一、写在前面
刚刚入职,适应了几天后抓紧开始学习,毕竟学无止境且自己太菜了……
面试的时候,负责人问了我一些关于Java代审的问题,不过之前接触的更多是php的代审。熟悉代审的小伙伴们大概都清楚,两者就不是一个难度等级……而且网上目前好像也没有一个比较系统的java代审学习路线和视频,在这里就慢慢摸索吧,学一点就记录一点,也希望哪一位大佬看到后,可以call我一下,哪怕点一点学习路线也好,实在是头绪不太够哈哈~
WebGoat是OWASP开源的一个Java且使用的Spring框架的开源靶场,就从这里开始吧。统一说一下环境搭建(这里走了不少弯路,java的脾气大家都知道,一点不合就撂摊子……):
- Maven——3.6.3
- jdk11
- WebGoat——8.0.0.M25
安装好后IDEA直接启动进入靶场,后面就不说这里了,主要还是代码漏洞的审计~
二、Xss代审(按题目顺序)
这里给了一个类似于购物车的表单提交功能,他这里放在了XSS漏洞下,那我们就从这里找XSS
这里可以看到,Quantity数量只在前端页面是无法修改的(抓包还没有尝试,这里暂定一下,回头补上,顺便提一下,这里的数量可以填写负数,很有可能会存在支付逻辑漏洞,也是回头再验证吧),那就考虑在下方的card number和access code处考虑插入XSS脚本。
开发团队也是很有意思了,我现在明明就是在攻击你啊……所以这样的利用方式估计是那里被过滤了(事后证明,确实是access code输入框存在着过滤),那就分开试~
可以看到,大概漏洞点在card number位置上,下面上代码寻找问题~
这里F12检查按钮,发现页面把表单提交给了/WebGoat/CrossSiteScripting/attack5a文件,在文件里找了下,确定了该功能的执行类,贴在下面~- 1 package org.owasp.webgoat.plugin;
- 2
- 3 import org.owasp.webgoat.assignments.AssignmentEndpoint;
- 4 import org.owasp.webgoat.assignments.AssignmentHints;
- 5 import org.owasp.webgoat.assignments.AssignmentPath;
- 6 import org.owasp.webgoat.assignments.AttackResult;
- 7 import org.owasp.webgoat.session.UserSessionData;
- 8 import org.springframework.beans.factory.annotation.Autowired;
- 9 import org.springframework.web.bind.annotation.RequestMapping;
- 10 import org.springframework.web.bind.annotation.RequestMethod;
- 11 import org.springframework.web.bind.annotation.RequestParam;
- 12 import org.springframework.web.bind.annotation.ResponseBody;
- 13
- 14 import javax.servlet.http.HttpServletRequest;
- 15 import java.io.IOException;
- 16
- 17
- 18
- 19 /***************************************************************************************************
- 20 *
- 21 *
- 22 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- 23 * please see http://www.owasp.org/
- 24 *
- 25 * Copyright (c) 2002 - 20014 Bruce Mayhew
- 26 *
- 27 * This program is free software; you can redistribute it and/or modify it under the terms of the
- 28 * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- 29 * License, or (at your option) any later version.
- 30 *
- 31 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- 32 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- 33 * General Public License for more details.
- 34 *
- 35 * You should have received a copy of the GNU General Public License along with this program; if
- 36 * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- 37 * 02111-1307, USA.
- 38 *
- 39 * Getting Source ==============
- 40 *
- 41 * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- 42 * projects.
- 43 *
- 44 * For details, please see http://webgoat.github.io
- 45 *
- 46 * @author Bruce Mayhew <a target="_blank" href="http://code.google.com/p/webgoat">WebGoat</a>
- 47 * @created October 28, 2003
- 48 */
- 49 @AssignmentPath("/CrossSiteScripting/attack5a")
- 50 @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"})
- 51 public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
- 52
- 53 @Autowired
- 54 UserSessionData userSessionData;
- 55
- 56 @RequestMapping(method = RequestMethod.GET)
- 57 public @ResponseBody AttackResult completed(@RequestParam Integer QTY1,
- 58 @RequestParam Integer QTY2, @RequestParam Integer QTY3,
- 59 @RequestParam Integer QTY4, @RequestParam String field1,
- 60 @RequestParam String field2, HttpServletRequest request)
- 61 throws IOException {
- 62
- 63 if (field2.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
- 64 return trackProgress(failed().feedback("xss-reflected-5a-failed-wrong-field").build());
- 65 }
- 66
- 67 double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
- 68
- 69 userSessionData.setValue("xss-reflected1-complete",(Object)"false");
- 70 StringBuffer cart = new StringBuffer();
- 71 cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />");
- 72 cart.append("<p>We have charged credit card:" + field1 + "<br />");
- 73 cart.append( " ------------------- <br />");
- 74 cart.append( " $" + totalSale);
- 75
- 76 //init state
- 77 if (userSessionData.getValue("xss-reflected1-complete") == null) {
- 78 userSessionData.setValue("xss-reflected1-complete",(Object)"false");
- 79 }
- 80
- 81 if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\)|alert\\(.*\\))<\\/script>")) {
- 82 //return trackProgress()
- 83 userSessionData.setValue("xss-reflected-5a-complete","true");
- 84 if(field1.toLowerCase().contains("console.log")) {
- 85 return trackProgress(success().feedback("xss-reflected-5a-success-console").output(cart.toString()).build());
- 86 } else {
- 87 return trackProgress(success().feedback("xss-reflected-5a-success-alert").output(cart.toString()).build());
- 88 }
- 89 } else {
- 90 userSessionData.setValue("xss-reflected1-complete","false");
- 91 return trackProgress(success()
- 92 .feedback("xss-reflected-5a-failure")
- 93 .output(cart.toString())
- 94 .build());
- 95 }
- 96 }
- 97 }
第72行可以看到,field1也就是card number参数,直接放到了执行语句中,没有经过过滤,这也是7等级主要想表现出的漏洞问题~
修复一下,在上图处添加html转义,查看结果,可以看到的确没有执行脚本。第7级完结~
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |
