implementing support for dom xss
		| @ -36,13 +36,36 @@ define(['jquery', | ||||
|             menuView: menuView | ||||
|         }), | ||||
|  | ||||
|  | ||||
|         setUpCustomJS: function () { | ||||
|             webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now | ||||
|  | ||||
|             // temporary shim to support dom-xss lesson | ||||
|             webgoat.customjs.phoneHome = function (e) { | ||||
|                 console.log('phoneHome invoked'); | ||||
|                 console.log(arguments.callee); | ||||
|                 // | ||||
|                 webgoat.customjs.jquery.ajax({ | ||||
|                       method:"POST", | ||||
|                       url:"/WebGoat/CrossSiteScripting/dom-xss", | ||||
|                       data:{param1:42,param2:24}, | ||||
|                       headers:{ | ||||
|                           "webgoat-requested-by":"dom-xss-vuln" | ||||
|                       }, | ||||
|                       contentType:'application/x-www-form-urlencoded; charset=UTF-8' | ||||
|                 }); | ||||
|             } | ||||
|         }, | ||||
|  | ||||
|         init:function() { | ||||
|             goatRouter =  new GoatAppRouter(); | ||||
|             this.lessonController.start(); | ||||
|             // this.menuController.initMenu(); | ||||
|             webgoat = {}; | ||||
|             webgoat.customjs = {}; | ||||
|             webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now | ||||
|  | ||||
|             this.setUpCustomJS(); | ||||
|  | ||||
|  | ||||
|             goatRouter.on('route:lessonRoute', function(name) { | ||||
|                 this.lessonController.loadLesson(name,0); | ||||
|  | ||||
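Review bot: `console.log(arguments.callee)` inside phoneHome will throw a TypeError if this module is ever evaluated in strict mode, and together with the `console.log('phoneHome invoked')` line just above it is leftover debugging output; drop both lines. `webgoat.customjs.jquery = $` is now assigned twice, once in init and again in setUpCustomJS, which init calls immediately afterwards, so the copy in init is redundant and one of them should go. The shim also has no comment saying what the POST is for beyond "temporary shim"; a line such as `// reports to the dom-xss assignment endpoint that the lesson's custom JS was reached` would make the intent clear. The enclosing define() object literal starts and ends outside the hunk.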
| @ -0,0 +1,39 @@ | ||||
| package org.owasp.webgoat.plugin; | ||||
|  | ||||
| import org.owasp.webgoat.lessons.Assignment; | ||||
| import org.owasp.webgoat.lessons.model.AttackResult; | ||||
| import org.springframework.web.bind.annotation.RequestMapping; | ||||
| import org.springframework.web.bind.annotation.RequestMethod; | ||||
| import org.springframework.web.bind.annotation.RequestParam; | ||||
| import org.springframework.web.bind.annotation.ResponseBody; | ||||
|  | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import java.io.IOException; | ||||
|  | ||||
| /** | ||||
|  * Created by jason on 11/23/16. | ||||
|  */ | ||||
| public class DOMCrossSiteScripting extends Assignment { | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|     public @ResponseBody | ||||
|     AttackResult completed(@RequestParam Integer param1, | ||||
|                            @RequestParam Integer param2, HttpServletRequest request) | ||||
|             throws IOException { | ||||
|          | ||||
|         if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) { | ||||
|             return trackProgress(AttackResult.success("well done!")); | ||||
|         } else { | ||||
|             return trackProgress(AttackResult.failed("keep trying!")); | ||||
|         } | ||||
|     } | ||||
|  | ||||
|     @Override | ||||
|     public String getPath() { | ||||
|         return "/CrossSiteScripting/dom-xss"; | ||||
|     } | ||||
| } | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
|  | ||||
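Review bot: `request.getHeader("webgoat-requested-by")` returns null when the header is absent, so a POST to `completed` without it throws a NullPointerException from the `.equals` call instead of returning the failed AttackResult; write the comparison as `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))`. The `throws IOException` clause on `completed` is not needed by anything in the body and can be dropped. The method also lacks Javadoc; a one-line summary such as `/** Marks the assignment solved when the expected parameters arrive with the expected request header. */` would help, and the class header comment should say what the assignment is rather than only who created it.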
| @ -0,0 +1,11 @@ | ||||
| //webgoat.customjs.phoneHome = function (e) { | ||||
| //    webgoat.customjs.jquery.ajax({ | ||||
| //        method:"POST", | ||||
| //        url:"/WebGoat/CrossSiteScripting/dom-xss", | ||||
| //        data:{param1:42,param2:24}, | ||||
| //        headers:{ | ||||
| //            "x-request-with":"dom-xss-vuln" | ||||
| //        }, | ||||
| //        contentType:'application/x-www-form-urlencoded; charset=UTF-8' | ||||
| //    }); | ||||
| //} | ||||
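Review bot: This file is entirely commented-out code and duplicates the phoneHome shim added to setUpCustomJS, but with the header named `x-request-with` rather than `webgoat-requested-by`, which is the name the server-side check in DOMCrossSiteScripting compares against, so it would not pass the assignment if uncommented as is. Either delete the file or make it the live shim with the matching header name and load it from setUpCustomJS, so that only one copy exists. The hunk shows the whole file.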