Migrate JS and attribute to HtmlView

kravietz · kravietz · commit d3fd6a7fb033 · 2019-02-11T16:06:01.000Z
diff --git a/src/main/java/net/krvtz/resources/AttrXssResource.java b/src/main/java/net/krvtz/resources/AttrXssResource.java
@@ -1,26 +1,17 @@
 package net.krvtz.resources;
 
+import net.krvtz.views.HtmlView;
+
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 
 @Path("/attr-xss")
 @Produces({MediaType.TEXT_HTML})
 @Consumes({MediaType.MULTIPART_FORM_DATA})
 public class AttrXssResource {
 
-    static final String MODULE = "AttrXssResource";
-
     @GET
-    public Response handle(@QueryParam("input") String input) {
-        // TODO: switch to https://github.com/spullara/mustache.java
-
-        String response = "<html><head><title>" + MODULE + "</title></head>" +
-                "<body><h1>" + MODULE + "</h1><div class=\"" + input + "\">div contents</div>" +
-                "<form><input name=input></form>" +
-                "</body></html>";
-        // The X-Xss-Protection header is disabled to prevent the XSS vector being blocked by the
-        // browser's built-in xSS auditor
-        return Response.ok(response).encoding("utf-8").header("X-Xss-Protection", "0").build();
+    public HtmlView handle(@QueryParam("input") String input) {
+        return new HtmlView("/AttrXss.ftl.html", input);
     }
 }
diff --git a/src/main/java/net/krvtz/resources/JsXssResource.java b/src/main/java/net/krvtz/resources/JsXssResource.java
@@ -1,25 +1,16 @@
 package net.krvtz.resources;
 
+import net.krvtz.views.HtmlView;
+
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 
 @Path("/js-xss")
 @Produces({MediaType.TEXT_HTML})
 @Consumes({MediaType.MULTIPART_FORM_DATA})
 public class JsXssResource {
-    static final String MODULE = "JsXssResource";
-
     @GET
-    public Response handle(@QueryParam("input") String input) {
-        String response = "<html><head><title>" + MODULE + "</title></head>" +
-                "<body><h1>" + MODULE + "</h1><div id=output>original div contents</div>" +
-                "<script>var test=\"" + input + "\"; document.getElementById(\"output\").innerText=test;</script>" +
-                "<form><input name=input></form>" +
-                "</body></html>";
-        // The X-Xss-Protection header is disabled to prevent the XSS vector being blocked by the
-        // browser's built-in xSS auditor
-        return Response.ok(response).encoding("utf-8").header("X-Xss-Protection", "0").build();
+    public HtmlView handle(@QueryParam("input") String input) {
+        return new HtmlView("/JsXss.ftl.html", input);
     }
-
 }
diff --git a/src/main/resources/AttrXss.ftl.html b/src/main/resources/AttrXss.ftl.html
@@ -0,0 +1,54 @@
+<html>
+<head>
+    <meta charset="utf-8"/>
+    <title>TagEscapeResource</title>
+    <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
+    <link href="/app/assets/node_modules/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+
+<main class="container" role="main">
+    <h1>HTML attribute XSS</h1>
+
+    <p>This views is vulnerable to a XSS by injection into a HTML attribute.</p>
+
+    <!-- this sink has Freemarker auto-escaping explicitly disabled and should cause an XSS -->
+    <div class="${content?no_esc}"></div>
+    <p>Input=<code>${content}</code></p>
+
+    <form>
+        <div class="form-group">
+            <!-- this sink does not disable auto-escaping and should be safe -->
+            <input class="form-control" name=input placeholder="%22><script>alert(1)</script>" value="${content}">
+        </div>
+        <input class="btn btn-primary" type="submit">
+    </form>
+</main>
+
+<div class="container">
+    <div class="row">
+        <div class="col">
+            <h2>Sample XSS vectors</h2>
+
+            <p>All the regular XSS will work if preceded by <code>%22&gt;</code> to break from the HTML
+                attribute context.</p>
+
+            <pre>
+"&gt;&lt;script&gt;alert(1)&lt;/script&gt;
+"&gt;&lt;img src=x onerror=alert(1)&gt;
+"&gt;&lt;video&gt;&lt;source onerror=&quot;alert(1)&quot;&gt;
+</pre>
+
+            <p>More exciting XSS vectors can be found on
+                <a href="http://heideri.ch/jso/" rel="external">HTML5 Security Cheatsheet</a></p>
+        </div>
+    </div>
+</div>
+
+<footer class="footer">
+    <div class="container">
+        <a href="/app/assets/index.html">Back to main</a>
+    </div>
+</footer>
+</body>
+</html>
diff --git a/src/main/resources/JsXss.ftl.html b/src/main/resources/JsXss.ftl.html
@@ -0,0 +1,64 @@
+<html>
+<head>
+    <meta charset="utf-8"/>
+    <title>TagEscapeResource</title>
+    <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
+    <link href="/app/assets/node_modules/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
+</head>
+<body>
+
+<main class="container" role="main">
+    <h1>JavaScript variable XSS</h1>
+
+    <p>This views is vulnerable to a XSS by injection into a JavaScript variable.</p>
+
+    <div id="output">
+        This is where input text goes when XSS does not work
+    </div>
+
+    <p>
+        Input=<code>${content}</code>
+    </p>
+
+    <form>
+        <div class="form-group">
+            <!-- this sink does not disable auto-escaping and should be safe -->
+            <input class="form-control" name=input placeholder="%22><script>alert(1)</script>" value="${content}">
+        </div>
+        <input class="btn btn-primary" type="submit">
+    </form>
+</main>
+
+<div class="container">
+    <div class="row">
+        <div class="col">
+            <h2>Sample XSS vectors</h2>
+
+            <p>We are injecting directly into JavaScript so simple <code>alert(1)</code> will work
+                once we escape the JavaScript variable context.</p>
+
+            <pre>
+a"; alert(1);"
+</pre>
+
+            <p>More exciting XSS vectors can be found on
+                <a href="http://heideri.ch/jso/" rel="external">HTML5 Security Cheatsheet</a></p>
+        </div>
+    </div>
+</div>
+
+<!-- this sink has Freemarker auto-escaping explicitly disabled and should cause an XSS -->
+<script>
+    // Trivial JavaScript to insert input into a div contents
+    var test = "${content?no_esc}";
+    document.getElementById("output").innerText = test;
+
+</script>
+
+<footer class="footer">
+    <div class="container">
+        <a href="/app/assets/index.html">Back to main</a>
+    </div>
+</footer>
+</body>
+</html>
diff --git a/src/main/resources/TagXss.ftl.html b/src/main/resources/TagXss.ftl.html
@@ -24,7 +24,7 @@ <h1>HTML tag XSS</h1>
     </form>
 </main>
 
-<div class="container-fluid">
+<div class="container">
     <div class="row">
         <div class="col">
             <h2>Sample XSS vectors</h2>
