improving lesson due to issue #845

This commit is contained in:
René Zubcevic
2020-07-05 13:13:34 +02:00
committed by Nanne Baars
parent 2d2dc22e19
commit ef6993c636
6 changed files with 64 additions and 153 deletions


@ -1,7 +1,7 @@
vulnerable-components.title=Vulnerable Components
EnterYourName=Enter your Name
Go!=Go!
vulnerable.hint=Here is some explanation of someone trying the exercise in an earlier version: https://www.youtube.com/watch?v=iWcRR2WcBFU
vulnerable-components.close=Trying to deserialize null object.
vulnerable.hint=Did you search for CVE-2013-728 and read https://x-stream.github.io/CVE-2013-7285.html
vulnerable-components.close=The payload send could not be deserialized to a Contact class. Please try again.
vulnerable-components.success=You successfully tried to exploit the CVE-2013-7285 vulnerability
vulnerable-components.fromXML=You created contact {0}. This means you did not exploit the remote code execution.
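Review bot: the new `vulnerable.hint` line truncates the CVE identifier: it tells the learner to search for `CVE-2013-728`, while the URL on the same line and the `vulnerable-components.success` message both use CVE-2013-7285, so a search for the hint's literal text will miss the advisory. Suggest `Did you search for CVE-2013-7285 and read https://x-stream.github.io/CVE-2013-7285.html`. Also, in the new `vulnerable-components.close` message, `The payload send could not be deserialized` should read `The payload sent could not be deserialized`.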


@ -1,6 +1,6 @@
== Exploiting http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285[CVE-2013-7285] (XStream)
WebGoat Sends an XML document to add contacts to a contacts database.
WebGoat uses an XML document to add contacts to a contacts database.
[source,xml]
----
<contact>
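Review bot: the NVD reference in the heading context line (`http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285`) is a plain-http link in a lesson about exploiting a deserialization bug; switch it to https so the advisory is not fetched unencrypted. The rewritten sentence (`WebGoat uses an XML document to add contacts to a contacts database.`) is an improvement over `Sends`, but it would be clearer to state that the XML comes from the client and is parsed on the server, since that is the trust boundary the rest of the lesson (`WebGoat will convert it ... using XStream.fromXML(xml)`) relies on.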
@ -11,5 +11,6 @@ WebGoat Sends an XML document to add contacts to a contacts database.
</contact>
----
For this example, we will let you enter the xml directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
So find information about the CVE vulnerability and sends some payload that triggers the vulnerability.
The java interface that you need for the exercise is: org.owasp.webgoat.vulnerable_components.Contact.
Start by sending the above contact to see what the normal response would be and then read the CVE vulnerability documentation (search the Internet) and try to trigger the vulnerability.
For this example, we will let you enter the XML directly versus intercepting the request and modifying the data. You provide the XML representation of a contact and WebGoat will convert it a Contact object using `XStream.fromXML(xml)`.
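Review bot: the re-added `For this example, ...` line carries over the grammar slip from the line it replaces: `WebGoat will convert it a Contact object` is missing `to` (`convert it to a Contact object`). The unchanged context line `The java interface that you need for the exercise is: org.owasp.webgoat.vulnerable_components.Contact.` calls `Contact` an interface while the new `vulnerable-components.close` message in the properties file calls it a `Contact class`; pick one term (and capitalize Java). Finally, the new `Start by sending the above contact ... and then read the CVE vulnerability documentation` line tells the learner what to do first but now sits after the interface line; moving it above that line would keep the steps in order.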