b0b94c4688
divide by zero, inaccurate discount and totals, reflection of user input git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507
267 lines
8.4 KiB
Java
267 lines
8.4 KiB
Java
package org.owasp.webgoat.lessons;
|
|
|
|
import java.io.BufferedReader;
|
|
import java.io.File;
|
|
import java.io.FileReader;
|
|
import java.io.IOException;
|
|
import java.util.ArrayList;
|
|
import java.util.List;
|
|
|
|
import org.apache.ecs.Element;
|
|
import org.apache.ecs.ElementContainer;
|
|
import org.apache.ecs.StringElement;
|
|
import org.apache.ecs.html.A;
|
|
import org.apache.ecs.html.BR;
|
|
import org.apache.ecs.html.H1;
|
|
import org.apache.ecs.html.IMG;
|
|
import org.apache.ecs.html.Input;
|
|
import org.apache.ecs.html.Script;
|
|
import org.owasp.webgoat.session.*;
|
|
|
|
public class DOMXSS extends SequentialLessonAdapter {
|
|
|
|
public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0));
|
|
|
|
|
|
private final static String PERSON = "person";
|
|
|
|
/**
|
|
* Description of the Method
|
|
*
|
|
* @param s Description of the Parameter
|
|
* @return Description of the Return Value
|
|
*/
|
|
protected Element createContent(WebSession s) {
|
|
return super.createStagedContent(s);
|
|
}
|
|
|
|
protected Element doStage1(WebSession s) throws Exception {
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
|
|
|
|
ec.addElement(mainContent(s));
|
|
|
|
if (attackString.toString().toLowerCase().indexOf("img") != -1&& attackString.toString().toLowerCase().indexOf("images/logos/owasp.jpg") != -1) {
|
|
getLessonTracker(s).setStage(2);
|
|
s.setMessage("Stage 1 completed. ");
|
|
}
|
|
|
|
return (ec);
|
|
}
|
|
|
|
protected Element doStage2(WebSession s) throws Exception {
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
|
|
|
|
ec.addElement(mainContent(s));
|
|
|
|
if (attackString.toString().toLowerCase().indexOf("img") != -1 && attackString.toString().toLowerCase().indexOf("onerror") != -1 && attackString.toString().toLowerCase().indexOf("alert") != -1) {
|
|
getLessonTracker(s).setStage(3);
|
|
s.setMessage("Stage 2 completed. ");
|
|
}
|
|
|
|
return (ec);
|
|
}
|
|
|
|
protected Element doStage3(WebSession s) throws Exception {
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
|
|
|
|
ec.addElement(mainContent(s));
|
|
|
|
if (attackString.toString().toLowerCase().indexOf("iframe") != -1 && attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) {
|
|
getLessonTracker(s).setStage(4);
|
|
s.setMessage("Stage 3 completed.");
|
|
}
|
|
return (ec);
|
|
}
|
|
|
|
protected Element doStage4(WebSession s) throws Exception {
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
StringBuffer attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
|
|
|
|
ec.addElement(mainContent(s));
|
|
|
|
if (attackString.toString().toLowerCase().indexOf("please enter your password:") != -1&& attackString.toString().toLowerCase().indexOf("javascript:alert") != -1) {
|
|
getLessonTracker(s).setStage(5);
|
|
s.setMessage("Stage 4 completed.");
|
|
}
|
|
|
|
return (ec);
|
|
}
|
|
|
|
protected Element doStage5(WebSession s) throws Exception {
|
|
ElementContainer ec = new ElementContainer();
|
|
|
|
ec.addElement(mainContent(s));
|
|
|
|
/**
|
|
* They pass iff:
|
|
*
|
|
* 1. If the DOMXSS.js file contains the lines "escapeHTML(name)"
|
|
*/
|
|
String file = s.getWebResource("javascript/DOMXSS.js");
|
|
String content = getFileContent(file);
|
|
|
|
if(content.indexOf("escapeHTML(name)") != -1)
|
|
{
|
|
makeSuccess(s);
|
|
}
|
|
|
|
return ec;
|
|
}
|
|
|
|
protected ElementContainer mainContent(WebSession s) {
|
|
StringBuffer attackString = null;
|
|
|
|
ElementContainer ec = new ElementContainer();
|
|
try {
|
|
|
|
ec.addElement(new Script().setSrc("javascript/DOMXSS.js"));
|
|
|
|
ec.addElement(new Script().setSrc("javascript/escape.js"));
|
|
|
|
ec.addElement(new H1().setID("greeting"));
|
|
|
|
ec.addElement(new StringElement("Enter your name: "));
|
|
|
|
attackString = new StringBuffer(s.getParser().getStringParameter(PERSON, ""));
|
|
|
|
Input input = new Input(Input.TEXT, PERSON, attackString.toString());
|
|
input.setOnKeyUp("displayGreeting(" + PERSON + ".value)");
|
|
ec.addElement(input);
|
|
ec.addElement(new BR());
|
|
ec.addElement(new BR());
|
|
|
|
Element b = ECSFactory.makeButton("Submit Solution");
|
|
ec.addElement(b);
|
|
} catch (Exception e) {
|
|
s.setMessage("Error generating " + this.getClass().getName());
|
|
e.printStackTrace();
|
|
}
|
|
return ec;
|
|
|
|
}
|
|
|
|
/**
|
|
* Gets the hints attribute of the HelloScreen object
|
|
*
|
|
* @return The hints value
|
|
*/
|
|
public List<String> getHints(WebSession s) {
|
|
List<String> hints = new ArrayList<String>();
|
|
|
|
hints.add("Try entering the following: " + "<IMG SRC=\"images/logos/owasp.jpg\"/>");
|
|
|
|
hints.add("Try entering the following: " + "<img src=x onerror=;;alert('XSS') />");
|
|
|
|
hints.add("Try entering the following: " + "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>");
|
|
|
|
hints.add("Try entering the following: " + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " +
|
|
"onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>");
|
|
|
|
|
|
|
|
//Attack Strings:
|
|
|
|
//<IMG SRC="images/logos/owasp.jpg"/>
|
|
|
|
//<img src=x onerror=;;alert('XSS') />
|
|
|
|
//<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
|
|
|
|
//Please enter your password:<BR><input type = "password" name="pass"/><button onClick="javascript:alert('I have your password: ' + pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>
|
|
|
|
|
|
return hints;
|
|
}
|
|
|
|
/**
|
|
* Gets the ranking attribute of the HelloScreen object
|
|
*
|
|
* @return The ranking value
|
|
*/
|
|
private final static Integer DEFAULT_RANKING = new Integer(10);
|
|
|
|
protected Integer getDefaultRanking() {
|
|
return DEFAULT_RANKING;
|
|
}
|
|
|
|
protected Category getDefaultCategory() {
|
|
return Category.AJAX_SECURITY;
|
|
}
|
|
|
|
/**
|
|
* Gets the title attribute of the HelloScreen object
|
|
*
|
|
* @return The title value
|
|
*/
|
|
public String getTitle() {
|
|
return ("LAB: DOM-Based cross-site scripting");
|
|
}
|
|
|
|
public String getInstructions(WebSession s) {
|
|
String instructions = "";
|
|
|
|
if (getLessonTracker(s).getStage() == 1) {
|
|
instructions = "STAGE 1:\tFor this exercise, your mission is to deface this website using the image at the following location: <a href = '/WebGoat/images/logos/owasp.jpg'>OWASP IMAGE</a>";
|
|
} else if (getLessonTracker(s).getStage() == 2) {
|
|
instructions = "STAGE 2:\tNow, try to create a JavaScript alert using the image tag";
|
|
} else if (getLessonTracker(s).getStage() == 3) {
|
|
instructions = "STAGE 3:\tNext, try to create a JavaScript alert using the IFRAME tag.";
|
|
} else if (getLessonTracker(s).getStage() == 4) {
|
|
instructions = "STAGE 4:\tUse the following to create a fake login form:<br><br>" + "Please enter your password:<BR><input type = \"password\" name=\"pass\"/><button " +
|
|
"onClick=\"javascript:alert('I have your password: ' + pass.value);\">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR><BR>";
|
|
} else if(getLessonTracker(s).getStage() == 5) {
|
|
instructions = "STAGE 5:\tPerform client-side HTML entity encoding to mitigate the DOM XSS vulnerability. A utility method is provided for you in WebContent/javascript/escape.js.";
|
|
}
|
|
return (instructions);
|
|
}
|
|
|
|
private String getFileContent(String content)
|
|
{
|
|
BufferedReader is = null;
|
|
StringBuffer sb = new StringBuffer();
|
|
|
|
try
|
|
{
|
|
is = new BufferedReader(new FileReader(new File(content)));
|
|
String s = null;
|
|
|
|
while((s = is.readLine()) != null)
|
|
{
|
|
sb.append(s);
|
|
}
|
|
}
|
|
catch (Exception e)
|
|
{
|
|
e.printStackTrace();
|
|
}
|
|
finally
|
|
{
|
|
if(is != null)
|
|
{
|
|
try
|
|
{
|
|
is.close();
|
|
}
|
|
catch (IOException ioe)
|
|
{
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
return sb.toString();
|
|
}
|
|
|
|
public Element getCredits()
|
|
{
|
|
return super.getCustomCredits("", ASPECT_LOGO);
|
|
}
|
|
}
|