XSS Lesson one boolean response

Signed-off-by: Àngel Ollé Blázquez <[email protected]>
GLJones · Oct 1, 2021 · dfa0e1c · dfa0e1c
1 parent 8e6d87d
commit dfa0e1c
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 8 deletions.
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XSSTest.java
@@ -16,7 +16,7 @@ public void crossSiteScriptingAssignments() {
 
         Map<String, Object> params = new HashMap<>();
         params.clear();
-        params.put("answer_xss_1", "yes");
+        params.put("checkboxAttack1", "value");
         checkAssignment(url("/CrossSiteScripting/attack1"), params, true);
 
         params.clear();

diff --git a/...s/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java b/...s/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1.java
@@ -36,8 +36,8 @@ public class CrossSiteScriptingLesson1 extends AssignmentEndpoint {
 
     @PostMapping("/CrossSiteScripting/attack1")
     @ResponseBody
-    public AttackResult completed(@RequestParam String answer_xss_1) {
-        if (answer_xss_1.toString().toLowerCase().equals("yes")) {
+    public AttackResult completed(@RequestParam(value = "checkboxAttack1", required = false) String checkboxValue) {
+        if (checkboxValue != null) {
             return success(this).build();
         } else {
             return failed(this).feedback("xss.lesson1.failure").build();

diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html b/webgoat-lessons/cross-site-scripting/src/main/resources/html/CrossSiteScripting.html
@@ -15,8 +15,7 @@
 				  action="/WebGoat/CrossSiteScripting/attack1">
 				<table>
 					<tr>
-						<td>Were the cookies the same on each tab?</td>
-						<td><input name="answer_xss_1" value="" type="TEXT" /></td>
+						<td><input type="checkbox" name="checkboxAttack1"> The cookies are the same on each tab </td>
 						<td><input
 								name="answer" value="Submit" type="SUBMIT"/></td>
 						<td></td>

diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/cross-site-scripting/src/main/resources/i18n/WebGoatLabels.properties
@@ -17,7 +17,7 @@ xss-reflected-6a-hint-1=To search through the client side code, use the develope
 xss-reflected-6a-hint-2=Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes.
 xss-reflected-6a-hint-3=Make sure you add the base route at the start, when submitting your solution.
 xss-reflected-6a-hint-4=Still did not find it? Check the <a href="/WebGoat/js/goatApp/view/GoatRouter.js" target="_blank">GoatRouter.js</a> file. It should be pretty easy to determine.
-xss.lesson1.failure=Are you sure? Try using a tab from a different site.
+xss.lesson1.failure=The cookies should be the same on both tabs. Ensure that the tabs are from the same site.
 xss-dom-message-success=Correct, I hope you did not cheat, using the console!
 xss-dom-message-failure=Incorrect, keep trying. It should be obvious in the log when you are successful.
 xss-dom-message-hint-1=Open a new tab and navigate to the test-route you just figured out in the previous lesson.

diff --git a/...te-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc b/...te-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content1.adoc
@@ -28,5 +28,6 @@ alert(document.cookie);
 
 == Try It!  Using Chrome or Firefox
 
-* Open a second tab and use the same url as this page you are currently on (or any url within this instance of WebGoat)
-* Then, on that second that open the browser developer tools and open the javascript console. And type:  `alert(document.cookie);` .
+* Open a second tab and use the same url as this page you are currently on (or any URL within this instance of WebGoat).
+* Then, on that second tab open the browser developer tools and open the javascript console. And type:  `alert(document.cookie);`.
+* The cookies should be the same on each tab.
diff --git a/...oss-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java b/...oss-site-scripting/src/test/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson1Test.java
@@ -0,0 +1,76 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2021 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source
+ * ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.xss;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+/**
+ *
+ * @author Angel Olle Blazquez
+ *
+ */
+
+@ExtendWith(MockitoExtension.class)
+class CrossSiteScriptingLesson1Test extends AssignmentEndpointTest {
+
+    private static final String CONTEXT_PATH = "/CrossSiteScripting/attack1";
+
+    @Autowired
+    private MockMvc mockMvc;
+
+    @BeforeEach
+    public void setup() {
+        CrossSiteScriptingLesson1 crossSiteScriptingLesson1 = new CrossSiteScriptingLesson1();
+        init(crossSiteScriptingLesson1);
+        mockMvc = standaloneSetup(crossSiteScriptingLesson1).build();
+    }
+
+    @Test
+    void success() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH)
+            .param("checkboxAttack1", "value"))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+
+    @Test
+    void failure() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post(CONTEXT_PATH))
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+    }
+
+}