XSS - LAB: Cross Site Scripting

Stage 1: Execute a Stored Cross Site Scripting (XSS) attack.

1. Log in with username Tom Cat, password tom.


2. Click "ViewProfile" => "EditProfile".

The form is vulnerable to XSS, so a script could be placed in any field, but to complete the lab the payload must go in the Street field.

Message:

<script>alert('You are hacked by windowspeople')</script>

3. Update profile and logout. 

4. Log in as another user, Jerry/jerry, and view Tom Cat's profile. Rendering the stored Street value triggers the script.

Stage 2: Block Stored XSS using Input Validation

Goal: 

Implement a fix that blocks the stored XSS before it can be written to the database. Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.

Method: 

Modify UpdateProfile.java to restrict what the profile fields may contain. The file is located on the WebGoat server at

/root/.extract/webapps/WebGoat/plugin_extracted/org/owasp/webgoat/plugin/GoatHillsFinancial/UpdateProfile.java

or, served by the web application, at http://webgoat_ip_address:8080/WebGoat/plugin_extracted/org/owasp/webgoat/plugin/GoatHillsFinancial/UpdateProfile.java

Modify UpdateProfile.java so that the fields may contain only the characters below; any other character fails validation and the update is rejected:

\s = whitespace (\t \n \x0B \f \r and the space character), \w = word characters (a-z, A-Z, 0-9 and _), plus the literal characters - and ,

import java.util.regex.Pattern; // add to the imports of UpdateProfile.java

// Allowlist: whitespace, word characters, '-' and ','. Inside a Java character
// class a '-' that directly follows \w is a literal hyphen, not a range.
String regex = "[\\s\\w-,]*";
// Every submitted field is concatenated and checked once; a single disallowed
// character anywhere rejects the whole update.
String stringToValidate = firstName + lastName + ssn + title + phone + address1 + address2
        + startDate + ccn + disciplinaryActionDate + disciplinaryActionNotes + personalDescription;
Pattern pattern = Pattern.compile(regex);
validate(stringToValidate, pattern); // throws ValidationException on a mismatch


 
Stage 3: Execute a previously Stored Cross Site Scripting (XSS) attack.

The 'Bruce' employee profile is pre-loaded with a stored XSS attack. Verify that 'David' is affected by the attack even though the fix from stage 2 is in place: log in as David and open Bruce's profile. Input validation only protects new writes; it does nothing for payloads that are already in the database.

 

Stage 4: Block Stored XSS using Output Encoding

Goal: 

Prevent a previously Stored Cross Site Scripting (XSS) attack

Method: 

Encode all special characters on output with HtmlEncoder.java, located at

/root/.extract/webapps/WebGoat/WEB-INF/classes/org/owasp/webgoat/util/HtmlEncoder.java

by modifying ViewProfile.java to call HtmlEncoder.encode() on each string field as it is read from the database. The original code in ViewProfile.java:

profile = new Employee(answer_results.getInt("userid"), answer_results.getString("first_name"),
        answer_results.getString("last_name"), answer_results.getString("ssn"), answer_results
        .getString("title"), answer_results.getString("phone"), answer_results
        .getString("address1"), answer_results.getString("address2"), answer_results
        .getInt("manager"), answer_results.getString("start_date"), answer_results
        .getInt("salary"), answer_results.getString("ccn"), answer_results
        .getInt("ccn_limit"), answer_results.getString("disciplined_date"), answer_results
        .getString("disciplined_notes"), answer_results.getString("personal_description"));

The block above is taken from ViewProfile.java. Replace every

answer_results.getString("xxx")

with

HtmlEncoder.encode(answer_results.getString("xxx"))      

import org.owasp.webgoat.util.HtmlEncoder; // add to the imports of ViewProfile.java

// Only the String columns are wrapped: HtmlEncoder.encode() takes a String, and the
// int columns (userid, manager, salary, ccn_limit) cannot carry markup.
profile = new Employee(answer_results.getInt("userid"),
        HtmlEncoder.encode(answer_results.getString("first_name")),
        HtmlEncoder.encode(answer_results.getString("last_name")),
        HtmlEncoder.encode(answer_results.getString("ssn")),
        HtmlEncoder.encode(answer_results.getString("title")),
        HtmlEncoder.encode(answer_results.getString("phone")),
        HtmlEncoder.encode(answer_results.getString("address1")),
        HtmlEncoder.encode(answer_results.getString("address2")),
        answer_results.getInt("manager"),
        HtmlEncoder.encode(answer_results.getString("start_date")),
        answer_results.getInt("salary"),
        HtmlEncoder.encode(answer_results.getString("ccn")),
        answer_results.getInt("ccn_limit"),
        HtmlEncoder.encode(answer_results.getString("disciplined_date")),
        HtmlEncoder.encode(answer_results.getString("disciplined_notes")),
        HtmlEncoder.encode(answer_results.getString("personal_description")));
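The following stand-alone Java program is an added illustration, not code from the lab or from WebGoat's HtmlEncoder class. It uses a minimal entity encoder as a stand-in for HtmlEncoder.encode and shows what the browser receives for a stored Street value like Bruce's, with and without output encoding. The renderCell method, its table-cell markup and the five-character entity table are assumptions made for the example.

```java
// Added example, not WebGoat code: output encoding applied where ViewProfile
// hands a stored value to the page.
public class HtmlOutputEncoding {

    // Stand-in for HtmlEncoder.encode (assumption: the real class maps more
    // characters; this one covers the five that can change HTML structure).
    static String encode(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // What the profile page emits for one field (assumed markup: a plain table
    // cell). Encoding happens on output, so it also neutralises values that were
    // stored before the stage 2 input validation existed.
    static String renderCell(String storedValue, boolean encodeOutput) {
        String shown = encodeOutput ? encode(storedValue) : storedValue;
        return "<td>" + shown + "</td>";
    }

    public static void main(String[] args) {
        // Constructed value, standing in for the payload pre-loaded in Bruce's profile.
        String stored = "<script>alert('You are hacked by windowspeople')</script>";

        System.out.println("without encoding: " + renderCell(stored, false));
        System.out.println("with encoding:    " + renderCell(stored, true));
    }
}
```

Without encoding the cell contains the script element itself and the browser executes it; with encoding every `<`, `>` and `'` arrives as `&lt;`, `&gt;` and `&#39;`, so the browser displays the payload as inert text. Entity encoding of this kind is the correct defence for values placed in HTML element content; a value written into an attribute, a URL or a script block needs the encoder for that context, so the ViewProfile fix covers the profile table cells, not every possible sink.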

 

Stage 5: Execute a Reflected XSS attack.

Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. Verify that another employee using the link is affected by the attack.

Follow the steps below to perform the attack:

1. Log in with user account Larry, password larry.

2. Click Search Staff and enter the XSS script

 <script>alert('You are hacked by windowspeople')</script>

3. The script runs and the pop-up is shown.


Stage 6: Block Reflected XSS using Input Validation.

Goal: 

Implement a fix to block this reflected XSS attack. Repeat step 5. Verify that the attack URL is no longer effective.

Method: 

Here we modify FindProfile.java; the fix is much the same as the Stage 2 fix. The original method:

protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
        ValidationException
{
    // The raw parameter is returned unchecked, so whatever is in the search URL
    // reaches the page that reflects it.
    return s.getParser().getRawParameter(name);
}

The same method after modification:

protected String getRequestParameter(WebSession s, String name) throws ParameterNotFoundException,
        ValidationException
{
    // Same allowlist as Stage 2: whitespace, word characters, '-' and ','.
    String regex = "[\\s\\w-,]*";
    String parameter = s.getParser().getRawParameter(name);
    Pattern pattern = Pattern.compile(regex);
    validate(parameter, pattern); // throws ValidationException if any other character is present
    return parameter;
}
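The following stand-alone Java program is an added example, not WebGoat's own code; it shows the allowlist check from the Stage 2 and Stage 6 fixes at both places the lab patches: the concatenated profile fields of UpdateProfile.java and the request parameter read of FindProfile.java. The ValidationException and ParameterNotFoundException classes are stand-ins for WebGoat's, a Map replaces s.getParser(), and the parameter name search_name and the sample addresses are invented for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not WebGoat code: the lab's allowlist applied to a profile
// update (stage 2) and to a request parameter read (stage 6).
public class AllowlistValidation {

    // The lab's pattern: whitespace, word characters (a-z, A-Z, 0-9, _), '-' and ','.
    // In a Java character class a '-' directly after \w is a literal hyphen.
    static final Pattern ALLOWED = Pattern.compile("[\\s\\w-,]*");

    // Stand-ins for WebGoat's exception types (assumed; the real classes are not used here).
    static class ValidationException extends Exception {
        ValidationException(String message) { super(message); }
    }

    static class ParameterNotFoundException extends Exception {
        ParameterNotFoundException(String message) { super(message); }
    }

    // Mirrors the lab's validate(String, Pattern): matches() anchors the whole
    // string, so one character outside the class rejects the entire value.
    static void validate(String value, Pattern pattern) throws ValidationException {
        if (!pattern.matcher(value).matches()) {
            throw new ValidationException("characters outside the allowlist in: " + value);
        }
    }

    // Stage 2: the lab concatenates every profile field and validates once.
    static boolean profileUpdateAccepted(String... fields) {
        try {
            validate(String.join("", fields), ALLOWED);
            return true;
        } catch (ValidationException e) {
            return false;
        }
    }

    // Stage 6: the patched getRequestParameter, with a Map standing in for
    // s.getParser() (assumption made for this example).
    static String getRequestParameter(Map<String, String> params, String name)
            throws ParameterNotFoundException, ValidationException {
        String parameter = params.get(name);
        if (parameter == null) {
            throw new ParameterNotFoundException(name);
        }
        validate(parameter, ALLOWED);
        return parameter;
    }

    public static void main(String[] args) {
        String payload = "<script>alert('You are hacked by windowspeople')</script>";

        // Stage 2: a plain address passes, the payload in the Street field is rejected.
        System.out.println("benign profile accepted: "
                + profileUpdateAccepted("Tom", "Cat", "12 Oak Street, Apt 4-B"));
        System.out.println("payload in Street accepted: "
                + profileUpdateAccepted("Tom", "Cat", payload));
        // Caveat: the allowlist is strict; a period in a description is rejected too.
        System.out.println("description with a period accepted: "
                + profileUpdateAccepted("Tom", "Cat", "Works in sales."));

        // Stage 6: the search term is validated as it is read, before it is reflected.
        Map<String, String> request = new HashMap<>(); // constructed request parameters
        request.put("search_name", payload);
        try {
            getRequestParameter(request, "search_name");
            System.out.println("reflected payload accepted");
        } catch (ValidationException | ParameterNotFoundException e) {
            System.out.println("reflected payload rejected: " + e.getMessage());
        }
    }
}
```

The benign profile is accepted and both uses of the payload are rejected, because `<`, `>`, `(`, `)` and `'` are all outside the class. The third call shows the cost of an allowlist this tight: a description ending in a period, or a phone number written as (555) 555-5555, fails as well, so in real code the pattern has to be chosen per field from the values that field legitimately holds rather than one class for all of them. Note also that because the fields are concatenated, the error message cannot say which field failed; validating each field separately gives the user a usable error and the log a precise record of what was rejected.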
