Updated reflected/ stored XSS samples

dschadow · dschadow · commit a6c5446798b5 · 2014-01-02T11:45:46.000+01:00
diff --git a/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/beans/SearchBean.java b/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/beans/SearchBean.java
@@ -20,42 +20,54 @@
 
 import de.dominikschadow.webappsecurity.daos.CustomerDAO;
 import de.dominikschadow.webappsecurity.domain.Customer;
+import org.apache.commons.lang3.StringUtils;
 
 import javax.faces.bean.ManagedBean;
 import javax.faces.bean.RequestScoped;
+import javax.faces.context.FacesContext;
 import java.util.List;
+import java.util.Map;
 
 /**
+ * Searches customers by the given customer name. The search string can be passed via
+ * <code>customerName</code> setter method or as a <code>customerName</code> parameter.
  *
  * @author Dominik Schadow
  */
 @ManagedBean(name = "searchBean")
 @RequestScoped
 public class SearchBean {
-    private Customer customer;
+    private String customerName;
     private CustomerDAO customerDAO;
     private List<Customer> customers;
 
     public SearchBean() {
-        customer = new Customer();
         customerDAO = new CustomerDAO();
     }
 
-    public Customer getCustomer() {
-        return customer;
+    public String getCustomerName() {
+        return customerName;
     }
 
-    public void setCustomer(Customer customer) {
-        this.customer = customer;
+    public void setCustomerName(String customerName) {
+        this.customerName = customerName;
     }
 
     public List<Customer> getCustomers() {
         return customers;
     }
 
     public String search() {
-        customers = customerDAO.findCustomers(customer);
+        if (StringUtils.isEmpty(customerName)) {
+            Map requestMap = FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap();
+            customerName = (String) requestMap.get("customerName");
+        }
 
-        return "/searchCustomer.xhtml";
+        Customer search = new Customer();
+        search.setName(customerName);
+
+        customers = customerDAO.findCustomers(search);
+
+        return "searchCustomer";
     }
 }
diff --git a/Ch07_XSS/src/main/resources/customerDB.script b/Ch07_XSS/src/main/resources/customerDB.script
@@ -51,4 +51,4 @@ INSERT INTO CUSTOMER VALUES(3,'Tricia Trillian McMillan','C',1000,'')
 INSERT INTO CUSTOMER VALUES(4,'Zaphod Beeblebrox','D',500,'')
 INSERT INTO CUSTOMER VALUES(5,'Marvin','A',100000,'')
 INSERT INTO CUSTOMER VALUES(6,'Slartibartfast','D',100,'')
-INSERT INTO CUSTOMER VALUES(7,'Stored XSS','X',9999,'<script>alert("Stored XSS Session ID " + document.cookie)</script>')
+INSERT INTO CUSTOMER VALUES(7,'Stored XSS','X',9999,'<script>alert("Stored XSS - Session ID: " + document.cookie)</script>')
diff --git a/Ch07_XSS/src/main/webapp/index.xhtml b/Ch07_XSS/src/main/webapp/index.xhtml
@@ -1,7 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html">
+<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html"
+      xmlns:f="http://java.sun.com/jsf/core">
 <h:head>
     <title>Ch07_XSS</title>
 </h:head>
@@ -21,5 +22,18 @@
     </h:form>
 
     <h2>Attacks</h2>
+
+    <ul>
+        <li>Stored XSS</li>
+        <li>
+            <h:form>
+                <h:commandLink action="#{searchBean.search}" value="Relected XSS">
+                    <f:param name="customerName" value="Dummy&lt;script&gt;alert('Reflected XSS - Session ID: ' + document.cookie)&lt;/script&gt;" />
+                </h:commandLink>
+            </h:form>
+        </li>
+        <li>DOM Based XSS</li>
+    </ul>
+
 </h:body>
 </html>
diff --git a/Ch07_XSS/src/main/webapp/search.xhtml b/Ch07_XSS/src/main/webapp/search.xhtml
@@ -17,7 +17,7 @@
     <h:form id="searchCustomers">
         <h:panelGrid columns="2">
             <h:outputLabel value="Name" for="cName" />
-            <h:inputText value="#{searchBean.customer.name}" label="Name" id="cName"/>
+            <h:inputText value="#{searchBean.customerName}" label="Name" id="cName"/>
         </h:panelGrid>
         <h:commandButton value="Search" action="#{searchBean.search}" styleClass="send-button" />
     </h:form>
diff --git a/Ch07_XSS/src/main/webapp/searchCustomer.xhtml b/Ch07_XSS/src/main/webapp/searchCustomer.xhtml
@@ -15,7 +15,7 @@
         <h:link outcome="index" value="Home" /> | <h:link outcome="createCustomer" value="Create Customer" /> | <h:link outcome="showCustomers" value="Show Customers" /> | <h:link outcome="search" value="Search Customer" />
     </h:form>
 
-    <p>Your search for <strong><h:outputText value="#{searchBean.customer.name}" escape="false"/></strong> returned the following results:</p>
+    <p>Your search for <strong><h:outputText value="#{searchBean.customerName}" escape="false"/></strong> returned the following results:</p>
 
     <h:form>
         <h:dataTable var="customer" value="#{searchBean.customers}">
