181 lines
5.4 KiB
Java
181 lines
5.4 KiB
Java
/*
|
|
* Created on Jun 1, 2005
|
|
*
|
|
* TODO To change the template for this generated file go to
|
|
* Window - Preferences - Java - Code Style - Code Templates
|
|
*/
|
|
package org.owasp.webgoat.lessons;
|
|
|
|
import java.io.IOException;
|
|
import java.io.StringReader;
|
|
import java.util.ArrayList;
|
|
import java.util.List;
|
|
|
|
import org.apache.ecs.Element;
|
|
import org.apache.ecs.ElementContainer;
|
|
import org.apache.ecs.StringElement;
|
|
import org.apache.ecs.html.B;
|
|
import org.apache.ecs.html.Input;
|
|
import org.apache.ecs.html.P;
|
|
import org.apache.ecs.html.PRE;
|
|
|
|
import org.owasp.webgoat.session.ECSFactory;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
import org.owasp.webgoat.util.HtmlEncoder;
|
|
import org.xml.sax.Attributes;
|
|
import org.xml.sax.InputSource;
|
|
import org.xml.sax.SAXException;
|
|
import org.xml.sax.XMLReader;
|
|
import org.xml.sax.helpers.DefaultHandler;
|
|
import org.xml.sax.helpers.XMLReaderFactory;
|
|
|
|
/**
|
|
* @author rdawes
|
|
*
|
|
* TODO To change the template for this generated type comment go to Window -
|
|
* Preferences - Java - Code Style - Code Templates
|
|
*/
|
|
public class WsSAXInjection extends LessonAdapter {
|
|
private final static String PASSWORD = "password";
|
|
|
|
private String password;
|
|
|
|
private static String template1 = "<?xml version='1.0' encoding='UTF-8'?>\n"
|
|
+ "<wsns0:Envelope\n"
|
|
+ " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n"
|
|
+ " xmlns:xsd='http://www.w3.org/2001/XMLSchema'\n"
|
|
+ " xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'\n"
|
|
+ " xmlns:wsns1='http://lessons.webgoat.owasp.org'>\n"
|
|
+ " <wsns0:Body>\n"
|
|
+ " <wsns1:changePassword>\n"
|
|
+ " <id xsi:type='xsd:int'>101</id>\n"
|
|
+ " <password xsi:type='xsd:string'>";
|
|
|
|
private static String template2 = "</password>\n"
|
|
+ " </wsns1:changePassword>\n" + " </wsns0:Body>\n"
|
|
+ "</wsns0:Envelope>";
|
|
|
|
static boolean completed;
|
|
|
|
protected Category getDefaultCategory() {
|
|
return AbstractLesson.WEB_SERVICES;
|
|
}
|
|
|
|
protected List getHints() {
|
|
List<String> hints = new ArrayList<String>();
|
|
|
|
hints.add("The backend parses the XML received using a SAX parser.");
|
|
hints.add("SAX parsers often don't care if an element is repeated.");
|
|
hints.add("If there are repeated elements, the last one is the one that is effective");
|
|
hints.add("Try injecting matching 'close' tags, and creating your own XML elements");
|
|
|
|
return hints;
|
|
}
|
|
|
|
private final static Integer DEFAULT_RANKING = new Integer(150);
|
|
|
|
protected Integer getDefaultRanking() {
|
|
return DEFAULT_RANKING;
|
|
}
|
|
|
|
public String getTitle() {
|
|
return "Web Service SAX Injection";
|
|
}
|
|
|
|
protected Element makeInputLine(WebSession s) {
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
ec.addElement(new P().addElement("Please change your password: "));
|
|
|
|
Input input = new Input(Input.TEXT, PASSWORD);
|
|
ec.addElement(input);
|
|
|
|
Element b = ECSFactory.makeButton("Go!");
|
|
ec.addElement(b);
|
|
|
|
return ec;
|
|
}
|
|
|
|
protected Element createContent(WebSession s) {
|
|
ElementContainer ec = new ElementContainer();
|
|
try {
|
|
ec.addElement(makeInputLine(s));
|
|
|
|
password = s.getParser().getRawParameter(PASSWORD, null);
|
|
|
|
PRE pre = new PRE();
|
|
String xml = template1;
|
|
xml = xml + (password == null ? "[password]" : password);
|
|
xml = xml + template2;
|
|
pre.addElement(HtmlEncoder.encode(xml));
|
|
ec.addElement(pre);
|
|
|
|
if (password != null) {
|
|
ec.addElement(checkXML(s, xml));
|
|
}
|
|
} catch (Exception e) {
|
|
s.setMessage("Error generating " + this.getClass().getName());
|
|
e.printStackTrace();
|
|
}
|
|
return (ec);
|
|
}
|
|
|
|
private Element checkXML(WebSession s, String xml) {
|
|
try {
|
|
XMLReader reader = XMLReaderFactory.createXMLReader();
|
|
PasswordChanger changer = new PasswordChanger();
|
|
reader.setContentHandler(changer);
|
|
reader.parse(new InputSource(new StringReader(xml)));
|
|
if (!"101".equals(changer.getId())) {
|
|
makeSuccess(s);
|
|
return new B(HtmlEncoder.encode("You have changed the passsword for userid " + changer.getId() + " to '" + changer.getPassword() + "'"));
|
|
} else {
|
|
return new StringElement("You changed the password for userid 101. Try again.");
|
|
}
|
|
} catch (SAXException saxe) {
|
|
return new StringElement("The XML was not well formed: " + saxe.getLocalizedMessage());
|
|
} catch (IOException ioe) {
|
|
return new StringElement(ioe.getLocalizedMessage());
|
|
}
|
|
}
|
|
|
|
private static class PasswordChanger extends DefaultHandler {
|
|
private static String PASSWORD_TAG = "password";
|
|
private static String ID_TAG = "id";
|
|
|
|
private String id = null;
|
|
private String password = null;
|
|
|
|
private StringBuffer text = new StringBuffer();
|
|
|
|
public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException {
|
|
text.delete(0, text.length());
|
|
}
|
|
|
|
public void characters(char[] ch, int start, int length) throws SAXException {
|
|
text.append(ch, start, length);
|
|
}
|
|
|
|
public void endElement(String uri, String localName, String qName) throws SAXException {
|
|
if (localName.equals(ID_TAG))
|
|
id = text.toString();
|
|
if (localName.equals(PASSWORD_TAG))
|
|
password = text.toString();
|
|
text.delete(0, text.length());
|
|
}
|
|
|
|
public void ignorableWhitespace(char[] ch, int start, int length) throws SAXException {
|
|
text.append(ch, start, length);
|
|
}
|
|
|
|
public String getId() {
|
|
return id;
|
|
}
|
|
|
|
public String getPassword() {
|
|
return password;
|
|
}
|
|
|
|
}
|
|
}
|