diff --git a/.github/workflows/ngsast-docker.yml b/.github/workflows/ngsast-docker.yml
new file mode 100644
index 00000000..d633993e
--- /dev/null
+++ b/.github/workflows/ngsast-docker.yml
@@ -0,0 +1,42 @@
+# This workflow integrates ShiftLeft Inspect with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft NG SAST Docker
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Analyze code inside Docker context
+ run: |
+ docker build --build-arg BRANCH="${{ github.head_ref || steps.extract_branch.outputs.branch }}" --build-arg SHIFTLEFT_ACCESS_TOKEN=$SHIFTLEFT_ACCESS_TOKEN .
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ Build-Rules:
+ runs-on: ubuntu-20.04
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Validate Build Rules
+ run: ${GITHUB_WORKSPACE}/sl check-analysis --app flask-webgoat-docker --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
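Review bot: The Analyze step's `docker build ... --build-arg SHIFTLEFT_ACCESS_TOKEN=$SHIFTLEFT_ACCESS_TOKEN` hands the token to the build as an ARG, and ARG values are recorded in the image's layer metadata (visible through `docker history`), so the secret outlives the job if the image is ever pushed or cached; the Dockerfile's `ARG SHIFTLEFT_ACCESS_TOKEN` / `RUN ./sl analyze` pair is the other half of the same problem. Prefer a BuildKit secret mount (`--secret` on the build command and `RUN --mount=type=secret` in the Dockerfile), or run the analysis at container run time instead of build time. Separately, `${{ github.head_ref || steps.extract_branch.outputs.branch }}` is expanded into the `run:` script text here and in both steps of ngsast.yml; a pull-request branch name is chosen by the PR author, so route it through `env:` (`BRANCH: ${{ github.head_ref || steps.extract_branch.outputs.branch }}`) and use `"$BRANCH"` in the shell instead of an inline expression. The `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl` download (repeated in ngsast.yml and the Dockerfile) has no `--fail`, no version pin and no checksum, so an HTTP error page would be saved and made executable; `curl -fsSL` is the minimum, with a pinned release and digest check preferred.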
diff --git a/.github/workflows/ngsast.yml b/.github/workflows/ngsast.yml
new file mode 100644
index 00000000..3f4fe2d3
--- /dev/null
+++ b/.github/workflows/ngsast.yml
@@ -0,0 +1,49 @@
+# This workflow integrates ShiftLeft Inspect with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft NG SAST
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - uses: actions/setup-python@v2
+ with:
+ python-version: '3.8.5'
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Analyze codebase
+ run: |
+ python3 -m venv .venv
+ . .venv/bin/activate
+ pip install --upgrade setuptools wheel
+ pip install -r requirements.txt
+ ${GITHUB_WORKSPACE}/sl analyze --app flask-webgoat --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python --cpg --godmodeon .
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ Build-Rules:
+ runs-on: ubuntu-20.04
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Validate Build Rules
+ run: ${GITHUB_WORKSPACE}/sl check-analysis --app flask-webgoat --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..88c66e27
--- /dev/null
+++ b/Dockerfile
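Review bot: The Validate Build Rules step passes `--github-pr-number=${{github.event.number}}`, but the workflow is also triggered by `workflow_dispatch`, where `github.event.number` is empty, so a manual run hands an empty PR number to `sl check-analysis`; ngsast-docker.yml has the same combination. Either drop `workflow_dispatch` or guard that step with `if: github.event_name == 'pull_request'`. Both jobs also depend on `secrets.SHIFTLEFT_ACCESS_TOKEN` under the `pull_request` trigger, and repository secrets are not provided to workflows started by pull requests from forks, so fork PRs will fail in the Analyze step unless that is accepted — worth a comment above `on:`. Minor: `actions/checkout@v2` and `actions/setup-python@v2` are pinned by mutable tag; pinning to a commit SHA makes the action supply chain reproducible.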
@@ -0,0 +1,20 @@
+FROM python:3.8.5-buster
+
+# docker build --build-arg SHIFTLEFT_ACCESS_TOKEN=$SHIFTLEFT_ACCESS_TOKEN
+ARG SHIFTLEFT_ACCESS_TOKEN
+ARG BRANCH=master
+
+WORKDIR /app
+COPY . /app/
+
+# Download ShiftLeft
+RUN curl https://cdn.shiftleft.io/download/sl > sl && chmod a+rx sl
+
+# Create virtual env
+RUN python3 -m venv .venv \
+ && . .venv/bin/activate \
+ && pip install --upgrade setuptools wheel \
+ && pip install -r requirements.txt
+
+# Perform sl analysis
+RUN ./sl analyze --app flask-webgoat-docker --tag branch=$BRANCH --python --cpg --beta .
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 00000000..80ea7dff
--- /dev/null
+++ b/LICENSE
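Review bot: `COPY . /app/` runs with no `.dockerignore` in this commit, so the build context — including `.git`, any local `.venv` and the `database.db` that `create_app` writes next to the code — is copied into the image and, from there, into whatever the analysis uploads; a `.dockerignore` listing at least `.git`, `.venv` and `database.db` should accompany this file. The image defines no `CMD` or `ENTRYPOINT`, so as written it is only a build-time wrapper around `sl analyze`; a header comment such as `# Analysis-only image: runs ShiftLeft at build time, does not serve the app` would stop readers from trying to run it. The existing `# docker build --build-arg ...` comment documents the intended invocation but not that `BRANCH` defaults to `master`, which the workflow overrides — one line saying so would help.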
@@ -0,0 +1,203 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2021 ShiftLeft, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/README.md b/README.md new file mode 100644 index 00000000..f6bba4e1 --- /dev/null +++ b/README.md 
@@ -0,0 +1,57 @@ +# flask-webgoat + +flask-webgoat is a deliberately-vulnerable application written with the Flask +web framework. + +``` + (_( + /_/'_____/) + " | | + |""""""| +███████╗██╗ █████╗ ███████╗██╗ ██╗ ██╗ ██╗███████╗██████╗ ██████╗ ██████╗ █████╗ ████████╗ +██╔════╝██║ ██╔══██╗██╔════╝██║ ██╔╝ ██║ ██║██╔════╝██╔══██╗██╔════╝ ██╔═══██╗██╔══██╗╚══██╔══╝ +█████╗ ██║ ███████║███████╗█████╔╝ ██║ █╗ ██║█████╗ ██████╔╝██║ ███╗██║ ██║███████║ ██║ +██╔══╝ ██║ ██╔══██║╚════██║██╔═██╗ ██║███╗██║██╔══╝ ██╔══██╗██║ ██║██║ ██║██╔══██║ ██║ +██║ ███████╗██║ ██║███████║██║ ██╗ ╚███╔███╔╝███████╗██████╔╝╚██████╔╝╚██████╔╝██║ ██║ ██║ +╚═╝ ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝╚═════╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ +``` + +### Run + +``` +python -m venv .venv +. .venv/bin/activate +pip install -r requirements.txt +FLASK_APP=run.py flask run +``` + +### Vulnerabilities + +This project contains the following vulnerabilities: + +- Remote Code Execution +- SQL injection +- XSS +- Insecure Deserialization +- Directory Traversal +- Open Redirect +- Sensitive Data Exposure +- Broken Access Control +- Security Misconfiguration + +You can find each one in the codebase by grepping for the string +`vulnerability`: + +``` +$ grep vulnerability . -R -n | grep -v README +./flask_webgoat/actions.py:43: # vulnerability: Remote Code Execution +./flask_webgoat/users.py:37: # vulnerability: SQL Injection +./flask_webgoat/auth.py:17: # vulnerability: SQL Injection +./flask_webgoat/ui.py:14: # vulnerability: XSS +./flask_webgoat/actions.py:60: # vulnerability: Insecure Deserialization +./flask_webgoat/actions.py:35: # vulnerability: Directory Traversal +./flask_webgoat/auth.py:45: # vulnerability: Open Redirect +./flask_webgoat/__init__.py:12: # vulnerability: Sensitive Data Exposure +./run.py:7: # vulnerability: Broken Access Control +./run.py:9: # vulnerability: Security Misconfiguration +``` 
diff --git a/flask_webgoat/__init__.py b/flask_webgoat/__init__.py
new file mode 100644
index 00000000..039144bb
--- /dev/null
+++ b/flask_webgoat/__init__.py
@@ -0,0 +1,51 @@
+import os
+import sqlite3
+from pathlib import Path
+
+from flask import Flask, g
+
+DB_FILENAME = "database.db"
+
+
+def query_db(query, args=(), one=False, commit=False):
+ with sqlite3.connect(DB_FILENAME) as conn:
+ # vulnerability: Sensitive Data Exposure
+ conn.set_trace_callback(print)
+ cur = conn.cursor().execute(query, args)
+ if commit:
+ conn.commit()
+ return cur.fetchone() if one else cur.fetchall()
+
+
+def create_app():
+ app = Flask(__name__)
+ app.secret_key = "aeZ1iwoh2ree2mo0Eereireong4baitixaixu5Ee"
+
+ db_path = Path(DB_FILENAME)
+ if db_path.exists():
+ db_path.unlink()
+
+ conn = sqlite3.connect(DB_FILENAME)
+ create_table_query = """CREATE TABLE IF NOT EXISTS user
+ (id INTEGER PRIMARY KEY, username TEXT, password TEXT, access_level INTEGER)"""
+ conn.execute(create_table_query)
+
+ insert_admin_query = """INSERT INTO user (id, username, password, access_level)
+ VALUES (1, 'admin', 'maximumentropy', 0)"""
+ conn.execute(insert_admin_query)
+ conn.commit()
+ conn.close()
+
+ with app.app_context():
+ from . import actions
+ from . import auth
+ from . import status
+ from . import ui
+ from . import users
+
+ app.register_blueprint(actions.bp)
+ app.register_blueprint(auth.bp)
+ app.register_blueprint(status.bp)
+ app.register_blueprint(ui.bp)
+ app.register_blueprint(users.bp)
+ return app
diff --git a/flask_webgoat/actions.py b/flask_webgoat/actions.py
new file mode 100644
index 00000000..4bcbc4d9
--- /dev/null
+++ b/flask_webgoat/actions.py
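Review bot: `with sqlite3.connect(DB_FILENAME) as conn:` in `query_db` never closes the connection — sqlite3's connection context manager only commits or rolls back on exit — so each call leaks an open handle to `database.db` until the object is collected. Wrap it as `with contextlib.closing(sqlite3.connect(DB_FILENAME)) as conn:` (adding `import contextlib`) and keep the explicit `if commit: conn.commit()`, since `closing` only closes. `import os` and the `g` import are unused. The hard-coded `app.secret_key` signs every session cookie the auth endpoints issue, yet it carries no `# vulnerability:` marker and so is missing from the README's grep inventory; if it is an intended lesson, tag it, otherwise read it from an environment variable with `os.environ`.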
@@ -0,0 +1,62 @@ +import pickle +import base64 +from pathlib import Path +import subprocess + +from flask import Blueprint, request, jsonify, session + +bp = Blueprint("actions", __name__) + + +@bp.route("/message", methods=["POST"]) +def log_entry(): + user_info = session.get("user_info", None) + if user_info is None: + return jsonify({"error": "no user_info found in session"}) + access_level = user_info[2] + if access_level > 2: + return jsonify({"error": "access level < 2 is required for this action"}) + filename_param = request.form.get("filename") + if filename_param is None: + return jsonify({"error": "filename parameter is required"}) + text_param = request.form.get("text") + if text_param is None: + return jsonify({"error": "text parameter is required"}) + + user_id = user_info[0] + user_dir = "data/" + str(user_id) + user_dir_path = Path(user_dir) + if not user_dir_path.exists(): + user_dir_path.mkdir() + + filename = filename_param + ".txt" + path = Path(user_dir + "/" + filename) + with path.open("w", encoding="utf-8") as open_file: + # vulnerability: Directory Traversal + open_file.write(text_param) + return jsonify({"success": True}) + + +@bp.route("/grep_processes") +def grep_processes(): + name = request.args.get("name") + # vulnerability: Remote Code Execution + res = subprocess.run( + ["ps aux | grep " + name + " | awk '{print $11}'"], + shell=True, + capture_output=True, + ) + if res.stdout is None: + return jsonify({"error": "no stdout returned"}) + out = res.stdout.decode("utf-8") + names = out.split("\n") + return jsonify({"success": True, "names": names}) + + +@bp.route("/deserialized_descr", methods=["POST"]) +def deserialized_descr(): + pickled = request.form.get('pickled') + data = base64.urlsafe_b64decode(pickled) + # vulnerability: Insecure Deserialization + deserialized = pickle.loads(data) + return jsonify({"success": True, "description": str(deserialized)}) 
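Review bot: `user_dir_path.mkdir()` in `log_entry` is called without `parents=True`, so the first request raises `FileNotFoundError` unless a `data/` directory already exists in the working directory, and nothing in this commit creates one; `user_dir_path.mkdir(parents=True, exist_ok=True)` would cover both cases. `grep_processes` and `deserialized_descr` use `request.args.get("name")` and `request.form.get('pickled')` without the `None` guard that `log_entry` applies to its parameters, so a missing parameter becomes a `TypeError` 500 instead of the JSON error the other handlers return. The access check `if access_level > 2` and its message `"access level < 2 is required for this action"` disagree about whether level 2 is allowed. `if res.stdout is None` can never be true with `capture_output=True`, so that branch is dead. The labelled vulnerabilities are clearly the intended content of the file; the points above are the unlabelled defects.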
diff --git a/flask_webgoat/auth.py b/flask_webgoat/auth.py
new file mode 100644
index 00000000..61d4a7e6
--- /dev/null
+++ b/flask_webgoat/auth.py
@@ -0,0 +1,48 @@
+from flask import Blueprint, request, jsonify, session, redirect
+from . import query_db
+
+bp = Blueprint("auth", __name__)
+
+
+@bp.route("/login", methods=["POST"])
+def login():
+ username = request.form.get("username")
+ password = request.form.get("password")
+ if username is None or password is None:
+ return (
+ jsonify({"error": "username and password parameter have to be provided"}),
+ 400,
+ )
+
+ # vulnerability: SQL Injection
+ query = (
+ "SELECT id, username, access_level FROM user WHERE username = '%s' AND password = '%s'"
+ % (username, password)
+ )
+ result = query_db(query, [], True)
+ if result is None:
+ return jsonify({"bad_login": True}), 400
+ session["user_info"] = (result[0], result[1], result[2])
+ return jsonify({"success": True})
+
+
+@bp.route("/login_and_redirect")
+def login_and_redirect():
+ username = request.args.get("username")
+ password = request.args.get("password")
+ url = request.args.get("url")
+ if username is None or password is None or url is None:
+ return (
+ jsonify(
+ {"error": "username, password, and url parameters have to be provided"}
+ ),
+ 400,
+ )
+
+ query = "SELECT id, username, access_level FROM user WHERE username = ? AND password = ?"
+ result = query_db(query, (username, password), True)
+ if result is None:
+ # vulnerability: Open Redirect
+ return redirect(url)
+ session["user_info"] = (result[0], result[1], result[2])
+ return jsonify({"success": True})
diff --git a/flask_webgoat/status.py b/flask_webgoat/status.py
new file mode 100644
index 00000000..f3528508
--- /dev/null
+++ b/flask_webgoat/status.py
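Review bot: Both handlers compare the submitted password against the stored value in plaintext (`password = ?` and `password = '%s'`), and `create_app` seeds `'maximumentropy'` unhashed, yet plaintext credential storage carries no `# vulnerability:` marker and so is missing from the README's grep inventory. If it is an intended lesson, add a marker such as `# vulnerability: Sensitive Data Exposure` next to the query; if not, store a salted hash with `werkzeug.security.generate_password_hash` and compare with `check_password_hash` — Werkzeug is already pinned in requirements.txt. `login_and_redirect` also reads `username` and `password` from the query string of a GET, so credentials end up in server access logs and browser history; `methods=["POST"]` with `request.form`, as `login` does, avoids that without changing the lesson.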
@@ -0,0 +1,13 @@ +from flask import Blueprint, jsonify + +bp = Blueprint("status", __name__) + + +@bp.route("/status") +def status(): + return jsonify({"success": True}) + + +@bp.route("/ping") +def ping(): + return jsonify({"success": True}) diff --git a/flask_webgoat/templates/base.html b/flask_webgoat/templates/base.html new file mode 100644 index 00000000..e89040da --- /dev/null +++ b/flask_webgoat/templates/base.html @@ -0,0 +1,9 @@ + +flask_webgoat + +
+ {% block content %}{% endblock %} +
+ diff --git a/flask_webgoat/templates/error.html b/flask_webgoat/templates/error.html new file mode 100644 index 00000000..c8d71cf1 --- /dev/null +++ b/flask_webgoat/templates/error.html @@ -0,0 +1,11 @@ +{% extends 'base.html' %} + +{% block header %} +

{% block title %}Register{% endblock %}

+{% endblock %} + +{% block content %} +
+ {{ message }} +
+{% endblock %} diff --git a/flask_webgoat/templates/search.html b/flask_webgoat/templates/search.html new file mode 100644 index 00000000..9203d4bd --- /dev/null +++ b/flask_webgoat/templates/search.html @@ -0,0 +1,14 @@ +{% extends 'base.html' %} + +{% block header %} +
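Review bot: `{% block title %}Register{% endblock %}` in error.html (and the identical line in search.html) reads as copied from a registration page; the error page should carry something like `Error` and the search page `Search`. As far as this rendering shows, base.html defines only `{% block content %}`, so the `{% block header %}` that both child templates fill is never emitted — either add a matching `{% block header %}{% endblock %}` to base.html or drop the header blocks from the children. The HTML tags were stripped from the hunks in this view, so both observations are limited to the Jinja directives that survived.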

{% block title %}Register{% endblock %}

+{% endblock %} + +{% block content %} +
+ Found {{ num_results }} results for query {{ query }}. + {% for result in results %} +
{{ result }}
+ {% endfor %} +
+{% endblock %} diff --git a/flask_webgoat/ui.py b/flask_webgoat/ui.py new file mode 100644 index 00000000..f7f107d9 --- /dev/null +++ b/flask_webgoat/ui.py @@ -0,0 +1,25 @@ +import sqlite3 + +from flask import Blueprint, request, render_template +from . import query_db + +bp = Blueprint("ui", __name__) + + +@bp.route("/search") +def search(): + query_param = request.args.get("query") + if query_param is None: + message = "please provide the query parameter" + # vulnerability: XSS + return render_template("error.html", message=message) + + try: + query = "SELECT username, access_level FROM user WHERE username LIKE ?;" + results = query_db(query, (query_param,)) + return render_template( + "search.html", results=results, num_results=len(results), query=query_param + ) + except sqlite3.Error as err: + message = "Error while executing query " + query_param + ": " + err + return render_template("error.html", message=message) diff --git a/flask_webgoat/users.py b/flask_webgoat/users.py new file mode 100644 index 00000000..a72e698e --- /dev/null +++ b/flask_webgoat/users.py 
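Review bot: In the `except sqlite3.Error as err:` branch of `search`, `"Error while executing query " + query_param + ": " + err` concatenates a `str` with the exception object, which raises `TypeError` inside the handler, so a database error surfaces as a 500 instead of the error page; use `str(err)` (users.py's `"could not create user:" + err` has the same bug). The `# vulnerability: XSS` marker sits on the branch where `message` is the constant `"please provide the query parameter"`, and Flask autoescapes `.html` templates by default, so `{{ message }}` in error.html is unlikely to behave as the label implies; the marker and the code disagree, and either the marker belongs on the branch where user input reaches the template, with the template's escaping behaviour documented there, or the label should go. `query_param` is bound to `LIKE ?` verbatim, so a search without wildcard characters matches only exact usernames — a one-line comment would save the next reader from assuming substring search.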
@@ -0,0 +1,47 @@ +import sqlite3 + +from flask import Blueprint, jsonify, session, request + +from . import query_db + +bp = Blueprint("users", __name__) + + +@bp.route("/create_user", methods=["POST"]) +def create_user(): + user_info = session.get("user_info", None) + if user_info is None: + return jsonify({"error": "no user_info found in session"}) + + access_level = user_info[2] + if access_level != 0: + return jsonify({"error": "access level of 0 is required for this action"}) + username = request.form.get("username") + password = request.form.get("password") + access_level = request.form.get("access_level") + if username is None or password is None or access_level is None: + return ( + jsonify( + { + "error": "username, password and access_level parameters have to be provided" + } + ), + 400, + ) + if len(password) < 3: + return ( + jsonify({"error": "the password needs to be at least 3 characters long"}), + 402, + ) + + # vulnerability: SQL Injection + query = ( + "INSERT INTO user (username, password, access_level) VALUES ('%s', '%s', %d)" + % (username, password, int(access_level)) + ) + + try: + query_db(query, [], False, True) + return jsonify({"success": True}) + except sqlite3.Error as err: + return jsonify({"error": "could not create user:" + err}) diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..e4c5de6b --- /dev/null +++ b/requirements.txt @@ -0,0 +1,6 @@ +click==7.1.2 +Flask==1.1.2 +itsdangerous==1.1.0 +Jinja2==2.11.3 +MarkupSafe==1.1.1 +Werkzeug==1.0.1 diff --git a/run.py b/run.py new file mode 100644 index 00000000..d017f74d --- /dev/null +++ b/run.py 
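Review bot: `create_user` answers a too-short password with HTTP `402` (Payment Required); `400` is the appropriate status and matches the missing-parameter branch just above it. `int(access_level)` in the query-building expression raises `ValueError` for a non-numeric value, which the `except sqlite3.Error` below does not catch, so the client gets a 500 — validate it before building the query with a `try`/`except ValueError` that returns a 400. The second `access_level = request.form.get("access_level")` rebinds the name that held the session user's own level a few lines earlier, which makes the `!= 0` check above hard to follow; a distinct name such as `new_access_level` would read better.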
@@ -0,0 +1,14 @@
+from flask_webgoat import create_app
+
+app = create_app()
+
+@app.after_request
+def add_csp_headers(response):
+ # vulnerability: Broken Access Control
+ response.headers['Access-Control-Allow-Origin'] = '*'
+ # vulnerability: Security Misconfiguration
+ response.headers['Content-Security-Policy'] = "script-src 'self' 'unsafe-inline'"
+ return response
+
+if __name__ == '__main__':
+ app.run()
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 00000000..64a27f8d
--- /dev/null
+++ b/shiftleft.yml
@@ -0,0 +1,12 @@
+build_rules:
+ - id: no-findings-allowed-rule
+ finding_types:
+ - vuln
+ - secret
+ - insight
+ - extscan
+ severity:
+ - SEVERITY_MEDIUM_IMPACT
+ - SEVERITY_HIGH_IMPACT
+ - SEVERITY_LOW_IMPACT
+ threshold: 0