Friday, May 24, 2019

webgoat 8.0.0 M25 XSS (mitigated)

It’s your turn!
Try to prevent this kind of XSS by creating a clean string inside of the saveNewComment() function. Use "antisamy-slashdot.xml" as the policy file for this example:


==================== the following doesn't pass the test ========

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import MyCommentDAO;   // stub supplied by the lesson template

public class AntiSamyController {

    // Policy file named by the assignment; it must be resolvable from the working directory at runtime.
    private static final String POLICY_FILE = "antisamy-slashdot.xml";

    public void saveNewComment(int threadID, int userID, String newComment)
            throws PolicyException, ScanException {
        // Load the allow-list policy and run the untrusted comment through AntiSamy.
        Policy policy = Policy.getInstance(POLICY_FILE);
        AntiSamy antisamy = new AntiSamy();
        CleanResults cr = antisamy.scan(newComment, policy);

        // Persist only the sanitized HTML, never the raw comment.
        String cleanComment = cr.getCleanHTML();
        MyCommentDAO.addComment(threadID, userID, cleanComment);
    }
}

Thursday, May 23, 2019

WEBGOAT 8.0.0.M25 XSS mitigated

Reflective XSS
See the HTML file below which passes data to a JSP file.

<html>
   <body>
      <form action = "main.jsp" method = "POST">
         First Name: <input type = "text" name = "first_name">
         <br />
         Last Name: <input type = "text" name = "last_name" />
         <input type = "submit" value = "Submit" />
      </form>
   </body>
</html>
Here is the JSP file:

<html>

<head>
    <title>Using GET and POST Method to Read Form Data</title>
</head>

<body>
    <h1>Using POST Method to Read Form Data</h1>
    <table>
        <tbody>
            <tr>
                <td><b>First Name:</b></td>
                <td><%= request.getParameter("first_name")%></td>
            </tr>
            <tr>
                <td><b>Last Name:</b></td>
                <td>
                    <%= request.getParameter("last_name")%>
                </td>
            </tr>
        </tbody>
    </table>
</body>

</html>
As you can see, the JSP file prints unfiltered user input, which is never a good idea. You want people to access the page like this:

http://hostname.com/mywebapp/main.jsp?first_name=John&last_name=Smith
But what happens if someone uses this link:

http://hostname.com/mywebapp/main.jsp?first_name=<script>alert("XSS Test")</script>
It is your turn!
Try to prevent this kind of XSS by escaping the url parameters in the JSP file:
<html>
<head>
    <title>Using GET and POST Method to Read Form Data</title>
</head>
<body>
    <h1>Using POST Method to Read Form Data</h1>
    <table>
        <tbody>
            <tr>
                <td><b>First Name:</b></td>
                <td>YOUR CODE HERE</td>
            </tr>
            <tr>
                <td><b>Last Name:</b></td>
                <td>YOUR CODE HERE</td>
            </tr>
        </tbody>
    </table>
</body>
</html>
=====================

<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<html>
<head>
    <title>Using GET and POST Method to Read Form Data</title>
</head>
<body>
    <h1>Using POST Method to Read Form Data</h1>
    <table>
        <tbody>
            <tr>
                <td><b>First Name:</b></td>
                <td>${e:forHtml(param.first_name)}</td>
            </tr>
            <tr>
                <td><b>Last Name:</b></td>
                <td>${e:forHtml(param.last_name)}</td>
            </tr>
        </tbody>
    </table>
</body>
</html>
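As an added example (not code from the WebGoat lesson or from this post), the following Java program exercises both mitigations covered above on the page's own inputs: OWASP Java Encoder's Encode.forHtml for the reflected main.jsp case, which is the method the e:forHtml tag calls, and AntiSamy with antisamy-slashdot.xml for the stored-comment case. It assumes the encoder and antisamy artifacts are on the classpath and that the policy file is packaged as a classpath resource; the class and method names are my own.

```java
import java.io.InputStream;
import java.util.List;

import org.owasp.encoder.Encode;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/** Added demo (hypothetical class): output encoding for reflected data, policy sanitization for stored HTML. */
public class XssMitigationDemo {

    // Reflected case (main.jsp): the parameter is plain text, so encode it for the HTML body context.
    // This is the call behind ${e:forHtml(param.first_name)} in the JSP solution.
    static String renderCell(String untrustedParam) {
        return "<td>" + Encode.forHtml(untrustedParam) + "</td>";
    }

    // Stored case (saveNewComment): comments may carry limited markup, so sanitize against a policy.
    // The policy is read from the classpath; a source-tree path such as src/main/webapp/... is not
    // available once the application is packaged, which is a common reason getInstance() fails.
    static String sanitizeComment(String newComment) throws PolicyException, ScanException {
        InputStream in = XssMitigationDemo.class.getResourceAsStream("/antisamy-slashdot.xml");
        if (in == null) {
            throw new IllegalStateException("antisamy-slashdot.xml not found on the classpath");
        }
        Policy policy = Policy.getInstance(in);
        CleanResults cr = new AntiSamy().scan(newComment, policy);
        List<String> removed = cr.getErrorMessages(); // what the policy stripped; worth logging
        System.out.println("policy violations: " + cr.getNumberOfErrors() + " " + removed);
        return cr.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the lesson's reflected payload and a comment mixing allowed markup with a script.
        String firstName = "<script>alert(\"XSS Test\")</script>";
        System.out.println(renderCell(firstName)); // angle brackets and quotes come out as HTML entities

        String comment = "<b>nice post</b><script>alert('vulnerable')</script>";
        System.out.println(sanitizeComment(comment)); // <b> is allowed by the policy; the script element is removed
    }
}
```

The two calls are not interchangeable: encoding renders every tag inert and belongs in the JSP output context, while sanitization keeps policy-allowed markup and belongs where rich-text comments are stored.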