-
Notifications
You must be signed in to change notification settings - Fork 142
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #136 from timmyteo/feature/cwe-798
Feature/CWE 798
- Loading branch information
Showing
12 changed files
with
162 additions
and
2 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| // validate.java and validate.properties are the files that compose the validate.jar file that is part of challenge CWE-798 | ||
| class Validate { | ||
| public static void main(String[] a) { | ||
| System.out.println("Insecure Inc. Compatibility Validator Version 1.5"); | ||
| System.out.println("System Check in progress..."); | ||
| System.out.println("System Check completed."); | ||
| System.out.println("Your system is compatible!"); | ||
| } | ||
| } |
5 changes: 5 additions & 0 deletions
5
insecureinc/src/main/resources/insecure/inc/validate.properties
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| version=1.5 | ||
| retries=3 | ||
| user=svc.validate.insecure.inc | ||
| pass=V@lid@ti0n44! | ||
| directory=temp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> | ||
| <%@ page import="inc.insecure.*" %> | ||
| <%@ page import="insecure.inc.Constants" %> | ||
| <% | ||
| String alertVisibility="hidden"; | ||
| String usr = request.getParameter("usr"); | ||
| String pwd = request.getParameter("pwd"); | ||
| if(usr!=null && pwd!=null){ | ||
| alertVisibility=""; | ||
| if(usr.equals("demo") && pwd.equals("demo1234")){ | ||
| request.getSession().setAttribute("cwe798loggedin", true); | ||
| response.sendRedirect("cwe798loggedin.jsp"); | ||
| } | ||
| //see if the service account is tried | ||
| if(usr.equals("svc.validate.insecure.inc") && pwd.equals("V@lid@ti0n44!")){ | ||
| session.setAttribute(Constants.CHALLENGE_ID,"cwe798"); | ||
| response.sendRedirect(Constants.SECRET_PAGE); | ||
| } | ||
| } | ||
| %> | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | ||
| <html> | ||
| <head> | ||
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> | ||
| <title>Use of Hard-coded Credentials</title> | ||
| <link rel="stylesheet" href="public/bootstrap/css/bootstrap.min.css"> | ||
| <script src="public/jquery.min.js"></script> | ||
| <script src="public/bootstrap/js/bootstrap.min.js"></script> | ||
|
|
||
| </head> | ||
| <body> | ||
| <nav class="navbar navbar-inverse"> | ||
| <div class="container-fluid"> | ||
| <div class="navbar-header"> | ||
| <a class="navbar-brand" href="index.jsp">Insecure Inc.</a> | ||
| </div> | ||
| <ul class="nav navbar-nav"> | ||
| <li class="active"><a href="#">CWE798 - Use of Hard-coded Credentials</a></li> | ||
| </ul> | ||
| </div> | ||
| </nav> | ||
| <div class="container"> | ||
| <p>Welcome to CWE798 - Use of Hard-coded Credentials! You can use the following guest account credentials to login, | ||
| user: <code>demo</code>, password: <code>demo1234</code> </p> | ||
| <form action="cwe798.jsp" autocomplete="off" method="POST"> | ||
| <div class="form-group"> | ||
| <label for="usr">Name:</label> | ||
| <input type="text" class="form-control" id="usr" name="usr"> | ||
| </div> | ||
| <!-- disables autocomplete --><input type="text" style="display:none"> | ||
| <div class="form-group"> | ||
| <label for="pwd">Password:</label> | ||
| <input type="password" class="form-control" id="pwd" name="pwd"> | ||
| </div> | ||
| <input type="submit" id="submit" class="btn" value="Submit"> | ||
| <br><br> | ||
| <div class="alert alert-danger <%=alertVisibility%>"> | ||
| Invalid credentials! | ||
| </div> | ||
| </form> | ||
| </div> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> | ||
| <%@ page import="inc.insecure.*" %> | ||
| <% | ||
| if(session.getAttribute("cwe798loggedin")==null || !(boolean)session.getAttribute("cwe798loggedin") || request.getParameter("logout")!=null){ | ||
| session.setAttribute("cwe798loggedin",false); | ||
| response.sendRedirect("cwe798.jsp?loggedin=false"); | ||
| } | ||
| else{ | ||
| %> | ||
| <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | ||
| <html> | ||
| <head> | ||
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> | ||
| <title>Guest</title> | ||
| <link rel="stylesheet" href="public/bootstrap/css/bootstrap.min.css"> | ||
| <script src="public/jquery.min.js"></script> | ||
| <script src="public/bootstrap/js/bootstrap.min.js"></script> | ||
|
|
||
| </head> | ||
| <body> | ||
| <nav class="navbar navbar-inverse"> | ||
| <div class="container-fluid"> | ||
| <div class="navbar-header"> | ||
| <a class="navbar-brand" href="index.jsp">Insecure Inc.</a> | ||
| </div> | ||
| <ul class="nav navbar-nav"> | ||
| <li class="active"><a href="#">Guest</a></li> | ||
| </ul> | ||
| <ul class="nav navbar-nav navbar-right"> | ||
| <li><a href="cwe798loggedin.jsp?logout=true"><span class="glyphicon glyphicon-log-out"></span> Logout</a></li> | ||
| </ul> | ||
| </div> | ||
| </nav> | ||
| <div class="container"> | ||
| <h1>Welcome to the guest section of the site.</h1> | ||
| <p>In order to fully utilize Insecure Inc. you must perform a system test to confirm your system has the minimum operating requirements.</p> | ||
| <p>To perform the system test, you must have Java installed. Then download the <a href="validate.jar">Insecure Inc. System Validator</a> and run the following command:</p> | ||
| <pre class="pre-scrollable">java -jar validate.jar</pre> | ||
| </div> | ||
| </body> | ||
| </html> | ||
| <% | ||
| } | ||
| %> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| <p> | ||
| The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: 'Use of Hard-coded Credentials'. | ||
| <br><br> | ||
|
|
||
| <blockquote> | ||
| <p> | ||
| <i>The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.</i> | ||
| </p> | ||
| <footer>From MITRE <a target="_blank" rel="noopener noreferrer" href="https://cwe.mitre.org/data/definitions/798.html">CWE 798</a></footer> | ||
| </blockquote> | ||
| <p> | ||
| The developer of this part of the site has hardcoded credentials in order enable functionality, and you can see them if you go searching. | ||
| </p> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| ### Solution for "Use of Hard-coded Credentials" challenge | ||
|
|
||
| Application secrets need to be highly protected, as they will often allow privileged access to parts of the system. | ||
| Hardcoding the secrets as part of the application is a poor choice for protection, regardless of the application running client side or server side. | ||
|
|
||
|
|
||
| To pass this challenge: | ||
|
|
||
| - Download the `Insecure Inc. System Validator` file after logging in with the guest account. | ||
| - Unarchive the .jar file by changing the extension to .zip or by running `jar xf validate.jar` | ||
| - Review the archived contents for credentials that can be used for authentication. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters