Parsons Software Security Consulting Blog

Reflected Cross Site Scripting in OWASP Web Goat source code

I am doing another WebGoat vulnerability. This time, once again, I scanned WebGoat with a commercial static code analyzer. The tool is telling me that the vulnerability below is reflected cross-site scripting. In a reflected XSS attack the attacker tricks a user into sending a crafted request (usually a link whose parameters carry script) to a vulnerable web server; the server echoes that input back into its response without encoding it, so the script runs in the victim's browser in the origin of the vulnerable site. From there it can read the user's session cookie, unless the cookie is marked HttpOnly, and send it to the attacker.


Here is what the scanner flagged. First, the parameter accessor from WebGoat's ParameterParser, which returns the raw request value with no validation or encoding:

```java
/**
 * Gets the rawParameter attribute of the ParameterParser object
 * throws ParameterNotFoundException: Description of the Exception
 */
public String getRawParameter(String name) throws ParameterNotFoundException
{
    // Raw value straight from the servlet request: nothing is validated or encoded here.
    String[] values = request.getParameterValues(name);
    if (values == null)
    {
        throw new ParameterNotFoundException(name + " not found");
    }
    else if (values[0].length() == 0)
    {
        throw new ParameterNotFoundException(name + " was empty");
    }
    return (values[0]);
}

// Same accessor with a default: any failure, including a missing or empty parameter, yields def.
public String getRawParameter(String name, String def)
{
    try
    {
        return getRawParameter(name);
    }
    catch (Exception e)
    {
        return def;
    }
}
```

The lesson then reads every form field through that accessor and renders them back into the page:

```java
// Every field comes straight out of the request via getRawParameter.
String to = s.getParser().getRawParameter(HIDDEN_TO, "");
String gId = s.getParser().getRawParameter(GMAIL_ID, "");
String gPass = s.getParser().getRawParameter(GMAIL_PASS, "");
String message = s.getParser().getRawParameter(MESSAGE, "");
String subject = s.getParser().getRawParameter(SUBJECT, "");

// True only when neither credential field still holds the placeholder text.
boolean haveCredentials = !(YOUR_REAL_GMAIL_ID.equals(gId) || YOUR_REAL_GMAIL_PASSWORD.equals(gPass));

ec.addElement(new HR());
createGoogleCredentials(s, ec);
ec.addElement(new HR());
ec.addElement(new BR());
// subject and message are handed to the page builder exactly as received.
createMailMessage(s, subject, message, ec);

{ // the condition guarding this block is not in the excerpt
    if (haveCredentials)
    {
        Message sentMessage = sendGoogleMail(to, subject, message, emailFromAddress, gId, gPass);
        formatMail(ec, sentMessage);
    }
    else
    {
        // Echoes to, subject and message back into the response page.
        sendSimulatedMail(ec, to, subject, message);
    }
}
```

From reading the code, it looks like it gets your Gmail information and then sends the message without validating any inputs or encoding any outputs. In the excerpt the to, subject and message strings come straight out of getRawParameter, which hands back the request parameter unchanged, and they are passed to createMailMessage and sendSimulatedMail, which write into the same container (ec) that the HR and BR elements go into, that is, the response page. That is the reflection point the scanner is reporting.

All of this takes place inside the WebGoat lesson file UncheckedEmail.java; the getRawParameter methods belong to the ParameterParser class that s.getParser() returns.
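To make the missing step concrete, here is an added example that is not part of the original post or of WebGoat. It models the lesson's flow with a constructed request: the same raw-parameter accessor, a page built the way sendSimulatedMail builds it (straight concatenation, which reflects the payload), and a hardened version that validates the recipient address against an allow-list pattern and HTML-encodes every field on output. The request map, the parameter names, the EMAIL pattern and the htmlEncode helper are assumptions for the demonstration; the real lesson builds its page with element objects like the HR and BR above rather than strings.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not WebGoat code. Shows the reflected-XSS sink in the
 * UncheckedEmail flow and the two controls that close it: input validation
 * on the recipient and output encoding on everything that is echoed.
 */
public class UncheckedEmailDemo {

    // Constructed request: the attacker-controlled values a reflected XSS
    // link would carry. Sample input for the demo, not captured traffic.
    static Map<String, String> request() {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("to", "victim@example.com");
        p.put("subject", "hello");
        p.put("msg", "<IMG SRC=`javascript:alert(\"Parsons Software Security Consulting says, 'XSS'\")`>");
        return p;
    }

    // Mirrors getRawParameter(name, def): the raw value, or def if missing or empty.
    static String rawParameter(Map<String, String> req, String name, String def) {
        String v = req.get(name);
        return (v == null || v.isEmpty()) ? def : v;
    }

    // Vulnerable: untrusted parameters are concatenated straight into HTML,
    // which is what reflecting them back without encoding means.
    static String simulatedMailVulnerable(Map<String, String> req) {
        String to = rawParameter(req, "to", "");
        String subject = rawParameter(req, "subject", "");
        String message = rawParameter(req, "msg", "");
        return "<p>To: " + to + "</p><p>Subject: " + subject + "</p><pre>" + message + "</pre>";
    }

    // Minimal HTML entity encoder, safe for text content and double-quoted
    // attribute values. Assumed helper; a real project would use a library encoder.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                case '`': sb.append("&#96;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed allow-list pattern for the recipient; tighten to taste.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    // Hardened: reject a recipient that is not an address, then encode every
    // field at the point it enters the HTML so markup in it becomes text.
    static String simulatedMailHardened(Map<String, String> req) {
        String to = rawParameter(req, "to", "");
        if (!EMAIL.matcher(to).matches()) {
            throw new IllegalArgumentException("invalid recipient address");
        }
        String subject = rawParameter(req, "subject", "");
        String message = rawParameter(req, "msg", "");
        return "<p>To: " + htmlEncode(to) + "</p><p>Subject: " + htmlEncode(subject)
             + "</p><pre>" + htmlEncode(message) + "</pre>";
    }

    public static void main(String[] args) {
        Map<String, String> req = request();
        // The first line contains a live IMG tag; the second contains &lt;IMG ... and renders as text.
        System.out.println("vulnerable: " + simulatedMailVulnerable(req));
        System.out.println("hardened:   " + simulatedMailHardened(req));
    }
}
```

Compile and run with javac and java; the vulnerable output carries the IMG tag intact, while the hardened output shows it as literal text. Encoding belongs at the output point, not the input point, because the same value may later be written into HTML, a mail header and a log, each with its own escaping rules.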

Once again, thanks to OWASP and Aspect Security for creating and supporting WebGoat. It's a great web application for practicing security: white-box ethical hacking and secure code review without going to prison for real hacking.


The actual send, in sendGoogleMail, hands the same raw fields to JavaMail:

```java
msg.setRecipients(Message.RecipientType.TO, addressTo);
// Setting the Subject and Content Type
msg.setSubject(subject);
msg.setContent(message, "text/plain");
Transport.send(msg);
return msg;
```

I couldn't find the page in WebGoat that the above code references, but I was able to find the reflected XSS lesson in WebGoat.
I went to RSnake's hackers.org website (he recently retired from software security blogging).

I used the following script to attack it.

<IMG SRC=`javascript:alert("Parsons Software Security Consulting says, 'XSS'")`>

That string is one of the entries on RSnake's XSS cheat sheet and depends on old Internet Explorer behaviour: backticks as attribute delimiters and a javascript: URL executing from an image source. Current browsers will not run script from an IMG SRC, so when retesting the lesson today use a payload such as <img src=x onerror=alert(1)>. Either way, the defect the scanner reported is the missing output encoding, not the particular payload: any string that reaches the page unencoded will do.


Matt Parsons, CISSP, MSM
Parsons Software Security Consulting, LLC
mparsons1980@gmail.com
