implementing support for dom xss

2016-11-23 17:24:59 -05:00 · 2016-11-23 17:24:59 -05:00 · e183c8d8b3
commit e183c8d8b3
parent 5347311319
3 changed files with 74 additions and 1 deletions
--- a/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
+++ b/webgoat-container/src/main/resources/static/js/goatApp/view/GoatRouter.js
@ -36,13 +36,36 @@ define(['jquery',
            menuView: menuView
        }),
        setUpCustomJS: function () {
            webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now
            // temporary shim to support dom-xss lesson
            webgoat.customjs.phoneHome = function (e) {
                console.log('phoneHome invoked');
                console.log(arguments.callee);
                //
                webgoat.customjs.jquery.ajax({
                      method:"POST",
                      url:"/WebGoat/CrossSiteScripting/dom-xss",
                      data:{param1:42,param2:24},
                      headers:{
                          "webgoat-requested-by":"dom-xss-vuln"
                      },
                      contentType:'application/x-www-form-urlencoded; charset=UTF-8'
                });
            }
        },
        init:function() {
            goatRouter =  new GoatAppRouter();
            this.lessonController.start();
            // this.menuController.initMenu();
            webgoat = {};
            webgoat.customjs = {};
-            webgoat.customjs.jquery = $; //passing jquery into custom js scope ... still klunky, but works for now
+
            this.setUpCustomJS();
            goatRouter.on('route:lessonRoute', function(name) {
                this.lessonController.loadLesson(name,0);
--- a/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
+++ b/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/DOMCrossSiteScripting.java
@ -0,0 +1,39 @@
 package org.owasp.webgoat.plugin;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.model.AttackResult;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 /**
 * Created by jason on 11/23/16.
 */
 public class DOMCrossSiteScripting extends Assignment {
    @RequestMapping(method = RequestMethod.POST)
    public @ResponseBody
    AttackResult completed(@RequestParam Integer param1,
                           @RequestParam Integer param2, HttpServletRequest request)
            throws IOException {
        if (param1 == 42 && param2 == 24 && request.getHeader("webgoat-requested-by").equals("dom-xss-vuln")) {
            return trackProgress(AttackResult.success("well done!"));
        } else {
            return trackProgress(AttackResult.failed("keep trying!"));
        }
    }
    @Override
    public String getPath() {
        return "/CrossSiteScripting/dom-xss";
    }
 }
--- a/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js
+++ b/webgoat-lessons/cross-site-scripting/src/main/resources/plugin/CrossSiteScripting/js/dom-xss.js
@ -0,0 +1,11 @@
 //webgoat.customjs.phoneHome = function (e) {
 //    webgoat.customjs.jquery.ajax({
 //        method:"POST",
 //        url:"/WebGoat/CrossSiteScripting/dom-xss",
 //        data:{param1:42,param2:24},
 //        headers:{
 //            "x-request-with":"dom-xss-vuln"
 //        },
 //        contentType:'application/x-www-form-urlencoded; charset=UTF-8'
 //    });
 //}