From 7d8ccc43834610152a82ed09154a82916dcf6744 Mon Sep 17 00:00:00 2001 
From: karan preet singh sasan Date: Mon, 16 Nov 2020 16:48:14 +0530 Subject: [PATCH] Immediate release for testing --- .../VulnerableAppRestController.java | 5 +- .../internal/utility/GenericUtils.java | 2 + .../impl/EndPointsInformationProvider.java | 5 +- .../openRedirect/ClientSideInjection.java | 3 + .../Http3xxStatusCodeBasedInjection.java | 2 +- .../openRedirect/MetaTagBasedInjection.java | 68 +++++++++++++++++++ .../RefreshHeaderBasedInjection.java | 3 + .../urlRedirection/ClientSideInjection.java | 3 - .../urlRedirection/MetaTagBasedInjection.java | 38 ----------- .../RefreshHeaderBasedInjection.java | 3 - src/main/resources/i18n/messages.properties | 20 ++++++ .../resources/i18n/messages_en_US.properties | 20 ++++++ .../Http3xxStatusCodeBasedInjection.html | 4 +- .../LEVEL_1/MetaTagBasedInjection.css | 9 +++ .../LEVEL_1/MetaTagBasedInjection.html | 21 ++++++ .../LEVEL_1/MetaTagBasedInjection.js | 7 ++ src/main/resources/static/vulnerableApp.js | 8 +-- 17 files changed, 164 insertions(+), 57 deletions(-) create mode 100755 src/main/java/org/sasanlabs/service/vulnerability/openRedirect/ClientSideInjection.java rename src/main/java/org/sasanlabs/service/vulnerability/{urlRedirection => openRedirect}/Http3xxStatusCodeBasedInjection.java (99%) create mode 100644 src/main/java/org/sasanlabs/service/vulnerability/openRedirect/MetaTagBasedInjection.java create mode 100755 src/main/java/org/sasanlabs/service/vulnerability/openRedirect/RefreshHeaderBasedInjection.java delete mode 100755 src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/ClientSideInjection.java delete mode 100644 src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/MetaTagBasedInjection.java delete mode 100755 src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/RefreshHeaderBasedInjection.java create mode 100644 src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.css create mode 100644 
src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.html
create mode 100644 src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.js
diff --git a/src/main/java/org/sasanlabs/controller/VulnerableAppRestController.java b/src/main/java/org/sasanlabs/controller/VulnerableAppRestController.java
index b78bc998..1222013e 100755
--- a/src/main/java/org/sasanlabs/controller/VulnerableAppRestController.java
+++ b/src/main/java/org/sasanlabs/controller/VulnerableAppRestController.java
@@ -1,7 +1,6 @@
 package org.sasanlabs.controller;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
-import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.List;
@@ -9,6 +8,7 @@
 import org.sasanlabs.beans.ScannerMetaResponseBean;
 import org.sasanlabs.beans.ScannerResponseBean;
 import org.sasanlabs.internal.utility.FrameworkConstants;
+import org.sasanlabs.internal.utility.GenericUtils;
 import org.sasanlabs.internal.utility.JSONSerializationUtils;
 import org.sasanlabs.internal.utility.annotations.RequestParameterLocation;
 import org.sasanlabs.service.IEndPointsInformationProvider;
@@ -111,7 +111,6 @@ public String sitemapForPassiveScanners() throws JsonProcessingException, Unknow
                 new StringBuilder(
                         FrameworkConstants.GENERAL_XML_HEADER
                                 + FrameworkConstants.SITEMAP_URLSET_TAG_START);
-        String ipAddress = InetAddress.getLocalHost().getHostAddress();
         for (AllEndPointsResponseBean endPoint : allEndPoints) {
             endPoint.getLevelDescriptionSet()
                     .forEach(
@@ -122,7 +121,7 @@ public String sitemapForPassiveScanners() throws JsonProcessingException, Unknow
                                 .append(FrameworkConstants.SITEMAP_LOC_TAG_START)
                                 .append(FrameworkConstants.NEXT_LINE)
                                 .append(FrameworkConstants.HTTP)
-                                .append(ipAddress)
+                                .append(GenericUtils.LOCALHOST)
                                 .append(FrameworkConstants.COLON)
                                 .append(port)
                                 .append(FrameworkConstants.SLASH)
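Review bot: Hard-coding `GenericUtils.LOCALHOST` into the sitemap `<loc>` (the `.append(GenericUtils.LOCALHOST)` line) makes every advertised URL point at 127.0.0.1, which is only right when the scanner runs in the same host and network namespace as the app; a scanner on another machine, or outside the app's container, is pointed at its own loopback instead. The removed `InetAddress.getLocalHost().getHostAddress()` had the opposite problem (it can pick a non-loopback interface and publish an internal address), so rather than guessing either way the host should come from the incoming request or from a configurable base-URL property, e.g. `String host = baseUrlProperty != null ? baseUrlProperty : GenericUtils.LOCALHOST;` with the property documented. With the `InetAddress` call gone, the `throws … UnknownHostException` visible in the hunk's signature context appears to have no remaining thrower and can probably be dropped once the rest of the body is checked. `sitemapForPassiveScanners` starts before this hunk and continues after it.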
diff --git a/src/main/java/org/sasanlabs/internal/utility/GenericUtils.java b/src/main/java/org/sasanlabs/internal/utility/GenericUtils.java
index c768fab1..2c6f9de5 100755
--- a/src/main/java/org/sasanlabs/internal/utility/GenericUtils.java
+++ b/src/main/java/org/sasanlabs/internal/utility/GenericUtils.java
@@ -7,6 +7,8 @@
  */
 public class GenericUtils {
 
+    public static final String LOCALHOST = "127.0.0.1";
+
     /**
      * @deprecated
      * @param payload
diff --git a/src/main/java/org/sasanlabs/service/impl/EndPointsInformationProvider.java b/src/main/java/org/sasanlabs/service/impl/EndPointsInformationProvider.java
index a96f2b1f..3803b8ef 100755
--- a/src/main/java/org/sasanlabs/service/impl/EndPointsInformationProvider.java
+++ b/src/main/java/org/sasanlabs/service/impl/EndPointsInformationProvider.java
@@ -2,7 +2,6 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import java.lang.reflect.Method;
-import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -15,6 +14,7 @@
 import org.sasanlabs.configuration.VulnerableAppProperties;
 import org.sasanlabs.internal.utility.EnvUtils;
 import org.sasanlabs.internal.utility.FrameworkConstants;
+import org.sasanlabs.internal.utility.GenericUtils;
 import org.sasanlabs.internal.utility.MessageBundle;
 import org.sasanlabs.internal.utility.annotations.AttackVector;
 import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
@@ -111,7 +111,6 @@ public List getScannerRelatedEndPointInformation()
             throws JsonProcessingException, UnknownHostException {
         List allEndPointsResponseBeans = this.getSupportedEndPoints();
         List scannerResponseBeans = new ArrayList<>();
-        String ipAddress = InetAddress.getLocalHost().getHostAddress();
         for (AllEndPointsResponseBean allEndPointsResponseBean : allEndPointsResponseBeans) {
             for (LevelResponseBean levelResponseBean :
                     allEndPointsResponseBean.getLevelDescriptionSet()) {
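Review bot: The new `LOCALHOST` constant carries no Javadoc, so nothing records that it is an IPv4 loopback literal used as the host of scanner-facing URLs or why a fixed address is acceptable there. I would add `/** Loopback host written into scanner-facing URLs; correct only when the scanner reaches the app on the same host. IPv4 only — an IPv6-only bind would need "::1". */` above the field. The other pieces those URLs are assembled from (`FrameworkConstants.HTTP`, `COLON`, `SLASH`, as the other hunks in this commit show) live in `FrameworkConstants`, so that class is arguably the more consistent home for this constant than a utility class otherwise holding deprecated helpers.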
@@ -121,7 +120,7 @@ public List getScannerRelatedEndPointInformation()
                             new ScannerResponseBean(
                                     new StringBuilder()
                                             .append(FrameworkConstants.HTTP)
-                                            .append(ipAddress)
+                                            .append(GenericUtils.LOCALHOST)
                                             .append(FrameworkConstants.COLON)
                                             .append(port)
                                             .append(FrameworkConstants.SLASH)
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/ClientSideInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/ClientSideInjection.java
new file mode 100755
index 00000000..62902726
--- /dev/null
+++ b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/ClientSideInjection.java
@@ -0,0 +1,3 @@
+package org.sasanlabs.service.vulnerability.openRedirect;
+
+public class ClientSideInjection {}
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/Http3xxStatusCodeBasedInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java
similarity index 99%
rename from src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/Http3xxStatusCodeBasedInjection.java
rename to src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java
index 57e2a107..6b101948 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/Http3xxStatusCodeBasedInjection.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjection.java
@@ -1,4 +1,4 @@
-package org.sasanlabs.service.vulnerability.urlRedirection;
+package org.sasanlabs.service.vulnerability.openRedirect;
 
 import static org.sasanlabs.vulnerability.utils.Constants.NULL_BYTE_CHARACTER;
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/MetaTagBasedInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/MetaTagBasedInjection.java
new file mode 100644
index 00000000..5da92d27
--- /dev/null
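Review bot: The `.append(FrameworkConstants.HTTP).append(GenericUtils.LOCALHOST).append(FrameworkConstants.COLON).append(port).append(FrameworkConstants.SLASH)` chain here is the same one this commit edits in `VulnerableAppRestController.sitemapForPassiveScanners`, and both call sites had to be touched just to change the host. Extracting one helper, e.g. `GenericUtils.baseUrl(port)` that returns `FrameworkConstants.HTTP + LOCALHOST + FrameworkConstants.COLON + port + FrameworkConstants.SLASH`, would let the host choice (and any later move to a request-derived or configurable host) change in a single place. The enclosing `getScannerRelatedEndPointInformation` method starts before this hunk and its body continues after it.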
+++ b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/MetaTagBasedInjection.java
@@ -0,0 +1,68 @@
+package org.sasanlabs.service.vulnerability.openRedirect;
+
+/**
+ * This class contains the vulnerabilities related to Open Redirects. Redirects implemented by this
+ * class are based on {@code Meta Tag}.
+ * Important Links:
+ * 1. WASC-38 + *
+ * 2. CWE-601
+ * 3. Port + * Swigger's vulnerability documentation
+ * 4. Wiki link for describing the purpose + * of URL Redirection
+ * 5. Payloads for Open + * Redirect
+ * 6. Meta tag + * based Redirects vs 3XX redirects
+ *
+ * Some myths: Are + * URL shorteners “vulnerable” due to open redirects?
+ *
+ * Note: as we have implemented entire architecture around the Ajax calls hence there is no direct + * way to provide the User Interface for URL Redirect Vulnerability hence these will be exposed as + * an API and user can follow instructions suggested in UI for exploiting this Vulnerability. + * + * @author preetkaran20@gmail.com KSASAN + */ +// @VulnerableAppRestController( +// descriptionLabel = "OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED", +// value = "MetaTagBasedInjection", +// type = {VulnerabilityType.OPEN_REDIRECT}) +public class MetaTagBasedInjection { + + // private static final String META_TAG_PAYLOAD = + // " + // VulnerableApp Job is Running %s "; + // + // private static final String STATUS = "status"; + // + // @VulnerableAppRequestMapping( + // value = LevelConstants.LEVEL_1, + // descriptionLabel = "URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG") + // public ResponseEntity getVulnerablePayloadLevel1( + // @RequestParam(value = STATUS, required = false) String statusUrl) { + // return new ResponseEntity<>( + // String.format( + // META_TAG_PAYLOAD, statusUrl == null ? "" : "url=" + statusUrl, new + // Date()), + // HttpStatus.OK); + // } + // + // @VulnerableAppRequestMapping( + // value = LevelConstants.LEVEL_2, + // descriptionLabel = "URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG") + // public ResponseEntity getVulnerablePayloadLevel( + // @RequestParam Map queryParams) { + // Iterator> iterator = queryParams.entrySet().iterator(); + // String metaTag = ""; + // if (iterator.hasNext()) { + // Entry entry = iterator.next(); + // metaTag = String.format(META_TAG_PAYLOAD, entry.getValue()); + // } + // return new ResponseEntity<>( + // GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(metaTag), + // HttpStatus.OK); + // } +} 
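Review bot: The entire new file is commented-out code — the `@VulnerableAppRestController` annotation and both handlers sit behind `//` — so nothing is registered, yet this same commit adds the `OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED` messages and the `templates/MetaTagBasedInjection/LEVEL_1` assets that presumably advertise this level; either finish the class or keep it out of the release rather than shipping dead code. Two things to correct when it is re-enabled: the commented Level-2 body calls `String.format(META_TAG_PAYLOAD, entry.getValue())` with one argument while Level 1 passes two (`"url=" + statusUrl` and `new Date()`), so if the payload carries two `%s` placeholders Level 2 will throw `MissingFormatArgumentException`; and `new Date()` should become `java.time.Instant.now()` rather than adding a `java.util.Date` usage. Because `statusUrl` is formatted into the meta `content` attribute with no encoding (unless something not shown here escapes it), the page also permits attribute break-out, i.e. HTML injection, not only an open redirect — worth stating in the class Javadoc so solvers and scanner rules classify findings correctly. Minor: `Port Swigger` in the Javadoc should read `PortSwigger`.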
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/RefreshHeaderBasedInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/RefreshHeaderBasedInjection.java
new file mode 100755
index 00000000..b1435517
--- /dev/null
+++ b/src/main/java/org/sasanlabs/service/vulnerability/openRedirect/RefreshHeaderBasedInjection.java
@@ -0,0 +1,3 @@
+package org.sasanlabs.service.vulnerability.openRedirect;
+
+public class RefreshHeaderBasedInjection {}
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/ClientSideInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/ClientSideInjection.java
deleted file mode 100755
index 581eeea1..00000000
--- a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/ClientSideInjection.java
+++ /dev/null
@@ -1,3 +0,0 @@
-package org.sasanlabs.service.vulnerability.urlRedirection;
-
-public class ClientSideInjection {}
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/MetaTagBasedInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/MetaTagBasedInjection.java
deleted file mode 100644
index 22367ed1..00000000
--- a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/MetaTagBasedInjection.java
+++ /dev/null
@@ -1,38 +0,0 @@
-package org.sasanlabs.service.vulnerability.urlRedirection;
-
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Map.Entry;
-import org.sasanlabs.internal.utility.GenericUtils;
-import org.sasanlabs.internal.utility.LevelConstants;
-import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
-import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController;
-import org.sasanlabs.vulnerability.types.VulnerabilityType;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.RequestParam;
-
-@VulnerableAppRestController(
-        descriptionLabel = "URL_REDIRECTION_META_TAG_BASED_INJECTION",
-        value = "MetaTagBasedInjection",
-        type = {VulnerabilityType.OPEN_REDIRECT})
-public class MetaTagBasedInjection {
-
-    private static final String META_TAG_PAYLOAD =
-            "";
-
-    @VulnerableAppRequestMapping(
-            value = LevelConstants.LEVEL_1,
-            descriptionLabel = "URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG")
-    public ResponseEntity getVulnerablePayloadLevelUnsecure(
-            @RequestParam Map queryParams) {
-        Iterator> iterator = queryParams.entrySet().iterator();
-        String metaTag = "";
-        if (iterator.hasNext()) {
-            Entry entry = iterator.next();
-            metaTag = String.format(META_TAG_PAYLOAD, entry.getValue());
-        }
-        return new ResponseEntity<>(
-                GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(metaTag), HttpStatus.OK);
-    }
-}
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/RefreshHeaderBasedInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/RefreshHeaderBasedInjection.java
deleted file mode 100755
index ab633539..00000000
--- a/src/main/java/org/sasanlabs/service/vulnerability/urlRedirection/RefreshHeaderBasedInjection.java
+++ /dev/null
@@ -1,3 +0,0 @@
-package org.sasanlabs.service.vulnerability.urlRedirection;
-
-public class RefreshHeaderBasedInjection {}
diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index 43178032..4c214aa3 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties @@ -94,6 +94,26 @@ OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_ ## Meta Tag based URL Redirection +OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED=Open redirection vulnerabilities arise when an application incorporates user-controllable \ +data into the target of a redirection in an unsafe way.
An attacker can construct a URL within the application that \ +causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
\ +The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to \ +the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. \ +

An HTML meta element which specifies the time in seconds before the browser is to refresh the page. \ +Providing an alternate URI allows the element to be used as a timed URL redirector. \ +For example, in the following example the browser will redirect to example.com after 5 seconds:
\ + <meta http-equiv="refresh" content="5;url=http://example.com">

\ + Important Links:
    \ +
  1. WASC-38
  2. \ +
  3. CWE-601
  4. \ +
  5. Port Swigger's vulnerability documentation
  6. \ +
  7. Wiki link for describing the purpose of URL Redirection
  8. \ +
  9. Open Redirection payload list
  10. \ +
  11. Adding domain as prefix case study
  12. \ +
\ + Some myths: Are URL shorteners \u201Cvulnerable\u201D due to open redirects?
+ + URL_REDIRECTION_META_TAG_BASED_INJECTION=Meta Tag based Url Redirection. URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG=Url Parameter is directly added to Meta Tag. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index 43178032..4c214aa3 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties @@ -94,6 +94,26 @@ OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADDED_TO_LOCATION_HEADER_BY_ADDING_DOMAIN_AS_ ## Meta Tag based URL Redirection +OPEN_REDIRECTION_VULNERABILITY_META_TAG_BASED=Open redirection vulnerabilities arise when an application incorporates user-controllable \ +data into the target of a redirection in an unsafe way.
An attacker can construct a URL within the application that \ +causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
\ +The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to \ +the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. \ +

An HTML meta element which specifies the time in seconds before the browser is to refresh the page. \ +Providing an alternate URI allows the element to be used as a timed URL redirector. \ +For example, in the following example the browser will redirect to example.com after 5 seconds:
\ + <meta http-equiv="refresh" content="5;url=http://example.com">

\ + Important Links:
    \ +
  1. WASC-38
  2. \ +
  3. CWE-601
  4. \ +
  5. Port Swigger's vulnerability documentation
  6. \ +
  7. Wiki link for describing the purpose of URL Redirection
  8. \ +
  9. Open Redirection payload list
  10. \ +
  11. Adding domain as prefix case study
  12. \ +
\ + Some myths: Are URL shorteners \u201Cvulnerable\u201D due to open redirects?
+ + URL_REDIRECTION_META_TAG_BASED_INJECTION=Meta Tag based Url Redirection. URL_REDIRECTION_URL_PARAMETER_INJECTION_INTO_META_TAG=Url Parameter is directly added to Meta Tag. diff --git a/src/main/resources/static/templates/Http3xxStatusCodeBasedInjection/LEVEL_1/Http3xxStatusCodeBasedInjection.html b/src/main/resources/static/templates/Http3xxStatusCodeBasedInjection/LEVEL_1/Http3xxStatusCodeBasedInjection.html index cead7d12..562ab931 100644 --- a/src/main/resources/static/templates/Http3xxStatusCodeBasedInjection/LEVEL_1/Http3xxStatusCodeBasedInjection.html +++ b/src/main/resources/static/templates/Http3xxStatusCodeBasedInjection/LEVEL_1/Http3xxStatusCodeBasedInjection.html @@ -8,9 +8,9 @@ For Vulnerability scanning tools this might not be an issue as scanning tools can work on Api calls but to illustrate this attack to students/security enthusiasts we have provided a way to do the same. - Please Visit URL: + Please Visit URL:

To think on why - redirection is required or in other words usecase of the attack, + redirection is required or in other words usecase of the redirection functionality, consider a website which is having a login page and say you are logged in into the website but now due to 10 minutes of inactivity, website has forced logout and sent you to login page. Now when you login diff --git a/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.css b/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.css new file mode 100644 index 00000000..27c08a77 --- /dev/null +++ b/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.css @@ -0,0 +1,9 @@ +#MetaTagBasedInjection { + color: black; + text-align: left; + font-size: 18px; + font-weight: normal; +} +#mindset { + font-weight: bold; +} \ No newline at end of file diff --git a/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.html b/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.html new file mode 100644 index 00000000..0cb148ac --- /dev/null +++ b/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.html @@ -0,0 +1,21 @@ +
+
+ Interaction between frontend and backend is done using Ajax calls and + this generic structure applies everywhere across Owasp VulnerableApp. + Because of that all the http status code or header based redirects + doesn't work out of the box and hence we had not implemented it. +

+ For Vulnerability scanning tools this might not be an issue as + scanning tools can work on Api calls but to illustrate this attack to + students/security enthusiasts we have provided a way to do the same. + Please Visit URL: +

To think on why redirection using meta tag is required or in other words the usecase + of url redirection functionality, consider a website which is having a functionality to show the + progress/status of any background job and to achieve this website is refreshing the web page + every 5 seconds. +
+
+ Now the URL given above can be considered as a url of the web page which is depicting the progress/status of the background job. +
+
+
\ No newline at end of file
diff --git a/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.js b/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.js
new file mode 100644
index 00000000..09addbf7
--- /dev/null
+++ b/src/main/resources/static/templates/MetaTagBasedInjection/LEVEL_1/MetaTagBasedInjection.js
@@ -0,0 +1,7 @@
+function updatePlaceholderDiv() {
+    let placeholderAnchorElement = document.getElementById("placeholder");
+    placeholderAnchorElement.href = getUrlForVulnerabilityLevel() + "?returnTo=/";
+    placeholderAnchorElement.innerText = "Click here";
+}
+
+updatePlaceholderDiv();
diff --git a/src/main/resources/static/vulnerableApp.js b/src/main/resources/static/vulnerableApp.js
index 415783d9..c424a563 100644
--- a/src/main/resources/static/vulnerableApp.js
+++ b/src/main/resources/static/vulnerableApp.js
@@ -11,10 +11,6 @@ let currentKey;
 
 function _loadDynamicJSAndCSS(urlToFetchHtmlTemplate) {
     let dynamicScriptsElement = document.getElementById("dynamicScripts");
-    let jsElement = document.createElement("script");
-    jsElement.type = "module";
-    jsElement.src = urlToFetchHtmlTemplate + ".js?p=" + new Date().getTime();
-    dynamicScriptsElement.appendChild(jsElement);
     let cssElement = document.createElement("link");
     cssElement.href = urlToFetchHtmlTemplate + ".css";
     cssElement.type = "text/css";
@@ -26,6 +22,10 @@ function _loadDynamicJSAndCSS(urlToFetchHtmlTemplate) {
     } else {
         document.getElementById("hideHelp").style.display = "inline-block";
         document.getElementById("showHelp").style.display = "inline-block";
+        let jsElement = document.createElement("script");
+        jsElement.type = "module";
+        jsElement.src = urlToFetchHtmlTemplate + ".js?p=" + new Date().getTime();
+        dynamicScriptsElement.appendChild(jsElement);
     }
 }
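Review bot: `placeholderAnchorElement.href = getUrlForVulnerabilityLevel() + "?returnTo=/"` reuses the `returnTo` parameter name from the 3xx-redirect level, but the Level-1 handler drafted in `MetaTagBasedInjection.java` in this same commit reads `@RequestParam(value = STATUS, …)` with `STATUS = "status"`, so the link this script builds would never hit the injectable parameter; it should be `"?status=/"` (or whatever name the handler finally settles on). `getUrlForVulnerabilityLevel` is not defined in this file and is presumably a global provided by `vulnerableApp.js`; a one-line comment saying so would save the next reader a search. Because `updatePlaceholderDiv()` runs at module load and looks up the `placeholder` element, the script silently depends on the level's HTML template already being in the DOM — worth a comment above that call, e.g. `// Runs at load: requires the level template (with #placeholder) to be inserted first.`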
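Review bot: Moving the `<script type="module">` creation into the `else` branch changes when a level's script executes, but nothing in the code records why; given that the new `MetaTagBasedInjection.js` calls `document.getElementById("placeholder")` at load, the reason is presumably that the module must not run until the template's elements exist. I would add `// Load the level's script only once its template is present: module scripts run top-level code that looks up template elements.` above the `let jsElement` line. Note also that `_loadDynamicJSAndCSS` never removes earlier children of `dynamicScriptsElement`, so unless that container is cleared elsewhere each navigation appends another stylesheet and (thanks to the `?p=` timestamp) another freshly executed module. The `if` condition that selects this branch lies outside the hunk.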