diff --git a/AttackGrams.pptx b/AttackGrams.pptx
index 9eaa2655..d5fd1bdb 100644
Binary files a/AttackGrams.pptx and b/AttackGrams.pptx differ
diff --git a/insecureinc/src/main/resources/insecure/inc/validate.java b/insecureinc/src/main/resources/insecure/inc/validate.java
new file mode 100644
index 00000000..e48106fa
--- /dev/null
+++ b/insecureinc/src/main/resources/insecure/inc/validate.java
@@ -0,0 +1,9 @@
+// validate.java and validate.properties are the files that compose the validate.jar file that is part of challenge CWE-798
+class Validate {
+ public static void main(String[] a) {
+ System.out.println("Insecure Inc. Compatibility Validator Version 1.5");
+ System.out.println("System Check in progress...");
+ System.out.println("System Check completed.");
+ System.out.println("Your system is compatible!");
+ }
+}
diff --git a/insecureinc/src/main/resources/insecure/inc/validate.properties b/insecureinc/src/main/resources/insecure/inc/validate.properties
new file mode 100644
index 00000000..313c3a5c
--- /dev/null
+++ b/insecureinc/src/main/resources/insecure/inc/validate.properties
@@ -0,0 +1,5 @@
+version=1.5
+retries=3
+user=svc.validate.insecure.inc
+pass=V@lid@ti0n44!
+directory=temp
diff --git a/insecureinc/src/main/webapp/cwe798.jsp b/insecureinc/src/main/webapp/cwe798.jsp
new file mode 100644
index 00000000..c98dd800
--- /dev/null
+++ b/insecureinc/src/main/webapp/cwe798.jsp
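Review bot: The service-account `user`/`pass` pair now lives in three places — validate.properties, the literal comparison in cwe798.jsp, and the checked-in binary validate.jar built from these sources — and nothing in the hunk records that they must move together. The header comment in validate.java is the natural place to say so, e.g. `// validate.java and validate.properties are the files that compose the validate.jar file that is part of challenge CWE-798; rebuild validate.jar and update the literal in cwe798.jsp whenever the credentials in validate.properties change`. validate.java itself never reads validate.properties (main only prints four fixed lines), so the properties file is bundled purely as the planted artifact the lesson is about; stating that in the same comment stops a later cleanup from treating it as dead configuration.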
@@ -0,0 +1,67 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="inc.insecure.*" %>
+<%@ page import="insecure.inc.Constants" %>
+<%
+String alertVisibility="hidden";
+String usr = request.getParameter("usr");
+String pwd = request.getParameter("pwd");
+
+if(usr!=null && pwd!=null){
+ alertVisibility="";
+ if(usr.equals("demo") && pwd.equals("demo1234")){
+ request.getSession().setAttribute("cwe798loggedin", true);
+ response.sendRedirect("cwe798loggedin.jsp");
+ }
+
+ //see if the service account is tried
+ if(usr.equals("svc.validate.insecure.inc") && pwd.equals("V@lid@ti0n44!")){
+ session.setAttribute(Constants.CHALLENGE_ID,"cwe798");
+ response.sendRedirect(Constants.SECRET_PAGE);
+ }
+}
+
+
+%>
+
+
+
+
+Use of Hard-coded Credentials
+
+
+
+
+
+
+
+

Welcome to CWE798 - Use of Hard-coded Credentials! You can use the following guest account credentials to login, +user: demo, password: demo1234

+
+
+ + +
+ +
+ + +
+ +

+
+ Invalid credentials! +
+
+
+
+
\ No newline at end of file
diff --git a/insecureinc/src/main/webapp/cwe798loggedin.jsp b/insecureinc/src/main/webapp/cwe798loggedin.jsp
new file mode 100644
index 00000000..e0d424cb
--- /dev/null
+++ b/insecureinc/src/main/webapp/cwe798loggedin.jsp
@@ -0,0 +1,44 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="inc.insecure.*" %>
+<%
+if(session.getAttribute("cwe798loggedin")==null || !(boolean)session.getAttribute("cwe798loggedin") || request.getParameter("logout")!=null){
+ session.setAttribute("cwe798loggedin",false);
+ response.sendRedirect("cwe798.jsp?loggedin=false");
+}
+else{
+%>
+
+
+
+
+Guest
+
+
+
+
+
+
+
+
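Review bot: Neither `response.sendRedirect(...)` in the cwe798.jsp scriptlet is followed by `return;`, so after a successful demo or service-account login the page keeps executing: the second `if` is still evaluated and the whole login form is then rendered into a response that has already been committed. Add `return;` directly after each redirect, i.e. `response.sendRedirect("cwe798loggedin.jsp"); return;` and `response.sendRedirect(Constants.SECRET_PAGE); return;`. Setting `alertVisibility=""` before the credential checks also marks the alert (presumably the "Invalid credentials!" block further down) visible on a successful attempt; assigning it only after both checks fail keeps it tied to a rejected login. The two branches also reach the session by different routes (`request.getSession()` versus the implicit `session`); using `session` in both reads more consistently.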
+

Welcome to the guest section of the site.

+

In order to fully utilize Insecure Inc. you must perform a system test to confirm your system has the minimum operating requirements.

+

To perform the system test, you must have Java installed. Then download the Insecure Inc. System Validator and run the following command:

+
java -jar validate.jar
+
+ + +<% +} +%> \ No newline at end of file diff --git a/insecureinc/src/main/webapp/index.jsp b/insecureinc/src/main/webapp/index.jsp index 68e229eb..6c291ff4 100644 --- a/insecureinc/src/main/webapp/index.jsp +++ b/insecureinc/src/main/webapp/index.jsp @@ -63,6 +63,7 @@ body {
  • Missing Encryption for Sensitive Data
  • Use of a Broken or Risky Cryptographic Algorithm
  • Use of a One-Way Hash without a Salt
  • +
  • Use of Hard-coded Credentials
  • Improper Restriction of Excessive Authentication Attempts
  • Integer Overflow or Wraparound
  • Download of Code Without Integrity Check
  • 
@@ -102,4 +103,4 @@ body {
-
\ No newline at end of file
+
diff --git a/insecureinc/src/main/webapp/validate.jar b/insecureinc/src/main/webapp/validate.jar
new file mode 100644
index 00000000..4c5b86ad
Binary files /dev/null and b/insecureinc/src/main/webapp/validate.jar differ
diff --git a/trainingportal/static/lessons/attack-grams/hardcodedpassword.png b/trainingportal/static/lessons/attack-grams/hardcodedpassword.png
new file mode 100644
index 00000000..38d290fd
Binary files /dev/null and b/trainingportal/static/lessons/attack-grams/hardcodedpassword.png differ
diff --git a/trainingportal/static/lessons/blackBelt/cwe798.html b/trainingportal/static/lessons/blackBelt/cwe798.html
new file mode 100644
index 00000000..23716f94
--- /dev/null
+++ b/trainingportal/static/lessons/blackBelt/cwe798.html
@@ -0,0 +1,13 @@
+

    + The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: 'Use of Hard-coded Credentials'. +

    + +

    +

    + The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. +

    + +
    +

    + The developer of this part of the site has hardcoded credentials in order enable functionality, and you can see them if you go searching. +

    \ No newline at end of file
diff --git a/trainingportal/static/lessons/blackBelt/cwe798.sol.md b/trainingportal/static/lessons/blackBelt/cwe798.sol.md
new file mode 100644
index 00000000..1f515de0
--- /dev/null
+++ b/trainingportal/static/lessons/blackBelt/cwe798.sol.md
@@ -0,0 +1,11 @@
+### Solution for "Use of Hard-coded Credentials" challenge
+
+Application secrets need to be highly protected, as they will often allow privileged access to parts of the system.
+Hardcoding the secrets as part of the application is a poor choice for protection, regardless of the application running client side or server side.
+
+
+To pass this challenge:
+
+- Download the `Insecure Inc. System Validator` file after logging in with the guest account.
+- Unarchive the .jar file by changing the extension to .zip or by running `jar xf validate.jar`
+- Review the archived contents for credentials that can be used for authentication.
\ No newline at end of file
diff --git a/trainingportal/static/lessons/blackBelt/definitions.json b/trainingportal/static/lessons/blackBelt/definitions.json
index b5d30447..ad6553d4 100644
--- a/trainingportal/static/lessons/blackBelt/definitions.json
+++ b/trainingportal/static/lessons/blackBelt/definitions.json
@@ -38,6 +38,16 @@
 "mission":"Access the admin page from the account of the 'demo' user.",
 "codeBlockIds":["resourceSeparation"]
 },
+ {
+ "id":"cwe798",
+ "name":"Use of Hard-coded Credentials",
+ "description": "cwe798.html",
+ "attackGram":"hardcodedpassword.png",
+ "solution":"cwe798.sol.md",
+ "playLink":"/cwe798.jsp",
+ "mission":"Authenticate to the website using the Insecure Inc. service account credentials.",
+ "codeBlockIds":["enforceSafeConfig"]
+ },
+ {
+ "id":"cwe306",
+ "name":"Missing Authentication for Critical Function",
diff --git a/trainingportal/static/lessons/modules.json b/trainingportal/static/lessons/modules.json
index 0fb24ff1..18356024 100644
--- a/trainingportal/static/lessons/modules.json
+++ b/trainingportal/static/lessons/modules.json
@@ -17,7 +17,7 @@
 "name":"Black Belt",
 "summary":"Common software security flaws",
 "description":"This module is based on the SANS Top 25 - Most Dangerous Software Flaws. Lessons are entry level difficulty aimed at introducing the concepts of vulnerability, exploit and software defense.",
- "description2":"Includes 22 lessons. Estimated duration 4 hours.",
+ "description2":"Includes 23 lessons. Estimated duration 4 hours.",
 "badgeInfo":{
 "line1":"Secure Coding",
 "line2":"Black Belt",