ToB企服应用市场:ToB评测及商务社交产业平台
标题:
代码审计(Java)——WebGoat_Xss
[打印本页]
作者:
种地
时间:
2022-9-16 17:19
标题:
代码审计(Java)——WebGoat_Xss
一、写在前面
刚刚入职,适应了几天后抓紧开始学习,毕竟学无止境且自己太菜了……
面试的时候,负责人问了我一些关于Java代审的问题,不过之前接触的更多是php的代审。熟悉代审的小伙伴们大概都清楚,两者就不是一个难度等级……而且网上目前好像也没有一个比较系统的java代审学习路线和视频,在这里就慢慢摸索吧,学一点就记录一点,也希望哪一位大佬看到后,可以call我一下,哪怕点一点学习路线也好,实在是头绪不太够哈哈~
WebGoat是OWASP开源的一个Java且使用的Spring框架的开源靶场,就从这里开始吧。统一说一下环境搭建(这里走了不少弯路,java的脾气大家都知道,一点不合就撂摊子……):
Maven——3.6.3
jdk11
WebGoat——8.0.0.M25
安装好后IDEA直接启动进入靶场,后面就不说这里了,主要还是代码漏洞的审计~
二、Xss代审(按题目顺序)
之前的就不看了,都是一些说明,直接从7开始
这里给了一个类似于购物车的表单提交功能,他这里放在了XSS漏洞下,那我们就从这里找XSS
这里可以看到,Quantity数量只在前端页面是无法修改的(抓包还没有尝试,这里暂定一下,回头补上,顺便提一下,这里的数量可以填写负数,很有可能会存在支付逻辑漏洞,也是回头再验证吧),那就考虑在下方的card number和access code处考虑插入XSS脚本。
开发团队也是很有意思了,我现在明明就是在攻击你啊……所以这样的利用方式估计是那里被过滤了(事后证明,确实是access code输入框存在着过滤),那就分开试~
可以看到,大概漏洞点在card number位置上,下面上代码寻找问题~
这里F12检查按钮,发现页面把表单提交给了/WebGoat/CrossSiteScripting/attack5a文件,在文件里找了下,确定了该功能的执行类,贴在下面~
1 package org.owasp.webgoat.plugin;
2
3 import org.owasp.webgoat.assignments.AssignmentEndpoint;
4 import org.owasp.webgoat.assignments.AssignmentHints;
5 import org.owasp.webgoat.assignments.AssignmentPath;
6 import org.owasp.webgoat.assignments.AttackResult;
7 import org.owasp.webgoat.session.UserSessionData;
8 import org.springframework.beans.factory.annotation.Autowired;
9 import org.springframework.web.bind.annotation.RequestMapping;
10 import org.springframework.web.bind.annotation.RequestMethod;
11 import org.springframework.web.bind.annotation.RequestParam;
12 import org.springframework.web.bind.annotation.ResponseBody;
13
14 import javax.servlet.http.HttpServletRequest;
15 import java.io.IOException;
16
17
18
19 /***************************************************************************************************
20 *
21 *
22 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
23 * please see http://www.owasp.org/
24 *
25 * Copyright (c) 2002 - 20014 Bruce Mayhew
26 *
27 * This program is free software; you can redistribute it and/or modify it under the terms of the
28 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
29 * License, or (at your option) any later version.
30 *
31 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
32 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
33 * General Public License for more details.
34 *
35 * You should have received a copy of the GNU General Public License along with this program; if
36 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
37 * 02111-1307, USA.
38 *
39 * Getting Source ==============
40 *
41 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
42 * projects.
43 *
44 * For details, please see http://webgoat.github.io
45 *
46 * @author Bruce Mayhew <a target="_blank" href="http://code.google.com/p/webgoat">WebGoat</a>
47 * @created October 28, 2003
48 */
49 @AssignmentPath("/CrossSiteScripting/attack5a")
50 @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
51 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
52
53 @Autowired
54 UserSessionData userSessionData;
55
56 @RequestMapping(method = RequestMethod.GET)
57 public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
58 @RequestParam Integer QTY2, @RequestParam Integer QTY3,
59 @RequestParam Integer QTY4, @RequestParam String field1,
60 @RequestParam String field2, HttpServletRequest request)
61 throws IOException {
62
63 if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
64 return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
65 }
66
67 double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
68
69 userSessionData.setValue("xss-reflected1-complete",(Object)"false");
70 StringBuffer cart = new StringBuffer();
71 cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
72 cart.append("<p>We have charged credit card:" + field1 + "<br />");
73 cart.append( " ------------------- <br />");
74 cart.append( " $" + totalSale);
75
76 //init state
77 if (userSessionData.getValue("xss-reflected1-complete") == null) {
78 userSessionData.setValue("xss-reflected1-complete",(Object)"false");
79 }
80
81 if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
82 //return trackProgress()
83 userSessionData.setValue("xss-reflected-5a-complete","true");
84 if(field1.toLowerCase().contains("console.log")) {
85 return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
86 } else {
87 return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
88 }
89 } else {
90 userSessionData.setValue("xss-reflected1-complete","false");
91 return trackProgress(success()
92 .feedback("xss-reflected-5a-failure")
93 .output(cart.toString())
94 .build());
95 }
96 }
97 }
复制代码
第63行可以看到,确实使field2的参数经过了一个小写转换+匹配,也就能证明之前两个输入框输入的命令不正确了~
第72行可以看到,field1也就是card number参数,直接放到了执行语句中,没有经过过滤,这也是7等级主要想表现出的漏洞问题~
修复一下,在上图处添加html转义,查看结果,可以看到的确没有执行脚本。第7级完结~
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)
Powered by Discuz! X3.4
