diff --git a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js index ee17193bc..b8eb7bb1e 100644 --- a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js +++ b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js @@ -36,13 +36,36 @@ define(['jquery', menuView: menuView }), + + setUpCustomJS: function () { + webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now + + // temporary shim to support dom-xss lesson + webgoat.customjs.phoneHome = function (e) { + console.log('phoneHome invoked'); + console.log(arguments.callee); + // + webgoat.customjs.jquery.ajax({ + method:"POST", + url:"/WebGoat/CrossSiteScripting/dom-xss", + data:{param1:42,param2:24}, + headers:{ + "webgoat-requested-by":"dom-xss-vuln" + }, + contentType:'application/x-www-form-urlencoded; charset=UTF-8' + }); + } + }, + init:function() { goatRouter = new GoatAppRouter(); this.lessonController.start(); // this.menuController.initMenu(); webgoat = {}; webgoat.customjs = {}; - webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now + + this.setUpCustomJS(); + goatRouter.on('route:lessonRoute', function(name) { this.lessonController.loadLesson(name,0); diff --git a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java new file mode 100644 index 000000000..a339a258b --- /dev/null +++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java 
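Review bot: `console.log(arguments.callee)` in the new `phoneHome` shim throws a TypeError under strict mode (ES modules, or any `'use strict'` wrapper this AMD module may later get), and together with the `'phoneHome invoked'` line it is leftover debugging that prints nothing a student or maintainer needs; drop both `console.log` lines. The `$.ajax` call also has no `.done`/`.fail` handler, so a failed or rejected POST to `/WebGoat/CrossSiteScripting/dom-xss` is silently dropped and the lesson gives no feedback — at minimum chain `.fail(function (xhr) { console.error('dom-xss phoneHome failed', xhr.status); })`. The `e` parameter of `phoneHome` is never read. The body of `init` continues past the end of the hunk.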
@@ -0,0 +1,39 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.lessons.model.AttackResult;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * Created by jason on 11/23/16.
+ */
+public class DOMCrossSiteScripting extends Assignment {
+ @RequestMapping(method = RequestMethod.POST)
+ public @ResponseBody
+ AttackResult completed(@RequestParam Integer param1,
+ @RequestParam Integer param2, HttpServletRequest request)
+ throws IOException {
+
+ if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
+ return trackProgress(AttackResult.success("well done!"));
+ } else {
+ return trackProgress(AttackResult.failed("keep trying!"));
+ }
+ }
+
+ @Override
+ public String getPath() {
+ return "/CrossSiteScripting/dom-xss";
+ }
+}
+
+
+
+
+
diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js
index e69de29bb..3658f5e98 100644
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js
@@ -0,0 +1,11 @@
+//webgoat.customjs.phoneHome = function (e) {
+// webgoat.customjs.jquery.ajax({
+// method:"POST",
+// url:"/WebGoat/CrossSiteScripting/dom-xss",
+// data:{param1:42,param2:24},
+// headers:{
+// "x-request-with":"dom-xss-vuln"
+// },
+// contentType:'application/x-www-form-urlencoded; charset=UTF-8'
+// });
+//}
\ No newline at end of file
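Review bot: `request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")` in `completed` dereferences the header value before checking it, and `HttpServletRequest.getHeader` returns null when the header is absent, so any POST to this endpoint without the custom header — a plain form submit, curl, or a student probing the lesson — ends in a NullPointerException and a 500 instead of the intended `keep trying!` result. Put the literal on the receiving side: `"dom-xss-vuln".equals(request.getHeader("webgoat-requested-by"))`. The `throws IOException` clause can go, since nothing in the body throws it. The class comment `Created by jason on 11/23/16.` says nothing about the assignment; replace it with what the endpoint actually verifies, e.g. `Solved when the page is made to call webgoat.customjs.phoneHome(), which POSTs param1=42, param2=24 and the webgoat-requested-by header checked here.`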
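Review bot: The whole of dom-xss.js is commented-out code, and the copy is already stale: it sends the header `x-request-with` while the server-side check in DOMCrossSiteScripting.java reads `webgoat-requested-by`, so anyone who uncomments it to move the shim out of GoatRouter.js (as the "temporary shim" comment there suggests is the plan) will get `keep trying!` for a correct solution. Either leave the file empty until the shim actually moves here, or make this the live definition with the header the server checks: `"webgoat-requested-by":"dom-xss-vuln"`. The file also lacks a trailing newline.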