Command injection lesson not working correctly

Description

From the mailing list, reported by Mitchell Fisher:

At Bruce's suggestion, here is another.

I couldn't get the Command Injection solution to work on Windows in WebGoat 6.0.1, Build: 247. The & separator between Windows command line commands is also the parameter separator in the POST data, and messed up the parameter parsing?

I was able to do the attack by using the || separator, which on Windows means that if the first command fails, execute the second command. So I misspelled the file name to type and followed it with my added command, and only one command:

HelpFile=AccessControlMatrixXX.help" || netstat -an&SUBMIT=View

Which returned the result of netstat to my screen but did not give me credit.

Perhaps the test in the exec() methods could be changed from:

if ((command[2].indexOf("&") != -1 || command[2].indexOf(";") != -1) && !er.getError())

to:

if ((command[2].indexOf("netstat") != -1) && !er.getError())

Environment

None

Status

Assignee

Nanne Baars

Reporter

Nanne Baars

Labels

None

Components

Affects versions

WebGoat 6.1

Priority

Blocker
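
The behaviour described in the report, as an added example that is not part of the original issue or of WebGoat's code: a simplified form-body parser shows what happens to a raw `&` in the POST data, and the quoted completion check is compared with a hypothetical widened one. The class and method names are assumptions, the first two request bodies are constructed, and the check is applied here to the decoded `HelpFile` value rather than to `command[2]`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class SeparatorCheckDemo {

    // Simplified application/x-www-form-urlencoded parsing: '&' separates
    // parameters, then each name and value is percent-decoded.
    static Map<String, String> parseForm(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // The condition quoted in the report: only '&' and ';' count as a separator.
    static boolean currentCheck(String command) {
        return command.indexOf("&") != -1 || command.indexOf(";") != -1;
    }

    // Hypothetical variant that also accepts the "||" operator used in the report.
    static boolean widenedCheck(String command) {
        return currentCheck(command) || command.contains("||");
    }

    public static void main(String[] args) {
        String[] bodies = {
            // Constructed: the raw '&' in the value is consumed as a parameter separator.
            "HelpFile=AccessControlMatrix.help\" & netstat -an&SUBMIT=View",
            // Constructed: the same value with '&' percent-encoded as %26.
            "HelpFile=AccessControlMatrix.help\"+%26+netstat+-an&SUBMIT=View",
            // Body taken from the report.
            "HelpFile=AccessControlMatrixXX.help\" || netstat -an&SUBMIT=View",
        };
        for (String body : bodies) {
            String helpFile = parseForm(body).get("HelpFile");
            System.out.printf("HelpFile=[%s] current=%b widened=%b%n",
                    helpFile, currentCheck(helpFile), widenedCheck(helpFile));
        }
    }
}
```

In the first body the value is cut off at the raw `&`, so neither check sees a separator; in the third, the command from the report reaches the server intact but only the widened check recognises it.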