A laboratory for learning secure web and mobile development in a practical manner.

The current directory organization is a little confusing. We have the folder owasp-top10-2017-apps that has only OWASP Top 10 2017 vulnerability list. What about OWASP API Security Top 10 2019 (or another lists)? If we create a new folder for Top 10 2019 how would we handle with vulnerabilities that belongs to both lists?

Through some of the apps, such as CopyNPaste API, Vulnerable Wordpress Misconfig, Stegonography and Amarelo Designs, the following tools are used to perform automated tasks: SQLMap, WPScan and Dirb.

Sometimes it can be a hassle for people to properly install these tools, some can be quite challenging to install on Mac OS. With that in mind, it would be great if we could build a container with all these security tools already installed and ready to go. Having that, all a developer would need to do is run the container and use the tools on the intentionally vulnerable apps of secDevLabs.

This solution refers to which of the apps?

a1 - camplake-api

What did you do to mitigate the vulnerability?

Replaces the manual parser with the jwt.ParseWithClaims() provided by the github.com/dgrijalva/jwt-go module as it already contains the signature and TTL validations necessary to ensure the legitimacy of the user-provided token.

Did you test your changes? What commands did you run?

After correction:

1. Created the user.

$ curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","password":"campLake2021"}' http://localhost:20001/register
Register: success!

2. Logged in.

$ curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","password":"campLake2021"}' http://localhost:20001/login
Hello, campLakeAdmin! This is your token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNhbXBMYWtlQWRtaW4iLCJleHAiOjE2NTA5OTQ5OTR9.TWf6_jpPSDTsCJ68MpkzWLIpVFr2H51-Cuf1A-VVsnE

3. Validated token

$ curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNhbXBMYWtlQWRtaW4iLCJleHAiOjE2NTA5OTQ5OTR9.TWf6_jpPSDTsCJ68MpkzWLIpVFr2H51-Cuf1A-VVsnE' -d '{"title": "New member ", "post": "Today a new member ..."}' http://localhost:20001/newpost
"New post created successfully!\nCreated by: campLakeAdmin!"

4. Attempted validation with forged token.

$ curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNhbXBMYWtlQWRtaW5uIiwiZXhwIjoxNjUwOTk0OTk0fQ.aBG86wE0Oi9yxZzYXjskBog5_AjfhqfAqMsqocKWupc' -d '{"title": "New member ", "post": "Today a new member ..."}' http://localhost:20001/newpost
"unautorized"

5. Validation attempt with original token, but expired.

$ curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNhbXBMYWtlQWRtaW4iLCJleHAiOjE2NTA5OTQ5OTR9.TWf6_jpPSDTsCJ68MpkzWLIpVFr2H51-Cuf1A-VVsnE' -d '{"title": "New member ", "post": "Today a new member ..."}' http://localhost:20001/newpost
"unautorized"

This solution refers to which of the apps?

A/M# - owasp-top10-2017-apps/a9/cimentech

What did you do to mitigate the vulnerability?

This is a contribution to secDevLabs. For a better use of exercise a9, I made some changes to the Docker Compose file, so that it is possible to update Drupal through lines of code.

Did you test your changes? What commands did you run?

The vulnerability has not been mitigated :satisfied:

Motivation

SecDevLab's goal is to provide examples of how security vulnerabilities could be fixed, but we only have one example of Cross-Site Scripting from OWASP's 2017 Top 10.

It would be great if

We had another app illustrating this vulnerability and how it could be exploited by an attacker.

What we expect

The new app must have a complete README.md with all the steps on how to get the environment ready to run it, how it can be installed, and how an attacker could compromise it.

The app should be similar to the existing web apps, such as this one.

Note: It would be great if this app could be powered by anything other than Python. 🙂

Tips

• OWAST A7:2017 Cross-Site Scripting
• Google Application Security - Cross-Site Scripting
• App Spot - XSS Game

I'm trying to exploit the SQLi remotely but when I perform the dump after successfully exploit the vulnerability, it returns me no entries in the 'Users' table. But if I exploit it locally, it returns me the entries properly. I also noticed that I'm not able to register an user in a remote access via web browser, when I call the registration page, I got:

• "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3000/register. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)." Are there any configs that I have to change to get to use the LAB remotely?

This solution refers to which of the apps?

A8 - Software and Data Integrity Failures - Python - Amarelo Designs

What did you do to mitigate the vulnerability?

Removed pickle library and implemented session (properly signed).

Did you test your changes? What commands did you run?

Yes. I followed the attack narrative.

This solution refers to which of the apps?

A/M# - owasp-top10-2017-apps/a8/amarelo-designs

What did you do to mitigate the vulnerability?

The pickle should only be used when we have a reliable source accessing that information. In this lab, we are using pickle to serialize a cookie, and this is not safe. To mitigate this vulnerability, I replaced the pickle with JWT, to generate the session token.

Did you test your changes? What commands did you run?

To mitigate this vulnerability, I used JWT to create and validate the user's session token. To test, I used the deserialization file created for the pickle. When we type the code on the command line, it does not return any information, as it does not have access to the application.

• Vulnerability test

The token that the command returns is generated in the code itself, and is not retrieved from the http request.

Closes #164

Altered ports for every application following the standard guidelines as listed in the issue mentioned above. Documentation was updated as well.

We currently only have one app for A1 (Injection) topic containing an SQL Injection vulnerability. Since Injection is a big topic, it would be awesome if we had another application approaching a different type of Injection, like:

• Command Injection
• Server-side Template Injection
• NOSQL Injection

and many more!

This new app could also be written in a different language than the current one (Golang). Some suggestions are:

• Ruby
• Python
• Java

You can check our Contributing Guidelines on creating a new app.

This solution refers to which of the apps?

A2 - Snake Pro

What did you do to mitigate the vulnerability?

Used the lib bcrypt to hash the password and changed the http to https with echo lib, using TLS and generate certificate + priv key in .pem extension

Did you test your changes? What commands did you run?

Yes, using the same commands of readme.md said:

• brew install tcpdump
• sudo tcpdump -i lo0 -X host localhost | grep -C 2 pass --color

This PR add a XSS owasp 2017 Rails app following #438.

Since this PR was open way back in 2020 referring Owasp 2017 I end up putting the code inside a folder called owasp-top10-2017-apps, let me know if i did it right.

I also took the liberty of using part of the exemple of Gossip World specifically the GO Keylogger for lack of imagination.

I looked at the whole project and checked the broken links.

In case I left a link that I couldn't verify. Please let me know that I merge with this PR.

NOTE I HAVE LOOKED AT THE ENTIRE GITHUB PROJECT

#588

Motivation

There are a lot of links inside SecDevLabs and everyone needs to work correctly with new users to follow the right directions.

It would be great if

Update broken links and add missing fix-mitigation PR's links.

What we expect

All normal links and the fix-mitigation PR's links works.

Motivation

SecDevLab provides exercises based on OWASP Top 10 since 2021 the vulnerable list has been updated, but some details inside the setup of the exercise don't be updated.

It would be great if

All exercise setups correspond to correct exercise names.

What we expect

Check and update all exercise setups to reflect the correct name.

For example, for exercise A1 - Broken Authentication (eCommerce-API) inside docker-compose.yml the container name doesn't correspond to the correct numeration, update a5 to a1: docker-compose.yml#5

Use gitpod to an option to setup.

Needs to change all Setup.md from exercises and explain the usage from Gitpod.

Needs to change all Makefiles and verify if users is using gitpod and show the link to the "localhost" inside Gitpod.

# to verify
$ whoami
gitpod
$ gp url <port>
https://<port>-globocom-secdevlabs-1qppj14zvqu.ws-us67.gitpod.io/