forked from WebGoat/WebGoat
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
117 additions
and
0 deletions.
There are no files selected for viewing
51 changes: 51 additions & 0 deletions
51
...s/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingQuiz.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| package org.owasp.webgoat.plugin; | ||
|
|
||
| import org.owasp.webgoat.assignments.AssignmentEndpoint; | ||
| import org.owasp.webgoat.assignments.AssignmentPath; | ||
| import org.owasp.webgoat.assignments.AttackResult; | ||
| import org.springframework.web.bind.annotation.RequestMapping; | ||
| import org.springframework.web.bind.annotation.RequestMethod; | ||
| import org.springframework.web.bind.annotation.RequestParam; | ||
| import org.springframework.web.bind.annotation.ResponseBody; | ||
|
|
||
| import java.io.IOException; | ||
|
|
||
|
|
||
| /** | ||
| * @TODO: Get JSON from file not from hardcoded string | ||
| * add a question: 1. Append new question to JSON string | ||
| * 2. add right solution to solutions array | ||
| * 3. add Request param with name of question to method head | ||
| */ | ||
| @AssignmentPath("/cross-site-scripting/quiz") | ||
| public class CrossSiteScriptingQuiz extends AssignmentEndpoint { | ||
|
|
||
| String[] solutions = {"Solution 4", "Solution 3", "Solution 1", "Solution 2", "Solution 4"}; | ||
|
|
||
| @RequestMapping(method = RequestMethod.POST) | ||
| @ResponseBody | ||
| public AttackResult completed(@RequestParam String[] question_0_solution, @RequestParam String[] question_1_solution, @RequestParam String[] question_2_solution, @RequestParam String[] question_3_solution, @RequestParam String[] question_4_solution) throws IOException { | ||
| boolean correct = false; | ||
| String[][] solutionsInput = {question_0_solution, question_1_solution, question_2_solution, question_3_solution, question_4_solution}; | ||
| int counter = 0; | ||
| for(String[] sa : solutionsInput) { | ||
| for(String s : sa) { | ||
| if(sa.length == 1 && s.contains(this.solutions[counter])) { | ||
| correct = true; | ||
| break; | ||
| } else { | ||
| correct = false; | ||
| continue; | ||
| } | ||
| } | ||
| if(!correct) break; | ||
| counter++; | ||
| } | ||
| if(correct) { | ||
| return trackProgress(success().build()); | ||
| } else { | ||
| return trackProgress(failed().build()); | ||
| } | ||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
43 changes: 43 additions & 0 deletions
43
...at-lessons/cross-site-scripting/src/main/resources/js/questions_cross_site_scripting.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| { | ||
| "questions": [{ | ||
| "text": "Are trusted websites immune to XSS attacks?", | ||
| "solutions": { | ||
| "1": "Yes, they're safe because the browser checks the code before executing.", | ||
| "2": "Yes, because Google has got an algorithm that blocks malicious code.", | ||
| "3": "No, because the script that's executed will break through the browser's defense algorithm.", | ||
| "4": "No, because the browser trusts the website if it's acknowledged trusted, then the browser doesn't know that the script is malicious." | ||
| } | ||
| }, { | ||
| "text": "When do XSS attacks occur?", | ||
| "solutions": { | ||
| "1": "Data enters a web application through a trusted source.", | ||
| "2": "Data enters a browser application through the website.", | ||
| "3": "The data is included in dynamic content that is sent to a web user without being validated for malicious content.", | ||
| "4": "The data is excluded in static content, that way it is sent without being validated." | ||
| } | ||
| }, { | ||
| "text": "What are Stored XSS attacks?", | ||
| "solutions": { | ||
| "1": "The script is permanently stored on the server and the victim gets the malicious script when requesting information from the server.", | ||
| "2": "The script stores itself on the victim's computer and executes locally the malicious code.", | ||
| "3": "The script stores a virus on the victim's computer. The attacker can perform various actions now.", | ||
| "4": "The script is stored in the browser and sends information to the attacker." | ||
| } | ||
| }, { | ||
| "text": "What are Reflected XSS attacks?", | ||
| "solutions": { | ||
| "1": "Reflected attacks reflect malicious code from the database to the web server and then reflect it back to the user.", | ||
| "2": "They reflect the injected script off the web server. That occurs when input sent to the web server is part of the request.", | ||
| "3": "Reflected attacks reflect from the server's firewall off to the database where the user requests information from.", | ||
| "4": "Reflected XSS is an attack where the injected script is reflected off the database and web server to the user." | ||
| } | ||
| }, { | ||
| "text": "Is Javascript the only way to perform XSS attacks?", | ||
| "solutions": { | ||
| "1": "Yes, you can only make use of tags through Javascript.", | ||
| "2": "Yes, otherwise you can't steal cookies.", | ||
| "3": "No, there's ECMAScript too.", | ||
| "4": "No, there're many other ways. Like HTML, Flash or any other type of code that the browser executes." | ||
| } | ||
| }] | ||
| } |
1 change: 1 addition & 0 deletions
1
...s-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_quiz.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Now it's time for a quiz! It's recommended to check the OWASP Cross Site Scripting explanations https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Answer all questions correctly to complete the assignment. |