From e42d3e07fbe813f22a8d334149ae5cc65a9b1e1f Mon Sep 17 00:00:00 2001
From: Surag <129796490+sip49@users.noreply.github.com>
Date: Mon, 14 Aug 2023 22:52:52 -0700
Subject: [PATCH 1/3] Create ContactController.java
---
.../ContactController.java | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
new file mode 100644
index 000000000..e3ecefe7d
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
@@ -0,0 +1,52 @@
+package org.owasp.webgoat.vulnerable_components;
+
+
+import com.thoughtworks.xstream.XStream;
+import org.owasp.webgoat.LessonDataSource;
+import org.springframework.web.bind.annotation.*;
+
+import java.sql.*;
+
+/** Handle contact management */
+@RestController
+public final class ContactController {
+
+ private final LessonDataSource dataSource;
+
+ public ContactController(LessonDataSource dataSource) {
+ this.dataSource = dataSource;
+ }
+
+ @GetMapping("/get-contact-phone")
+ public @ResponseBody
+ String getContactPhone(@RequestParam String userId) throws SQLException {
+ // get the phone number from the database
+ Connection conn = dataSource.getConnection();
+ String sql = "select phone from contacts where userid = '" + userId + "'";
+ Statement statement = conn.createStatement();
+ ResultSet rs = statement.executeQuery(sql);
+ if(!rs.next()) {
+ throw new IllegalArgumentException("invalid contact");
+ }
+ return rs.getString("phone");
+ }
+
+ @GetMapping("/update-contact")
+ public @ResponseBody
+ void updateContact(@RequestBody String xml) throws SQLException {
+ // get the xml from our partner to update our contact record
+ Connection connection = dataSource.getConnection();
+ XStream xstream = new XStream();
+ Contact contact = (Contact) xstream.fromXML(xml);
+ String sql = "update contacts set phone = ? where userid = ?";
+ PreparedStatement stmt = connection.prepareStatement(sql);
+ stmt.setString(1, contact.name);
+ stmt.setString(2, contact.phone);
+ stmt.executeUpdate();
+ }
+
+ private static class Contact {
+ private String name;
+ private String phone;
+ }
+}
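Review bot: In `updateContact` the bound values do not match the placeholders: `update contacts set phone = ? where userid = ?` is given `contact.name` for the phone column and `contact.phone` for the user id, so a successful call writes the name into `phone` and matches rows by phone number; `Contact` carries no user id at all, so either a `userId` field is missing or the WHERE clause is keyed on the wrong column. The same handler is a state-changing update declared `@GetMapping` while reading a `@RequestBody`, which should be `@PostMapping` so proxies and caches do not treat it as safe/idempotent. Neither handler closes its JDBC resources — `Connection`, `Statement`/`PreparedStatement` and `ResultSet` are left open on every request, including the `IllegalArgumentException` path — so wrap them in try-with-resources. Separately, the `package org.owasp.webgoat.vulnerable_components;` declaration does not match the file's path `lessons/vulnerablecomponents`, which will fail to compile under a standard layout.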
From 7bdcd511cbe2cac4a783e0b32c6f8fa129bb621a Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Tue, 15 Aug 2023 05:54:18 +0000
Subject: [PATCH 2/3] Hardened XStream with a converter to prevent exploitation
---
pom.xml | 10 ++++++++++
.../vulnerablecomponents/ContactController.java | 2 ++
2 files changed, 12 insertions(+)
diff --git a/pom.xml b/pom.xml
index eeff5b5df..a4dbcf0a4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,6 +147,7 @@
1.5.2
1.0.6
+ 1.0.2
@@ -254,6 +255,11 @@
java-security-toolkit
${versions.java-security-toolkit}
+
+ io.github.pixee
+ java-security-toolkit-xstream
+ ${versions.java-security-toolkit-xstream}
+
@@ -403,6 +409,10 @@
io.github.pixee
java-security-toolkit
+
+ io.github.pixee
+ java-security-toolkit-xstream
+
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
index e3ecefe7d..1c38fca38 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
@@ -2,6 +2,7 @@
import com.thoughtworks.xstream.XStream;
+import io.github.pixee.security.xstream.HardeningConverter;
import org.owasp.webgoat.LessonDataSource;
import org.springframework.web.bind.annotation.*;
@@ -37,6 +38,7 @@ void updateContact(@RequestBody String xml) throws SQLException {
// get the xml from our partner to update our contact record
Connection connection = dataSource.getConnection();
XStream xstream = new XStream();
+ xstream.registerConverter(new HardeningConverter());
Contact contact = (Contact) xstream.fromXML(xml);
String sql = "update contacts set phone = ? where userid = ?";
PreparedStatement stmt = connection.prepareStatement(sql);
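Review bot: The `(Contact)` cast on the line after `xstream.registerConverter(new HardeningConverter())` only runs after `fromXML` has already instantiated whatever types the document names, so the protection rests entirely on what the converter rejects; its rule set is not visible from this diff, and a converter-based block is weaker than naming the single type this endpoint accepts. Add an explicit allowlist next to it, `xstream.allowTypes(new Class[] {Contact.class});` (whether a prior `XStream.setupDefaultSecurity(xstream)` call is needed depends on the XStream version on the classpath, which the diff does not show). The `XStream` instance is also rebuilt per request; once configured it can be a `static final` field so the hardening cannot be omitted by a future call site. `updateContact` continues past the end of this hunk.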
From 49ea8cbb88376b16fd980ff26afac3198eadd260 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Tue, 15 Aug 2023 05:54:28 +0000
Subject: [PATCH 3/3] Refactored to use parameterized SQL APIs
---
.../lessons/vulnerablecomponents/ContactController.java | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
index 1c38fca38..1d7cc614d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
@@ -3,6 +3,7 @@
import com.thoughtworks.xstream.XStream;
import io.github.pixee.security.xstream.HardeningConverter;
+import java.sql.PreparedStatement;
import org.owasp.webgoat.LessonDataSource;
import org.springframework.web.bind.annotation.*;
@@ -23,9 +24,10 @@ public ContactController(LessonDataSource dataSource) {
String getContactPhone(@RequestParam String userId) throws SQLException {
// get the phone number from the database
Connection conn = dataSource.getConnection();
- String sql = "select phone from contacts where userid = '" + userId + "'";
- Statement statement = conn.createStatement();
- ResultSet rs = statement.executeQuery(sql);
+ String sql = "select phone from contacts where userid = ?";
+ PreparedStatement statement = conn.prepareStatement(sql);
+ statement.setString(1, userId);
+ ResultSet rs = statement.execute();
if(!rs.next()) {
throw new IllegalArgumentException("invalid contact");
}
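Review bot: `ResultSet rs = statement.execute();` does not compile — `PreparedStatement.execute()` returns a `boolean`, and the query form is `statement.executeQuery()`; the new `import java.sql.PreparedStatement;` is also redundant with the existing `java.sql.*` import. While fixing that line, the connection, statement and result set are still never closed on either the success or the `IllegalArgumentException` path, so the parameterised query should be held in try-with-resources. The method's `return rs.getString("phone")` lies just past this hunk and would move inside the inner try.
```java
    Connection conn = dataSource.getConnection();
    try (conn;
        PreparedStatement statement =
            conn.prepareStatement("select phone from contacts where userid = ?")) {
      statement.setString(1, userId);
      try (ResultSet rs = statement.executeQuery()) {
        if (!rs.next()) {
          throw new IllegalArgumentException("invalid contact");
        }
        return rs.getString("phone");
      }
    }
```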