diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
index 8d01547d9..83c35e320 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
@@ -16,7 +16,7 @@ public class XSSTest extends IntegrationTest {
 Map params = new HashMap<>();
 params.clear();
- params.put("answer_xss_1", "yes");
+ params.put("checkboxAttack1", "value");
 checkAssignment(url("/CrossSiteScripting/attack1"), params, true);
 params.clear();
diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
index 3f988a8e2..f9141c93d 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
@@ -36,8 +36,8 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 @PostMapping("/CrossSiteScripting/attack1")
 @ResponseBody
- public AttackResult completed(@RequestParam String answer_xss_1) {
- if (answer_xss_1.toString().toLowerCase().equals("yes")) {
+ public AttackResult completed(@RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
+ if (checkboxValue != null) {
 return success(this).build();
 } else {
 return failed(this).feedback("xss.lesson1.failure").build();
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
index f4a037966..93f4d6d09 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
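Review bot: The new `completed` signature only tests `checkboxValue != null`, yet the parameter's name and `String` type suggest its content matters, so the next maintainer is likely to "fix" it back into a value comparison; a comment above the `if`, such as `// The checkbox is only submitted when ticked: presence alone marks the assignment solved, the value is ignored.`, would fix the intent in place. The method also has no Javadoc, and the fact that any submitted value — presumably including an empty `checkboxAttack1=` binding to `""` rather than `null` — counts as solved is worth stating there, since it is acceptable for a training lesson but not obvious from the signature. The closing brace of `completed` lies outside the hunk.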
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -15,8 +15,7 @@ action="/WebGoat/CrossSiteScripting/attack1"> - - +
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
index 91d3fff5b..81b40e219 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -17,7 +17,7 @@ xss-reflected-6a-hint-1=To search through the client side code, use the develope
 xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
 xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
 xss-reflected-6a-hint-4=Still did not find it? Check the GoatRouter.js file. It should be pretty easy to determine.
-xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
 xss-dom-message-success=Correct, I hope you did not cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
 xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
index 4e64a7c83..4771c4e61 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
@@ -28,5 +28,6 @@ alert(document.cookie);
 == Try It!
 Using Chrome or Firefox
-* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
-* Then, on that second that open the browser developer tools and open the javascript console. And type: `alert(document.cookie);` .
+* Open a second tab and use the same url as this page you are currently on (or any URL within this instance of WebGoat).
+* Then, on that second tab open the browser developer tools and open the javascript console. And type: `alert(document.cookie);`.
+* The cookies should be the same on each tab.
diff --git a/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
new file mode 100644
index 000000000..3f2c0f48e
--- /dev/null
+++ b/webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
@@ -0,0 +1,76 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.xss;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@ExtendWith(MockitoExtension.class)
+class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest {
+
+ private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
+
+ @Autowired
+ private MockMvc mockMvc;
+
+ @BeforeEach
+ public void setup() {
+ CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
+ init(crossSiteScriptingLesson1);
+ mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
+ }
+
+ @Test
+ void success() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH)
+ .param("checkboxAttack1", "value"))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+ }
+
+ @Test
+ void failure() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+ }
+
+}
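Review bot: `@Autowired` on the `mockMvc` field is inert in this class: it runs under `MockitoExtension` rather than a Spring test context, and `setup()` assigns the field from `standaloneSetup(...)` anyway, so the annotation and its `Autowired` import only mislead about how the `MockMvc` is obtained and should be dropped. `setup()` is declared `public` while the `@Test` methods are package-private; JUnit 5 requires neither, so `void setup() {` keeps the class consistent. The `failure()` case exercises only an absent parameter; a third case posting `.param("checkboxAttack1", "")` would pin down that `completed` reacts to the parameter's presence rather than its content, which is the behaviour the production hunk introduces.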
Were the cookies the same on each tab? The cookies are the same on each tab