From e8920eda0623c51fa2b90ade820fc5b99c207e28 Mon Sep 17 00:00:00 2001 From: roxbeecoxb Date: Wed, 3 Mar 2021 17:58:54 +0000 Subject: [PATCH 1/4] Added level 8 & 9 --- webapp/xss_trainer/app.py | 24 +++++++- .../xss_trainer/templates/levels/level8.html | 57 +++++++++++++++++++ .../xss_trainer/templates/levels/level9.html | 45 +++++++++++++++ 3 files changed, 123 insertions(+), 3 deletions(-) create mode 100644 webapp/xss_trainer/templates/levels/level8.html create mode 100644 webapp/xss_trainer/templates/levels/level9.html diff --git a/webapp/xss_trainer/app.py b/webapp/xss_trainer/app.py index 7c40e21..c83d36b 100644 --- a/webapp/xss_trainer/app.py +++ b/webapp/xss_trainer/app.py @@ -26,7 +26,7 @@ # My Selenium Driver import driver -MAX_LEVEL = 6 +MAX_LEVEL = 9 REDIS_URL = "redis://redis:6379/0" SECRET_KEY = b"foobarbaz" @@ -55,7 +55,9 @@ (3, "Simple Filter"), (4,"Regexp Filter"), (5,"PHP Filter"), - (6,"Script Filter")] + (6,"Script Filter"), + (8,"Escape Characters"), + (9, "Encoding")] # (7,"Output")] import subprocess @@ -239,9 +241,25 @@ def _filterData(level, data): #clean = evalPhp(theStr) payload = markdown.markdown(clean) - + + elif level == 8: + payload = (data.replace("'", "\\'")).replace('"', '\\"') # This is more of a level 2/3 difficulty + + elif level == 9: + import base64 + payload = (data.replace("<", "")).replace(">","") + # We are expecting a b64 string, so we need to add out own padding if thats not what they give us + try: + # Rather than using .decode('base64') and leave it as bytex, let's format a nice string + decoded_payload = base64.b64decode(payload.encode('ascii')).decode('ascii') + except Exception: + decoded_payload = ("Input did not have correct encoding") + return (decoded_payload) + + return payload + def _renderPage(level, submitted, result, message, payload): """ Helper Function to render a given page 
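Review bot: `MAX_LEVEL = 9` now spans a level 7 that the LEVELS hunk below still leaves commented out, so any code that advances or validates the level numerically (not visible in this hunk) could land on a level with no LEVELS entry and no template. If 7 is deliberately skipped, record it next to the constant, `# level 7 ("Output") is disabled; see LEVELS`; otherwise define the bound from the list after it is declared, `MAX_LEVEL = max(n for n, _ in LEVELS)`, so the two cannot drift apart.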
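Review bot: In the new `elif level == 9` branch the comment says padding will be added when the submitted base64 lacks it, but no padding is ever added, so the comment misleads and unpadded input falls straight into the `except`; either implement it, `payload += "=" * (-len(payload) % 4)` before decoding, or drop the comment. `except Exception` is wider than needed: `base64.b64decode` raises `binascii.Error` and the `.encode('ascii')`/`.decode('ascii')` calls raise `UnicodeError`, all subclasses of `ValueError`, so `except ValueError:` keeps the same fallback message without hiding unrelated bugs. The `import base64` inside the branch belongs with the module imports at the top of app.py, and the branch returning directly while every other level falls through to `return payload` deserves a line such as `# level 9 returns the decoded text itself; it skips the shared return below`. `_filterData` begins before this hunk.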
diff --git a/webapp/xss_trainer/templates/levels/level8.html b/webapp/xss_trainer/templates/levels/level8.html new file mode 100644 index 0000000..5e6e681 --- /dev/null +++ b/webapp/xss_trainer/templates/levels/level8.html @@ -0,0 +1,57 @@ +{% extends "levelBase.html" %} + +{% block content %} + +

Level {{ level }}

+ +{% markdown %} + +In this level some characters are getting escaped using backslashes. How could you send your payload without using those characters? + + +??? hint + + In computing, data can be represented in many ways. What other ways can text be represented? + + +### Filter + +```python +def filter(data): + payload = (data.replace("'", "\\'")) + payload = payload.replace('"', '\\"') + return data +``` + +Or (approximately) Equivalent PHP +```php + +``` + +{% endmarkdown %} +{% endblock content%} + + +{% block defaultForm %} +
+
+

Vulnerable Form

+
+
+
+
+
+ + +
+ +
+
+
+
+{% endblock defaultForm %} diff --git a/webapp/xss_trainer/templates/levels/level9.html b/webapp/xss_trainer/templates/levels/level9.html new file mode 100644 index 0000000..caab026 --- /dev/null +++ b/webapp/xss_trainer/templates/levels/level9.html @@ -0,0 +1,45 @@ +{% extends "levelBase.html" %} + +{% block content %} + +
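Review bot: The filter shown to the player in the new level8.html ends with `return data`, so the displayed code claims the function is a no-op while the real level 8 branch in app.py returns the escaped string; the snippet's last line should read `return payload`. The same snippet with the same `return data` reappears in EscapeChars.html in PATCH 2/4, so fix it there as well. The PHP equivalent's body is not legible here, so I cannot check that it matches.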

Level {{ level }}

+ +{% markdown %} + +Users usually submit data for a reason. This page does something with your inputted data. The admin of this page has also coded a filter to strip any < > characters from the input. + +??? hint + + When sending information on the web, data is often encoded/decoded. + + +### Filter + +```python +def filter(data): + payload = (data.replace('<', '') + payload = payload.replace('>', '') +``` + +{% endmarkdown %} +{% endblock content%} + + +{% block defaultForm %} +
+
+

Vulnerable Form

+
+
+
+
+
+ + +
+ +
+
+
+
+{% endblock defaultForm %} From d7789b880f8f61245124be428dfcfda6bf419529 Mon Sep 17 00:00:00 2001 From: sharkmoos Date: Thu, 6 May 2021 15:27:48 +0100 Subject: [PATCH 2/4] Fixed level 7 --- webapp/xss_trainer/levels/contrib.py | 1 + webapp/xss_trainer/templates/levels/EscapeChars.html | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/webapp/xss_trainer/levels/contrib.py b/webapp/xss_trainer/levels/contrib.py index ab79f34..3378054 100644 --- a/webapp/xss_trainer/levels/contrib.py +++ b/webapp/xss_trainer/levels/contrib.py @@ -20,6 +20,7 @@ class EscapeChars(meta.BaseLevel): def sanitise(self, data): # This is more of a level 2/3 difficulty payload = (data.replace("'", "\\'")).replace('"', '\\"') + payload = (data.replace("<", "")).replace('>', '') return payload class Encoding(meta.BaseLevel): diff --git a/webapp/xss_trainer/templates/levels/EscapeChars.html b/webapp/xss_trainer/templates/levels/EscapeChars.html index 8a880d6..91c58d7 100644 --- a/webapp/xss_trainer/templates/levels/EscapeChars.html +++ b/webapp/xss_trainer/templates/levels/EscapeChars.html @@ -18,6 +18,8 @@ def filter(data): payload = (data.replace("'", "\\'")) payload = payload.replace('"', '\\"') + payload = payload.replace('<', '') + payload = payload.replace('>', '') return data ``` @@ -26,6 +28,8 @@ ", "") return $payload; } ?> From 7f6622174c41036d8887ff129702c049f0c3f29a Mon Sep 17 00:00:00 2001 From: sharkmoos Date: Mon, 7 Mar 2022 19:13:45 +0000 Subject: [PATCH 3/4] Updated level 7 to close a loophole --- webapp/xss_trainer/levels/contrib.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/webapp/xss_trainer/levels/contrib.py b/webapp/xss_trainer/levels/contrib.py index 3378054..7a99cfd 100644 --- a/webapp/xss_trainer/levels/contrib.py +++ b/webapp/xss_trainer/levels/contrib.py 
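Review bot: The filter snippet in the new level9.html does not parse — `payload = (data.replace('<', '')` is missing its closing parenthesis — and it has no `return`, so the code a player is invited to study is not runnable Python. Suggested body: `payload = data.replace('<', '').replace('>', '')` followed by `return payload`. The snippet presumably omits the later processing step on purpose, since the hint points the player at it, so only the syntax and the return need fixing.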
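Review bot: The line added to `EscapeChars.sanitise` calls `data.replace(...)` rather than `payload.replace(...)`, so it overwrites the quote-escaped result from the line above and only the `<`/`>` stripping survives, while the EscapeChars.html snippet updated in the same commit shows the two steps chained. If both are meant to apply, the line should be `payload = payload.replace("<", "").replace(">", "")`. The class header is outside the hunk.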
@@ -18,9 +18,11 @@ class EscapeChars(meta.BaseLevel): author = "Sharkmoos" def sanitise(self, data): - # This is more of a level 2/3 difficulty - payload = (data.replace("'", "\\'")).replace('"', '\\"') - payload = (data.replace("<", "")).replace('>', '') + try: + int(data) + payload = (data.replace("'", "\\'")).replace('"', '\\"') + except ValueError: + payload = "e("<", "")).replace('>', '') return payload class Encoding(meta.BaseLevel): From 7727546f3f39374837f1fa6883cc1be0d5663a6e Mon Sep 17 00:00:00 2001 From: sharkmoos Date: Mon, 7 Mar 2022 19:15:25 +0000 Subject: [PATCH 4/4] Trashed the changes --- webapp/xss_trainer/app.py | 359 ------------------ webapp/xss_trainer/levels/contrib.py | 2 +- .../templates/levels/EscapeChars.html | 4 - .../xss_trainer/templates/levels/level8.html | 57 --- .../xss_trainer/templates/levels/level9.html | 45 --- 5 files changed, 1 insertion(+), 466 deletions(-) delete mode 100644 webapp/xss_trainer/app.py delete mode 100644 webapp/xss_trainer/templates/levels/level8.html delete mode 100644 webapp/xss_trainer/templates/levels/level9.html diff --git a/webapp/xss_trainer/app.py b/webapp/xss_trainer/app.py deleted file mode 100644 index c83d36b..0000000 --- a/webapp/xss_trainer/app.py +++ /dev/null 
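Review bot: The new `except ValueError:` branch assigns `payload = "e("<", "")).replace('>', '')`, which is not valid Python (the string literal closes right after `e(`), so contrib.py no longer imports and every level defined in the module is affected, not just this one. It is also unclear from the hunk which branch is meant to be the rejection path: `int(data)` succeeding means the input is purely numeric, so the quote-escaping now only runs on input that cannot contain quotes; a comment above the `try`, such as `# numeric input passes through the escaper; anything else is rejected — confirm this is the intended loophole closure`, would make the intent checkable. The class header is outside the hunk.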
@@ -1,359 +0,0 @@ -""" -Very simple Flask App. For Testing -""" - - -import html -import urllib.parse -import logging - -import re - -import flask -from flask import Flask, session -import flask - -from flask_redis import FlaskRedis - -from jinja_markdown import MarkdownExtension -import markdown - -#Well that fills me with confidence.... -#from flask.ext.session import Session -#from flask_session import Session -import redis - -# My Selenium Driver -import driver - -MAX_LEVEL = 9 - -REDIS_URL = "redis://redis:6379/0" -SECRET_KEY = b"foobarbaz" - -app = flask.Flask(__name__) -app.config.update( - REDIS_URL = REDIS_URL, - #SESSION_TYPE= "redis", - #SESSION_REDIS = redis.from_url(REDIS_URL), - SESSION_COOKIE_SAMESITE='Lax', - ) - -app.config["SECRET_KEY"] = SECRET_KEY - -app.jinja_env.add_extension(MarkdownExtension) - -redis_client = FlaskRedis(app) -#Session(app) - -#Last Request -lastRequest = {} - -LEVELS = [(0,"Training"), - (1,"No Filter"), - (2,"ClientSide Filter"), - (3, "Simple Filter"), - (4,"Regexp Filter"), - (5,"PHP Filter"), - (6,"Script Filter"), - (8,"Escape Characters"), - (9, "Encoding")] -# (7,"Output")] - -import subprocess - -@app.route('/') -def main(): - """ - Render the homepage - """ - #flask.session["bleh"] = b"Bleh" - if "level" not in flask.session: - flask.session["level"] = 0 - - level = flask.session.get("level") - return flask.render_template('index.html', - level=level, - navLevels = LEVELS) - -@app.route("/reset") -def reset(): - """ - Clear the Session - """ - flask.session.clear() - return flask.redirect(flask.url_for("main")) - - -@app.route("/konami") -def konami(): - flask.session["level"] = 100 - return flask.redirect(flask.url_for("main")) - - -@app.route("/testPhp") -def test(): - """ - Testing - """ - #with open("/tmp/script.php","w") as fd: - theStr = ['$input = ""', - '$output = preg_replace("/", "") - - elif level == 4: - regexp = re.compile("<\/?script>", re.IGNORECASE) - payload = regexp.sub("", data) - - elif level == 
5: - #PHP version of Level 4 - theStr = ['$input = "{0}"'.format(data), - '$output = preg_replace("/"# - #app.logger.info("Last Request was") - return flask.render_template("render.html", - payload=thePayload) - - -# --------------- TESTING CODEZ --------------- - - diff --git a/webapp/xss_trainer/levels/contrib.py b/webapp/xss_trainer/levels/contrib.py index 7a99cfd..3701199 100644 --- a/webapp/xss_trainer/levels/contrib.py +++ b/webapp/xss_trainer/levels/contrib.py @@ -22,7 +22,7 @@ def sanitise(self, data): int(data) payload = (data.replace("'", "\\'")).replace('"', '\\"') except ValueError: - payload = "e("<", "")).replace('>', '') + payload = "You must enter a string payload for this level" return payload class Encoding(meta.BaseLevel): diff --git a/webapp/xss_trainer/templates/levels/EscapeChars.html b/webapp/xss_trainer/templates/levels/EscapeChars.html index 91c58d7..8a880d6 100644 --- a/webapp/xss_trainer/templates/levels/EscapeChars.html +++ b/webapp/xss_trainer/templates/levels/EscapeChars.html @@ -18,8 +18,6 @@ def filter(data): payload = (data.replace("'", "\\'")) payload = payload.replace('"', '\\"') - payload = payload.replace('<', '') - payload = payload.replace('>', '') return data ``` @@ -28,8 +26,6 @@ ", "") return $payload; } ?> diff --git a/webapp/xss_trainer/templates/levels/level8.html b/webapp/xss_trainer/templates/levels/level8.html deleted file mode 100644 index 5e6e681..0000000 --- a/webapp/xss_trainer/templates/levels/level8.html +++ /dev/null @@ -1,57 +0,0 @@ -{% extends "levelBase.html" %} - -{% block content %} - -
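Review bot: The replacement message in `EscapeChars.sanitise` reads backwards relative to the branch it sits in: `ValueError` is raised when `int(data)` fails, i.e. when the input is not a number, yet the text tells the player to enter a string payload, so as committed every ordinary text payload is replaced by the message. Either the branches are presumably swapped (numeric input gets the message, text input the escaping) or the message should read `"You must enter a numeric payload for this level"`; whichever is intended, a comment on the `try` stating which inputs are rejected would stop this flipping again. The `try:` and the `def sanitise` line are outside the hunk.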

Level {{ level }}

- -{% markdown %} - -In this level some characters are getting escaped using backslashes. How could you send your payload without using those characters? - - -??? hint - - In computing, data can be represented in many ways. What other ways can text be represented? - - -### Filter - -```python -def filter(data): - payload = (data.replace("'", "\\'")) - payload = payload.replace('"', '\\"') - return data -``` - -Or (approximately) Equivalent PHP -```php - -``` - -{% endmarkdown %} -{% endblock content%} - - -{% block defaultForm %} -
-
-

Vulnerable Form

-
-
-
-
-
- - -
- -
-
-
-
-{% endblock defaultForm %} diff --git a/webapp/xss_trainer/templates/levels/level9.html b/webapp/xss_trainer/templates/levels/level9.html deleted file mode 100644 index caab026..0000000 --- a/webapp/xss_trainer/templates/levels/level9.html +++ /dev/null @@ -1,45 +0,0 @@ -{% extends "levelBase.html" %} - -{% block content %} - -

Level {{ level }}

- -{% markdown %} - -Users usually submit data for a reason. This page does something with your inputted data. The admin of this page has also coded a filter to strip any < > characters from the input. - -??? hint - - When sending information on the web, data is often encoded/decoded. - - -### Filter - -```python -def filter(data): - payload = (data.replace('<', '') - payload = payload.replace('>', '') -``` - -{% endmarkdown %} -{% endblock content%} - - -{% block defaultForm %} -
-
-

Vulnerable Form

-
-
-
-
-
- - -
- -
-
-
-
-{% endblock defaultForm %}