Merge pull request adeyosemanputra#180 from sumukhchitloor/master

Added XSS Lab and Modified Mitre Attack's Explaination

Author: adeyosemanputra

pygoat/app.log

@@ -38,7 +38,8 @@ <h4>DOM XSS</h4>
             attacker tries to inject malicious code into a sink , then this type of XSS is called the DOM Xss</p>
 
 
-
+            <br>
+            <br>
         <button class="coll btn btn-info">Lab Details</button>
         <div class="lab">
             <p class="bp">
@@ -80,8 +81,28 @@ <h4>Exploiting the Reflection of the search query </h4>
                     Lab</button></div>
 
             </p>
-        </div><br>
+        </div>
+        
+        <button class="coll btn btn-info">Lab Details</button>
+        <div class="lab">
+            <p class="bp">
+                This lab a demonstration of a stored XSS vulnerability. The challenge is to change the value of flag that is being stored as a cookie on the user's browser. The user input is taken as a POST parameter in the URL and is displayed on the page. The code tries to escape the user input to prevent XSS attacks, but there might still be a way for the attacker to inject malicious code into the page.
+            </p>
+            <p class="bp">The goal of this challenge is for the attacker to find a way to execute arbitrary JavaScript code on the page and retrieve the data stored in the cookie. The attacker must be able to bypass the escaping mechanism and find a way to inject their own code into the page.
+            </p> 
+            <p class="bp">But the problem is <code>&lt;script &gt;</code> tag is sanitised by the server so we have to use another method to bypass this. </p>
+            <div class="container"> <code> &lt;img src=x onerror=alert(document.cookie) &gt;</code></div>
+            <p class="bp">Try changing the value of cookie set flag=success</p>
+            <div class="container"> <code> &lt;img src=x onerror=document.cookie="flag=success";  &gt;</code></div>
+            <p class="bp">Now when a search query is performed with the above payload you can see that the browser is able to render the script tag and execute the javascript , thus alerting “xss” with a pop up</p>
+
+            <br>
+            <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/xssL2'">Access
+                    Lab</button></div>
+        </div>
         <br>
+
+        
         <h4>Mitigation</h4><br>
         <p class="bp"> First let's analyse what part of the code has resulted in this vulnerability.
 

pygoat/db.sqlite3

@@ -0,0 +1,52 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+
+<title>XSS LAB 2</title>
+{% endblock %}
+<h1>Welcome to XSS Challenge</h1>
+<form  method="post" action="/xssL2">
+    {% csrf_token %}
+    <div class="jumbotron">
+        <label for="username">Comment:</label>
+        <input type="text" class="form-control" id="username" name="username" required>
+        <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
+    </div>
+   <button class="btn btn-info" type="submit">
+                Go
+            </button>
+</form>
+<br>
+<p>Hello, {{ username|safe }}</p>
+<script>
+  function setCookie(name, value) {
+    document.cookie = name + "=" + value + ";path=/;";
+  }
+
+  function getCookie(name) {
+    var name = name + "=";
+    var decodedCookie = decodeURIComponent(document.cookie);
+    var ca = decodedCookie.split(';');
+    for (var i = 0; i < ca.length; i++) {
+      var c = ca[i];
+      while (c.charAt(0) == ' ') {
+        c = c.substring(1);
+      }
+      if (c.indexOf(name) == 0) {
+        return c.substring(name.length, c.length);
+      }
+    }
+    return "";
+  }
+</script>
+<script>
+  var flag = getCookie("flag");
+  if (flag === "success") {
+    alert("Congratulations! You have solved the XSS Challenge");
+  }
+</script>
+<br>
+<div align="right">
+  <button class="btn btn-info" type="button" onclick="window.location.href='/xss'">Back to Lab Details</button>
+</div>
+{% endblock content %}

pygoat/introduction/templates/Lab/XSS/xss.html

@@ -88,7 +88,7 @@ <h3>PyGoat</h3>
               aria-expanded="false"
               class="dropdown-toggle"
               id="owasp10_2021"
-              style="padding: 13% 0 0 0"
+              style="padding: 13% 10% 0 0"
             >
               <i class="fas fa-flag"></i>
               OWASP TOP 10 2021
@@ -351,7 +351,7 @@ <h3>PyGoat</h3>
               aria-expanded="false"
               class="dropdown-toggle"
               id="mitre25"
-              style="padding: 13% 0 0 0"
+              style="padding: 13% 10% 0 0"
             >
               <i class="fas fa-flag"></i>
               Mitre top 25 Vulns
@@ -518,7 +518,7 @@ <h3>PyGoat</h3>
               aria-expanded="false"
               class="dropdown-toggle"
               id="owasp10_2017"
-              style="padding: 13% 0 0 0"
+              style="padding: 13% 10% 0 0"
             >
               <i class="fas fa-flag"></i>
               OWASP TOP 10 2017

pygoat/introduction/templates/Lab/XSS/xss_lab_2.html

@@ -2,16 +2,16 @@
 {% load static %}
 {% block content %}
 {% block title %}
-<title> Unrestricted Upload of File with Dangerous Type </title>
+<title> Predictable Value Range from Previous Values </title>
 {% endblock %}
     <div class="container">
-        <h2 style="font-size:2.7rem">CWE-343: <span>Unrestricted Upload of File with Dangerous Type</span></h2>
+        <h2 style="font-size:2.7rem">CWE-343: <span>Predictable Value Range from Previous Values</span></h2>
     </div>
 
     <div class="box">
-        The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
+        The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.
         <br>
-        In vulnerability databases and other places, the term "unrestricted file upload" is used, however it is not specific enough. The statement could be taken to mean that there are no limitations on the amount or size of uploaded files, which is a problem with resource use.
+        The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20.
     </div>
 
 {% endblock %}

pygoat/introduction/templates/introduction/base.html

@@ -8,8 +8,22 @@
         <h2 style="font-size:2.7rem">CWE-476: <span>	NULL Pointer Dereference</span></h2>
     </div>
     <div class="box">
-        When an application dereferences a pointer that it anticipates to be valid but is NULL, 
-        it results in a crash or programme exit. Issues with NULL pointer dereference can arise 
-        from a variety of bugs, such as race situations and straightforward programming errors.
+        The program can potentially dereference a null pointer, thereby raising a NullPointerException. Null pointer errors are usually the result of one or more programmer assumptions being violated. Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.
+        <br>
+        <br>
+        A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area.
+        <br>
+        <br>
+        Null-pointer dereferences, while common, can generally be found and corrected in a simple way. They will always result in the crash of the process, unless exception handling (on some platforms) is invoked, and even then, little can be done to salvage the process.
+        <br>
+        <br>
+        <h4 id="example-1">Example 1</h4>
+
+In the following code, the programmer assumes that the system always has
+a property named “cmd” defined. If an attacker can control the program’s
+environment so that “cmd” is not defined, the program throws a null
+pointer exception when it attempts to call the trim() method.
+
+<p><code class="language-plaintext highlighter-rouge">   String cmd = System.getProperty("cmd");</code>
     </div>
 {% endblock %}

pygoat/introduction/templates/mitre/mitre_top10.html

@@ -11,7 +11,8 @@ <h2 style="font-size:2.7rem">CWE-190: <span>Integer Overflow or Wraparound</span
         The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
         <br>
         When an integer value is increased to a value that is too large to be stored in the associated representation, an integer overflow or wraparound occurs. If this takes place, the value can wrap, turning into a very small or negative integer. Even while this might be the intended course of action in situations when wrapping is necessary, it might have security repercussions if the wrapping is unanticipated. This is especially true if human inputs can cause the integer overflow to occur. When the outcome is used to manage looping, make a security choice, or choose the offset or size for operations like memory allocation, copying, concatenation, etc., this turns into a security-critical situation.
-        
+        <br>
+        "Integer overflow" is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. Other confusion also arises because of the role that integer overflows have in chains
     </div>
 
 {% endblock %}

pygoat/introduction/templates/mitre/mitre_top11.html

@@ -7,6 +7,12 @@
     <div class="container">
         <h2 style="font-size:2.7rem">CWE-276: <span>Incorrect Default Permissions</span></h2>
     </div>
-    <div class="box">During installation, installed file permissions are set to allow anyone to modify those files.</div>
+    <div class="box">During installation, installed file permissions are set to allow anyone to modify those files.
+        <br>
+        <br>
+        Usually this weakness is locally exploitable. A malicious user might be able to gain access to sensitive information, tamper with sensitive data or compromise the vulnerable system entirely. If a setuid/setgid executable has world writable permissions any local user can inject malicious content into it and execute arbitrary code with privileges of the file's owner.
+        <br>
+        Basically, any application writable by an unintended actor poses a threat to system security and might be used to elevate privileges on the system, e.g. if such application was modified by a malicious and unprivileged user before being executed by a privileged one.
+    </div>
 
 {% endblock %}

pygoat/introduction/templates/mitre/mitre_top13.html

@@ -27,5 +27,13 @@ <h2 style="font-size: 2.7rem">CWE-416: <span>User after free</span></h2>
   has a potential to contain a class. The execution of arbitrary code is
   possible if one of these function pointers is overwritten with an address to
   legitimate shellcode.
+  <br>
+  <br>
+  To prevent Use After Free vulnerabilities, software developers should carefully 
+  manage memory allocation and deallocation, validate user input to ensure that it 
+  does not trigger a double-free condition, and use safe programming practices that 
+  automatically detect and prevent the use of freed memory. Tools like memory-safe 
+  programming languages and memory-management libraries can also help prevent this 
+  type of vulnerability.
 </div>
 {% endblock %}