From 52db13dbb7d09583fe9fda93083423ebbd0cb805 Mon Sep 17 00:00:00 2001 From: SelectBillyFromC <61947286+SelectBillyFromC@users.noreply.github.com> Date: Mon, 14 Nov 2022 23:59:48 -0500 Subject: [PATCH] Added korean translation Maps to issue: https://github.com/SasanLabs/VulnerableApp/issues/420 --- .classpath | 7 + .settings/org.eclipse.buildship.core.prefs | 11 + .../SampleVulnerability.java | 108 +++++++ .../resources/i18n/messages_kr.properties | 287 ++++++++++++++++++ .../LEVEL_1/SampleVulnerability.css | 16 + .../LEVEL_1/SampleVulnerability.html | 9 + .../LEVEL_1/SampleVulnerability.js | 23 ++ 7 files changed, 461 insertions(+) create mode 100644 src/main/java/org/sasanlabs/service/vulnerability/sampleVulnerability/SampleVulnerability.java create mode 100644 src/main/resources/i18n/messages_kr.properties create mode 100644 src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.css create mode 100644 src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.html create mode 100644 src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.js diff --git a/.classpath b/.classpath index 467ef2f2..f00842bf 100644 --- a/.classpath +++ b/.classpath @@ -12,6 +12,13 @@ + + + + + + + diff --git a/.settings/org.eclipse.buildship.core.prefs b/.settings/org.eclipse.buildship.core.prefs index e8895216..6ceff53f 100644 --- a/.settings/org.eclipse.buildship.core.prefs +++ b/.settings/org.eclipse.buildship.core.prefs 
@@ -1,2 +1,13 @@
+arguments=--init-script C\:\\Users\\chan0\\AppData\\Local\\Temp\\d146c9752a26f79b52047fb6dc6ed385d064e120494f96f08ca63a317c41f94c.gradle --init-script C\:\\Users\\chan0\\AppData\\Local\\Temp\\52cde0cfcf3e28b8b7510e992210d9614505e0911af0c190bd590d7158574963.gradle --init-script C\:\\Users\\chan0\\AppData\\Local\\Temp\\bd95fba452cd16942039615189e617a1932f63d661f1f661840274c40bc05cbb.gradle
+auto.sync=false
+build.scans.enabled=false
+connection.gradle.distribution=GRADLE_DISTRIBUTION(WRAPPER)
 connection.project.dir=
 eclipse.preferences.version=1
+gradle.user.home=
+java.home=C\:/Program Files/Eclipse Foundation/jdk-11.0.12.7-hotspot
+jvm.arguments=
+offline.mode=false
+override.workspace.settings=true
+show.console.view=true
+show.executions.view=true
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/sampleVulnerability/SampleVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/sampleVulnerability/SampleVulnerability.java
new file mode 100644
index 00000000..3f15c150
--- /dev/null
+++ b/src/main/java/org/sasanlabs/service/vulnerability/sampleVulnerability/SampleVulnerability.java
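Review bot: The new `.settings/org.eclipse.buildship.core.prefs` content is workstation state rather than project configuration: `arguments=` points at three `--init-script` files under `C:\Users\chan0\AppData\Local\Temp\`, and `java.home=C:/Program Files/Eclipse Foundation/jdk-11.0.12.7-hotspot` hard-codes one machine's JDK. That publishes the committer's local username and paths, and on any other checkout Buildship would presumably either fail to find those init scripts or silently ignore them. Neither this file nor the `.classpath` hunk above it has anything to do with the Korean translation the commit describes; I would drop both from the commit and add `.settings/` and `.classpath` to `.gitignore` so IDE state is not re-added on the next import. If the project intentionally tracks `.classpath`, keep only that hunk.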
@@ -0,0 +1,108 @@ +package org.sasanlabs.service.vulnerability.sampleVulnerability; + +import org.sasanlabs.internal.utility.LevelConstants; +import org.sasanlabs.internal.utility.Variant; +import org.sasanlabs.internal.utility.annotations.AttackVector; +import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping; +import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController; +import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean; +import org.sasanlabs.vulnerability.types.VulnerabilityType; +import org.springframework.http.ResponseEntity; +import org.springframework.web.bind.annotation.RequestParam; + +/** + * This is a sample vulnerability for helping developers in adding a new Vulnerability for + * VulnerableApp + * + * @author KSASAN preetkaran20@gmail.com + */ +/** + * {@code VulnerableAppRestController} annotation is similar to {@link + * org.springframework.stereotype.Controller} Annotation + */ +@VulnerableAppRestController( + /** + * "descriptionLabel" parameter of annotation is i18n label stored in {@link + * /VulnerableApp/src/main/resources/i18n/}. This descriptionLabel + * will be shown in the UI as the description of the Vulnerability. It helps students to + * learn about the vulnerability and can also include some of the useful references etc. + */ + descriptionLabel = "SAMPLE_VULNERABILITY", + /** + * "value" parameter of annotation is used to create the request mapping. e.g. for the below + * parameter value, /VulnerableApp/SampleVulnerability will be created as URI Path. + */ + value = "SampleVulnerability") +public class SampleVulnerability { + + /** + * {@code AttackVector} annotation is used to create the Hints section in the User Interface. + * This annotation can be mentioned multiple times in case the same vulnerability level + */ + @AttackVector( + /** + * "vulnerabilityExposed" parameter is used to depict the Vulnerability exposed by the + * level. 
For example say a level is exposing SQL_INJECTION. + */ + vulnerabilityExposed = VulnerabilityType.SAMPLE_VULNERABILITY, + /** + * "description" parameter of annotation is i18n label stored in {@link + * /VulnerableApp/src/main/resources/i18n/}. This description + * will be shown in the UI as hint to give some indication on how the level is handling + * input to help user to crack the level. + */ + description = "SAMPLE_VULNERABILITY_USER_INPUT_HANDLING_INJECTION", + + /** + * "payload" parameter of annotation is i18n label stored in {@link + * /VulnerableApp/src/main/resources/attackvectors/*.properties}. This payload will be + * shown in UI to help users find/exploit the vulnerability + */ + payload = "NOT_APPLICABLE") + /** + * This annotation is similar to {@link RequestMapping} SpringBoot annotation. It will map the + * endpoint to /VulnerableApp/SampleVulnerability/LEVEL_1 where LEVEL_1 is coming from the value + * parameter. + */ + @VulnerableAppRequestMapping( + /** + * "value" parameter is used to map the level to URI path + * /VulnerableApp/SampleVulnerability/${value}. + */ + value = LevelConstants.LEVEL_1, + + /** + * "htmlTemplate" is used to load the UI for the level for taking input from the user. + * It points to files in directory + * src/main/resource/static/templates/${VulnerabilityName} e.g. + * src/main/resource/static/templates/SampleVulnerability as ${htmlTemplate}.js, + * ${htmlTemplate}.css, ${htmlTemplate}.html. e.g. in this case it will be: + * src/main/resource/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability_Level1.js + * etc + * + *

CSS, JS and HTML are all loaded to render the UI. + */ + htmlTemplate = "LEVEL_1/SampleVulnerability") + public GenericVulnerabilityResponseBean sampleUnsecuredLevel(@RequestParam("name") String key) { + /** Add Business logic here */ + return new GenericVulnerabilityResponseBean<>("Not Implemented", true); + } + + /** For secured level there is no need for {@link AttackVector} annotation. */ + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_2, + + // Can reuse the same UI template in case it doesn't change between levels + htmlTemplate = "LEVEL_1/SampleVulnerability", + /** + * "variant" parameter defines whether the level is secure or not and same is depicted + * in the UI as a closed lock and open lock icon. Default value of the variant is + * UNSECURE so in case a secure level is added, please add the variant as {@link + * Variant#SECURE} + */ + variant = Variant.SECURE) + public GenericVulnerabilityResponseBean sampleSecuredLevel(@RequestParam("name") String key) { + /** Add Business logic here */ + return new GenericVulnerabilityResponseBean<>("Not Implemented", true); + } +} \ No newline at end of file diff --git a/src/main/resources/i18n/messages_kr.properties b/src/main/resources/i18n/messages_kr.properties new file mode 100644 index 00000000..4ac593d9 --- /dev/null +++ b/src/main/resources/i18n/messages_kr.properties 
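Review bot: Both `sampleUnsecuredLevel` and `sampleSecuredLevel` declare the raw return type `GenericVulnerabilityResponseBean` while constructing the value with the diamond; give it its type argument, `public GenericVulnerabilityResponseBean<String> sampleUnsecuredLevel(@RequestParam("name") String key)`, and likewise for the secured level, so the response type is not erased in the template other levels are copied from. Both methods also bind `key` from the `name` request parameter and never read it; a comment such as `// "name" is bound only to show the @RequestParam wiring; a real level must validate it before use` would stop copies from inheriting an unvalidated parameter without noticing. The file lives under `src/main/java` and carries `@VulnerableAppRestController`, so presumably it is compiled and registered as a live `/VulnerableApp/SampleVulnerability` endpoint rather than serving as documentation, and the i18n labels it references, `SAMPLE_VULNERABILITY` and `SAMPLE_VULNERABILITY_USER_INPUT_HANDLING_INJECTION`, do not appear in the `messages_kr.properties` added by this same commit. Since the commit is described as the Korean translation, this file and the `static/templates/SampleVulnerability/` CSS, HTML and JS below look like an unrelated change that belongs in its own commit.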
@@ -0,0 +1,287 @@ +EMPTY_LABEL= + +# Exception Code Labels +INVALID_END_POINT=다음 {0} 엔드포인트는 수행이 불가능합니다. allEndPoint 호출에서 엔드포인트 값을 확인하시고 재시도 해주십시오. +INVALID_LEVEL=다음 {0} 수준은 올바른 수준 값이 아닙니다. allEndPoint 호출에서 엔드포인트 값과 지원되는 수준값을 확인하시고 재시도 해주십시오. +UNAVAILABLE_LEVEL= {1} 엔드포인트 아래 다음 {0} 수준은 수행이 불가능합니다. allEndPoint 호출에서 엔드포인트 값과 지원되는 수준값을 확인하시고 재시도 해주십시오. +INVALID_ACCESS=다음 {0} 메서드는 접근이 불가합니다. 원인은 잘못된 접근성 또는 잘못된 메서드 정의일 수 있습니다. 로그를 확인해 주십시오. +INVALID_AGRUMENTS=다음 {0} 메서드는 올바른 인수 집합을 전달하지 않았습니다. 로그를 확인해 주십시오. +SYSTEM_ERROR=시스템 오류가 발생했습니다. 로그를 확인해 주십시오. + +# XSS based Injections +XSS_VULNERABILITY=크로스 사이트 스크립팅 (XSS)은 신뢰할 수 있는 웹 사이트에 악의적 스크립트를 주입하는 \ +주입 공격 유형입니다. XSS attacks occur when an attacker uses a web application to send malicious code, \ + generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed \ + are quite widespread and occur anywhere a web application uses input from a user within the output \ + it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. \ + The end user\u2019s browser has no way to know that the script should not be trusted, and will execute the script. \ + Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, \ + or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content \ + of the HTML page.

For more information on XSS:

  1. Owasp XSS \ +
  2. Google Application Security
+ +#### AttackVector description +PERSISTENT_XSS_HTML_TAG_URL_PARAM_DIRECTLY_INJECTED_IN_DIV_TAG=\"comment\" query param's value is directly added to \"div\" tag. +PERSISTENT_XSS_HTML_TAG_URL_PARAM_DIRECTLY_INJECTED_IN_DIV_TAG_REPLACING_IMG_AND_INPUT_TAG=\"comment\" query param's value is directly added to \"div\" tag after replacing " This vulnerability is related to Image Tag having XSS attacks. If .. +#### Attack Vector Description +XSS_DIRECT_INPUT_SRC_ATTRIBUTE_IMG_TAG=Url Parameters are added directly into the src attribute of Image Tag. +XSS_QUOTES_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG=Quotes are added to Url Parameters and then directly added into the src attribute of Image Tag +XSS_HTML_ESCAPE_ON_DIRECT_INPUT_SRC_ATTRIBUTE_IMG_TAG=HTML escaping is done on the Url Parameters and then directly added into the src attribute of Image Tag +XSS_HTML_ESCAPE_ON_DIRECT_INPUT_AND_REMOVAL_OF_VALUES_WITH_PARENTHESIS_SRC_ATTRIBUTE_IMG_TAG=HTML escaping along with removal of values containing paranthesis is done on the Url Parameters and then directly added into the src attribute of Image Tag. +XSS_QUOTES_AND_WITH_HTML_ESCAPE_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG=HTML escaping is done on the Url Parameters and then inserted inside Quotes into the src attribute of Image Tag. +XSS_HTML_ESCAPE_PLUS_FILTERING_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG_BUT_NULL_BYTE_VULNERABLE=Url Parameters are HTML escaped, validated against whitelist of filenames and inserted into the src attribute of Image Tag, However validator for validating filenames is vulnerable with Null Byte Injection. +XSS_QUOTES_AND_WITH_HTML_ESCAPE_PLUS_FILTERING_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG=Url Parameters are HTML escaped, validated against whitelist of filenames and inserted inside Quotes into the src attribute of Image Tag. + +## Html Tag Injection +XSS_HTML_TAG_INJECTION=Html Tag based XSS attack. +XSS_DIRECT_INPUT_DIV_TAG=Html Tag is directly injected into div tag. 
+ +### Attack vectors +XSS_DIRECT_INPUT_DIV_TAG=Url Parameters are added directly into div tag. +XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ANCHOR_SCRIPT_AND_IMG_TAG=Url Parameters are added directly into the div tag if they are not having Script/Image and Anchor tag. +XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ANCHOR_SCRIPT_IMG_TAG_AND_ALERT_KEYWORD=Url Parameters are added directly into the div tag if they are not having Script/Image/Anchor tag and Javascript and Alert keywords. + +# URL Redirection +## Location Header Injection +OPEN_REDIRECTION_VULNERABILITY_3XX_BASED=Open redirection vulnerabilities arise when an application incorporates user-controllable \ +data into the target of a redirection in an unsafe way.
An attacker can construct a URL within the application that \ +causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
\ +The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to \ +the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. \ +

RFC 2616 - "Hypertext Transfer Protocol - HTTP/1.1" target="_blank" defines a variety \ + of 3xx status codes that will cause a browser to redirect to a specified location and this implementation is based on 3xx status codes

\ + Important Links:
    \ +
  1. WASC-38
  2. \ +
  3. CWE-601
  4. \ +
  5. Port Swigger's vulnerability documentation
  6. \ +
  7. Wiki link for describing the purpose of URL Redirection
  8. \ +
  9. Open Redirection payload list
  10. \ +
  11. Adding domain as prefix case study
  12. \ +
\ + Some myths: Are URL shorteners \u201Cvulnerable\u201D due to open redirects?
+ +OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER=\"returnTo\" query parameter's value is directly added to the \"Location\" header. +OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\" and \"https\" or domain is same as the application. +OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_//_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\", \"https\" and "//" or domain is same as the application. +OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_WWW_HTTPS_//_NULL_BYTE_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\", \"https\", "//" and Null Byte or domain is same as the application. +OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_//_WWW_%_OR_DOMAIN_IS_SAME=\"returnTo\" query parameter's value is directly added to the \"Location\" header if it doesn't starts with \"http\",\"www\", \"https\", "//" and character less than ascii value 33 or domain is same as the application. +OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_PREFIX=\"returnTo\" query parameter's value is directly added to the \"Location\" header by prefixing it will applications domain name. + + +## Meta Tag based URL Redirection +OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED=Open redirection vulnerabilities arise when an application incorporates user-controllable \ +data into the target of a redirection in an unsafe way.
An attacker can construct a URL within the application that \ +causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
\ +The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to \ +the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. \ +

An HTML meta element which specifies the time in seconds before the browser is to refresh the page. \ +Providing an alternate URI allows the element to be used as a timed URL redirector. \ +For example, in the following example the browser will redirect to example.com after 5 seconds:
\ + <meta http-equiv="refresh" content="5;url=http://example.com">

\ + Important Links:
    \ +
  1. WASC-38
  2. \ +
  3. CWE-601
  4. \ +
  5. Port Swigger's vulnerability documentation
  6. \ +
  7. Wiki link for describing the purpose of URL Redirection
  8. \ +
  9. Open Redirection payload list
  10. \ +
  11. Adding domain as prefix case study
  12. \ +
\ + Some myths: Are URL shorteners \u201Cvulnerable\u201D due to open redirects?
+ + +URL_REDIRECTION_META_TAG_BASED_INJECTION=Meta Tag based Url Redirection. +URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG=Url Parameter is directly added to Meta Tag. + + + +# UNRESTRICTED_FILE_UPLOAD_VULNERABILITY +UNRESTRICTED_FILE_UPLOAD_VULNERABILITY=Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed.\ +
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.\ +

\ +Important Links:
\ +
  1. Owasp Wiki Link \ +
  2. Ebrahim Hegazy talk on Unrestricted File Uploads \ +
  3. Sans rules to implement secure file uploads \ +
+ +#### Attack Vector Description +UNRESTRICTED_FILE_UPLOAD_NO_VALIDATION_FILE_NAME=There is no validation on uploaded file's name. +UNRESTRICTED_FILE_UPLOAD_IF_NOT_HTML_FILE_EXTENSION=All file extensions are allowed except .html extensions. +UNRESTRICTED_FILE_UPLOAD_IF_NOT_HTML_NOT_HTM_FILE_EXTENSION=All file extensions are allowed except .html and .htm extensions. +UNRESTRICTED_FILE_UPLOAD_IF_NOT_HTML_NOT_HTM_FILE_EXTENSION_CASE_INSENSITIVE=All file extensions are allowed except case insensitive .html, .htm extensions. +UNRESTRICTED_FILE_UPLOAD_IF_FILE_NAME_NOT_CONTAINS_.PNG_OR_.JPEG_CASE_INSENSITIVE=Only file name is allowed if it contains case insensitive .jpeg or .png. +UNRESTRICTED_FILE_UPLOAD_IF_FILE_NAME_NOT_ENDS_WITH_.PNG_OR_.JPEG_CASE_INSENSITIVE_AND_FILE_NAMES_CONSIDERED_BEFORE_NULL_BYTE=Only file name is allowed if it ends with case insensitive .jpeg or .png and it is considered before Null Bytes only. +UNRESTRICTED_FILE_UPLOAD_IF_FILE_NAME_NOT_ENDS_WITH_.PNG_OR_.JPEG_CASE_INSENSITIVE=Only file name is allowed if it ends with case insensitive .jpeg or .png. + + +# XXE Vulnerability +XXE_VULNERABILITY=An XML External Entity attack is a type of attack against an \ +application that parses XML input. This attack occurs when XML input containing \ +a reference to an external entity is processed by a weakly configured XML parser. \ +This attack may lead to the disclosure of confidential data, denial of service, \ +server side request forgery, port scanning from the perspective of the machine where \ +the parser is located, and other system impacts.\ +

\ +Important Links:
\ +
  1. Owasp Wiki Link \ +
  2. HackHappy's video tutorial \ +
  3. Medium article by OneHackMan\ +
  4. Portswigger XXE documentation \ +
  5. Owasp Prevention cheat sheet\ +
+#### Attack Vector Description +XXE_NO_VALIDATION=There is no validation on the XML passed in request body. +XXE_DISABLE_GENERAL_ENTITY=Parser is disabled from processing general external entities. +XXE_DISABLE_GENERAL_AND_PARAMETER_ENTITY=Parser is disabled from processing general and parameter entities. + +# Path Traversal Attack +PATH_TRAVERSAL_VULNERABILITY=A directory traversal (or path traversal) consists in exploiting insufficient security validation/sanitization of user-supplied input file names, \ +such that characters representing "traverse to parent directory" are passed through to the file APIs. \ +

\ +The goal of this attack is to use an affected application to gain unauthorized access to the file system.

\ +Important Links:
\ +
  1. Wiki Link \ +
  2. Owasp Wiki Link \ +
+ +#### AttackVector description +PATH_TRAVERSAL_URL_PARAM_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended to path to read the file. +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value is directly appended if it doesn't contains "..", takes care of URL encoding too. + +PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended to path to read the file. +PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_PARENT_DIRECTORY_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "../". +PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..". +PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" which is URL encoding of "/". +PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_OR_%2F_CASE_INSENSITIVE_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains ".." or "%2f" or "%2F" which is URL encoding of "/". 
+PATH_TRAVERSAL_URL_PARAM_BEFORE_NULL_BYTE_IF_DOT_DOT_PATH_WITH_OR_WITHOUT_URL_ENCODING_NOT_PRESENT_DIRECTLY_INJECTED=\"fileName\" query param's value before Null Byte is directly appended if it doesn't contains "..", takes care of URL encoding too. + + +# Command Injection Attack +COMMAND_INJECTION_VULNERABILITY=Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system \ +via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) \ +to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. \ +Command injection attacks are possible largely due to insufficient input validation.

\ +Important Links on Command Injection Vulnerability :
\ +
  1. CWE-77 \ +
  2. Owasp Wiki Link \ +
+ +#### Attack vectors +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED=\"ipaddress\" query param's value is directly executed. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\" or space characters are not present in it. +COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26_%3B_%7C_CASE_INSENSITIVE_NOT_PRESENT=\"ipaddress\" query param's value is directly executed if \";\", \"&\", \"%26\", \"%3B\", \"%3b\", \"%7C\", \"%7c\" or space characters are not present in it. + + +# Local File Injection +#URL_BASED_LFI_INJECTION=Url based Local File Injection attack. +#LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. +#LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. + +# Local File Injection with Null Byte +#URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack. +#LFI_URL_PARAM_AND_NULL_BYTE_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file if containing Null Byte. +#LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. + +# Remote File Injection +URL_BASED_RFI_INJECTION=Url based Local File Injection attack. 
+ +# JWT Injection +JWT_INJECTION_VULNERABILITY=JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for \ +securely transmitting information between parties as a JSON object. This information can be verified and trusted because \ +it is digitally signed.There can be multiple things that can go wrong with the implementation of JWT and that can impact the Authentication or Authorization \ +of the application and result in complete compromise of the system.

Important Links on JWT : \ +
  1. Wiki Link \ +
  2. Jwt.io \ +
Important Links on Vulnerable implementations in JWT : \ +
    \
  1. JSON Web Token Best \ + Current Practices(ieft document) \ +
  2. \ + OWASP cheatsheet for vulnerabilities in JWT implementation \ +
  3. For \ + server side vulnerabilities in JWT implementations \ +
+ +#### AttackVector description +JWT_URL_EXPOSING_SECURE_INFORMATION=The request contains JWT token which is leaked in the URL. This can violate PCI and most organizational compliance policies. +COOKIE_CONTAINING_JWT_TOKEN_SECURITY_ATTRIBUTES_MISSING=Cookie based JWT token but without Secure/HttpOnly flags and also without cookie prefixes. +COOKIE_WITH_HTTPONLY_WITHOUT_SECURE_FLAG_BASED_JWT_VULNERABILITY=Cookie based JWT token but with HttpOnly flag but without Secure flag and also without cookie prefixes. +COOKIE_BASED_LOW_KEY_STRENGTH_JWT_VULNERABILITY=Cookie based JWT token signed using Weak key vulnerability. +COOKIE_BASED_NULL_BYTE_JWT_VULNERABILITY=Cookie based Null byte vulnerable JWT token validator. +COOKIE_BASED_NONE_ALGORITHM_JWT_VULNERABILITY=Cookie based None algorithm vulnerable JWT token validator. +COOKIE_BASED_KEY_CONFUSION_JWT_VULNERABILITY=Cookie based JWT token with Key confusion vulnerability. +COOKIE_BASED_FOR_JWK_HEADER_BASED_JWT_VULNERABILITY=Cookie based JWT token validator vulnerable to trusting JWK field without checking if public key provided is present in truststore or not. +COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY=Cookie based JWT token, vulnerable to empty token vulnerability attack. + + + +# SQL Injection Vulnerability +SQL_INJECTION_VULNERABILITY=A SQL injection attack consists of insertion or "injection" of a SQL query via the input data \ +from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), \ +execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present \ +on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, \ +in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. \ +Important Links on SQLInjection : \ +
  1. Wiki Link \ +
  2. Owasp SQLInjection \ +
  3. Joe McCray talk on SQLInjection\ +
  4. SQL Injection cheat sheet by netsparker\ +


\ Important Links on Prevention techniques : \ +
    \
  1. Owasp Prevention cheatsheet \ +
  2. \ + SQL Injection knowledge base \ +
+ +#### AttackVector description +ERROR_SQL_INJECTION_URL_PARAM_APPENDED_DIRECTLY_TO_QUERY=Query param is directly appended to the SQL Query causing exception in certain scenarios \ + and hence exposes the application data. +ERROR_SQL_INJECTION_URL_PARAM_WRAPPED_WITH_SINGLE_QUOTE_APPENDED_TO_QUERY=Query param is wrapped around "'" and then appended to the SQL Query causing exception in certain scenarios \ + and hence exposes the application data. +ERROR_SQL_INJECTION_URL_PARAM_REMOVES_SINGLE_QUOTE_WRAPPED_WITH_SINGLE_QUOTE_APPENDED_TO_QUERY=Single Quote is removed from Query param and then appended to SQL Query by wrapping \ + with "'". +ERROR_SQL_INJECTION_URL_PARAM_APPENDED_TO_PARAMETERIZED_QUERY=Query param is appended directly to the SQL Query and then a parameterized query is formed. This is to depict that \ + proper usage of PreparedStatement is important. + +UNION_SQL_INJECTION_URL_PARAM_APPENDED_DIRECTLY_TO_QUERY=Query param is directly appended to the Query and hence \"Union\" keyword can be used to club the results and \ +extract the application data. +UNION_SQL_INJECTION_URL_PARAM_WRAPPED_WITH_SINGLE_QUOTE_APPENDED_TO_QUERY=Query param is wrapped around "'" and then appended to the Query and hence \"Union\" keyword can be used to club the results and \ +extract the application data. +UNION_SQL_INJECTION_URL_PARAM_REMOVES_SINGLE_QUOTE_WITH_SINGLE_QUOTE_APPENDED_TO_QUERY=Single Quote is removed from Query param and then appended to SQL Query by wrapping around "'"\ + hence \"Union\" keyword can be used to club the results and extract the application data. + +BLIND_SQL_INJECTION_URL_PARAM_APPENDED_DIRECTLY_TO_QUERY=Query param is directly appended to the Query hence Query can be manipulated. +BLIND_SQL_INJECTION_URL_PARAM_WRAPPED_WITH_SINGLE_QUOTE_APPENDED_TO_QUERY=Query param is wrapped around "'" and then appended to the SQL Query hence query can be manipulated. 
+ + +#### SSRF Vulnerability +SSRF_VULNERABILITY=In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to \ +read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read \ +or submit data to, and by carefully selecting the URLs, the attacker may be able to read server \ +configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests \ +towards internal services which are not intended to be exposed. \ +Important Links on SSRF : \ +
    \ +
  1. Wiki Link \ +
  2. Owasp SSRF \ +
  3. SSRF (Server Side Request Forgery) by Musab Khan\ +
+SSRF_VULNERABILITY_URL_WITHOUT_CHECK=No validation on the provided URL.
+SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL=file:// protocol is not allowed for the provided URL.
+SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_169.254.169.254=file:// protocol as well as access to internal metadata service IP 169.254.169.254 is not allowed.
+SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_INTERNAL_METADATA_URL=file:// protocol as well as access to internal metadata service is not allowed.
+SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.
\ No newline at end of file
diff --git a/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.css b/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.css
new file mode 100644
index 00000000..e5d57b25
--- /dev/null
+++ b/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.css
@@ -0,0 +1,16 @@
+#SampleVulnerability {
+ color: black;
+ text-align: center;
+}
+
+#fetchDetails {
+ background: blueviolet;
+ display: inline-block;
+ padding: 8px 8px;
+ margin: 10px;
+ border: 2px solid transparent;
+ border-radius: 3px;
+ transition: 0.2s opacity;
+ color: #FFF;
+ font-size: 12px;
+}
\ No newline at end of file
diff --git a/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.html b/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.html
new file mode 100644
index 00000000..dddeea7d
--- /dev/null
+++ b/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.html
@@ -0,0 +1,9 @@
+
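Review bot: The new bundle is named `messages_kr.properties`, but the Java `Locale` language code for Korean is `ko` (`kr` is Kanuri), so a message source resolving `Accept-Language: ko` or `ko-KR` will look for `messages_ko.properties` / `messages_ko_KR.properties` and fall through to the default bundle; this file would only ever be selected for a `kr` locale. Rename it to `messages_ko.properties` (or `messages_ko_KR.properties`) and check that any locale list the UI exposes uses the same tag. Separately, only the exception-code labels at the top are translated: `XSS_VULNERABILITY` switches from Korean to English mid-sentence and every key after it appears to be the English text, so a Korean user would presumably see a mixed-language page. Either translate those keys or leave them out of this bundle so the default bundle supplies them, rather than shipping English under the Korean locale.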
+
+
+ This is a Sample Vulnerability. please add the UI components here. +
+ +
+
+
\ No newline at end of file
diff --git a/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.js b/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.js
new file mode 100644
index 00000000..78641721
--- /dev/null
+++ b/src/main/resources/static/templates/SampleVulnerability/LEVEL_1/SampleVulnerability.js
@@ -0,0 +1,23 @@
+function addingEventListenerToFetchData() {
+ document
+ .getElementById("fetchDetails")
+ .addEventListener("click", function () {
+ /**
+ * getUrlForVulnerabilityLevel() method provides url to call the Vulnerability Level
+ * of Sample Vulnerability.
+ * e.g. /VulnerableApp/SampleVulnerability/LEVEL_1 for LEVEL_1
+ */
+ let url = getUrlForVulnerabilityLevel();
+ /**
+ * doGetAjaxCall() method is used to do the ajax get call to the Vulnerability Level
+ */
+ doGetAjaxCall(fetchDataCallback, url + "?name=dummyInput", true);
+ });
+}
+// Used to register event on the button or any other component
+addingEventListenerToFetchData();
+
+//Callback function to handle the response and render in the UI
+function fetchDataCallback(data) {
+ document.getElementById("response").innerHTML = data.content;
+}
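Review bot: `fetchDataCallback` writes the server response into the page with `document.getElementById("response").innerHTML = data.content;`, which renders whatever `data.content` holds as markup. Because this file is the template new levels are copied from, every copy inherits that DOM sink by default; since the sample only echoes a plain string, use `document.getElementById("response").textContent = data.content;` and let a level that is deliberately about HTML rendering opt back into `innerHTML` with a comment saying so. `getUrlForVulnerabilityLevel` and `doGetAjaxCall` are not defined in this file, so I assume they come from a shared script loaded before it; a one-line comment naming that script would help whoever copies the template.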