Lab Cross-Site Scripting Stage 1 solution · Issue #176 · WebGoat/WebGoat · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lab Cross-Site Scripting Stage 1 solution #176

Closed
span opened this issue Jan 30, 2016 · 4 comments
Closed

Lab Cross-Site Scripting Stage 1 solution #176

span opened this issue Jan 30, 2016 · 4 comments

Comments

@span
Copy link

span commented Jan 30, 2016

The solution file for this lab does not render and is reported as missing. The stage has a solution in WebGoat 6 where the street field is injectable with a script but that solution does not work in WebGoat 7.

When injecting the field in WebGoat 7 with <script>alert(1)</script> the result is .script.alert(1)./script.. The brackets are turned into dots.

screen shot 2016-01-30 at 14 04 38

Also note that stage 1 in the second XSS lab "DB Cross-Site Scripting" also have the same issue.

Is this an intentional change of the behaviour so that is the reason the solution is missing or has the solution simply not been ported and the lesson is broken?
@span span mentioned this issue Jan 30, 2016
Closed
@span
Copy link
Author

span commented Jan 30, 2016

The imports used by CrossSiteScripting.java are using the versions from the base class GoatHillsFinancial for the view, edit, update and find actions. When removing these imports so the lesson-specific versions are used the injection works and I can XSS myself on the field as expected.

This revealed a new issue. When logging out of GHF and logging in as Jerry it seems the injected code is no longer saved. When viewing Tom's profile the real address for Tom is shown. The issue is the same even if not logging out and simply going to "List staff" and then "View profile" again.

I added some logging to the CreateDB.createEmployeeTable method and I can see the injected code in the db update and then the table is dropped.

try {
    String dropTable = "DROP TABLE employee";
    statement.executeUpdate(dropTable);
    System.out.println("Dropped employee table");
} catch (SQLException e) {
    System.out.println("Info - Could not drop employee table");
}

As you can see at the end the employee table is dropped and recrated. Not sure why this is happening yet.

INFO: WebGoat: Mon Feb 01 22:11:58 CET 2016
...
address1=<script>alert(1)</script>,address2=New York
...
2016-02-01 22:11:58,160 DEBUG - Mon Feb 01 22:11:58 CET 2016
...
address1=<script>alert(1)</script>,address2=New York
...
2016-02-01 22:11:58,160 DEBUG - Screen: LAB: Cross Site Scripting
2016-02-01 22:11:58,162 DEBUG - Leaving doPost: 
...
2016-02-01 22:11:59,427 INFO  - Role: user
2016-02-01 22:12:01,996 DEBUG - Entering doPost
2016-02-01 22:12:01,996 DEBUG - request: SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@b92419a]
2016-02-01 22:12:01,996 DEBUG - principle: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@979218f8: Principal: org.springframework.security.core.userdetails.User@5e22dd8: Username: guest; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_WEBGOAT_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 27D093EED34F4FC1614D914A1F0CDB18; Granted Authorities: ROLE_WEBGOAT_USER
2016-02-01 22:12:01,996 DEBUG - HH Entering Session_id: E281573DD26B8F828DDBEF5B108BD43D
Successful connection to database
Dropped employee table
Success: creating tables.
Successfully refreshed the database.

@span span mentioned this issue Feb 1, 2016
Merged
@span
Copy link
Author

span commented Feb 2, 2016

After some more debugging I have found the following:

  • CrossSiteScripting class extends RandomLessonAdapter
  • RandomLessonAdapter has a method setStage that recreates the database
  • WebSession.update checks if the stage argument is precent on each request
  • When the stage argument is passed in, WebSession.update calls setStage on the RLA.
  • The stageargument is passed with every request in the GHF-form
  • It seems LessonContentView.js adds the arguments to all forms in makeFormsAjax by setting the url option for the form to url: this.model.urlRoot
  • Since the link to the xss-lesson stage 1 goes to #attack/279/900/1 the stage argument will be passed on for each request

Now; a few questions:

  1. Is the stage argument supposed to be passed along for each request so the WebSession.update?
  2. Can we remove the stage argument from the GHS requests?
  3. Should another argument be added to indicate that a lesson is "ongoing" and then update WebSession.update?
  4. Other?

span pushed a commit to span/WebGoat that referenced this issue Feb 4, 2016
Add stage parameter in the session to keep track of current stage so …
59549e3 
…that we do not reset the stage and recreate the database in the middle of a lesson. To do this a small refactor of WebSession was made which simply extracts some methods from the previously large update method. Ref WebGoat#176.
@span span mentioned this issue Feb 4, 2016
Merged
@mayhew64
Copy link
Contributor

Awesome sleuthing.

@span
Copy link
Author

span commented Feb 20, 2016

Merged so closing.

@span span closed this as completed Feb 20, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@span @mayhew64