dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

XSS Lesson one boolean response

Browse Source 
Signed-off-by: Àngel Ollé Blázquez <angel@olleb.com>
This commit is contained in:
Àngel Ollé Blázquez 2021-10-01 19:45:24 +02:00 committed by Nanne Baars
parent 8e6d87d429
commit dfa0e1cdca
6 changed files with 84 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
View File

@ -16,7 +16,7 @@ public class XSSTest extends IntegrationTest {
Map<String, Object> params = new HashMap<>(); Map<String, Object> params = new HashMap<>();
params.clear(); params.clear();
params.put("answer_xss_1", "yes"); params.put("checkboxAttack1", "value");
checkAssignment(url("/CrossSiteScripting/attack1"), params, true); checkAssignment(url("/CrossSiteScripting/attack1"), params, true);
params.clear(); params.clear();

4
webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
View File

@ -36,8 +36,8 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
@PostMapping("/CrossSiteScripting/attack1") @PostMapping("/CrossSiteScripting/attack1")
@ResponseBody @ResponseBody
public AttackResult completed(@RequestParam String answer_xss_1) { public AttackResult completed(@RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
if (answer_xss_1.toString().toLowerCase().equals("yes")) { if (checkboxValue != null) {
return success(this).build(); return success(this).build();
} else { } else {
return failed(this).feedback("xss.lesson1.failure").build(); return failed(this).feedback("xss.lesson1.failure").build();

3
webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
View File

@ -15,8 +15,7 @@
action="/WebGoat/CrossSiteScripting/attack1"> action="/WebGoat/CrossSiteScripting/attack1">
<table> <table>
<tr> <tr>
<td>Were the cookies the same on each tab?</td> <td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
<td><input name="answer_xss_1" value="" type="TEXT" /></td>
<td><input <td><input
name="answer" value="Submit" type="SUBMIT"/></td> name="answer" value="Submit" type="SUBMIT"/></td>
<td></td> <td></td>

2
webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
View File

@ -17,7 +17,7 @@ xss-reflected-6a-hint-1=To search through the client side code, use the develope
xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes. xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution. xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine. xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
xss.lesson1.failure=Are you sure? Try using a tab from a different site. xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
xss-dom-message-success=Correct, I hope you did not cheat, using the console! xss-dom-message-success=Correct, I hope you did not cheat, using the console!
xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful. xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson. xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.

5
webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
View File

@ -28,5 +28,6 @@ alert(document.cookie);
== Try It! Using Chrome or Firefox == Try It! Using Chrome or Firefox
* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat) * Open a second tab and use the same url as this page you are currently on (or any URL within this instance of WebGoat).
* Then, on that second that open the browser developer tools and open the javascript console. And type: `alert(document.cookie);` . * Then, on that second tab open the browser developer tools and open the javascript console. And type: `alert(document.cookie);`.
* The cookies should be the same on each tab.

76
webgoat-lessons/cross-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java Normal file
View File

@ -0,0 +1,76 @@
/*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2021 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source
* ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
*/
package org.owasp.webgoat.xss;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.assignments.AssignmentEndpointTest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
/**
*
* @author Angel Olle Blazquez
*
*/
@ExtendWith(MockitoExtension.class)
class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest {
private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
@Autowired
private MockMvc mockMvc;
@BeforeEach
public void setup() {
CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
init(crossSiteScriptingLesson1);
mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
}
@Test
void success() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH)
.param("checkboxAttack1", "value"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
@Test
void failure() throws Exception {
mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH))
.andExpect(status().isOk())
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}