Introduced a new macro to make a clear distinction between WebWolf links with the /WebWolf
context root and links without it.
This commit is contained in:
Nanne Baars 2019-01-16 11:07:30 +01:00
parent 81d6e12ae1
commit ed490a5ecf
5 changed files with 31 additions and 5 deletions


@ -37,6 +37,7 @@ import org.asciidoctor.Asciidoctor;
import org.asciidoctor.extension.JavaExtensionRegistry; import org.asciidoctor.extension.JavaExtensionRegistry;
import org.owasp.webgoat.asciidoc.WebGoatVersionMacro; import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
import org.owasp.webgoat.asciidoc.WebWolfMacro; import org.owasp.webgoat.asciidoc.WebWolfMacro;
import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
import org.owasp.webgoat.i18n.Language; import org.owasp.webgoat.i18n.Language;
import org.thymeleaf.TemplateProcessingParameters; import org.thymeleaf.TemplateProcessingParameters;
import org.thymeleaf.resourceresolver.IResourceResolver; import org.thymeleaf.resourceresolver.IResourceResolver;
@ -87,6 +88,7 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
StringWriter writer = new StringWriter(); StringWriter writer = new StringWriter();
JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry(); JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class); extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class); extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes()); asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
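Review bot: The new macro name `"webWolfRootLink"` is registered here as a bare string literal and is repeated verbatim in the asciidoc lesson files changed by this commit, so a later rename in either place would most likely leave the raw macro text in the rendered lesson rather than fail loudly. Consider declaring the name once on the macro class, e.g. `public static final String NAME = "webWolfRootLink";` in WebWolfRootMacro, and registering it with `extensionRegistry.inlineMacro(WebWolfRootMacro.NAME, WebWolfRootMacro.class);`. The enclosing method starts before and continues after this hunk.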


@ -45,6 +45,10 @@ public class WebWolfMacro extends InlineMacroProcessor {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest(); HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String ip = request.getRemoteAddr(); String ip = request.getRemoteAddr();
String hostname = StringUtils.hasText(ip) ? ip : host; String hostname = StringUtils.hasText(ip) ? ip : host;
return "http://" + hostname + ":" + port + "/WebWolf"; return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
}
protected boolean includeWebWolfContext() {
return true;
} }
} }
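Review bot: `includeWebWolfContext()` is introduced as a protected extension hook without Javadoc, so a subclass author cannot tell from the signature what the returned flag controls or what the generated URL looks like when it is false. Add above the method `/** Whether the generated link carries the {@code /WebWolf} context root; subclasses return {@code false} to link to the bare server root ({@code http://host:port}) instead. */`. Whether the caller of this method appends the macro target directly after that bare `host:port` is not visible in the hunk, and the enclosing method starts before it.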


@ -0,0 +1,20 @@
package org.owasp.webgoat.asciidoc;
import java.util.Map;
/**
* Usage in asciidoc:
* <p>
* webWolfLink:here[] will display a href with here as text
* webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing
*/
public class WebWolfRootMacro extends WebWolfMacro {
public WebWolfRootMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
protected boolean includeWebWolfContext() {
return false;
}
}
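Review bot: The class Javadoc appears to have been copied from WebWolfMacro and still documents `webWolfLink:here[]` and `webWolfLink:landing[noLink]`, although this class is registered under `webWolfRootLink` and differs from its parent precisely by omitting the `/WebWolf` context root; the example URL `http://WW_HOST:WW_PORT/landing` is in fact what this class produces, so rename the macro in both usage lines and add a sentence stating that the context root is dropped. `includeWebWolfContext()` also lacks `@Override`, which would let the compiler catch a later signature change in the parent: `@Override` / `protected boolean includeWebWolfContext() {`. Since the class is not designed for further extension, declaring it `final` would make that intent explicit.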


@ -5,7 +5,7 @@ Or the resource you are trying to read contains illegal XML character which caus
Let's start with an example, in this case we reference an external DTD which we control on our own server. Let's start with an example, in this case we reference an external DTD which we control on our own server.
As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example As an attacker you have WebWolf under your control (*this can be any server under your control.*), you can for example
use this server to ping it using `webWolfLink:landing[noLink]` use this server to ping it using `webWolfRootLink:landing[noLink]`
How do we use this endpoint to verify whether we can perform XXE? How do we use this endpoint to verify whether we can perform XXE?
@ -14,7 +14,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi
[source, subs="macros, specialcharacters"] [source, subs="macros, specialcharacters"]
---- ----
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!ENTITY ping SYSTEM 'webWolfLink:landing[noLink]'> <!ENTITY ping SYSTEM 'webWolfRootLink:landing[noLink]'>
---- ----
Now submit the form change the xml using to: Now submit the form change the xml using to:
@ -37,7 +37,7 @@ Now in WebWolf browse to 'Incoming requests' and you will see:
---- ----
{ {
"method" : "GET", "method" : "GET",
"path" : "/ping", "path" : "/landing",
"headers" : { "headers" : {
"request" : { "request" : {
"user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "user-agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",


@ -18,6 +18,6 @@ DTD.
|`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt` |`/home/webgoat/.webgoat-webGoatVersion:version[]/XXE/secret.txt`
|=== |===
Try to upload this file using WebWolf landing page for example: `webWolfLink:landing?text=contents_file[noLink]` Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]`
(NOTE: this endpoint is under your full control) (NOTE: this endpoint is under your full control)
Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson. Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson.