
dotnet's Introduction

Vulnerable Java Web Application

This repository provides a simple and self-contained Java web application with security flaws common to mid-00's legacy projects that have not been updated.

The application uses Spring Boot and an embedded H2 database that resets every time it starts. If you break it, just restart and everything will be reset.

The application will run on HTTPS port 9000. If this port is not available, you will need to change the port in the application.properties file in the source folder. (If you are using Docker, you only need to map the container's port 9000 to a different port on the host.)

Running the application manually

If you have a Java 8 + Maven 3.x development environment, just import the project into your IDE and run the class com.github.rafaelrpinto.vulnerablejavawebapp.config.AppLauncher.

Running with docker

If your workstation is not configured for Java 8 development, the easiest way to run the application is with Docker.

# gets the code
git clone https://github.com/rafaelrpinto/VulnerableJavaWebApplication
cd VulnerableJavaWebApplication

# creates the docker image
docker build -t vulnerable-java-application:0.1 .

# creates/starts the container
docker run --name vulnerable-java-application -p 9000:9000 -d vulnerable-java-application:0.1

Testing the application with Arachni and ModSecurity

The ARACHNI.MD file has an example of a default security scan with automatic login and other tweaks enabled. For more scanning options, check https://github.com/Arachni/arachni.

The ModSecurity scripts to protect this application are available in my other repository.

The article I wrote explaining how to use Arachni to check this application is available on LinkedIn.

If there is any problem running the application, or you want to add more security flaws, feel free to open an issue or send a pull request.

dotnet's People

Contributors

prevelate

dotnet's Issues

CX Insecure_Cookie @ dvcsharp-api-master/Startup.cs [master]

Insecure_Cookie issue exists @ dvcsharp-api-master/Startup.cs in branch master

The dvcsharp-api-master\Startup.cs application configuration file, at line 20, does not define sensitive application cookies with the "secure" flag, which could cause the client to send those cookies in plaintext over an insecure network communication (HTTP). This may lead to a Session Hijacking attack.

Severity: Medium

CWE:614

Vulnerability details and guidance

Checkmarx

Lines: 20


Code (Line #20):

    public class Startup

CX Insufficiently_Protected_Credentials @ dvcsharp-api-master/Models/User.cs [master]

Insufficiently_Protected_Credentials issue exists @ dvcsharp-api-master/Models/User.cs in branch master

Method authorizeCreateAccessToken at line 79 of dvcsharp-api-master\Models\User.cs gets a user password from the FirstOrDefault element. This element’s value then flows through the code without being encrypted and is written to the database in } at line 29 of dvcsharp-api-master\Models\User.cs. This may enable passwords to be stolen by an attacker.

Severity: Low

CWE:522

Vulnerability details and guidance

Checkmarx

Lines: 86


Code (Line #86):

            FirstOrDefault();

CX Heap_Inspection @ dvcsharp-api-master/Models/PasswordResetRequest.cs [master]

Heap_Inspection issue exists @ dvcsharp-api-master/Models/PasswordResetRequest.cs in branch master

Method } at line 11 of dvcsharp-api-master\Models\PasswordResetRequest.cs defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.

Severity: Medium

CWE:244

Vulnerability details and guidance

Checkmarx

Lines: 11 12


Code (Line #11):

      public string password { get; set; }

Code (Line #12):

      public string passwordConfirmation { get; set; }

CX Improper_Resource_Shutdown_or_Release @ dvcsharp-api-master/Controllers/ProductsController.cs [master]

Improper_Resource_Shutdown_or_Release issue exists @ dvcsharp-api-master/Controllers/ProductsController.cs in branch master

The application's Import method in dvcsharp-api-master\Controllers\ProductsController.cs defines and initializes the reader object at 80. This object encapsulates a limited computing resource, such as open file streams, database connections, or network streams. This resource is not properly closed and released in all situations.

Severity: High

CWE:404

Vulnerability details and guidance

Checkmarx

Lines: 82


Code (Line #82):

         XmlReader reader = XmlReader.Create(HttpContext.Request.Body);

CX Improper_Exception_Handling @ dvcsharp-api-master/Controllers/RegistrationsController.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Controllers/RegistrationsController.cs in branch master

The method Post at line 22 of dvcsharp-api-master\Controllers\RegistrationsController.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 45 46 30


Code (Line #45):

         _context.Users.Add(user);

Code (Line #46):

         _context.SaveChanges();

Code (Line #30):

            Where(b => b.email == registrationRequest.email).

CX Improper_Exception_Handling @ dvcsharp-api-master/Controllers/ProductsController.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Controllers/ProductsController.cs in branch master

The method Post at line 32 of dvcsharp-api-master\Controllers\ProductsController.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 48 49 40


Code (Line #48):

         _context.Products.Add(product);

Code (Line #49):

         _context.SaveChanges();

Code (Line #40):

            Where(b => (b.name == product.name) || (b.skuId == product.skuId)).

CX Improper_Exception_Handling @ dvcsharp-api-master/Controllers/TokensController.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Controllers/TokensController.cs in branch master

The method TokenInfo at line 24 of dvcsharp-api-master\Controllers\TokensController.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 29


Code (Line #29):

               Where(b => b.email == email).

CX Blind_SQL_Injections @ dvcsharp-api-master/Controllers/ProductsController.cs [master]

Blind_SQL_Injections issue exists @ dvcsharp-api-master/Controllers/ProductsController.cs in branch master

The application's Search method executes an SQL query with query, at line 65 of dvcsharp-api-master\Controllers\ProductsController.cs. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
If an exception is thrown by the database code, it is caught and handled. An attacker could still use inferential or boolean exploitation techniques to retrieve the data, by altering the user input keyword. This is read in the Search method, at line 65 of dvcsharp-api-master\Controllers\ProductsController.cs, and used without sanitization in the SQL query that is sent to the database server. 
This may enable a Blind SQL Injection attack.

Severity: Low

CWE:89

Vulnerability details and guidance

Checkmarx

Lines: 65


Code (Line #65):

      public IActionResult Search(string keyword)

CX Heap_Inspection @ dvcsharp-api-master/Models/RegistrationRequest.cs [master]

Heap_Inspection issue exists @ dvcsharp-api-master/Models/RegistrationRequest.cs in branch master

Method } at line 17 of dvcsharp-api-master\Models\RegistrationRequest.cs defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.

Severity: Medium

CWE:244

Vulnerability details and guidance

Checkmarx

Lines: 17 21


Code (Line #17):

      public string password { get; set; }

Code (Line #21):

      public string passwordConfirmation { get; set; }

CX Improper_Resource_Shutdown_or_Release @ dvcsharp-api-master/Controllers/ImportsController.cs [master]

Improper_Resource_Shutdown_or_Release issue exists @ dvcsharp-api-master/Controllers/ImportsController.cs in branch master

The application's Post method in dvcsharp-api-master\Controllers\ImportsController.cs defines and initializes the XmlTextReader object at 26. This object encapsulates a limited computing resource, such as open file streams, database connections, or network streams. This resource is not properly closed and released in all situations.

Severity: Low

CWE:404

Vulnerability details and guidance

Checkmarx

Lines: 44


Code (Line #44):

            var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));

CX Heap_Inspection @ dvcsharp-api-master/Models/User.cs [master]

Heap_Inspection issue exists @ dvcsharp-api-master/Models/User.cs in branch master

Method } at line 29 of dvcsharp-api-master\Models\User.cs defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.

Severity: Medium

CWE:244

Vulnerability details and guidance

Checkmarx

Lines: 29


Code (Line #29):

      public string password { get; set; }

CX Improper_Exception_Handling @ dvcsharp-api-master/Controllers/PasswordResetsController.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Controllers/PasswordResetsController.cs in branch master

The method Put at line 23 of dvcsharp-api-master\Controllers\PasswordResetsController.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 51 85 86 71 56 57 43


Code (Line #51):

            Where(b => b.email == resetRequest.email).

Code (Line #85):

         _context.PasswordResetRequests.Add(passwordResetRequest);

Code (Line #86):

         _context.SaveChanges();

Code (Line #71):

            Where(b => b.email == passwordResetRequest.email).

Code (Line #56):

         _context.Users.Update(existingUser);

Code (Line #57):

         _context.SaveChanges();

Code (Line #43):

            Where(b => b.key == passwordResetRequest.key).FirstOrDefault();

CX Improper_Exception_Handling @ dvcsharp-api-master/Controllers/UsersController.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Controllers/UsersController.cs in branch master

The method Put at line 33 of dvcsharp-api-master\Controllers\UsersController.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 65 49 66 50


Code (Line #65):

         _context.Users.Remove(user);

Code (Line #49):

         _context.Users.Update(existingUser);

Code (Line #66):

         _context.SaveChanges();

Code (Line #50):

         _context.SaveChanges();

CX HttpOnlyCookies @ dvcsharp-api-master/Startup.cs [master]

HttpOnlyCookies issue exists @ dvcsharp-api-master/Startup.cs in branch master

The web application's Startup method creates a cookie Startup, at line 20 of dvcsharp-api-master\Startup.cs, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

Severity: Medium

CWE:1004

Vulnerability details and guidance

Checkmarx

Lines: 20


Code (Line #20):

    public class Startup

CX Unsafe_Object_Binding @ dvcsharp-api-master/Controllers/ProductsController.cs [master]

Unsafe_Object_Binding issue exists @ dvcsharp-api-master/Controllers/ProductsController.cs in branch master

The Post at dvcsharp-api-master\Controllers\ProductsController.cs in line 32 may unintentionally allow setting the value of SaveChanges in Post, in the object dvcsharp-api-master\Controllers\ProductsController.cs at line 32.

Severity: Medium

CWE:915

Vulnerability details and guidance

Checkmarx

Lines: 32


Code (Line #32):

      public IActionResult Post([FromBody] Product product)

CX Improper_Exception_Handling @ dvcsharp-api-master/Models/User.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Models/User.cs in branch master

The method authorizeCreateAccessToken at line 79 of dvcsharp-api-master\Models\User.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 85


Code (Line #85):

            Where(b => b.email == authorizationRequest.email).

CX Unsafe_Object_Binding @ dvcsharp-api-master/Controllers/PasswordResetsController.cs [master]

Unsafe_Object_Binding issue exists @ dvcsharp-api-master/Controllers/PasswordResetsController.cs in branch master

The Put at dvcsharp-api-master\Controllers\PasswordResetsController.cs in line 23 may unintentionally allow setting the value of SaveChanges in Put, in the object dvcsharp-api-master\Controllers\PasswordResetsController.cs at line 23.

Severity: Medium

CWE:915

Vulnerability details and guidance

Checkmarx

Lines: 23 63


Code (Line #23):

      public IActionResult Put([FromBody] PasswordResetRequest passwordResetRequest)

Code (Line #63):

      public IActionResult Post([FromBody] PasswordResetRequest passwordResetRequest)

CX Use_Of_Broken_Or_Risky_Cryptographic_Algorithm @ dvcsharp-api-master/Models/User.cs [master]

Use_Of_Broken_Or_Risky_Cryptographic_Algorithm issue exists @ dvcsharp-api-master/Models/User.cs in branch master

In getHashedPassword, the application protects sensitive data using a cryptographic algorithm, ComputeHash, that is considered weak or even trivially broken, in dvcsharp-api-master\Models\User.cs at line 71.

Severity: Low

CWE:327

Vulnerability details and guidance

Checkmarx

Lines: 74


Code (Line #74):

         var hash = md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(password));

CX Heap_Inspection @ dvcsharp-api-master/Models/UserUpdateRequest.cs [master]

Heap_Inspection issue exists @ dvcsharp-api-master/Models/UserUpdateRequest.cs in branch master

Method } at line 20 of dvcsharp-api-master\Models\UserUpdateRequest.cs defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.

Severity: Medium

CWE:244

Vulnerability details and guidance

Checkmarx

Lines: 20 24


Code (Line #20):

      public string password { get; set; }

Code (Line #24):

      public string passwordConfirmation { get; set; }

CX Heap_Inspection @ dvcsharp-api-master/Models/AuthorizationRequest.cs [master]

Heap_Inspection issue exists @ dvcsharp-api-master/Models/AuthorizationRequest.cs in branch master

Method } at line 13 of dvcsharp-api-master\Models\AuthorizationRequest.cs defines password, which is designated to contain user passwords. However, while plaintext passwords are later assigned to password, this variable is never cleared from memory.

Severity: Medium

CWE:244

Vulnerability details and guidance

Checkmarx

Lines: 13


Code (Line #13):

      public string password { get; set; }

CX SQL_Injection @ dvcsharp-api-master/Controllers/ProductsController.cs [master]

SQL_Injection issue exists @ dvcsharp-api-master/Controllers/ProductsController.cs in branch master

The application's Search method executes an SQL query with query, at line 65 of dvcsharp-api-master\Controllers\ProductsController.cs. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
An attacker would be able to inject arbitrary syntax and data into the SQL query, by crafting a malicious payload and providing it via the input keyword; this input is then read by the Search method at line 65 of dvcsharp-api-master\Controllers\ProductsController.cs. This input then flows through the code, into a query and to the database server - without sanitization.
This may enable an SQL Injection attack.

Severity: High

CWE:89

Vulnerability details and guidance

Checkmarx

Lines: 65


Code (Line #65):

      public IActionResult Search(string keyword)

CX Use_Of_Broken_Or_Risky_Cryptographic_Algorithm @ dvcsharp-api-master/Controllers/PasswordResetsController.cs [master]

Use_Of_Broken_Or_Risky_Cryptographic_Algorithm issue exists @ dvcsharp-api-master/Controllers/PasswordResetsController.cs in branch master

In Post, the application protects sensitive data using a cryptographic algorithm, ComputeHash, that is considered weak or even trivially broken, in dvcsharp-api-master\Controllers\PasswordResetsController.cs at line 63.

Severity: Low

CWE:327

Vulnerability details and guidance

Checkmarx

Lines: 80


Code (Line #80):

         var hash = md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(passwordResetRequest.email));

CX Unsafe_Object_Binding @ dvcsharp-api-master/Controllers/RegistrationsController.cs [master]

Unsafe_Object_Binding issue exists @ dvcsharp-api-master/Controllers/RegistrationsController.cs in branch master

The Post at dvcsharp-api-master\Controllers\RegistrationsController.cs in line 22 may unintentionally allow setting the value of SaveChanges in Post, in the object dvcsharp-api-master\Controllers\RegistrationsController.cs at line 22.

Severity: Medium

CWE:915

Vulnerability details and guidance

Checkmarx

Lines: 22


Code (Line #22):

      public IActionResult Post([FromBody] RegistrationRequest registrationRequest)

CX Improper_Exception_Handling @ dvcsharp-api-master/Controllers/AuthorizationsController.cs [master]

Improper_Exception_Handling issue exists @ dvcsharp-api-master/Controllers/AuthorizationsController.cs in branch master

The method GetTokenSSO at line 41 of dvcsharp-api-master\Controllers\AuthorizationsController.cs performs an operation that could be expected to throw an exception, and is not properly wrapped in a try-catch block. This constitutes Improper Exception Handling.

Severity: Low

CWE:248

Vulnerability details and guidance

Checkmarx

Lines: 58


Code (Line #58):

            Where(b => b.ID == userId.ToObject<int>()).

CX Unsafe_Object_Binding @ dvcsharp-api-master/Controllers/UsersController.cs [master]

Unsafe_Object_Binding issue exists @ dvcsharp-api-master/Controllers/UsersController.cs in branch master

The Put at dvcsharp-api-master\Controllers\UsersController.cs in line 33 may unintentionally allow setting the value of SaveChanges in Put, in the object dvcsharp-api-master\Controllers\UsersController.cs at line 33.

Severity: Medium

CWE:915

Vulnerability details and guidance

Checkmarx

Lines: 33 57


Code (Line #33):

      public IActionResult Put(int id, [FromBody] Models.UserUpdateRequest user)

Code (Line #57):

      public IActionResult Delete(int id)
