Thursday, August 4, 2011

WebGoat - Client Side Filtering

Stage one:
Check the page source (or use Firebug to inspect the source for "Select user:"); we will find the following element:
<select id="UserSelect" onchange="selectUser()" name="UserSelect" onfocus="fetchUserData()">

From this we can tell that script is involved, so we try to find the file that defines the functions "selectUser()" and "fetchUserData()".
Using Firebug's "Script" panel, we find the definitions in the file "clientSideFiltering.js".
Check this file:
function fetchUserData(){
    // dataFetched is a flag declared elsewhere in the file; the data is requested only once
    if(!dataFetched){
        dataFetched = true;
        ajaxFunction(document.getElementById("userID").value);
    }
}

function ajaxFunction(userId)
{
    // the excerpt above omitted the construction of the request object (and its onreadystatechange
    // handler, which places the reply in the page); without it, open() would be called on undefined
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open("GET","lessons/Ajax/clientSideFiltering.jsp?userId=" + userId,true);
    xmlHttp.send(null);
}

As we can see, an XMLHttpRequest object is used here: after we choose a user, the page requests data from the URL "http://x.x.x.x/WebGoat/lessons/Ajax/clientSideFiltering.jsp?userId=<selected userId>" and then filters the reply data in the browser before displaying it. The server itself sends the unfiltered data.

Therefore, we can use Firebug to monitor the XMLHttpRequest and inspect the response data:

Alternatively, we can request the URL directly to get the response data:
Reference:
[1] http://www.w3schools.com/xml/xml_http.asp


Stage two [Remedy]:
Find and open the file:
“/owaspbwa/owaspbwa-svn/var/lib/tomcat6/webapps/webgoat-5.3-SNAPSHOT/lessons/Ajax/employees.xml”
You will find that every employee has the property "Managers".
That means only the related manager should have the right to access that employee's information.

However, in the JSP file:
“/owaspbwa/owaspbwa-svn/var/lib/tomcat6/webapps/webgoat-5.3-SNAPSHOT/lessons/Ajax/clientSideFiltering.jsp”
the XPath expression does not filter on the manager's access permission, so we need to change the related content as follows:
// Restrict every selected field to employees whose Managers/Manager list contains the requesting userId,
// so the filtering happens on the server instead of in the browser.
// Note that userId is still concatenated into the XPath string, so it should be validated
// (for example, digits only) before it reaches this point.
StringBuffer sb = new StringBuffer();
sb.append("/Employees/Employee[Managers/Manager/text()='" + userId + "']/UserID | ");
sb.append("/Employees/Employee[Managers/Manager/text()='" + userId + "']/FirstName | ");
sb.append("/Employees/Employee[Managers/Manager/text()='" + userId + "']/LastName | ");
sb.append("/Employees/Employee[Managers/Manager/text()='" + userId + "']/SSN | ");
sb.append("/Employees/Employee[Managers/Manager/text()='" + userId + "']/Salary ");
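To make the difference between stage one and stage two concrete, here is an added Python example (not part of the original post or of WebGoat itself) that models the server-side lookup over a constructed employees.xml in the lesson's shape: vulnerable_lookup returns every record the way the original JSP did and leaves filtering to the browser, while fixed_lookup enforces the Managers/Manager relation on the server as the corrected XPath does. The employee data, the numeric check on userId and the function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the lesson's employees.xml (not the real file):
# each Employee lists the UserIDs of its managers under Managers/Manager.
EMPLOYEES_XML = """
<Employees>
  <Employee><UserID>101</UserID><FirstName>Larry</FirstName><LastName>Stooge</LastName>
    <SSN>000-00-0101</SSN><Salary>55000</Salary><Managers><Manager>102</Manager></Managers></Employee>
  <Employee><UserID>102</UserID><FirstName>Moe</FirstName><LastName>Stooge</LastName>
    <SSN>000-00-0102</SSN><Salary>140000</Salary><Managers><Manager>112</Manager></Managers></Employee>
  <Employee><UserID>103</UserID><FirstName>Curly</FirstName><LastName>Stooge</LastName>
    <SSN>000-00-0103</SSN><Salary>50000</Salary><Managers><Manager>102</Manager></Managers></Employee>
</Employees>
"""

FIELDS = ("UserID", "FirstName", "LastName", "SSN", "Salary")


def is_valid_user_id(user_id):
    """The fixed JSP still concatenates userId into an XPath string, so the
    server should accept only the numeric form before building the query (assumed check)."""
    return re.fullmatch(r"\d+", user_id) is not None


def _record(emp):
    return {f: (emp.findtext(f) or "").strip() for f in FIELDS}


def vulnerable_lookup(user_id):
    """Before the remedy: every Employee is selected regardless of who asks, and the
    filtering is left to clientSideFiltering.js, so anyone who calls the JSP directly
    (as in stage one) receives all records, SSN and Salary included."""
    root = ET.fromstring(EMPLOYEES_XML)
    return [_record(e) for e in root.findall("Employee")]


def fixed_lookup(user_id):
    """After the remedy: the Managers/Manager relation is enforced on the server,
    which is what the [Managers/Manager/text()='...'] predicate does in the JSP."""
    if not is_valid_user_id(user_id):
        raise ValueError("userId must be numeric")
    root = ET.fromstring(EMPLOYEES_XML)
    return [_record(e) for e in root.findall("Employee")
            if user_id in ((m.text or "").strip() for m in e.findall("Managers/Manager"))]


if __name__ == "__main__":
    print("unfiltered:", [r["UserID"] for r in vulnerable_lookup("102")])  # ['101', '102', '103']
    print("filtered:  ", [r["UserID"] for r in fixed_lookup("102")])       # ['101', '103']
```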

Reference:
[1] http://www.w3schools.com/xpath/xpath_intro.asp
[2] http://www.w3schools.com/xpath/xpath_syntax.asp

