package org.owasp.webgoat.lessons;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipException;
import java.util.zip.ZipFile;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.A;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*
* For details, please see http://webgoat.github.io
*
* @author Jakub Koperwas of <a href="http://www.sages.com.pl">Sages</a>
* @created October 31, 2014
*/
public class ZipBomb extends LessonAdapter {
public final static A SAGES_LOGO = new A().setHref(
"http://www.sages.com.pl").addElement(
new IMG("images/logos/sages.png").setAlt("Sages").setBorder(0)
.setHspace(0).setVspace(0).setStyle("width:180px; height:60px"));
protected Element createContent(WebSession s) {
ElementContainer ec = new ElementContainer();
if ("success".equalsIgnoreCase((String)s.get(ZIP_DOS))){
System.out.println("final success");
makeSuccess(s);
}
try {
ec.addElement(new P().addElement("Upload new File"));
Input input = new Input(Input.FILE, "myfile", "");
ec.addElement(input);
Element b = ECSFactory.makeButton("Start Upload");
ec.addElement(b);
} catch (Exception e) {
s.setMessage("Error generating " + this.getClass().getName());
e.printStackTrace();
}
return ec;
}
protected Category getDefaultCategory() {
return Category.DOS;
}
public List<String> getHints(WebSession s) {
List<String> hints = new ArrayList<String>();
hints
.add("You can upload up to 2MB file at once,see what can you insert INTO the file");
return hints;
}
public String getInstructions(WebSession s) {
String instructions = "";
instructions = "Server accepts only ZIP files, \n"
+ "extracts them after uploading, does something with them and deletes,"
+ "\n it provides 20 MB temporal storage to handle all request \n"
+ "try do perform DOS attack that consume all temporal storage with one request";
return (instructions);
}
private final static Integer DEFAULT_RANKING = new Integer(10);
private static final String ZIP_DOS = "ZIP_DOS";
protected Integer getDefaultRanking() {
return DEFAULT_RANKING;
}
public String getTitle() {
return ("ZipBomb");
}
public Element getCredits() {
return super.getCustomCredits("", SAGES_LOGO);
}
public void handleRequest(WebSession s) {
File tmpDir=(File)s.getRequest().getServletContext().getAttribute("javax.servlet.context.tempdir");
try {
if (ServletFileUpload.isMultipartContent(s.getRequest())) {
DiskFileItemFactory factory = new DiskFileItemFactory();
factory.setSizeThreshold(500000);
ServletFileUpload upload = new ServletFileUpload(factory);
List /* FileItem */items = upload.parseRequest(s.getRequest());
java.util.Iterator iter = items.iterator();
while (iter.hasNext()) {
FileItem item = (FileItem) iter.next();
if (!item.isFormField()) {
File uploadedFile= new File(tmpDir, item.getName());
if (item.getSize() < 2000 * 1024) {
if (item.getName().endsWith(".zip")) {
item.write(uploadedFile);
long total = unzippedSize(uploadedFile);
s.setMessage("File uploaded");
if (total > 20 * 1024 * 1024) {
s.add(ZIP_DOS, "success");
System.out.println("success");
makeMessages(s);
}else{
s.setMessage("I still have plenty of free storage on the server...");
}
} else {
s.setMessage("Only ZIP files are accepted");
}
} else {
s.setMessage("Only up to 2 MB files are accepted");
}
}
}
}
Form form = new Form(getFormAction(), Form.POST).setName("form")
.setEncType("multipart/form-data");
form.addElement(createContent(s));
setContent(form);
} catch (Exception e) {
e.printStackTrace(System.out);
}
}
private long unzippedSize(File uploadedFile) throws ZipException,
IOException {
ZipFile zf = new ZipFile(uploadedFile);
long total = 0;
Enumeration e = zf.entries();
while (e.hasMoreElements()) {
ZipEntry entry = (ZipEntry) e.nextElement();
total += entry.getSize();
}
return total;
}
}