git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@287 4033779f-a91e-0410-96ef-6bf7bf53c507
package org.owasp.webgoat.lessons;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.A;
import org.apache.ecs.html.BR;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.Script;

import org.owasp.webgoat.session.*;
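/**
 * WebGoat lesson driver for the DOM-based cross-site scripting lab.
 *
 * <p>The vulnerable behaviour under study lives in the client-side
 * {@code javascript/DOMXSS.js}, which writes the typed name into the page.
 * This class only renders the input form, recognises whether the submitted
 * {@code person} parameter has the shape each stage asks for, and advances
 * the lesson tracker. Stage 5 is different: it is passed by editing the
 * JavaScript file so the greeting goes through {@code escapeHTML(name)}, and
 * {@link #doStage5(WebSession)} verifies that by reading the deployed file.
 *
 * <p>The stage checks are case-insensitive substring matches, not markup
 * parsing or input validation; they exist to detect the expected payload
 * shape and must not be read as an example of output encoding.
 */
public class DOMXSS extends SequentialLessonAdapter
{
    public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com")
            .addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0)
                    .setVspace(0));

    /** Request parameter carrying the name typed into the lesson form. */
    private static final String PERSON = "person";

    /** Ranking returned by {@link #getDefaultRanking()}. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(10);

    /** Call that must appear in {@code DOMXSS.js} for stage 5 to pass. */
    private static final String STAGE5_FIX = "escapeHTML(name)";

    /**
     * Delegates to the staged-content machinery of the superclass, which
     * dispatches to {@code doStage1..5} based on the lesson tracker.
     *
     * @param s the current web session
     * @return the rendered lesson content
     */
    protected Element createContent(WebSession s)
    {
        return super.createStagedContent(s);
    }

    /**
     * Returns the submitted {@code person} parameter, or {@code ""} when absent.
     *
     * @param s the current web session
     * @return the raw parameter value as typed by the user
     */
    private String attackString(WebSession s)
    {
        return s.getParser().getStringParameter(PERSON, "");
    }

    /**
     * Case-insensitive check that {@code input} contains every needle.
     *
     * <p>Lower-casing uses {@link Locale#ENGLISH} so the ASCII needles still
     * match under locales (e.g. Turkish) where the default case mapping of
     * {@code 'I'} does not produce {@code 'i'}.
     *
     * @param input the text to search
     * @param needles lower-case substrings that must all be present
     * @return {@code true} iff every needle occurs in {@code input}
     */
    private static boolean containsAll(String input, String... needles)
    {
        String lower = input.toLowerCase(Locale.ENGLISH);
        for (String needle : needles)
        {
            if (lower.indexOf(needle) == -1)
            {
                return false;
            }
        }
        return true;
    }

    /**
     * Stage 1: the learner must get the OWASP logo image rendered via the name field.
     *
     * @param s the current web session
     * @return the lesson form
     * @throws Exception propagated from content generation
     */
    protected Element doStage1(WebSession s) throws Exception
    {
        ElementContainer ec = new ElementContainer();
        ec.addElement(mainContent(s));

        if (containsAll(attackString(s), "img", "images/logos/owasp.jpg"))
        {
            getLessonTracker(s).setStage(2);
            s.setMessage("Stage 1 completed. ");
        }
        return ec;
    }

    /**
     * Stage 2: the learner must trigger a script alert through an image tag's error handler.
     *
     * @param s the current web session
     * @return the lesson form
     * @throws Exception propagated from content generation
     */
    protected Element doStage2(WebSession s) throws Exception
    {
        ElementContainer ec = new ElementContainer();
        ec.addElement(mainContent(s));

        if (containsAll(attackString(s), "img", "onerror", "alert"))
        {
            getLessonTracker(s).setStage(3);
            s.setMessage("Stage 2 completed. ");
        }
        return ec;
    }

    /**
     * Stage 3: the learner must trigger a script alert through an iframe.
     *
     * @param s the current web session
     * @return the lesson form
     * @throws Exception propagated from content generation
     */
    protected Element doStage3(WebSession s) throws Exception
    {
        ElementContainer ec = new ElementContainer();
        ec.addElement(mainContent(s));

        if (containsAll(attackString(s), "iframe", "javascript:alert"))
        {
            getLessonTracker(s).setStage(4);
            s.setMessage("Stage 3 completed.");
        }
        return ec;
    }

    /**
     * Stage 4: the learner must inject a fake login form (see the hint text).
     *
     * @param s the current web session
     * @return the lesson form
     * @throws Exception propagated from content generation
     */
    protected Element doStage4(WebSession s) throws Exception
    {
        ElementContainer ec = new ElementContainer();
        ec.addElement(mainContent(s));

        if (containsAll(attackString(s), "please enter your password:", "javascript:alert"))
        {
            getLessonTracker(s).setStage(5);
            s.setMessage("Stage 4 completed.");
        }
        return ec;
    }

    /**
     * Stage 5: the mitigation stage. It is not solved by a request parameter;
     * the learner edits {@code WebContent/javascript/DOMXSS.js} so the name
     * is passed through {@code escapeHTML(name)} before being written into
     * the DOM. The deployed file is read and checked for that call.
     *
     * @param s the current web session
     * @return the lesson form
     * @throws Exception propagated from content generation
     */
    protected Element doStage5(WebSession s) throws Exception
    {
        ElementContainer ec = new ElementContainer();
        ec.addElement(mainContent(s));

        // Fixed, server-side resource path: nothing from the request goes into it.
        String file = s.getWebResource("javascript/DOMXSS.js");
        String content = getFileContent(file);

        if (content.indexOf(STAGE5_FIX) != -1)
        {
            makeSuccess(s);
        }
        return ec;
    }

    /**
     * Builds the lesson form: the two lesson scripts, the greeting heading that
     * {@code DOMXSS.js} fills in, the name field (pre-filled with whatever was
     * last submitted) and a submit button.
     *
     * <p>Errors while building the form are reported through the session
     * message and logged; the partially built container is still returned so
     * the page renders.
     *
     * @param s the current web session
     * @return the form container
     */
    protected ElementContainer mainContent(WebSession s)
    {
        ElementContainer ec = new ElementContainer();
        try
        {
            ec.addElement(new Script().setSrc("javascript/DOMXSS.js"));
            ec.addElement(new Script().setSrc("javascript/escape.js"));
            ec.addElement(new H1().setID("greeting"));
            ec.addElement(new StringElement("Enter your name: "));

            // Echo the last submission so the field keeps its value between stages.
            // NOTE(review): this relies on ECS attribute-encoding the value
            // attribute; the lesson's intended sink is the DOM write in
            // DOMXSS.js, not this server-rendered attribute — confirm.
            String typed = attackString(s);
            Input input = new Input(Input.TEXT, PERSON, typed);
            // Every keystroke re-renders the greeting client-side (the DOM sink under study).
            input.setOnKeyUp("displayGreeting(" + PERSON + ".value)");
            ec.addElement(input);
            ec.addElement(new BR());
            ec.addElement(new BR());

            Element submit = ECSFactory.makeButton("Submit Solution");
            ec.addElement(submit);
        }
        catch (Exception e)
        {
            // Best effort: report and keep whatever was built so far.
            s.setMessage("Error generating " + this.getClass().getName());
            e.printStackTrace();
        }
        return ec;
    }

    /**
     * Returns one hint per attack stage; each hint is the payload the
     * corresponding {@code doStageN} check recognises.
     *
     * @param s the current web session (unused; hints do not depend on stage)
     * @return the hint strings in stage order
     */
    public List<String> getHints(WebSession s)
    {
        List<String> hints = new ArrayList<String>();

        hints.add("Try entering the following: " + "<IMG SRC=\"images/logos/owasp.jpg\"/>");
        hints.add("Try entering the following: " + "<img src=x onerror=;;alert('XSS') />");
        hints.add("Try entering the following: " + "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>");
        hints.add("Try entering the following: "
                + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button "
                + "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>");

        return hints;
    }

    /**
     * Gets the default ranking of this lesson within its category.
     *
     * @return the ranking value
     */
    protected Integer getDefaultRanking()
    {
        return DEFAULT_RANKING;
    }

    /**
     * Gets the category this lesson is listed under.
     *
     * @return {@link Category#AJAX_SECURITY}
     */
    protected Category getDefaultCategory()
    {
        return Category.AJAX_SECURITY;
    }

    /**
     * Gets the lesson title shown in the menu.
     *
     * @return the title value
     */
    public String getTitle()
    {
        return ("LAB: DOM-Based cross-site scripting");
    }

    /**
     * Returns the instruction text for the learner's current stage.
     *
     * @param s the current web session
     * @return the instructions for stages 1-5, or {@code ""} for any other stage
     */
    public String getInstructions(WebSession s)
    {
        int stage = getLessonTracker(s).getStage();
        switch (stage)
        {
            case 1:
                return "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
            case 2:
                return "STAGE 2:\tNow, try to create a JavaScript alert using the image tag";
            case 3:
                return "STAGE 3:\tNext, try to create a JavaScript alert using the IFRAME tag.";
            case 4:
                return "STAGE 4:\tUse the following to create a fake login form:<br><br>"
                        + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button "
                        + "onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>";
            case 5:
                return "STAGE 5:\tPerform client-side HTML entity encoding to mitigate the DOM XSS vulnerability. A utility method is provided for you in WebContent/javascript/escape.js.";
            default:
                return "";
        }
    }

    /**
     * Reads the whole file at {@code path} and returns its lines concatenated
     * without separators (sufficient for the substring check in stage 5).
     *
     * <p>Failures are best-effort: an unreadable or missing file is logged and
     * yields whatever was read before the error (possibly {@code ""}), which
     * simply means stage 5 is not passed yet.
     *
     * @param path filesystem path of the file to read; {@code null} yields {@code ""}
     * @return the concatenated content
     */
    private String getFileContent(String path)
    {
        StringBuilder sb = new StringBuilder();
        if (path == null)
        {
            return sb.toString();
        }

        BufferedReader in = null;
        try
        {
            // Explicit UTF-8 instead of FileReader's platform default, so the
            // check does not depend on the server JVM's file.encoding.
            in = new BufferedReader(new InputStreamReader(new FileInputStream(new File(path)), "UTF-8"));
            String line;
            while ((line = in.readLine()) != null)
            {
                sb.append(line);
            }
        }
        catch (IOException e)
        {
            e.printStackTrace();
        }
        finally
        {
            if (in != null)
            {
                try
                {
                    in.close();
                }
                catch (IOException ignored)
                {
                    // Nothing useful to do if close() fails after the read completed.
                }
            }
        }
        return sb.toString();
    }

    /**
     * Gets the credits footer for this lesson.
     *
     * @return the custom credits element carrying {@link #ASPECT_LOGO}
     */
    public Element getCredits()
    {
        return super.getCustomCredits("", ASPECT_LOGO);
    }
}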