Parsons Software Security Consulting Blog

Reflected Cross Site Scripting in OWASP Web Goat source code

leave a comment »

I am doing another web goat vulnerability.  This time once again I scanned Web Goat with a commercial static code analyzer.   The tool is telling me that the below vulnerability is reflected cross site scripting.    With reflected XSS attacks an attacker tricks a user into sending malicious code to a vulnerable web server.   This could access the user’s cookie.

Description of the Exception


public String getRawParameter(String name) throws ParameterNotFoundException


String[] values = request.getParameterValues(name);

if (values == null)


throw new ParameterNotFoundException(name + " not found");


else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); }

return (values[0]);

public String getRawParameter(String name, String def)




return getRawParameter(name);

} catch (Exception e)


return def;




* Gets the rawParameter attribute of the ParameterParser object


String to = s.getParser().getRawParameter(HIDDEN_TO, "");

String gId = s.getParser().getRawParameter(GMAIL_ID, "");

String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");

String message = s.getParser().getRawParameter(MESSAGE, "");

String subject = s.getParser().getRawParameter(SUBJECT, "");

boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));

ec.addElement(new HR());

createGoogleCredentials(s, ec);

ec.addElement(new HR());

ec.addElement(new BR());

createMailMessage(s, subject, message, ec);


if (haveCredentials)


Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);

formatMail(ec, sentMessage);




sendSimulatedMail(ec, to, subject, message);



From reading the code it looks like it gets your gmail information and then sends the message without validating any inputs or encoding any outputs.

All of this takes place inside of the Web Goat file

Once again thanks to OWASP and Aspect Security for creating and supporting web goat.  It’s a great web application security to practice white box ethical hacking, secure code review without going to prison for real hacking.

msg.setRecipients(Message.RecipientType.TO, addressTo);

// Setting the Subject and Content Type


msg.setContent(message, "text/plain");


return msg;

I couldn't find the page in Web goat that the above code references, but I was able to find the reflected XSS lesson in web goat.
I went to the recently retired from software security blogging, RSNAKE's website.

I used the following script to attack it.   
<IMG SRC=`javascript:alert("Parsons Software Security Consulting says, 'XSS'")`>

Matt Parsons, CISSP, MSM
Parsons Software Security Consulting, LLC

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: