Removed old unused files from XSS
This commit is contained in:
parent
58dc5d2d41
commit
eb29ed00ff
@ -44,12 +44,6 @@ public class CrossSiteScripting extends NewLesson {
|
||||
@Override
|
||||
public List<String> getHints() {
|
||||
List<String> hints = new ArrayList<String>();
|
||||
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint1"));
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint2"));
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint3"));
|
||||
// hints.add(getLabelManager().get("SqlStringInjectionHint4"));
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
|
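Review bot: With the four SqlStringInjectionHint* lines gone, getHints() now allocates a `new ArrayList<String>()` only to return it empty, and nothing in the new code tells a reader that an empty hint list is intended rather than a leftover of the cleanup. I would collapse the allocation and return into `return Collections.emptyList();` (adding the java.util.Collections import if the file does not already have it), or, if some caller mutates the returned list, keep the ArrayList and add `// No lesson-level hints: the removed entries were SQL-injection hint labels that never belonged to this XSS lesson.` so the next maintainer does not try to restore them. The method getHints fits entirely within this hunk, but the enclosing class CrossSiteScripting continues outside it.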
@ -1,74 +0,0 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
|
||||
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.owasp.webgoat.session.UserSessionData;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
|
||||
/***************************************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
* please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 20014 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with this program; if
|
||||
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
* 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
* projects.
|
||||
*
|
||||
* For details, please see http://webgoat.github.io
|
||||
*
|
||||
* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
|
||||
* @created October 28, 2003
|
||||
*/
|
||||
@AssignmentPath("/CrossSiteScripting/attack5b")
|
||||
public class CrossSiteScriptingLesson5b extends AssignmentEndpoint {
|
||||
|
||||
@Autowired
|
||||
UserSessionData userSessionData;
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST)
|
||||
public @ResponseBody
|
||||
AttackResult completed(@RequestParam String isReflectedXSS) throws IOException {
|
||||
// init
|
||||
System.out.println(userSessionData.getValue("xss-reflected5a-complete"));
|
||||
|
||||
//TODO
|
||||
// if (null == userSessionData.getValue("xss-reflected5a-complete") || userSessionData.getValue("xss-reflected-5a-complete").equals("false")) {
|
||||
// //userSessionData.setValue("xss-reflected1-complete",(Object)"false");
|
||||
// return trackProgress(success().feedback("xss-reflected-5b-do5a-first").build());
|
||||
// }
|
||||
|
||||
if (isReflectedXSS.toLowerCase().equals("no") || isReflectedXSS.toLowerCase().equals("n")) {
|
||||
//return trackProgress()
|
||||
return trackProgress(success().feedback("xss-reflected-5b-success").build());
|
||||
} else {
|
||||
return trackProgress(success().feedback("xss-reflected-5b-failure").build());
|
||||
}
|
||||
}
|
||||
}
|
@ -11,7 +11,6 @@ xss-reflected-5a-hint-2=Quantity inputs are probably processed as integer values
|
||||
xss-reflected-5a-hint-3=What information send to the application gets reflected back after being submitted?
|
||||
xss-reflected-5a-hint-4=Just try purchasing something. You want your script to be included in the purchase-confirmation.
|
||||
xss-reflected-5b-success=Correct ... because <ul><li>The script was not triggered by the URL/QueryString</li><li>Even if you use the attack URL in a new tab, it won't execute (becuase of response type). Try it if you like.</li></ul>
|
||||
xss-reflected-5b-failure=Nope, pretty easy to guess now though.
|
||||
xss-reflected-6a-success=Correct! Now, see if you can send in an exploit to that route in the next assignment.
|
||||
xss-reflected-6a-failure=Sorry that's not correct. Look at the example again to understand what a valid route looks like. If you're stuck... hints might help.
|
||||
xss-reflected-6a-hint-1=To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the <i>Developer Tools</i> Lesson in the general category.)
|
||||
|
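Review bot: The deleted CrossSiteScriptingLesson5b built its feedback from the keys xss-reflected-5b-success and xss-reflected-5b-failure, yet this hunk removes only one of the seven lines shown (7 old, 6 new), so at least one of the two xss-reflected-5b-* entries survives the commit. Unless another assignment still looks that key up, it is now dead message text for a lesson step that no longer exists and should go in the same commit. The rendered page does not show which line was removed, so this is worth confirming against the raw diff before merging.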
@ -1,11 +0,0 @@
|
||||
//webgoat.customjs.phoneHome = function (e) {
|
||||
// webgoat.customjs.jquery.ajax({
|
||||
// method:"POST",
|
||||
// url:"/WebGoat/CrossSiteScripting/dom-xss",
|
||||
// data:{param1:42,param2:24},
|
||||
// headers:{
|
||||
// "x-request-with":"dom-xss-vuln"
|
||||
// },
|
||||
// contentType:'application/x-www-form-urlencoded; charset=UTF-8'
|
||||
// });
|
||||
//}
|
@ -1,24 +0,0 @@
|
||||
== XSS Defense
|
||||
* HTML entity input encoding
|
||||
** Converting ‘<‘ and ‘>’ to < and > before storage
|
||||
* HTML entity output encoding
|
||||
** Converting ‘<‘ and ‘>’ to < and > before writing
|
||||
* Input validation
|
||||
** Positive model to allow valid characters only
|
||||
** New attacks found everyday
|
||||
*** negative filter not reliable
|
||||
* Setting HTTPOnly as a cookie attribute
|
||||
* Only allow post data to prevent reflected XSS
|
||||
* Use language specific built-in mechanisms
|
||||
** Page validation for .NET in web.config
|
||||
+
|
||||
----
|
||||
<%page ValidateRequest="true" %>
|
||||
----
|
||||
** Struts
|
||||
+
|
||||
----
|
||||
<bean:write ... >
|
||||
----
|
||||
|
||||
*Any problems with these approaches?*
|
@ -1,19 +0,0 @@
|
||||
== Encoding Best Practices
|
||||
* Not as easy as it may seem
|
||||
** Web 2.0 apps (social networks, mashups, blogs, feeds, etc.)
|
||||
** HTML encoding, HTML attribute encoding, JavaScript encoding, URL encoding, …
|
||||
* Use a proven and tested framework
|
||||
** The OWASP AntiSamy project (Java & .NET)
|
||||
*** Very useful in social applications where HTML content is allowed as input from users
|
||||
*** http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
|
||||
** The OWASP ESAPI (Java, .NET, PHP, Classic ASP, Cold Fusion, Haskell)
|
||||
*** https://www.owasp.org/index.php/ESAPI
|
||||
** HTMLPurifier (PHP)
|
||||
*** http://htmlpurifier.org/
|
||||
** Anti-XSS Library from Microsoft
|
||||
*** Designed specifically for ASP.NET applications
|
||||
*** http://www.codeplex.com/AntiXSS
|
||||
* Some light reading:
|
||||
** http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java
|
||||
** https://www.owasp.org/index.php?title=XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
|
||||
|
@ -1,8 +0,0 @@
|
||||
== The Samy Attack!
|
||||
|
||||
A very interesting XSS exploit. A single flaw led to a massive attack.
|
||||
|
||||
http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
|
||||
|
||||
Only published AFTER MySpace resolved this issue. *He only wanted more friends!*
|
||||
|
@ -1,19 +0,0 @@
|
||||
== XSS Phishing Example
|
||||
|
||||
* A search page displays the search string
|
||||
* Attacker types in:
|
||||
** ‘String to search”><script>alert(‘xss’)</script><!—
|
||||
** This will result in an ‘xss’ alert dialog
|
||||
* Attacker could create dynamic page content:
|
||||
+
|
||||
----
|
||||
password<form><br><br><HR><H3>
|
||||
This feature requires account login:</H3><br><br>
|
||||
Enter Username:<br><input type="text" id="user“
|
||||
name="user"><br>
|
||||
Enter Password:<br><input type="password"
|
||||
name = "pass"><br>
|
||||
</form><br><br><HR>
|
||||
----
|
||||
|
||||
*Attacker steals credentials and posts data to attacker site*
|
@ -1,3 +0,0 @@
|
||||
== Try It! XSS Phishing
|
||||
|
||||
Place Holder
|
@ -1,13 +0,0 @@
|
||||
== HTTPOnly
|
||||
|
||||
* Disallows access to cookie in most modern browsers
|
||||
** Even by the website that set the cookie in the first place
|
||||
|
||||
* HTTPOnly Cookies are still accessible through AJAX
|
||||
** This is accomplished using the XmlHttpRequest object
|
||||
** Cookie data can still be read from the headers
|
||||
|
||||
* Public web sites that support multiple browsers
|
||||
* Use a client-side script to determine the browser version for a visitor
|
||||
* The website can restrict sensitive information to visitors using browsers that mitigate cross site scripting attacks for cookies
|
||||
* Visitors with browsers that do not support HTTPOnly cookies can be given limited information or functionality along with a request to upgrade their software
|
@ -1,31 +0,0 @@
|
||||
== HTTPOnly Implementation
|
||||
|
||||
* Java has limited support for HTTPOnly
|
||||
+
|
||||
----
|
||||
response.setHeader("Set-Cookie", UNIQUE2U + "=" + value + "; HTTPOnly");
|
||||
----
|
||||
* Draft Servlet 3.0 specification (JSR 315)
|
||||
** Support in Cookie and SessionCookieConfig
|
||||
|
||||
* ASP.NET 1.1 has no built-in support for HTTPOnly
|
||||
+
|
||||
----
|
||||
HttpCookie cookie = new HttpCookie("MyCookie");
|
||||
cookie.Value = cookieval;
|
||||
cookie.Path = FormsAuthentication.FormsCookiePath + "; HTTPOnly";
|
||||
context.Response.Cookies.Add(cookie);
|
||||
----
|
||||
* ASP.NET 1.1 EndRequest event listener
|
||||
+
|
||||
----
|
||||
private void OnEndRequest(object sender, EventArgs e)
|
||||
{
|
||||
HttpContext context = HttpContext.Current;
|
||||
foreach (string sCookie in context.Response.Cookies)
|
||||
{
|
||||
context.Response.Cookies[sCookie].Path += "; HTTPOnly";
|
||||
}
|
||||
}
|
||||
---
|
||||
* ASP.NET 2.0 has HTTPOnly property in Cookie class
|
@ -1,3 +0,0 @@
|
||||
== Try It! HTTPOnly
|
||||
|
||||
Place Holder
|
@ -1,3 +0,0 @@
|
||||
== Try It! XSS LAB
|
||||
|
||||
Place Holder
|
@ -1,9 +0,0 @@
|
||||
== Was it Really Reflected XSS?
|
||||
|
||||
The last example was not truly reflected XSS ... Why you say?
|
||||
# Can you execute it by changing the URL? (No)
|
||||
# If you do follow the actual payload in a new tab, does it execute the script? (No ... go ahead and give it a try)
|
||||
|
||||
The reason for #2 is that the response type
|
||||
|
||||
|
@ -1,20 +0,0 @@
|
||||
== DOM-based XSS Defense
|
||||
|
||||
* Attacker creates url:
|
||||
+
|
||||
----
|
||||
http://mylogin.com/login?error=<script>alert(“xss”)</script>
|
||||
----
|
||||
|
||||
* JavaScript must enforce input validation
|
||||
+
|
||||
----
|
||||
if ( errorMsg\[1\].match(/^[ a-zA-Z0-9:-]$/))
|
||||
{
|
||||
document.write(‘some error’);
|
||||
}
|
||||
else
|
||||
{
|
||||
document.write('<b>'+errorMsg\[1\]+'</b>');
|
||||
}
|
||||
----
|
@ -1,8 +0,0 @@
|
||||
== Stored XSS Scenario
|
||||
* Attacker posts malicious script to a message board
|
||||
* Message is stored in a server database
|
||||
* Victim reads the message
|
||||
* The malicious script embedded in the message board post executes in the victim’s browser
|
||||
** The script steals sensitive information, like the session id, and releases it to the attacker
|
||||
|
||||
*Victim does not realize attack occurred*
|
@ -1,5 +0,0 @@
|
||||
== Try It! Stored XSS
|
||||
|
||||
Identify which field is susceptible to XSS
|
||||
|
||||
It is always a good practice to scrub all input, especially those inputs that will later be used as parameters to OS commands, scripts, and database queries. It is particularly important for content that will be permanently stored somewhere in the application. Users should not be able to create message content that could cause another user to load an undesireable page or undesireable content when the user's message is retrieved.
|