From ed490a5ecfc7abbebe7329e0e680f0b607af9ba7 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 16 Jan 2019 11:07:30 +0100 Subject: [PATCH] Fix for #545 Introduced new macro to make a clear distinction between /WebWolf with context root and without. --- .../webgoat/AsciiDoctorTemplateResolver.java | 2 ++ .../owasp/webgoat/asciidoc/WebWolfMacro.java | 6 +++++- .../webgoat/asciidoc/WebWolfRootMacro.java | 20 +++++++++++++++++++ .../resources/lessonPlans/en/XXE_blind.adoc | 6 +++--- .../lessonPlans/en/XXE_blind_assignment.adoc | 2 +- 5 files changed, 31 insertions(+), 5 deletions(-) create mode 100644 webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
index ecb80bd43..df4c11e0b 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
@@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
 import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
 import org.owasp.webgoat.asciidoc.WebWolfMacro;
+import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
 import org.owasp.webgoat.i18n.Language;
 import org.thymeleaf.TemplateProcessingParameters;
 import org.thymeleaf.resourceresolver.IResourceResolver;
@@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
 StringWriter writer = new StringWriter();
 JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
 extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+ extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
 extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
index 7f81d63d1..2d655ce58 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java
@@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
 HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
 String ip = request.getRemoteAddr();
 String hostname = StringUtils.hasText(ip) ? ip : host;
- return "http://" + hostname + ":" + port + "/WebWolf";
+ return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
+ }
+
+ protected boolean includeWebWolfContext() {
+ return true;
 }
 }
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
new file mode 100644
index 000000000..b188c2a66
--- /dev/null
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfRootMacro.java
@@ -0,0 +1,20 @@
+package org.owasp.webgoat.asciidoc;
+
+import java.util.Map;
+
+/**
+ * Usage in asciidoc:
+ *
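Review bot: The rewritten `return` in WebWolfMacro.java still builds the link from the raw `request.getRemoteAddr()` value, so a client that connects over IPv6 yields an unbracketed address followed by `:port`, which is not a valid URL authority, and behind a reverse proxy the address is the proxy's rather than a host where WebWolf is reachable. Bracket IPv6 literals before concatenating, e.g. `String hostPart = hostname.indexOf(':') >= 0 ? "[" + hostname + "]" : hostname;`, or prefer the configured `host` when it is set. The new `includeWebWolfContext()` hook has no Javadoc; a one-line comment such as `/** Whether the generated URL ends with the /WebWolf context root; subclasses return false to link to the server root. */` would document the extension point. The enclosing method starts above the hunk, so where `host` and `port` come from is not visible here.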

+ * webWolfLink:here[] will display a href with here as text
+ * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
+ */
+public class WebWolfRootMacro extends WebWolfMacro {
+
+ public WebWolfRootMacro(String macroName, Map config) {
+ super(macroName, config);
+ }
+
+ protected boolean includeWebWolfContext() {
+ return false;
+ }
+}
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
index 72c9e4886..e8cfe8f71 100644
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc
@@ -5,7 +5,7 @@ Or the resource you are trying to read contains illegal XML character which caus Let's start with an example, in this case we reference an external DTD which we control on our own server. As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example -use this server to ping it using `webWolfLink:landing[noLink]` +use this server to ping it using `webWolfRootLink:landing[noLink]` How do we use this endpoint to verify whether we can perform XXE?
@@ -14,7 +14,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi [source, subs="macros, specialcharacters"] ---- - + ---- Now submit the form change the xml using to:
@@ -37,7 +37,7 @@ Now in WebWolf browse to 'Incoming requests' and you will see: ---- { "method" : "GET", - "path" : "/ping", + "path" : "/landing", "headers" : { "request" : { "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
index dd5ae4194..168d26426 100644
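Review bot: The class Javadoc in WebWolfRootMacro.java was copied from the parent macro and still shows `webWolfLink:here[]` and `webWolfLink:landing[noLink]`, although this class is registered as `webWolfRootLink`; the usage lines should read `webWolfRootLink:here[]` and `webWolfRootLink:landing[noLink]` and state that the generated URL has no `/WebWolf` context root. The overriding `includeWebWolfContext()` should carry `@Override`, so that a later rename in the parent fails at compile time instead of silently restoring the `/WebWolf` prefix. The constructor parameter appears as a raw `Map` on this page; if that is what the file contains rather than an artifact of extraction, give it type arguments.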
--- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
+++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc
@@ -18,6 +18,6 @@ DTD. |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |=== -Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]` +Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]` (NOTE: this endpoint is under your full control) Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson. \ No newline at end of file