Add Insecure Design app to A4 from OWASP top 10 (#617)

* chore: add insecure design app in secDevLabs

* change: add insecure design app in readme and rename app folder

* fix: update readme.md

Author: thiagolotufo

README.md

@@ -32,27 +32,28 @@ After mitigating a vulnerability, you can send a Pull Request to gently ask the
 
 Disclaimer: You are about to install vulnerable apps in your machine! 🔥
 
-| Vulnerability                                 | Language       | Application                                                                    |
-| --------------------------------------------- | -------------- | ------------------------------------------------------------------------------ |
-| A1 - Broken Access Control                    | Golang         | [Vulnerable Ecommerce API](owasp-top10-2021-apps/a1/ecommerce-api)             |
-| A1 - Broken Access Control                    | NodeJS         | [Tic-Tac-Toe](owasp-top10-2021-apps/a1/tictactoe)                              |
-| A1 - Broken Access Control                    | Golang         | [Camplake-API](owasp-top10-2021-apps/a1/camplake-api)                          |
-| A2 - Cryptographic Failures                   | Golang         | [SnakePro](owasp-top10-2021-apps/a2/snake-pro)                                 |
-| A3 - Injection                                | Golang         | [CopyNPaste API](owasp-top10-2021-apps/a3/copy-n-paste)                        |
-| A3 - Injection                                | NodeJS         | [Mongection](owasp-top10-2021-apps/a3/mongection)                              |
-| A3 - Injection                                | Python         | [SSType](owasp-top10-2021-apps/a3/sstype)                                      |
-| A3 - Injection (XSS)                          | Python         | [Gossip World](owasp-top10-2021-apps/a3/gossip-world)                          |
-| A3 - Injection (XSS)                          | React          | [Comment Killer](owasp-top10-2021-apps/a3/comment-killer)                      |
-| A3 - Injection (XSS)                          | Angular/Spring | [Streaming](owasp-top10-2021-apps/a3/streaming)                                |
-| A5 - Security Misconfiguration (XXE)          | PHP            | [ViniJr Blog](owasp-top10-2021-apps/a5/vinijr-blog)                            |
-| A5 - Security Misconfiguration                | PHP            | [Vulnerable Wordpress Misconfig](owasp-top10-2021-apps/a5/misconfig-wordpress) |
-| A5 - Security Misconfiguration                | NodeJS         | [Stegonography](owasp-top10-2021-apps/a5/stegonography)                        |
-| A6 - Vulnerable and Outdated Components       | PHP            | [Cimentech](owasp-top10-2021-apps/a6/cimentech)                                |
-| A6 - Vulnerable and Outdated Components       | Python         | [Golden Hat Society](owasp-top10-2021-apps/a6/golden-hat)                      |
-| A7 - Identity and Authentication Failures     | Python         | [Saidajaula Monster Fit](owasp-top10-2021-apps/a7/saidajaula-monster)          |
-| A7 - Identity and Authentication Failures     | Golang         | [Insecure go project](owasp-top10-2021-apps/a7/insecure-go-project)            |
-| A8 - Software and Data Integrity Failures     | Python         | [Amarelo Designs](owasp-top10-2021-apps/a8/amarelo-designs)                    |
-| A9 - Security Logging and Monitoring Failures | Python         | [GamesIrados.com](owasp-top10-2021-apps/a9/games-irados)                       |
+| Vulnerability                                 | Language       | Application                                                                     |
+| --------------------------------------------- | -------------- | ------------------------------------------------------------------------------- |
+| A1 - Broken Access Control                    | Golang         | [Vulnerable Ecommerce API](owasp-top10-2021-apps/a1/ecommerce-api)              |
+| A1 - Broken Access Control                    | NodeJS         | [Tic-Tac-Toe](owasp-top10-2021-apps/a1/tictactoe)                               |
+| A1 - Broken Access Control                    | Golang         | [Camplake-API](owasp-top10-2021-apps/a1/camplake-api)                           |
+| A2 - Cryptographic Failures                   | Golang         | [SnakePro](owasp-top10-2021-apps/a2/snake-pro)                                  |
+| A3 - Injection                                | Golang         | [CopyNPaste API](owasp-top10-2021-apps/a3/copy-n-paste)                         |
+| A3 - Injection                                | NodeJS         | [Mongection](owasp-top10-2021-apps/a3/mongection)                               |
+| A3 - Injection                                | Python         | [SSType](owasp-top10-2021-apps/a3/sstype)                                       |
+| A3 - Injection (XSS)                          | Python         | [Gossip World](owasp-top10-2021-apps/a3/gossip-world)                           |
+| A3 - Injection (XSS)                          | React          | [Comment Killer](owasp-top10-2021-apps/a3/comment-killer)                       |
+| A3 - Injection (XSS)                          | Angular/Spring | [Streaming](owasp-top10-2021-apps/a3/streaming)                                 |
+| A4 - Insecure Design                          | React/Go       | [Super Recovery Password App](owasp-top10-2021-apps/a4/super-recovery-password) |
+| A5 - Security Misconfiguration (XXE)          | PHP            | [ViniJr Blog](owasp-top10-2021-apps/a5/vinijr-blog)                             |
+| A5 - Security Misconfiguration                | PHP            | [Vulnerable Wordpress Misconfig](owasp-top10-2021-apps/a5/misconfig-wordpress)  |
+| A5 - Security Misconfiguration                | NodeJS         | [Stegonography](owasp-top10-2021-apps/a5/stegonography)                         |
+| A6 - Vulnerable and Outdated Components       | PHP            | [Cimentech](owasp-top10-2021-apps/a6/cimentech)                                 |
+| A6 - Vulnerable and Outdated Components       | Python         | [Golden Hat Society](owasp-top10-2021-apps/a6/golden-hat)                       |
+| A7 - Identity and Authentication Failures     | Python         | [Saidajaula Monster Fit](owasp-top10-2021-apps/a7/saidajaula-monster)           |
+| A7 - Identity and Authentication Failures     | Golang         | [Insecure go project](owasp-top10-2021-apps/a7/insecure-go-project)             |
+| A8 - Software and Data Integrity Failures     | Python         | [Amarelo Designs](owasp-top10-2021-apps/a8/amarelo-designs)                     |
+| A9 - Security Logging and Monitoring Failures | Python         | [GamesIrados.com](owasp-top10-2021-apps/a9/games-irados)                        |
 
 ## OWASP Top 10 (2016) Mobile apps: 📲
 

owasp-top10-2021-apps/a4/super-recovery-password/.gitignore

@@ -0,0 +1,23 @@
+# dependencies
+src/app/node_modules/
+/.pnp
+.pnp.js
+
+# testing
+/coverage
+
+# production
+/build
+
+# misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+db
+.env

owasp-top10-2021-apps/a4/super-recovery-password/Makefile

@@ -0,0 +1,77 @@
+.SILENT:
+.DEFAULT_GOAL := help
+
+GO ?= go
+GOROOT ?= $(shell $(GO) env GOROOT)
+GOPATH ?= $(shell $(GO) env GOPATH)
+GOBIN ?= $(GOPATH)/bin
+GODEP ?= $(GOBIN)/dep
+GOLINT ?= $(GOBIN)/golint
+GOSEC ?= $(GOBIN)/gosec
+
+INSECUREBIN ?= insecureDesignA4
+
+COLOR_RESET = \033[0m
+COLOR_COMMAND = \033[36m
+COLOR_YELLOW = \033[33m
+COLOR_GREEN = \033[32m
+COLOR_RED = \033[31m
+
+
+## Installs a development environment
+install: compose msg
+
+## Runs a bruteforce attack
+bruteforce: 
+	docker-compose -f brute-force/docker-compose.yml down -v --remove-orphans
+	docker-compose -f brute-force/docker-compose.yml build
+	docker run --rm --network insecure_net -ti brute-force
+
+## Composes project using docker-compose
+compose:
+	docker-compose -f deployments/docker-compose.yml down -v --remove-orphans
+	docker-compose -f deployments/docker-compose.yml up -d --build --force-recreate
+
+## Prints initialization message after compose phase
+msg:
+	chmod +x deployments/check-init.sh
+	./deployments/check-init.sh
+
+## Gets all go test dependencies
+get-deps:
+	$(GO) get -u github.com/golang/dep/cmd/dep
+	$(GO) get -u golang.org/x/lint/golint
+	$(GO) get -u github.com/securego/gosec/cmd/gosec
+
+## Checks depencies of the project
+check-deps:
+	$(GODEP) ensure -v
+
+## Runs a security static analysis using Gosec
+check-sec:
+	$(GOSEC) ./... 2> /dev/null
+
+## Perfoms all make tests
+test: get-deps lint security-check
+
+## Runs lint
+lint:
+	$(GOLINT) $(shell $(GO) list ./...)
+
+## Builds Go project to the executable fil
+build:
+	$(GO) build -o "$(INSECUREBIN)"
+
+## Prints help message
+help:
+	printf "\n${COLOR_YELLOW}${PROJECT}\n------\n${COLOR_RESET}"
+	awk '/^[a-zA-Z\-\_0-9\.%]+:/ { \
+		helpMessage = match(lastLine, /^## (.*)/); \
+		if (helpMessage) { \
+			helpCommand = substr($$1, 0, index($$1, ":")); \
+			helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \
+			printf "${COLOR_COMMAND}$$ make %s${COLOR_RESET} %s\n", helpCommand, helpMessage; \
+		} \
+	} \
+	{ lastLine = $$0 }' $(MAKEFILE_LIST) | sort
+	printf "\n"

owasp-top10-2021-apps/a4/super-recovery-password/README.md

@@ -0,0 +1,108 @@
+# Super Recovery Password App
+
+<b>Super Recovery Password App</b> is a simple Golang Web App that contains an example of a Insecure Design vulnerability, and its main goal is to illustrate how an attacker could explore it.
+
+## Index
+
+- [Definition](#what-is-insecure-design)
+- [Setup](#setup)
+- [Attack narrative](#attack-narrative)
+- [Objectives](#secure-this-app)
+- [Solutions](#pr-solutions)
+- [Contributing](#contributing)
+
+## What is Insecure Design?
+
+Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.” An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks. Therefore, this security risk is focused on the potentials for damage associated with flaws in design and architecture.
+
+The main goal of this app is to discuss how **Insecure Design** vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.
+
+## Setup
+
+To start this intentionally **insecure application**, you will need [Docker][docker install] and [Docker Compose][docker compose install]. After forking [secDevLabs](https://github.com/globocom/secDevLabs), you must type the following commands to start:
+
+```sh
+cd secDevLabs/owasp-top10-2021-apps/a4/super-recovery-password
+```
+
+```sh
+make install
+```
+
+Then simply visit [http://localhost:40001][app] ! 😆
+
+## Get to know the app
+
+To properly understand how this application works, you can follow these simple steps:
+
+- Register an user and make log in;
+- Click in `Forgot Password?` buttom and recovery your password.
+
+## Attack narrative
+
+Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector!
+
+### Enumeration Users
+
+- In terminal, execute the following command to run `brute force` script.
+
+```sh
+make bruteforce
+```
+
+- Select the second option and wait until the script lists the users of the application.
+
+![enumeration users](./images/attack-1.png)
+
+### Change user password
+
+- In terminal, execute the following command to run `brute force` script.
+
+```sh
+make bruteforce
+```
+
+- Select the second option and enter a login discovered in the first step. The script will use word lists with answers to all password recovery questions to change the user’s password.
+
+![reseting user password](./images/attack-3.png)
+
+### Testing a user’s new password
+
+- Access `http://localhost:40001/login`
+
+![login form](./images/login-form.png)
+
+### Enter the admin credentials (use old password and new password)
+
+- Old admin password
+
+![old admin credentials](./images/attack-4.png)
+
+- New admin passowrd
+
+![new admin password](./images/attack-5.png)
+
+- Restricted route
+
+![new admin password](./images/restricted-1.png)
+
+## Secure this app
+
+How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
+
+- Enumerate Users
+- Brute Force Passwords
+- Know password recovery questions of a user
+- Change a user’s password without a strong password recovery method
+
+## PR solutions
+
+[Spoiler alert 🚨] To understand how this vulnerability can be mitigated, check out [these pull requests](https://github.com/globocom/secDevLabs/pulls?q=is%3Apr+label%3A%22mitigation+solution+%F0%9F%94%92%22+label%3ASuper-Recovery-Password)!
+
+## Contributing
+
+We encourage you to contribute to SecDevLabs! Please check out the [Contributing to SecDevLabs](../../../docs/CONTRIBUTING.md) section for guidelines on how to proceed! 🎉
+
+[docker install]: https://docs.docker.com/install/
+[docker compose install]: https://docs.docker.com/compose/install/
+[app]: http://localhost:40001

owasp-top10-2021-apps/a4/super-recovery-password/brute-force/bf.Dockerfile

@@ -0,0 +1,9 @@
+FROM python:3.9.1
+
+WORKDIR /brute-force
+
+ADD ./brute-force /brute-force/
+
+RUN pip install -q -r requirements.txt
+
+ENTRYPOINT ["python3", "scripts.py"]

owasp-top10-2021-apps/a4/super-recovery-password/brute-force/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3'
+
+networks:
+  default:
+    name: insecure_net
+    external: true
+
+services:
+    bf:
+      build:
+          context: ../
+          dockerfile: ./brute-force/bf.Dockerfile
+      image: brute-force:latest
+      external_links:
+        - api:api

owasp-top10-2021-apps/a4/super-recovery-password/brute-force/requirements.txt

@@ -0,0 +1 @@
+requests==2.28.0