Thursday, August 11, 2011

WebGoat - XML Injection


Check the page source first (use Firebug to inspect the text input box); you will find the following element:

<input id="accountID" type="TEXT" name="accountID" value="" onkeyup="getRewards();">

Search the source for the function getRewards():

var req;

function getRewards() {
  var accountIDField = document.getElementById('accountID');
  // Only query the server once at least 6 characters have been typed.
  if (accountIDField.value.length < 6 ) { return; }
  var url = 'attack?Screen=25&menu=400&from=ajax&accountID=' + encodeURIComponent(accountIDField.value);
  // Create the request; the response is handled asynchronously by callback().
  req = new XMLHttpRequest();
  req.open('GET', url, true);
  req.onreadystatechange = callback;
  req.send(null);
}

function callback() {
  if (req.readyState == 4) {
    if (req.status == 200) {
      // The response is XML; every <reward> element becomes one table row.
      var rewards = req.responseXML.getElementsByTagName('reward');
      var rewardsDiv = document.getElementById('rewardsDiv');
      rewardsDiv.innerHTML = '';
      var strHTML='';
      strHTML = '<tr><td>&nbsp;</td><td><b>Rewards</b></td></tr>';
      for(var i=0; i< rewards.length; i++){
        // Checkbox names are assigned by position: check1001, check1002, ...
        strHTML = strHTML + '<tr><td><input name="check' + (i+1001) +'" type="checkbox"></td><td>';
        // The reward text is written into the page through innerHTML, unescaped.
        strHTML = strHTML + rewards[i].firstChild.nodeValue + '</td></tr>';
      }
      rewardsDiv.innerHTML = strHTML;
    }
  }
}

Now we know the process:
1, the client types an account ID into the text box.
2, once the ID is at least 6 characters long, the JavaScript function getRewards() sends a GET request with the parameter accountID to the server, and the server responds with that account's rewards as an XML document (one <reward> element per reward).
3, the browser's callback() reads the <reward> elements out of the XML and writes them into the page as table rows, each with a checkbox named check1001, check1002, and so on.

The attacking process:
1, launch a web proxy (WebScarab or Burp) and point the browser at it.
2, type an account ID; the proxy will capture the request. Forward it unchanged.
3, the proxy will then capture the response from the server; its body is the XML rewards data.
4, tamper with this XML before forwarding it: insert two extra <reward> elements that claim to require 0 pts.

After the edited response is forwarded, the result changes: the browser renders the two injected items as additional rows with their own checkboxes, exactly as it does for the real rewards, because the client trusts whatever XML it receives.
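The flow above, worked as an added JavaScript example (this is not code from WebGoat or from the original post): it re-implements the rendering loop of callback() outside the browser, applies the step-4 tampering to a constructed XML response, and adds a hypothetical server-side check that rejects checkbox names the server never issued. The reward texts, the <rewards> root element and all function names are assumptions made for the example.

```javascript
// Added example, not WebGoat's own code. Runs under Node.js with no browser.
// The XML below is constructed; the real lesson's reward names and point
// values are not reproduced here.

// Pull the text of every <reward> element in document order. In the browser
// this is req.responseXML.getElementsByTagName('reward') plus
// firstChild.nodeValue; here a regex stands in for the DOM.
function parseRewards(xml) {
  const rewards = [];
  const re = /<reward>([^<]*)<\/reward>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    rewards.push(m[1]);
  }
  return rewards;
}

// Same loop as callback(): one table row per reward, with a checkbox named
// check1001, check1002, ... assigned purely by position in the XML. Nothing
// here checks that a reward is one the account actually earned, so whatever
// the proxy forwards is what gets drawn and later submitted.
function renderRewards(rewardTexts) {
  let html = '<tr><td>&nbsp;</td><td><b>Rewards</b></td></tr>';
  const checkboxes = [];
  rewardTexts.forEach((text, i) => {
    const name = 'check' + (i + 1001);
    checkboxes.push(name);
    html += '<tr><td><input name="' + name + '" type="checkbox"></td><td>' +
            text + '</td></tr>';
  });
  return { html, checkboxes };
}

// Step 4 of the attack: splice extra <reward> elements into the intercepted
// response before forwarding it to the browser. Assumes a <rewards> root.
function tamperResponse(xml, injectedTexts) {
  const extra = injectedTexts.map((t) => '<reward>' + t + '</reward>').join('');
  return xml.replace('</rewards>', extra + '</rewards>');
}

// The check the server side needs (hypothetical defence, not WebGoat's code):
// only accept checkbox names that map to a reward it generated for this
// account. Returns the names it would reject.
function rejectUnknownSelections(submittedNames, legitimateCount) {
  const valid = new Set();
  for (let i = 0; i < legitimateCount; i++) {
    valid.add('check' + (i + 1001));
  }
  return submittedNames.filter((name) => !valid.has(name));
}

// Constructed sample of the server's XML rewards response.
const serverResponse =
  '<?xml version="1.0" encoding="UTF-8"?>' +
  '<rewards>' +
  '<reward>Sample Reward A 2000 Pts</reward>' +
  '<reward>Sample Reward B 5000 Pts</reward>' +
  '<reward>Sample Reward C 8000 Pts</reward>' +
  '</rewards>';

// The two items the attack inserts, each claiming to cost 0 points.
const injectedRewards = ['Injected Reward X 0 Pts', 'Injected Reward Y 0 Pts'];

function demo() {
  const legit = parseRewards(serverResponse);
  const before = renderRewards(legit);
  const tampered = tamperResponse(serverResponse, injectedRewards);
  const after = renderRewards(parseRewards(tampered));
  // The browser now shows two extra rows, check1004 and check1005, that the
  // server never offered; a form submit would carry those names back.
  const submitted = ['check1001', 'check1004', 'check1005'];
  return {
    before: before.checkboxes,
    after: after.checkboxes,
    rejected: rejectUnknownSelections(submitted, legit.length),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node to see the checkbox names before and after tampering and which submitted names the server-side check would refuse. Because the lesson's callback() writes rewards[i].firstChild.nodeValue through innerHTML, a <reward> whose text contained markup would be rendered as HTML rather than shown literally; the example keeps the reward text plain.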

