From e42d3e07fbe813f22a8d334149ae5cc65a9b1e1f Mon Sep 17 00:00:00 2001
From: Surag <129796490+sip49@users.noreply.github.com>
Date: Mon, 14 Aug 2023 22:52:52 -0700
Subject: [PATCH 1/3] Create ContactController.java
---
.../ContactController.java | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
new file mode 100644
index 000000000..e3ecefe7d
--- /dev/null
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
@@ -0,0 +1,52 @@
+package org.owasp.webgoat.vulnerable_components;
+
+
+import com.thoughtworks.xstream.XStream;
+import org.owasp.webgoat.LessonDataSource;
+import org.springframework.web.bind.annotation.*;
+
+import java.sql.*;
+
+/** Handle contact management */
+@RestController
+public final class ContactController {
+
+    private final LessonDataSource dataSource;
+
+    public ContactController(LessonDataSource dataSource) {
+        this.dataSource = dataSource;
+    }
+
+    @GetMapping("/get-contact-phone")
+    public @ResponseBody
+    String getContactPhone(@RequestParam String userId) throws SQLException {
+        // get the phone number from the database
+        Connection conn = dataSource.getConnection();
+        String sql = "select phone from contacts where userid = '" + userId + "'";
+        Statement statement = conn.createStatement();
+        ResultSet rs = statement.executeQuery(sql);
+        if(!rs.next()) {
+            throw new IllegalArgumentException("invalid contact");
+        }
+        return rs.getString("phone");
+    }
+
+    @GetMapping("/update-contact")
+    public @ResponseBody
+    void updateContact(@RequestBody String xml) throws SQLException {
+        // get the xml from our partner to update our contact record
+        Connection connection = dataSource.getConnection();
+        XStream xstream = new XStream();
+        Contact contact = (Contact) xstream.fromXML(xml);
+        String sql = "update contacts set phone = ? where userid = ?";
+        PreparedStatement stmt = connection.prepareStatement(sql);
+        stmt.setString(1, contact.name);
+        stmt.setString(2, contact.phone);
+        stmt.executeUpdate();
+    }
+
+    private static class Contact {
+        private String name;
+        private String phone;
+    }
+}
From 7bdcd511cbe2cac4a783e0b32c6f8fa129bb621a Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Tue, 15 Aug 2023 05:54:18 +0000
Subject: [PATCH 2/3] Hardened XStream with a converter to prevent exploitation
---
pom.xml | 10 ++++++++++
.../vulnerablecomponents/ContactController.java | 2 ++
2 files changed, 12 insertions(+)
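Review bot: In updateContact the bound values are crossed relative to the SQL text: `update contacts set phone = ? where userid = ?` is filled with `stmt.setString(1, contact.name)` and `stmt.setString(2, contact.phone)`, so the name lands in the phone column and the phone is used as the row key, while Contact has no userid field at all; the binding order and the Contact fields need to be reconciled with the schema before this can update the intended row. Both handlers obtain a Connection (plus Statement/ResultSet) and never close it, so every request leaks a pooled connection; wrap the JDBC objects in try-with-resources, e.g. `try (Connection connection = dataSource.getConnection(); PreparedStatement stmt = connection.prepareStatement(sql)) { … }`, and do the same in getContactPhone. updateContact is mapped with `@GetMapping("/update-contact")` yet reads `@RequestBody String xml`; a state-changing endpoint that consumes a body should be `@PostMapping`, which also keeps the XML payload out of URL-oriented caches and access logs. The declared package `org.owasp.webgoat.vulnerable_components` does not match the directory `lessons/vulnerablecomponents`, which looks unintended and is worth confirming against the rest of the lesson module.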
diff --git a/pom.xml b/pom.xml
index eeff5b5df..a4dbcf0a4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -147,6 +147,7 @@ 1.5.2 1.0.6 + 1.0.2
@@ -254,6 +255,11 @@ java-security-toolkit ${versions.java-security-toolkit} + + io.github.pixee + java-security-toolkit-xstream + ${versions.java-security-toolkit-xstream} +
@@ -403,6 +409,10 @@ io.github.pixee java-security-toolkit + + io.github.pixee + java-security-toolkit-xstream +
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
index e3ecefe7d..1c38fca38 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
@@ -2,6 +2,7 @@
 import com.thoughtworks.xstream.XStream;
+import io.github.pixee.security.xstream.HardeningConverter;
 import org.owasp.webgoat.LessonDataSource;
 import org.springframework.web.bind.annotation.*;
@@ -37,6 +38,7 @@ void updateContact(@RequestBody String xml) throws SQLException {
 // get the xml from our partner to update our contact record
 Connection connection = dataSource.getConnection();
 XStream xstream = new XStream();
+        xstream.registerConverter(new HardeningConverter());
 Contact contact = (Contact) xstream.fromXML(xml);
 String sql = "update contacts set phone = ? where userid = ?";
 PreparedStatement stmt = connection.prepareStatement(sql);
From 49ea8cbb88376b16fd980ff26afac3198eadd260 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <23113631+pixeebot@users.noreply.github.com>
Date: Tue, 15 Aug 2023 05:54:28 +0000
Subject: [PATCH 3/3] Refactored to use parameterized SQL APIs
---
.../lessons/vulnerablecomponents/ContactController.java | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
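Review bot: Registering HardeningConverter blocks known-dangerous types, but the XStream instance in updateContact still has no allow-list of the one type this endpoint expects; XStream's type-permission API can restrict it with `xstream.allowTypes(new Class[] {Contact.class});` right after `new XStream()`, so any class name other than Contact is rejected when it is resolved, before a converter runs. The payload comes straight from `@RequestBody String xml` and the existing comment calls it partner-supplied, so it should be treated as untrusted input in both layers of defense rather than relying on the converter alone. The added line would also benefit from a why-comment, e.g. `// defense in depth: the request body is untrusted XML, so reject anything beyond the expected Contact type`. The pinned `java-security-toolkit-xstream` version added to pom.xml needs to be kept current with the rest of the dependency updates, since the converter's deny-list is only as good as its release. updateContact's body continues outside the hunk.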
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
index 1c38fca38..1d7cc614d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/ContactController.java
@@ -3,6 +3,7 @@
 import com.thoughtworks.xstream.XStream;
 import io.github.pixee.security.xstream.HardeningConverter;
+import java.sql.PreparedStatement;
 import org.owasp.webgoat.LessonDataSource;
 import org.springframework.web.bind.annotation.*;
@@ -23,9 +24,10 @@ public ContactController(LessonDataSource dataSource) {
 String getContactPhone(@RequestParam String userId) throws SQLException {
 // get the phone number from the database
 Connection conn = dataSource.getConnection();
- String sql = "select phone from contacts where userid = '" + userId + "'";
- Statement statement = conn.createStatement();
- ResultSet rs = statement.executeQuery(sql);
+ String sql = "select phone from contacts where userid = ?";
+ PreparedStatement statement = conn.prepareStatement(sql);
+ statement.setString(1, userId);
+ ResultSet rs = statement.execute();
 if(!rs.next()) {
 throw new IllegalArgumentException("invalid contact");
 }
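Review bot: `ResultSet rs = statement.execute();` on the new side will not compile: `PreparedStatement.execute()` returns `boolean`, not a `ResultSet`, so the parameterized query needs `ResultSet rs = statement.executeQuery();` (no SQL argument, since the statement was prepared above). The connection, statement and result set are still never closed after this rewrite, so the leak from the original file persists; since the statement is being reworked anyway, `try (Connection conn = dataSource.getConnection(); PreparedStatement statement = conn.prepareStatement(sql))` with the result set inside would close them on every path, including the `IllegalArgumentException` one. The `import java.sql.PreparedStatement;` added in the first hunk is redundant next to the existing `import java.sql.*;` and style checkers may flag it. getContactPhone continues past the hunk (its `return rs.getString("phone")` and closing brace are below).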