OWASP ModSecurity Securing WebGoat Section4 Sublesson 03.5

3. AJAX Security -> 3.5 XML Injection

Lesson overview
Refer to the zip file with the WebGoat lesson overviews. See Appendix A for more information.

Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy
This WebGoat lesson adds rewards to the allowed set by intercepting an AJAX response and appending these 2 entries to the XML list: 'WebGoat Core Duo Laptop 2000 Pts' and 'WebGoat Hawaii Cruise 3000 Pts'.

The lesson is broken on the back end:

When rewards are selected, a POST is sent, for example: accountID=836239&check1001=on&check1002=on&check1003=on&SUBMIT=Submit

The problem is that there is no association between a checked entry, e.g. 'check1001' and a reward. This is because in the callback routine of the Ajax request, numbers are assigned irrespective of the reward: for(var i=0; i< rewards.length; i++){ strHTML = strHTML + ' 

To prove it, I did not add the 2 high-priced point rewards; I substituted them for the 't-shirt 50 Pts' and 'Secure Kettle 30 Pts'. The return message should be:

The following items will be shipped to your address:
WebGoat Core Duo Laptop
WebGoat Hawaii Cruise
WebGoat Mug

But the return message was erroneous:

(screenshot lesson03-5_rewards.jpg)

Therefore, since the rewards cannot be distinguished from each other, the only option is to count the number of rewards sent and, if that does not match the number of rewards in the original HTTP response (before manipulation in the web proxy), throw an error.
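The counting check described above, written out as an added Python example that is not part of this guide or of the ModSecurity rules it documents. It models the filter in the simplest form: remember how many <reward> elements the server offered in the AJAX response for a given account, then refuse a reward POST that selects more checkNNNN fields than that. The XML element names, the account key, and the decision to flag only "more selected than offered" (a user may legitimately tick fewer boxes) are assumptions made for this example; the POST bodies and the XML document are constructed samples.

```python
import re
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# Constructed sample of the AJAX response as the server sent it, before any
# manipulation in the web proxy. The element names are an assumption; the
# real WebGoat markup may differ.
SERVER_RESPONSE = """<?xml version="1.0"?>
<rewards>
  <reward><title>WebGoat Mug 20 Pts</title></reward>
  <reward><title>WebGoat t-shirt 50 Pts</title></reward>
  <reward><title>WebGoat Secure Kettle 30 Pts</title></reward>
</rewards>
"""

# Constructed POST bodies: an honest submission, and one padded with the two
# checkboxes that appear after extra rewards were injected into the response.
HONEST_POST = "accountID=836239&check1001=on&check1002=on&SUBMIT=Submit"
PADDED_POST = ("accountID=836239&check1001=on&check1002=on&check1003=on"
               "&check1004=on&check1005=on&SUBMIT=Submit")

# Checkbox names are numbered sequentially by the callback (check1001, ...),
# so the name alone carries no information about which reward it stands for.
CHECKBOX = re.compile(r"^check\d+$")


def count_rewards(xml_body: str) -> int:
    """Number of <reward> elements the server actually offered."""
    root = ET.fromstring(xml_body)
    return len(root.findall("reward"))


def count_checked(post_body: str) -> int:
    """Number of checkNNNN=on fields in the submitted form."""
    args = parse_qs(post_body, keep_blank_values=True)
    return sum(1 for name, values in args.items()
               if CHECKBOX.match(name) and "on" in values)


class RewardCountFilter:
    """Per-account memory of the offered reward count, used to validate the
    follow-up POST. A real deployment would key this on the session instead
    of a bare accountID (assumption for the example)."""

    def __init__(self):
        self.offered = {}

    def observe_response(self, account_id: str, xml_body: str) -> int:
        """Record how many rewards were served to this account; returns it."""
        n = count_rewards(xml_body)
        self.offered[account_id] = n
        return n

    def check_request(self, post_body: str):
        """Return (allowed, reason) for a reward submission."""
        args = parse_qs(post_body)
        account = args.get("accountID", [None])[0]
        if account not in self.offered:
            return (False, "no reward list was served for this account")
        selected = count_checked(post_body)
        limit = self.offered[account]
        if selected > limit:
            return (False, f"{selected} rewards selected but only {limit} offered")
        return (True, "ok")


if __name__ == "__main__":
    waf = RewardCountFilter()
    waf.observe_response("836239", SERVER_RESPONSE)
    print("honest:", waf.check_request(HONEST_POST))
    print("padded:", waf.check_request(PADDED_POST))
```

The honest submission passes because two of three offered rewards were selected; the padded one is rejected because five checkboxes were sent against a response that only carried three rewards.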

Implementation
The

Comments
The