payload);
+
+
+ } catch (Exception ex) {
+ return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
}
+
+ try {
+ if (null!=contact) {
+ contact.getFirstName();//trigger the example like https://x-stream.github.io/CVE-2013-7285.html
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ return success(this).feedback("vulnerable-components.success").build();
+ }
+ return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
}
}
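Review bot: The second `try` treats any `Exception` thrown by `contact.getFirstName()` as proof of exploitation and then calls `e.printStackTrace()`, while the first `try` returns `ex.getMessage()` verbatim to the client and `System.out.println(payload)` writes the untrusted, unbounded request body to stdout. The println and the empty `if (!StringUtils.isEmpty(payload)) { }` block above it are debugging leftovers and should be removed; the stack trace belongs in a logger (none is visible in this hunk) rather than on stderr, and the broad catch should either be narrowed to what the proxy actually surfaces or be annotated with why "any exception" is the intended oracle, e.g. `// any throwable from the proxy means its handler fired — that is the success condition for this lesson`. Separately, `new XStream()` is built with no type whitelist (`allowTypes`/`setupDefaultSecurity`) and fed straight into `fromXML(payload)` — intentional for a vulnerable-components lesson, but it should say so: `// INTENTIONALLY INSECURE: unrestricted XStream on attacker-controlled XML (CVE-2013-7285 exercise); never copy this into production code`. Note also that a payload which parses to `null` skips the second `try` and returns the `vulnerable-components.fromXML` failure with "contact null", which reads oddly next to the `vulnerable-components.close` text meant for that case.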
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties
index 4e7943e20..07db2fc11 100644
--- a/webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties
@@ -1,6 +1,7 @@
vulnerable-components.title=Vulnerable Components
EnterYourName=Enter your Name
Go!=Go!
+vulnerable.hint=Here is some explanation of someone trying the exercise in an earlier version: https://www.youtube.com/watch?v=iWcRR2WcBFU
vulnerable-components.close=Trying to deserialize null object.
-vulnerable-components.success=If you are not seeing the application you started; it may be minimized
+vulnerable-components.success=You successfully tried to exploit the CVE-2013-7285 vulnerability
vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution.
\ No newline at end of file
diff --git a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc
index f31b3ddfe..e669e9825 100644
--- a/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc
+++ b/webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc
@@ -12,3 +12,4 @@ WebGoat Sends an XML document to add contacts to a contacts database.
----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
+So find information about the CVE vulnerability and sends some payload that triggers the vulnerability.