From f698a2d6ae177ac617affe04478c0c5da47f4234 Mon Sep 17 00:00:00 2001 
From: Nanne Baars Date: Thu, 17 Nov 2016 16:27:41 +0100 Subject: [PATCH] XXE first attempt --- webgoat-lessons/pom.xml | 1 + webgoat-lessons/xxe/pom.xml | 36 ++++++ .../webgoat/plugin/ContentTypeAssignment.java | 83 +++++++++++++ .../org/owasp/webgoat/plugin/SimpleXXE.java | 89 ++++++++++++++ .../java/org/owasp/webgoat/plugin/User.java | 65 +++++++++++ .../java/org/owasp/webgoat/plugin/XXE.java | 69 +++++++++++ .../main/resources/plugin/XXE/csv/flights.txt | 69 +++++++++++ .../main/resources/plugin/XXE/html/XXE.html | 109 ++++++++++++++++++ .../src/main/resources/plugin/XXE/js/xxe.js | 15 +++ .../en/XXE_changing_content_type.adoc | 4 + .../plugin/XXE/lessonPlans/en/XXE_intro.adoc | 34 ++++++ .../plugin/XXE/lessonPlans/en/XXE_plan.adoc | 11 ++ .../plugin/XXE/lessonPlans/en/XXE_simple.adoc | 4 + .../plugin/XXE/lessonPlans/en/temp.txt | 15 +++ 14 files changed, 604 insertions(+) create mode 100644 webgoat-lessons/xxe/pom.xml create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/User.java create mode 100644 webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc create mode 100644 webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc create mode 100644 
webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt diff --git a/webgoat-lessons/pom.xml b/webgoat-lessons/pom.xml index 39a4a898e..f5ba493a3 100644 --- a/webgoat-lessons/pom.xml +++ b/webgoat-lessons/pom.xml @@ -17,6 +17,7 @@ client-side-filtering http-basics sql-injection + xxe diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml new file mode 100644 index 000000000..f01262e6e --- /dev/null +++ b/webgoat-lessons/xxe/pom.xml @@ -0,0 +1,36 @@ + + 4.0.0 + xxe + jar + + org.owasp.webgoat.lesson + webgoat-lessons-parent + 8.0-SNAPSHOT + + + + + + org.asciidoctor + asciidoctor-maven-plugin + 1.5.3 + + + + output-html + generate-resources + + process-asciidoc + + + html + src/main/resources/plugin/XXE/lessonPlans/en/ + + + + + + + + \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java new file mode 100644 index 000000000..a2f0e3a5d --- /dev/null +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java 
@@ -0,0 +1,83 @@
+package org.owasp.webgoat.plugin;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.lessons.model.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.io.IOException;
+
+import static org.owasp.webgoat.plugin.SimpleXXE.checkSolution;
+import static org.owasp.webgoat.plugin.SimpleXXE.parseXml;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author nbaars
+ * @version $Id: $Id
+ * @since November 17, 2016
+ */
+public class ContentTypeAssignment extends Assignment {
+
+ @Override
+ public String getPath() {
+ return "XXE/content-type";
+ }
+
+ @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+ @ResponseBody
+ public AttackResult createNewUser(@RequestBody String userInfo, @RequestHeader("Content-Type") String contentType) throws Exception {
+ User user = new User();
+ AttackResult attackResult = AttackResult.failed("Try again!");
+ if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
+ user = parseJson(userInfo);
+ attackResult = AttackResult.failed("You are posting JSON which does not work with a XXE");
+ }
+ if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+ user = parseXml(userInfo);
+ attackResult = AttackResult.failed("You are posting XML but there is no XXE attack performed");
+ }
+
+ if (checkSolution(user)) {
+ attackResult = AttackResult.success(String.format("Welcome %s", user.getUsername()));
+ }
+ return attackResult;
+ }
+
+ private User parseJson(String userInfo) {
+ ObjectMapper mapper = new ObjectMapper();
+ try {
+ return mapper.readValue(userInfo, User.class);
+ } catch (IOException e) {
+ return new User();
+ }
+ }
+
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
new file mode 100644
index 000000000..06b3eb1f0
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
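Review bot: Both content-type checks in `createNewUser` compare the raw header value with `equals`, so a request sent as `application/xml;charset=UTF-8` (what most HTTP clients add) matches neither branch, is never parsed, and is graded `Try again!` with an empty `User`; parse the header instead, `MediaType type = MediaType.parseMediaType(contentType);` then `if (type.isCompatibleWith(MediaType.APPLICATION_JSON)) {` and `if (type.isCompatibleWith(MediaType.APPLICATION_XML)) {`. `parseJson` swallows the `IOException` and returns an empty `User`, so a malformed JSON body is reported as "JSON does not work with a XXE" rather than as a parse error — log the exception or return a distinct failure message. Because the method is declared `throws Exception`, a malformed XML body or an unresolvable external entity escapes `parseXml` as a server error instead of an `AttackResult`, unlike the JSON path; catching it and returning `AttackResult.failed(...)` keeps the lesson feedback consistent. Since `@RequestHeader("Content-Type")` is required by default, a body posted without that header presumably gets a 400 even though `consumes = MediaType.ALL_VALUE` suggests any request should be accepted.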
@@ -0,0 +1,89 @@
+package org.owasp.webgoat.plugin;
+
+import org.apache.commons.exec.OS;
+import org.owasp.webgoat.lessons.Assignment;
+import org.owasp.webgoat.lessons.model.AttackResult;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+import java.io.StringReader;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author nbaars
+ * @version $Id: $Id
+ * @since November 17, 2016
+ */
+public class SimpleXXE extends Assignment {
+
+ private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "opt", "var"};
+ private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
+
+ @Override
+ public String getPath() {
+ return "XXE/simple";
+ }
+
+ @RequestMapping(method = RequestMethod.POST, consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+ @ResponseBody
+ public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
+ User user = parseXml(userInfo);
+ if (checkSolution(user)) {
+ return AttackResult.success(String.format("Welcome %s", user.getUsername()));
+ }
+ return AttackResult.failed("Try again!");
+ }
+
+ public static User parseXml(String xml) throws Exception {
+ JAXBContext jc = JAXBContext.newInstance(User.class);
+
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, true);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
+ XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
+
+ Unmarshaller unmarshaller = jc.createUnmarshaller();
+ return (User) unmarshaller.unmarshal(xsr);
+ }
+
+ public static boolean checkSolution(User userInfo) {
+ String[] directoriesToCheck = OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+ boolean success = true;
+ for (String directory : directoriesToCheck) {
+ success &= userInfo.getUsername().contains(directory);
+ }
+ return success;
+ }
+
+
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/User.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/User.java
new file mode 100644
index 000000000..d6d1dcdee
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/User.java
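Review bot: `parseXml` turns on `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` deliberately, but nothing in the code says so, and it is a `public static` helper that `ContentTypeAssignment` already reuses; a comment such as `// DELIBERATELY vulnerable for the XXE lesson: DTDs and external entities are resolved. The secure configuration is SUPPORT_DTD=false and IS_SUPPORTING_EXTERNAL_ENTITIES=false.` stops a maintainer or scanner from "fixing" the lesson and hands learners the mitigation. `JAXBContext.newInstance(User.class)` is rebuilt on every request; `JAXBContext` is thread-safe and can be a `private static final` field. `checkSolution` demands that the username contain all of `usr`, `opt` and `var` on any unix-family host, but `/opt` is typically absent on some such hosts (a default macOS install, minimal container images), so a genuine listing of `/` may be graded as a failure there; requiring `usr` and `var` and treating `opt` as optional would be more robust. A malformed body or an entity the parser cannot resolve escapes `createNewUser` through `throws Exception`, presumably as an HTTP 500 rather than an `AttackResult.failed(...)`, so a near-miss payload gives the learner no lesson feedback.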
@@ -0,0 +1,65 @@
+package org.owasp.webgoat.plugin;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author nbaars
+ * @version $Id: $Id
+ * @since November 17, 2016
+ */
+@XmlRootElement
+public class User {
+
+ private String username = "";
+ private String password = "";
+ private String email = "";
+
+ public String getPassword() {
+ return password;
+ }
+
+ public void setPassword(String password) {
+ this.password = password;
+ }
+
+ public String getUsername() {
+ return username;
+ }
+
+ public void setUsername(String username) {
+ this.username = username;
+ }
+
+ public String getEmail() {
+ return email;
+ }
+
+ public void setEmail(String email) {
+ this.email = email;
+ }
+
+}
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java
new file mode 100644
index 000000000..e8afa5410
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java
@@ -0,0 +1,69 @@
+package org.owasp.webgoat.plugin;
+
+import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.NewLesson;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *

+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *

+ * Getting Source ==============
+ *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ *

+ *
+ * @author nbaars
+ * @version $Id: $Id
+ * @since November 17, 2016
+ */
+public class XXE extends NewLesson {
+
+ @Override
+ public Category getDefaultCategory() {
+ return Category.INJECTION;
+ }
+
+ @Override
+ public List getHints() {
+ List hints = new ArrayList();
+ hints.add("Try searching with BOS, SFO or OAK");
+ hints.add("XXE stands for XML External Entity attack");
+ hints.add("Look at the search form when you submit");
+ hints.add("Try to include your own DTD");
+ return hints;
+ }
+
+ @Override
+ public Integer getDefaultRanking() {
+ return 1;
+ }
+
+ @Override
+ public String getTitle() {
+ return "XXE";
+ }
+
+ @Override
+ public String getId() {
+ return "XXE";
+ }
+}
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt
new file mode 100644
index 000000000..1c7b6b37f
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt
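Review bot: The hints returned by `getHints()` ("Try searching with BOS, SFO or OAK", "Look at the search form when you submit") describe a flight-search form, but the assignments in this patch (`SimpleXXE`, `ContentTypeAssignment`, `XXE_simple.adoc`) present a registration form with a username field, so learners are pointed at a form that does not exist; the `csv/flights.txt` resource looks like a leftover from another lesson for the same reason. Reword the hints around the registration form, e.g. `hints.add("Look at the XML the registration form posts when you submit it");` and `hints.add("Define your own DOCTYPE with an external entity and reference it from the username element");`, and drop flights.txt unless a later assignment uses it. `getHints()` also uses the raw `List` and `new ArrayList()`; `List<String>` and `new ArrayList<>()` avoid the raw-type warning without changing behaviour.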
@@ -0,0 +1,69 @@
+price,destination,departure date,arrive date,departing from
+1223,HNL,12/26/13,01/02/14,SFO
+1223,HNL,12/26/13,01/02/14,SFO
+1131,SJU,12/26/13,01/02/14,SFO
+1175,SJU,12/26/13,01/02/14,SFO
+1430,BCN,12/26/13,01/02/14,SFO
+1180,FRA,12/26/13,01/02/14,SFO
+1683,LIM,12/26/13,01/02/14,SFO
+1119,LHR,12/26/13,01/02/14,SFO
+858,CUN,12/26/13,01/02/14,SFO
+888,SJD,12/26/13,01/02/14,SFO
+1223,HNL,12/26/13,01/02/14,OAK
+1208,SJU,12/26/13,01/02/14,OAK
+1428,FRA,12/26/13,01/02/14,OAK
+1864,LIM,12/26/13,01/02/14,OAK
+1484,LHR,12/26/13,01/02/14,OAK
+977,CUN,12/26/13,01/02/14,OAK
+868,SJD,12/26/13,01/02/14,OAK
+1394,HNL,12/26/13,01/02/14,BOS
+734,SJU,12/26/13,01/02/14,BOS
+1299,BCN,12/26/13,01/02/14,BOS
+1141,FRA,12/26/13,01/02/14,BOS
+944,CUN,12/26/13,01/02/14,BOS
+1355,SJD,12/26/13,01/02/14,BOS
+595,HNL,01/04/14,01/11/14,SFO
+587,SJU,01/04/14,01/11/14,SFO
+1385,BCN,01/04/14,01/11/14,SFO
+1376,FRA,01/04/14,01/11/14,SFO
+1005,LIM,01/04/14,01/11/14,SFO
+1396,LHR,01/04/14,01/11/14,SFO
+496,CUN,01/04/14,01/11/14,SFO
+363,SJD,01/04/14,01/11/14,SFO
+563,HNL,01/04/14,01/11/14,OAK
+857,SJU,01/04/14,01/11/14,OAK
+1743,BCN,01/04/14,01/11/14,OAK
+1768,FRA,01/04/14,01/11/14,OAK
+1355,LIM,01/04/14,01/11/14,OAK
+2039,LHR,01/04/14,01/11/14,OAK
+1035,HNL,01/04/14,01/11/14,BOS
+533,SJU,01/04/14,01/11/14,BOS
+1206,BCN,01/04/14,01/11/14,BOS
+1180,LHR,01/04/14,01/11/14,BOS
+432,CUN,01/04/14,01/11/14,BOS
+612,SJD,01/04/14,01/11/14,BOS
+473,HNL,1/09/14,01/17/14,SFO
+417,SJU,1/09/14,01/17/14,SFO
+864,BCN,1/09/14,01/17/14,SFO
+953,LHR,1/09/14,01/17/14,SFO
+450,CUN,1/09/14,01/17/14,SFO
+363,SJD,1/09/14,01/17/14,SFO
+417,HNL,1/09/14,01/17/14,OAK
+577,SJU,1/09/14,01/17/14,OAK
+993,LIM,1/09/14,01/17/14,OAK
+1039,LHR,1/09/14,01/17/14,OAK
+460,CUN,1/09/14,01/17/14,OAK
+368,SJD,1/09/14,01/17/14,OAK
+738,HNL,1/09/14,01/17/14,BOS
+309,SJU,1/09/14,01/17/14,BOS
+716,BCN,1/09/14,01/17/14,BOS
+859,FRA,1/09/14,01/17/14,BOS
+1121,LIM,1/09/14,01/17/14,BOS
+591,SJD,1/09/14,01/17/14,BOS
+422,HNL,01/14/14,01/23/14,SFO
+385,SJU,01/14/14,01/23/14,SFO
+892,BCN,01/14/14,01/23/14,SFO
+956,FRA,01/14/14,01/23/14,SFO
+723,LIM,01/14/14,01/23/14,SFO
+894,LHR,01/14/14,01/23/14,SFO
+397,HNL,01/14/14,01/23/14,OAK
\ No newline at end of file
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html
new file mode 100644
index 000000000..f6f97050d
--- /dev/null
+++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html
@@ -0,0 +1,109 @@
+
+
+

+ + +
+
+ +
+ + +
+
+ +
+ + +
+ +
+ + + +
+ +
+ Registration form + + + + + + + + + + + + + + + + + + +
Username
E-mail
Password
+
+ By signing up you agree to WebGoat's Terms of Service. +
+ +
+ +
+
+ +
+
+ +
+ +
+ + +
+
+ + + +
+ +
+ Registration form + + + + + + + + + + + + + + + + + + +
Username
E-mail
Password
+
+ By signing up you agree to WebGoat's Terms of Service. +
+ +
+ +
+
+ + + \ No newline at end of file diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js new file mode 100644 index 000000000..b38c2d9c2 --- /dev/null +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js @@ -0,0 +1,15 @@ +webgoat.customjs.register = function () { + var xml = '' + + '' + + ' ' + 'test' + '' + + ' ' + 'test' + '' + + ''; + return xml; +} +webgoat.customjs.registerJson = function () { + var json = '{' + + ' "user":' + '"test"' + + ' "password":' + '"test"' + + '}'; + return json; +} diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc new file mode 100644 index 000000000..7c09235fc --- /dev/null +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc @@ -0,0 +1,4 @@ +== Modern REST framework + +Again same exercise but try to enforce the same XML injection as we did in first lesson. + diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc new file mode 100644 index 000000000..8bdba1591 --- /dev/null +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc 
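Review bot: `registerJson` concatenates `'{' + ' "user":' + '"test"' + ' "password":' + '"test"' + '}'`, which yields `{ "user":"test" "password":"test"}` — there is no comma between the two members, so the string is not valid JSON and Jackson will reject it in `ContentTypeAssignment.parseJson`, which then silently returns an empty `User`; the key is also `user` while the `User` bean binds `username`. Change the two middle lines to `' "username":' + '"test",' +` and `' "password":' + '"test"' +`. Both functions post the fixed literal `test` instead of the form's field values, which may be a placeholder in this first attempt but means the registration form's inputs are ignored; the XML template in `register` appears on this page with its tags stripped, so its element names could not be checked against the JAXB binding.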
@@ -0,0 +1,34 @@ +=== What is a XML entity? + +An XML Entity allows tags to be defined that will be replaced by content when the XML Document is parsed. +In general there are three types of entities: +* internal entities +* external entities +* parameter entities. + +An entity must be created in the Document Type Definition (DTD), let's start with an example: + +[source] +---- + + + +]> +&js; +---- + +So everywhere you use the entity ``&js;` the parser will replace it with the value defined in the entity. + +=== What is an XXE injection? + +An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a +reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, +denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. + +Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative +paths in the system identifier. Since the attack occurs relative to the application processing the XML document, an attacker may use this +trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests or launching a CSRF attack to +any unprotected internal services. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues +may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account. Other attacks can access +local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released. \ No newline at end of file 
diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc new file mode 100644 index 000000000..472150547 --- /dev/null +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc @@ -0,0 +1,11 @@ += XML External Entity (XXE) Processing + +== Concept + +This lesson teaches how to perform a XML External Entity attack is and how it can be abused and protected against. + +== Goals + +* The user should have basic knowledge of XML +* The user will understand how XML parsers work +* The user will learn to perform a XXE attack and how to protected against it. diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc new file mode 100644 index 000000000..df91f47bb --- /dev/null +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc @@ -0,0 +1,4 @@ +== Let't try + +In this assignment you will need to sign up with a registration form. When submitting the form try to execute an XXE injection with the +username field. Try listing the root directory of the filesystem. diff --git a/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt new file mode 100644 index 000000000..3b4a38c86 --- /dev/null +++ b/webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt @@ -0,0 +1,15 @@ + + +- Describe how the attack works / should be some outpu + +

Concept / Topic To Teach:

+ This lesson teaches how to perform XML External Entity Attacks. +
+
+

+How the attacks works: +

+An XML External Entity attack is a type of attack against an application that parses XML input. +This attack occurs when XML input containing a reference to an external entity is processed by a weakly +configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, +server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.