dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

XXE first attempt

Browse Source
This commit is contained in:
Nanne Baars
2016-11-17 16:27:41 +01:00
parent 6d45bbc09c
commit f698a2d6ae
14 changed files with 604 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
webgoat-lessons/xxe/src/main/resources/plugin/XXE/csv/flights.txt Normal file
View File

@ -0,0 +1,69 @@
price,destination,departure date,arrive date,departing from
1223,HNL,12/26/13,01/02/14,SFO
1223,HNL,12/26/13,01/02/14,SFO
1131,SJU,12/26/13,01/02/14,SFO
1175,SJU,12/26/13,01/02/14,SFO
1430,BCN,12/26/13,01/02/14,SFO
1180,FRA,12/26/13,01/02/14,SFO
1683,LIM,12/26/13,01/02/14,SFO
1119,LHR,12/26/13,01/02/14,SFO
858,CUN,12/26/13,01/02/14,SFO
888,SJD,12/26/13,01/02/14,SFO
1223,HNL,12/26/13,01/02/14,OAK
1208,SJU,12/26/13,01/02/14,OAK
1428,FRA,12/26/13,01/02/14,OAK
1864,LIM,12/26/13,01/02/14,OAK
1484,LHR,12/26/13,01/02/14,OAK
977,CUN,12/26/13,01/02/14,OAK
868,SJD,12/26/13,01/02/14,OAK
1394,HNL,12/26/13,01/02/14,BOS
734,SJU,12/26/13,01/02/14,BOS
1299,BCN,12/26/13,01/02/14,BOS
1141,FRA,12/26/13,01/02/14,BOS
944,CUN,12/26/13,01/02/14,BOS
1355,SJD,12/26/13,01/02/14,BOS
595,HNL,01/04/14,01/11/14,SFO
587,SJU,01/04/14,01/11/14,SFO
1385,BCN,01/04/14,01/11/14,SFO
1376,FRA,01/04/14,01/11/14,SFO
1005,LIM,01/04/14,01/11/14,SFO
1396,LHR,01/04/14,01/11/14,SFO
496,CUN,01/04/14,01/11/14,SFO
363,SJD,01/04/14,01/11/14,SFO
563,HNL,01/04/14,01/11/14,OAK
857,SJU,01/04/14,01/11/14,OAK
1743,BCN,01/04/14,01/11/14,OAK
1768,FRA,01/04/14,01/11/14,OAK
1355,LIM,01/04/14,01/11/14,OAK
2039,LHR,01/04/14,01/11/14,OAK
1035,HNL,01/04/14,01/11/14,BOS
533,SJU,01/04/14,01/11/14,BOS
1206,BCN,01/04/14,01/11/14,BOS
1180,LHR,01/04/14,01/11/14,BOS
432,CUN,01/04/14,01/11/14,BOS
612,SJD,01/04/14,01/11/14,BOS
473,HNL,1/09/14,01/17/14,SFO
417,SJU,1/09/14,01/17/14,SFO
864,BCN,1/09/14,01/17/14,SFO
953,LHR,1/09/14,01/17/14,SFO
450,CUN,1/09/14,01/17/14,SFO
363,SJD,1/09/14,01/17/14,SFO
417,HNL,1/09/14,01/17/14,OAK
577,SJU,1/09/14,01/17/14,OAK
993,LIM,1/09/14,01/17/14,OAK
1039,LHR,1/09/14,01/17/14,OAK
460,CUN,1/09/14,01/17/14,OAK
368,SJD,1/09/14,01/17/14,OAK
738,HNL,1/09/14,01/17/14,BOS
309,SJU,1/09/14,01/17/14,BOS
716,BCN,1/09/14,01/17/14,BOS
859,FRA,1/09/14,01/17/14,BOS
1121,LIM,1/09/14,01/17/14,BOS
591,SJD,1/09/14,01/17/14,BOS
422,HNL,01/14/14,01/23/14,SFO
385,SJU,01/14/14,01/23/14,SFO
892,BCN,01/14/14,01/23/14,SFO
956,FRA,01/14/14,01/23/14,SFO
723,LIM,01/14/14,01/23/14,SFO
894,LHR,01/14/14,01/23/14,SFO
397,HNL,01/14/14,01/23/14,OAK

109
webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html Normal file
View File

@ -0,0 +1,109 @@
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_plan.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_intro.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this block for each 'page' of content -->
<!-- sample ascii doc content for second page -->
<div class="adoc-content" th:replace="doc:XXE_simple.adoc"></div>
<!-- if including attack, reuse this section, leave classes in place -->
<div class="attack-container">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN" prepareData="register" method="POST" name="form"
action="/WebGoat/XXE/simple" contentType="application/xml">
<script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
language="JavaScript"></script>
<div id="lessonContent">
<strong>Registration form</strong>
<form prepareData="register" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
<table>
<tr>
<td>Username</td>
<td><input name="username" value="" type="TEXT"/></td>
</tr>
<tr>
<td>E-mail</td>
<td><input name="email" value="" type="TEXT"/></td>
</tr>
<tr>
<td>Password</td>
<td><input name="email" value="" type="TEXT"/></td>
</tr>
<tr>
<td></td>
<td align="right"><input type="submit" id="registerButton" value="Sign up"/></td>
</tr>
</table>
<br/>
<strong>By signing up you agree to WebGoat's Terms of Service.</strong>
<br/>
</form>
</div>
</form>
<div id='registration_success'></div>
</div>
<!-- do not remove the two following div's, this is where your feedback/output will land -->
<div class="attack-feedback"></div>
<div class="attack-output"></div>
<!-- ... of course, you can move them if you want to, but that will not look consistent to other lessons -->
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:XXE_changing_content_type.adoc"></div>
<div class="attack-container">
<!-- using attack-form class on your form will allow your request to be ajaxified and stay within the display framework for webgoat -->
<!-- you can write your own custom forms, but standard form submission will take you to your endpoint and outside of the WebGoat framework -->
<!-- of course, you can write your own ajax submission /handling in your own javascript if you like -->
<form class="attack-form" accept-charset="UNKNOWN" prepareData="registerJson" method="POST" name="form"
action="/WebGoat/XXE/content-type" contentType="application/json">
<script th:src="@{/plugin_lessons/plugin/XXE/js/xxe.js}"
language="JavaScript"></script>
<div id="lessonContent">
<strong>Registration form</strong>
<form prepareData="registerJson" accept-charset="UNKNOWN" method="POST" name="form" action="#attack/307/100">
<table>
<tr>
<td>Username</td>
<td><input name="username" value="" type="TEXT"/></td>
</tr>
<tr>
<td>E-mail</td>
<td><input name="email" value="" type="TEXT"/></td>
</tr>
<tr>
<td>Password</td>
<td><input name="email" value="" type="TEXT"/></td>
</tr>
<tr>
<td></td>
<td align="right"><input type="submit" value="Sign up"/></td>
</tr>
</table>
<br/>
<strong>By signing up you agree to WebGoat's Terms of Service.</strong>
<br/>
</form>
</div>
</form>
</div>
</div>
</html>

15
webgoat-lessons/xxe/src/main/resources/plugin/XXE/js/xxe.js Normal file
View File

@ -0,0 +1,15 @@
webgoat.customjs.register = function () {
var xml = '<?xml version="1.0"?>' +
'<user>' +
' <username>' + 'test' + '</username>' +
' <password>' + 'test' + '</password>' +
'</user>';
return xml;
}
webgoat.customjs.registerJson = function () {
var json = '{' +
' "user":' + '"test"' +
' "password":' + '"test"' +
'}';
return json;
}

4
webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc Normal file
View File

@ -0,0 +1,4 @@
== Modern REST framework
Again same exercise but try to enforce the same XML injection as we did in first lesson.

34
webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_intro.adoc Normal file
View File

@ -0,0 +1,34 @@
=== What is a XML entity?
An XML Entity allows tags to be defined that will be replaced by content when the XML Document is parsed.
In general there are three types of entities:
* internal entities
* external entities
* parameter entities.
An entity must be created in the Document Type Definition (DTD), let's start with an example:
[source]
----
<?xml version="1.0" standalone="yes" ?>
<!DOCTYPE author [
<!ELEMENT author (#PCDATA)>
<!ENTITY js "Jo Smith">
]>
<author>&js;</author>
----
So everywhere you use the entity ``&js;` the parser will replace it with the value defined in the entity.
=== What is an XXE injection?
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a
reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data,
denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative
paths in the system identifier. Since the attack occurs relative to the application processing the XML document, an attacker may use this
trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests or launching a CSRF attack to
any unprotected internal services. In some situations, an XML processor library that is vulnerable to client-side memory corruption issues
may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution under the application account. Other attacks can access
local resources that may not stop returning data, possibly impacting application availability if too many threads or processes are not released.

11
webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_plan.adoc Normal file
View File

@ -0,0 +1,11 @@
= XML External Entity (XXE) Processing
== Concept
This lesson teaches how to perform a XML External Entity attack is and how it can be abused and protected against.
== Goals
* The user should have basic knowledge of XML
* The user will understand how XML parsers work
* The user will learn to perform a XXE attack and how to protected against it.

4
webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_simple.adoc Normal file
View File

@ -0,0 +1,4 @@
== Let't try
In this assignment you will need to sign up with a registration form. When submitting the form try to execute an XXE injection with the
username field. Try listing the root directory of the filesystem.

15
webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/temp.txt Normal file
View File

@ -0,0 +1,15 @@
- Describe how the attack works / should be some outpu
<p><b>Concept / Topic To Teach:</b> </p>
This lesson teaches how to perform XML External Entity Attacks.
<br>
<div align="Left">
<p>
<b>How the attacks works:</b>
</p>
An XML External Entity attack is a type of attack against an application that parses XML input.
This attack occurs when XML input containing a reference to an external entity is processed by a weakly
configured XML parser. This attack may lead to the disclosure of confidential data, denial of service,
server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.