Merge pull request #137 from timmyteo/feature/CWE-209

Feature/CWE 209

hackerden/front/network-utils.js

@@ -22,12 +22,10 @@ ping = (req,res)=> {
     //this deny list can likely be bypassed, is mainly here to make it harder to cheat than to pass the real challenges
     hostname = hostname.replace("''","")    
     hostname = hostname.replace('""',"")
-    if(hostname.match("FLAG") ||
-       hostname.match("passwd|shadow") ||
-       hostname.match("echo|\\bsed\\b|print|base64|\\bxxd\\b") ||
-       hostname.match("\\b(chmod|rm|mv|cp)\\b")){
-        console.log(`Bypass attempt with ${hostname}`)
-        res.status(400)
+    const disallowedPatterns = /(FLAG|passwd|shadow|echo|\bsed\b|print|base64|\bxxd\b|\b(chmod|rm|mv|cp)\b)/;
+    if (disallowedPatterns.test(hostname)) {
+        console.log(`Bypass attempt with ${hostname}`);
+        res.status(400);
         return res.send("Certain commands have been disallowed. There is a better way.");
     }
 

insecureinc/src/main/webapp/cwe209.jsp

@@ -0,0 +1,67 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="inc.insecure.*" %>
+<%@ page import="insecure.inc.Constants" %>
+<%
+String alertVisibility="hidden";
+String usr = request.getParameter("usr");
+String pwd = request.getParameter("pwd");
+
+if(usr!=null && pwd!=null){ 
+	alertVisibility="";
+	if(usr.equals("demo") && pwd.equals("demo1234")){
+		request.getSession().setAttribute("cwe209loggedin", true);
+		response.sendRedirect("cwe209loggedin.jsp");
+	}
+
+	//see if the database user account is tried
+	if(usr.equals("svc.database.insecure.inc") && pwd.equals("OWASP_R0ckZ!")){
+        session.setAttribute(Constants.CHALLENGE_ID,"cwe209");
+        response.sendRedirect(Constants.SECRET_PAGE);
+	}
+}
+
+
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Generation of Error Message Containing Sensitive Information</title>
+<link rel="stylesheet" href="public/bootstrap/css/bootstrap.min.css">
+<script src="public/jquery.min.js"></script>
+<script src="public/bootstrap/js/bootstrap.min.js"></script>
+
+</head>
+<body>
+<nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand" href="index.jsp">Insecure Inc.</a>
+    </div>
+    <ul class="nav navbar-nav">
+      <li class="active"><a href="#">CWE209 - Generation of Error Message Containing Sensitive Information</a></li>
+    </ul>
+  </div>
+</nav>
+<div class="container"> 
+<p>Welcome to CWE209 - Generation of Error Message Containing Sensitive Information! You can use the following guest account credentials to login, 
+user: <code>demo</code>, password: <code>demo1234</code> </p>
+<form action="cwe209.jsp" autocomplete="off" method="POST">
+<div class="form-group">
+  <label for="usr">Name:</label>
+  <input type="text" class="form-control" id="usr" name="usr">
+</div>
+<!-- disables autocomplete --><input type="text" style="display:none">
+<div class="form-group">
+  <label for="pwd">Password:</label>
+  <input type="password" class="form-control" id="pwd" name="pwd">
+</div>
+<input type="submit" id="submit" class="btn" value="Submit">
+<br><br>
+<div class="alert alert-danger <%=alertVisibility%>">
+  Invalid credentials!
+</div>
+</form>
+</div>
+</body>
+</html>

insecureinc/src/main/webapp/cwe209loggedin.jsp

@@ -0,0 +1,69 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ page import="inc.insecure.*" %>
+<%
+if(session.getAttribute("cwe209loggedin")==null || !(boolean)session.getAttribute("cwe209loggedin") || request.getParameter("logout")!=null){
+	session.setAttribute("cwe209loggedin",false);
+	response.sendRedirect("cwe209.jsp?loggedin=false");
+}
+else{
+    String alertVisibility="hidden";
+    String query = request.getParameter("query");
+
+    if(query!=null){ 
+        if(query.contains("'") || query.contains("<") || query.contains(">") || query.contains("#") || query.contains("-") || query.contains("=")){
+            try{
+                throw new RuntimeException("Error: unexpected character in query '" + query + "' using connection jdbc:mysql://localhost:3306/insecureinc?user=svc.database.insecure.inc&password=OWASP_R0ckZ!");
+            }
+            catch (Exception e){
+                e.printStackTrace(response.getWriter());
+            }
+        }
+        else{
+            alertVisibility="";
+        }
+    }
+%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<title>Guest</title>
+<link rel="stylesheet" href="public/bootstrap/css/bootstrap.min.css">
+<script src="public/jquery.min.js"></script>
+<script src="public/bootstrap/js/bootstrap.min.js"></script>
+
+</head>
+<body>
+<nav class="navbar navbar-inverse">
+  <div class="container-fluid">
+    <div class="navbar-header">
+      <a class="navbar-brand" href="index.jsp">Insecure Inc.</a>
+    </div>
+    <ul class="nav navbar-nav">
+      <li class="active"><a href="#">Guest</a></li>
+    </ul>
+    <ul class="nav navbar-nav navbar-right">
+        <li><a href="cwe209loggedin.jsp?logout=true"><span class="glyphicon glyphicon-log-out"></span> Logout</a></li>
+    </ul>
+  </div>
+</nav>
+<div class="container"> 
+<h1>Welcome to the guest section of the site.</h1>
+<p>Please enter your search term to return results from the Insecure Inc. archive.</p>
+<form action="cwe209loggedin.jsp" autocomplete="off" method="POST">
+    <div class="form-group">
+      <label for="search">Search:</label>
+      <input type="text" class="form-control" id="search" name="query">
+    </div>
+    <input type="submit" id="submit" class="btn" value="Submit">
+    <br><br>
+    <div class="alert alert-danger <%=alertVisibility%>">
+      No results found for '<%=query%>'!
+    </div>
+    </form>
+</div>
+</body>
+</html>
+<% 
+}
+%>

insecureinc/src/main/webapp/index.jsp

@@ -64,6 +64,7 @@ body {
 		          <li><a href="cwe327.jsp">Use of a Broken or Risky Cryptographic Algorithm</a></li>
 		          <li><a href="cwe759.jsp">Use of a One-Way Hash without a Salt</a></li>
               		  <li><a href="cwe798.jsp">Use of Hard-coded Credentials</a></li>
+                    <li><a href="cwe209.jsp">Generation of Error Message Containing Sensitive Information</a></li>
 		          <li><a href="cwe307.jsp">Improper Restriction of Excessive Authentication Attempts</a></li>
 		          <li><a href="cwe190.jsp">Integer Overflow or Wraparound</a></li>
 		          <li><a href="cwe494.jsp">Download of Code Without Integrity Check</a></li>

trainingportal/static/lessons/blackBelt/cwe209.html

@@ -0,0 +1,13 @@
+<p>
+  The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: 'Generation of Error Message Containing Sensitive Information'. 
+<br><br>
+
+<blockquote>
+  <p>
+       <i>The product generates an error message that includes sensitive information about its environment, users, or associated data.</i>
+  </p>
+  <footer>From MITRE <a target="_blank" rel="noopener noreferrer" href="https://cwe.mitre.org/data/definitions/209.html">CWE 209</a></footer>
+</blockquote>
+<p>
+  The developer of this part of the site has not implemented secure error handling. As a result, sensitive information about how the application is built can leak and be exploited.
+</p>

trainingportal/static/lessons/blackBelt/cwe209.sol.md

@@ -0,0 +1,12 @@
+### Solution for "Generation of Error Message Containing Sensitive Information" challenge
+
+Error messages can contain detailed information about how the application operates, as well as sensitive information about its environment, users, or associated data.  
+Instead of allowing detailed error messages to be returned to the user, generic error messages with an error ID or code should be returned instead.  
+The details of the error can be saved to the application logs, accessible only to the application owners.
+
+
+To pass this challenge: 
+
+- Become familiar with the Insecure Inc. archive search after logging in with the guest account.
+- Invoke an error in the archive search by entering characters that might be problematic.
+- Review error details for credentials that can be used for authentication.

trainingportal/static/lessons/blackBelt/definitions.json

@@ -99,7 +99,17 @@
                 "solution":"cwe759.sol.md",
                 "playLink":"/cwe759.jsp",
                 "codeBlockIds":["useStrongDataEncryption"]
-            }  
+            },
+            {
+                "id":"cwe209",
+                "name":"Generation of Error Message Containing Sensitive Information", 
+                "description": "cwe209.html",
+                "attackGram":"errormessage.png",
+                "solution":"cwe209.sol.md",
+                "playLink":"/cwe209.jsp",
+                "mission":"Authenticate to the website using credentials discovered in detailed error messages.",
+                "codeBlockIds":["displayGenericErrorMessages"]
+            }
         ]
     },
     {

trainingportal/static/lessons/modules.json

@@ -17,7 +17,7 @@
         "name":"Black Belt",
         "summary":"Common software security flaws",
         "description":"This module is based on the SANS Top 25 - Most Dangerous Software Flaws. Lessons are entry level difficulty aimed at introducing the concepts of vulnerability, exploit and software defense.",
-        "description2":"Includes 23 lessons. Estimated duration 4 hours.",
+        "description2":"Includes 24 lessons. Estimated duration 4 hours.",
         "badgeInfo":{
             "line1":"Secure Coding",
             "line2":"Black Belt",