Add XPath Injection

README.md

@@ -27,7 +27,8 @@ This vulnerable application contains the following API/Web Service vulnerabiliti
 * Command Injection
 * Postmessage Security (JavaScript Security)
 * Prototype Pollution (JavaScript Security)
-
+* XPATH Injection
+* XML-RPC User Enumeration
 
 ## Set Up Instructions
 
@@ -105,8 +106,6 @@ Within your /etc/hosts file, ensure localhost resolves to dvws.local. This ensur
 
 ## To Do
 * XML Bomb Denial-of-Service
-* XPATH Injection
-* XML-RPC User Enumeration
 * API Endpoint Brute Forcing Challenges
 * CSV Injection
 * Path Traversal 

config.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+	<config>
+		<release>0.0.1</release>
+		<user>
+			<login>test</login>
+			<password>test</password>
+		</user>
+		<db>
+		    <type>mysql</type>
+			<login>root</login>
+			<password>mysecretpassword</password>
+		</db>
+		<db>
+		    <type>mongodb</type>
+			<login>null</login>
+			<password>null</password>
+		</db>
+		<location>
+		<url>http://dvws.local:9090/xmlrpc</url>
+		<url>http://dvws.local/api-docs/#/</url>
+		</location>
+	</config>

controllers/notebook.js

@@ -3,6 +3,21 @@ const mongoose = require('mongoose');
 const Note = require('../models/notebook');
 const jwt = require('jsonwebtoken')
 const { exec } = require('child_process');
+var xpath = require('xpath');
+const xml2js = require('xml2js');
+const fs = require('fs');
+dom = require('xmldom').DOMParser
+const parser = new xml2js.Parser({ attrkey: "ATTR" });
+
+
+let xml_string = fs.readFileSync("config.xml", "utf8");
+xml_string = xml_string.replace(/>\s*/g, '>');  // Replace "> " with ">"
+xml_string = xml_string.replace(/\s*</g, '<');  // Replace "< " with "<"
+
+var doc = new dom().parseFromString(xml_string)
+var node = null;
+
+
 const connUri = process.env.MONGO_LOCAL_CONN_URL;
 var MongoClient = require('mongodb').MongoClient;
 function set_cors(req, res) {
@@ -64,6 +79,27 @@ module.exports = {
       }
     });
   },
+  get_release: (req, res) => {
+
+    var uservalue = decodeURI(req.params.release.toString())
+    var xpath_result = xpath.evaluate(
+      "//config/*[local-name(.)='release' and //config//release/text()='" + uservalue + "']",            // xpathExpression
+      doc,                        // contextNode
+      null,                       // namespaceResolver
+      xpath.XPathResult.ANY_TYPE, // resultType
+      null                        // result
+    )
+
+    var result = [];
+    node = xpath_result.iterateNext();
+    while (node) {
+        result.push(node.toString());
+        node = xpath_result.iterateNext();
+    }
+
+    res.send(result.toString());
+
+  },
   create_a_note: (req, res) => {
     res = set_cors(req, res)
     res.set('Cache-Control', 'no-store, no-cache, must-revalidate, private')

package.json

@@ -35,7 +35,9 @@
     "mysql": "^2.18.1",
     "swagger-ui-express": "^4.1.4",
     "xml2js": "^0.4.23",
-    "xmlrpc": "^1.3.2"
+    "xmldom": "^0.4.0",
+    "xmlrpc": "^1.3.2",
+    "xpath": "0.0.32"
   },
   "devDependencies": {
     "cross-env": "^5.2.0",

public/admin.html

@@ -13,7 +13,7 @@
    <div class="sidenav">
       <div class="login-main-text">
          <h2>Damn Vulnerable Web Services<br> Admin Area</h2>
-         <p>Functionality only availiable to Admin Users</p>
+         <p>Functionality only available to Admin Users</p>
          <p></p>
       </div>
    </div>

public/home.html

@@ -20,6 +20,7 @@ <h2>Damn Vulnerable Web Services<br> Home Area</h2>
                var url = window.location.href; var hash = url.substring(url.indexOf('#') + 1);
                document.write('Welcome User: <b>' + hash + '</b>');
             </script>
+             <p>DVWS Release: {{ ResponseMessage  }}</p>
             <hr>
             <div>
                The following areas can be accessed:<br>
@@ -29,11 +30,45 @@ <h2>Damn Vulnerable Web Services<br> Home Area</h2>
                <a href="passphrasegen.html">Passphrase Generator</a><br>
                <a href="upload.html">File Upload Area</a><br>
             </div>
-
+            
          </div>
       </div>
    </div>
-
+  
 </div>
 
 
+
+
+<script type="text/javascript">
+
+
+   var app = angular.module('app', [])
+   app.controller('MyController', function ($scope, $http, $window) {
+      getFromServer();
+      function getFromServer() {
+         var get = $http({
+            method: "GET",
+            url: "/api/v2/0.0.1",
+            dataType: 'json',
+            headers: { "Content-Type": "application/json" }
+
+         });
+
+         get.success(function (data, status) {
+            if (data) {
+               $scope.ResponseMessage = data;
+
+      }
+   });
+
+
+   }
+
+});
+</script>
+
+
+</body>
+
+</html>

routes/notebook.js

@@ -13,6 +13,9 @@ module.exports = (router) => {
   router.route('/v2/info')
     .get(controller.get_info);
 
+  router.route('/v2/:release')
+    .get(controller.get_release);
+
   router.route('/v2/sysinfo/:command')
     .get(validateToken, controller.get_sysinfo);
 

startup_script.js

@@ -53,8 +53,27 @@ function createAdmin() {
       console.log(result.error);
     }
     // Close the connection after saving
+
+  });
+
+  const user2 = new User({
+    username: "test",
+    password: "test",
+    admin: false
+  });
+
+  user2.save((err, user2) => {
+    if (!err) {
+      console.log(user2);
+    } else {
+      result.error = err;
+      console.log(result.error);
+    }
+    // Close the connection after saving
     mongoose.disconnect();
   });
+
+
 });
 
 }