package org.owasp.webgoat.lessons; import java.io.BufferedReader; import java.io.File; import java.io.FileReader; import java.io.IOException; import java.util.ArrayList; import java.util.List; import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.StringElement; import org.apache.ecs.html.A; import org.apache.ecs.html.BR; import org.apache.ecs.html.H1; import org.apache.ecs.html.IMG; import org.apache.ecs.html.Input; import org.apache.ecs.html.Script; import org.owasp.webgoat.session.*; public class DOMXSS extends SequentialLessonAdapter { public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com") .addElement( new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0) .setVspace(0)); private final static String PERSON = "person"; /** * Description of the Method * * @param s * Description of the Parameter * @return Description of the Return Value */ protected Element createContent(WebSession s) { return super.createStagedContent(s); } protected Element doStage1(WebSession s) throws Exception { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); if (attackString.toString().toLowerCase().indexOf("img") != -1 && attackString.toString().toLowerCase().indexOf("images/logos/owasp.jpg") != -1) { getLessonTracker(s).setStage(2); s.setMessage("Stage 1 completed. "); } return (ec); } protected Element doStage2(WebSession s) throws Exception { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); if (attackString.toString().toLowerCase().indexOf("img") != -1 && attackString.toString().toLowerCase().indexOf("onerror") != -1 && attackString.toString().toLowerCase().indexOf("alert") != -1) { getLessonTracker(s).setStage(3); s.setMessage("Stage 2 completed. "); } return (ec); } protected Element doStage3(WebSession s) throws Exception { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); if (attackString.toString().toLowerCase().indexOf("iframe") != -1 && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) { getLessonTracker(s).setStage(4); s.setMessage("Stage 3 completed."); } return (ec); } protected Element doStage4(WebSession s) throws Exception { ElementContainer ec = new ElementContainer(); StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); ec.addElement(mainContent(s)); if (attackString.toString().toLowerCase().indexOf("please enter your password:") != -1 && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) { getLessonTracker(s).setStage(5); s.setMessage("Stage 4 completed."); } return (ec); } protected Element doStage5(WebSession s) throws Exception { ElementContainer ec = new ElementContainer(); ec.addElement(mainContent(s)); /** * They pass iff: * * 1. If the DOMXSS.js file contains the lines "escapeHTML(name)" */ String file = s.getWebResource("javascript/DOMXSS.js"); String content = getFileContent(file); if (content.indexOf("escapeHTML(name)") != -1) { makeSuccess(s); } return ec; } protected ElementContainer mainContent(WebSession s) { StringBuffer attackString = null; ElementContainer ec = new ElementContainer(); try { ec.addElement(new Script().setSrc("javascript/DOMXSS.js")); ec.addElement(new Script().setSrc("javascript/escape.js")); ec.addElement(new H1().setID("greeting")); ec.addElement(new StringElement("Enter your name: ")); attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, "")); Input input = new Input(Input.TEXT, PERSON, attackString.toString()); input.setOnKeyUp("displayGreeting(" + PERSON + ".value)"); ec.addElement(input); ec.addElement(new BR()); ec.addElement(new BR()); Element b = ECSFactory.makeButton("Submit Solution"); ec.addElement(b); } catch (Exception e) { s.setMessage("Error generating " + this.getClass().getName()); e.printStackTrace(); } return ec; } /** * Gets the hints attribute of the HelloScreen object * * @return The hints value */ public List getHints(WebSession s) { List hints = new ArrayList(); hints.add("Try entering the following: " + "<IMG SRC=\"images/logos/owasp.jpg\"/>"); hints.add("Try entering the following: " + "<img src=x onerror=;;alert('XSS') />"); hints.add("Try entering the following: " + "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>"); hints .add("Try entering the following: " + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " + "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>"); // Attack Strings: // // // // Please enter your password:
















return hints; } /** * Gets the ranking attribute of the HelloScreen object * * @return The ranking value */ private final static Integer DEFAULT_RANKING = new Integer(10); protected Integer getDefaultRanking() { return DEFAULT_RANKING; } protected Category getDefaultCategory() { return Category.AJAX_SECURITY; } /** * Gets the title attribute of the HelloScreen object * * @return The title value */ public String getTitle() { return ("LAB: DOM-Based cross-site scripting"); } public String getInstructions(WebSession s) { String instructions = ""; if (getLessonTracker(s).getStage() == 1) { instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: OWASP IMAGE"; } else if (getLessonTracker(s).getStage() == 2) { instructions = "STAGE 2:\tNow, try to create a JavaScript alert using the image tag"; } else if (getLessonTracker(s).getStage() == 3) { instructions = "STAGE 3:\tNext, try to create a JavaScript alert using the IFRAME tag."; } else if (getLessonTracker(s).getStage() == 4) { instructions = "STAGE 4:\tUse the following to create a fake login form:

" + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " + "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>"; } else if (getLessonTracker(s).getStage() == 5) { instructions = "STAGE 5:\tPerform client-side HTML entity encoding to mitigate the DOM XSS vulnerability. A utility method is provided for you in WebContent/javascript/escape.js."; } return (instructions); } private String getFileContent(String content) { BufferedReader is = null; StringBuffer sb = new StringBuffer(); try { is = new BufferedReader(new FileReader(new File(content))); String s = null; while ((s = is.readLine()) != null) { sb.append(s); } } catch (Exception e) { e.printStackTrace(); } finally { if (is != null) { try { is.close(); } catch (IOException ioe) { } } } return sb.toString(); } public Element getCredits() { return super.getCustomCredits("", ASPECT_LOGO); } }