From f2a114419adbfac31c04012096b559990eeb83f3 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 18 Nov 2016 10:39:39 +0100 Subject: [PATCH] XXE checkin --- pom.xml | 3 + .../org/owasp/webgoat/WebSecurityConfig.java | 11 +- .../webgoat/lessons/model/AttackResult.java | 11 +- .../plugin/BlindSendFileAssignment.java | 108 ++++++++++++++++++ .../java/org/owasp/webgoat/plugin/Ping.java | 67 +++++++++++ .../org/owasp/webgoat/plugin/SimpleXXE.java | 10 +- .../main/resources/plugin/XXE/html/XXE.html | 52 +++++++++ .../plugin/XXE/lessonPlans/en/XXE_blind.adoc | 55 +++++++++ .../lessonPlans/en/XXE_blind_assignment.adoc | 7 ++ .../en/XXE_changing_content_type.adoc | 4 +- .../plugin/XXE/lessonPlans/en/XXE_intro.adoc | 7 +- .../XXE/lessonPlans/en/XXE_overflow.adoc | 3 +- .../src/main/resources/plugin/XXE/secret.txt | 1 + 13 files changed, 329 insertions(+), 10 deletions(-) create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind.adoc create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_blind_assignment.adoc create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/secret.txt diff --git a/pom.xml b/pom.xml index 3e0e29981..bb75eee32 100644 --- a/pom.xml +++ b/pom.xml @@ -106,6 +106,9 @@ + 1.8 + 1.8 + UTF-8 UTF-8 diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java index 92348f77a..51a9eecbf 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java 
@@ -35,6 +35,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; @@ -50,7 +51,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry security = http .authorizeRequests() - .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "plugin_lessons/**").permitAll() + .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll() .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") // .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") // .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN"); @@ -65,8 +66,14 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { .logout() .permitAll(); security.and().csrf().disable(); - http.headers().cacheControl().disable(); + http.headers().cacheControl().disable(); + } + + //// TODO: 11/18/2016 make this a little bit more configurabe last part at least + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**"); } @Autowired 
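Review bot: `web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**")` in the new `configure(WebSecurity)` removes those paths from the Spring Security filter chain altogether, so everything under `/XXE/**` (including the new `Ping` endpoint, which writes to disk) is served with no authentication, no CSRF handling and none of the header settings made in `configure(HttpSecurity)`; `.antMatchers("/plugin_lessons/**", "/XXE/**").permitAll()` in the existing registry keeps the chain and only drops the authorization requirement. Note that the removed `permitAll` entry `"plugin_lessons/**"` had no leading slash and so never matched a request path, which may be why it looked ineffective. If the full bypass is deliberate for the lesson, say so in place of the TODO, e.g. `// deliberately outside the security chain: the XXE lesson needs /XXE/** reachable without a session`. In the second hunk the re-emitted `antMatchers` line still carries `"fonts/**"` without a leading slash; `"/fonts/**"` was presumably intended.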
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
index d90bf8258..bfcc34c68 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/AttackResult.java
@@ -43,17 +43,26 @@ public class AttackResult {
 }
 
 public static AttackResult success(String feedback) {
+ return success(feedback, "");
+ }
+
+ public static AttackResult success(String feedback, String output) {
 AttackResult attackResult = new AttackResult();
 attackResult.lessonCompleted = true;
 attackResult.feedback = feedback;
- attackResult.output = "";
+ attackResult.output = output;
 return attackResult;
 }
 
 public static AttackResult failed(String feedback) {
+ return failed(feedback, "");
+ }
+
+ public static AttackResult failed(String feedback, String output) {
 AttackResult attackResult = new AttackResult();
 attackResult.lessonCompleted = false;
 attackResult.feedback = feedback;
+ attackResult.output = output;
 return attackResult;
 }
 
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
new file mode 100644
index 000000000..0de89a992
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
@@ -0,0 +1,108 @@ +package org.owasp.webgoat.plugin; + +import org.apache.commons.lang.exception.ExceptionUtils; +import org.owasp.webgoat.lessons.Assignment; +import org.owasp.webgoat.lessons.model.AttackResult; +import org.springframework.http.MediaType; +import org.springframework.web.bind.annotation.RequestBody; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.ResponseBody; + +import java.io.File; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.List; + +import static org.owasp.webgoat.plugin.SimpleXXE.parseXml; + +/** + * ************************************************************************************************ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ * + * @author nbaars + * @version $Id: $Id + * @since November 18, 2016 + */ +public class BlindSendFileAssignment extends Assignment { + + @Override + public String getPath() { + return "XXE/blind"; + } + + @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE) + @ResponseBody + public AttackResult createNewUser(@RequestBody String userInfo) throws Exception { + String error = ""; + try { + parseXml(userInfo); + } catch (Exception e) { + error = ExceptionUtils.getFullStackTrace(e); + } + + File logFile = new File(getPluginDirectory(), "plugin/XXE/"); + List lines = Files.readAllLines(Paths.get(logFile.toURI())); + boolean solved = lines.stream().filter(l -> l.contains("WebGoat 8 rocks...")).findFirst().isPresent(); + if (solved) { + return AttackResult.success(); + } else { + return AttackResult.failed("Try again...", error); + } + } + + /** + * Solution: + * + * Create DTD: + * + *

+     *     
+     *     
+     *     ">
+     *      %all;
+     * 
+ * + * This will be reduced to: + * + *
+     *     
+     * 
+ * + * Wire it all up in the xml send to the server: + * + *
+     *  
+     *  
+     *  %remote;
+     *   ]>
+     *  
+     *    test&send;
+     *  
+     *
+     * 
+ * + */ +} diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java new file mode 100644 index 000000000..e72b99ffe --- /dev/null +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/Ping.java @@ -0,0 +1,67 @@ +package org.owasp.webgoat.plugin; + +import lombok.extern.slf4j.Slf4j; +import org.owasp.webgoat.lessons.Endpoint; +import org.springframework.web.bind.annotation.RequestHeader; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.ResponseBody; + +import java.io.File; +import java.io.FileNotFoundException; +import java.io.PrintWriter; + +/** + * ************************************************************************************************ + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *
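Review bot: `new File(getPluginDirectory(), "plugin/XXE/")` in `createNewUser` names a directory, so `Files.readAllLines` on it will throw and, since the method declares `throws Exception`, surface as a server error rather than a failed attempt — unless the file name was lost in this rendering; it should name the same log file that `Ping.logRequest` writes, which uses the identical `"plugin/XXE/"` path. `List lines` is a raw type; `List<String> lines = Files.readAllLines(logFile.toPath());` fixes both that and the `Paths.get(toURI())` detour, and the solved check reads better as `boolean solved = lines.stream().anyMatch(l -> l.contains("WebGoat 8 rocks..."));`. `AttackResult.success()` takes no arguments here, but the overloads added to AttackResult in this patch are `success(String)` and `success(String, String)`; unless a no-arg variant exists outside that hunk this will not compile, so pass a feedback string. Returning the full stack trace from the parser in the failed result is presumably deliberate for the lesson; a one-line comment saying so, e.g. `// the parser's stack trace is part of the lesson feedback on purpose`, would stop a later maintainer from "fixing" it.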

+ * Copyright (c) 2002 - 20014 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ * + * @author nbaars + * @version $Id: $Id + * @since November 17, 2016 + */ +@Slf4j +public class Ping extends Endpoint { + + @Override + public String getPath() { + return "XXE/ping"; + } + + @RequestMapping(method = RequestMethod.GET) + @ResponseBody + public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) { + String logLine = String.format("%s %s %s", "GET", userAgent, text); + log.debug(logLine); + File logFile = new File(getPluginDirectory(), "plugin/XXE/"); + try { + try (PrintWriter pw = new PrintWriter(logFile)) { + pw.println(logLine); + } + } catch (FileNotFoundException e) { + log.error("Error occured while writing the logfile", e); + } + return ""; + } +} diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java index 148207395..e62afcd5e 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java @@ -59,9 +59,13 @@ public class SimpleXXE extends Assignment { public AttackResult createNewUser(@RequestBody String userInfo) throws Exception { User user = parseXml(userInfo); if (checkSolution(user)) { - return AttackResult.success(String.format("Congratulation, welcome %s", user.getUsername())); + return AttackResult.success("Congratulation", String.format("Welcome %s you can now login to our website", user.getUsername())); + } + if (userInfo.contains(" +

+ + +
+
+ +
+ + +
+
+ + + +
+ +
+ Registration form + + + + + + + + + + + + + + + + + + +
Username
E-mail
Password
+
+
+ +
+
+
+ +
+
+ +