merging
@ -2,16 +2,15 @@ package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.google.common.base.Joiner;
|
||||
import org.apache.commons.lang.exception.ExceptionUtils;
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.File;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Paths;
|
||||
@ -66,9 +65,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
|
||||
boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent();
|
||||
logFile.delete();
|
||||
if (solved) {
|
||||
return AttackResult.success(String.format("Contents of the file is: %s", Joiner.on('\n').join(lines)));
|
||||
return success().output("xxe.blind.output").outputArgs(Joiner.on('\n').join(lines)).build();
|
||||
} else {
|
||||
return AttackResult.failed("Try again...", error);
|
||||
return failed().output(error).build();
|
||||
}
|
||||
}
|
||||
|
||||
|
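Review bot: The new `return failed().output(error).build();` passes the raw `error` string where every other assignment in this commit passes a message key to `output()`/`feedback()` (`xxe.content.type.feedback.json`, `xxe.simple.output`), so if `output()` resolves its argument as a resource key the text will not resolve, and if it does not, whatever `error` holds (the `ExceptionUtils` import suggests exception text) goes straight back to the client; the old `Try again...` feedback is also dropped. In the success branch, `.outputArgs(Joiner.on('\n').join(lines))` is paired with the new `xxe.blind.output=Contents of the file is:` entry, which unlike the other `*.output` keys has no `{0}` placeholder, so the joined file contents presumably never appear in the rendered message; `xxe.blind.output=Contents of the file is: {0}` would match the other entries. The enclosing method and the definition of `error` start outside the hunk.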
@ -1,9 +1,10 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestHeader;
|
||||
@ -11,7 +12,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.ws.rs.Path;
|
||||
import java.io.IOException;
|
||||
|
||||
import static org.owasp.webgoat.plugin.SimpleXXE.checkSolution;
|
||||
@ -47,24 +47,25 @@ import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
|
||||
* @since November 17, 2016
|
||||
*/
|
||||
@AssignmentPath("XXE/content-type")
|
||||
@AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
|
||||
public class ContentTypeAssignment extends AssignmentEndpoint {
|
||||
|
||||
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@ResponseBody
|
||||
public AttackResult createNewUser(@RequestBody String userInfo, @RequestHeader("Content-Type") String contentType) throws Exception {
|
||||
User user = new User();
|
||||
AttackResult attackResult = AttackResult.failed("Try again!");
|
||||
AttackResult attackResult = failed().build();
|
||||
if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
|
||||
user = parseJson(userInfo);
|
||||
attackResult = AttackResult.failed("You are posting JSON which does not work with a XXE");
|
||||
attackResult = failed().feedback("xxe.content.type.feedback.json").build();
|
||||
}
|
||||
if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
|
||||
user = parseXml(userInfo);
|
||||
attackResult = AttackResult.failed("You are posting XML but there is no XXE attack performed");
|
||||
attackResult = failed().feedback("xxe.content.type.feedback.xml").build();
|
||||
}
|
||||
|
||||
if (checkSolution(user)) {
|
||||
attackResult = AttackResult.success(String.format("Welcome %s", user.getUsername()));
|
||||
attackResult = success().output("xxe.content.output").outputArgs(user.getUsername()).build();
|
||||
}
|
||||
return attackResult;
|
||||
}
|
||||
|
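Review bot: `createNewUser` returns `attackResult` directly while the equivalent rewrite in `SimpleXXE` wraps both results in `trackProgress(...)`; if progress is recorded only through that wrapper, solving this assignment will never be tracked, and `return trackProgress(attackResult);` would align the two. Visible in the surrounding context rather than the rewrite: `user` stays the empty `new User()` and `checkSolution(user)` still runs when the Content-Type matches neither branch, and the exact `equals` comparison sends any header carrying parameters (e.g. `application/json;charset=UTF-8`) down that fall-through path with a bare `failed().build()` and no feedback key. The `user.getUsername()` value passed to `outputArgs` originates in the submitted body, so the component that renders it must escape it — not confirmable from this hunk.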
@ -1,7 +1,7 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.owasp.webgoat.endpoints.Endpoint;
|
||||
import org.owasp.webgoat.assignments.Endpoint;
|
||||
import org.springframework.web.bind.annotation.RequestHeader;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
|
@ -1,16 +1,16 @@
|
||||
package org.owasp.webgoat.plugin;
|
||||
|
||||
import org.apache.commons.exec.OS;
|
||||
import org.owasp.webgoat.endpoints.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.endpoints.AssignmentPath;
|
||||
import org.owasp.webgoat.lessons.AttackResult;
|
||||
import org.owasp.webgoat.assignments.AssignmentEndpoint;
|
||||
import org.owasp.webgoat.assignments.AssignmentHints;
|
||||
import org.owasp.webgoat.assignments.AssignmentPath;
|
||||
import org.owasp.webgoat.assignments.AttackResult;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
|
||||
import javax.ws.rs.Path;
|
||||
import javax.xml.bind.JAXBContext;
|
||||
import javax.xml.bind.Unmarshaller;
|
||||
import javax.xml.stream.XMLInputFactory;
|
||||
@ -47,6 +47,7 @@ import java.io.StringReader;
|
||||
* @since November 17, 2016
|
||||
*/
|
||||
@AssignmentPath("XXE/simple")
|
||||
@AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4"})
|
||||
public class SimpleXXE extends AssignmentEndpoint {
|
||||
|
||||
private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
|
||||
@ -57,13 +58,11 @@ public class SimpleXXE extends AssignmentEndpoint {
|
||||
public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
|
||||
User user = parseXml(userInfo);
|
||||
if (checkSolution(user)) {
|
||||
return AttackResult.success("Congratulation", String.format("Welcome %s you can now login to our website", user.getUsername()));
|
||||
}
|
||||
if (userInfo.contains("<!DOCTYPE")) {
|
||||
return AttackResult.failed("Try again you did include a doctype in the xml!");
|
||||
} else {
|
||||
return AttackResult.failed(String.format("Welcome %s you can now login to our website", user.getUsername()));
|
||||
return trackProgress(success()
|
||||
.output("xxe.simple.output")
|
||||
.outputArgs(user.getUsername()).build());
|
||||
}
|
||||
return trackProgress(failed().build());
|
||||
}
|
||||
|
||||
public static User parseXml(String xml) throws Exception {
|
||||
|
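Review bot: The rewritten failure path collapses both old branches into `return trackProgress(failed().build());`, so the distinct `Try again you did include a doctype in the xml!` feedback is gone even though the new `xxe.hints.simple.xxe.4` hint still points learners at adding a DOCTYPE; keeping the `userInfo.contains("<!DOCTYPE")` check and returning `trackProgress(failed().feedback(<new xxe.simple.* key added to the properties file>).build())` for that case would preserve the guidance. The `checkSolution(user)` / `parseXml` logic is unchanged here. `createNewUser` ends inside the hunk, but `parseXml` is cut off at its signature.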
@ -0,0 +1,37 @@
|
||||
#
|
||||
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
||||
# please see http://www.owasp.org/
|
||||
# <p>
|
||||
# Copyright (c) 2002 - 2017 Bruce Mayhew
|
||||
# <p>
|
||||
# This program is free software; you can redistribute it and/or modify it under the terms of the
|
||||
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
||||
# License, or (at your option) any later version.
|
||||
# <p>
|
||||
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
# <p>
|
||||
# You should have received a copy of the GNU General Public License along with this program; if
|
||||
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
||||
# 02111-1307, USA.
|
||||
# <p>
|
||||
# Getting Source ==============
|
||||
# <p>
|
||||
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
|
||||
# projects.
|
||||
# <p>
|
||||
#
|
||||
xxe.simple.output=Welcome {0} you can now login to our website
|
||||
xxe.content.type.feedback.json=You are posting JSON which does not work with a XXE
|
||||
xxe.content.type.feedback.xml=You are posting XML but there is no XXE attack performed
|
||||
xxe.content.output=Welcome {0} you can now login to our website
|
||||
xxe.blind.output=Contents of the file is:
|
||||
|
||||
xxe.hints.simple.xxe.1=Try submitting the form and see what happens
|
||||
xxe.hints.simple.xxe.2=XXE stands for XML External Entity attack
|
||||
xxe.hints.simple.xxe.3=Try to include your own DTD
|
||||
xxe.hints.simple.xxe.4=Try to include a doctype (<!DOCTYPE...) in the xml
|
||||
|
||||
xxe.hints.content.type.xxe.1=Take a look at the content type
|
||||
xxe.hints.content.type.xxe.2=Does the endpoint only accept json messages?
|