diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..b65a6540 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,9 @@ +# Goal +Submitting my homework for lab# + +# Changes +- Added submissionXX.md + +# Checklist +- [x] Task 1 done +- [x] Task 2 done \ No newline at end of file diff --git a/labs/lab11/analysis/headers-http.txt b/labs/lab11/analysis/headers-http.txt new file mode 100644 index 00000000..32ecb29d --- /dev/null +++ b/labs/lab11/analysis/headers-http.txt @@ -0,0 +1,15 @@ +HTTP/1.1 308 Permanent Redirect +Server: nginx +Date: Tue, 12 May 2026 18:30:44 GMT +Content-Type: text/html +Content-Length: 164 +Connection: keep-alive +Location: https://localhost:8443/ +X-Frame-Options: DENY +X-Content-Type-Options: nosniff +Referrer-Policy: strict-origin-when-cross-origin +Permissions-Policy: camera=(), geolocation=(), microphone=() +Cross-Origin-Opener-Policy: same-origin +Cross-Origin-Resource-Policy: same-origin +Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' + diff --git a/labs/lab11/analysis/headers-https.txt b/labs/lab11/analysis/headers-https.txt new file mode 100644 index 00000000..206447ee --- /dev/null +++ b/labs/lab11/analysis/headers-https.txt 
@@ -0,0 +1,21 @@ +HTTP/2 200 +server: nginx +date: Tue, 12 May 2026 18:31:00 GMT +content-type: text/html; charset=UTF-8 +content-length: 75002 +feature-policy: payment 'self' +x-recruiting: /#/jobs +accept-ranges: bytes +cache-control: public, max-age=0 +last-modified: Tue, 12 May 2026 18:26:15 GMT +etag: W/"124fa-19e1d708bf8" +vary: Accept-Encoding +strict-transport-security: max-age=31536000; includeSubDomains; preload +x-frame-options: DENY +x-content-type-options: nosniff +referrer-policy: strict-origin-when-cross-origin +permissions-policy: camera=(), geolocation=(), microphone=() +cross-origin-opener-policy: same-origin +cross-origin-resource-policy: same-origin +content-security-policy-report-only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' + diff --git a/labs/lab11/analysis/rate-limit-test.txt b/labs/lab11/analysis/rate-limit-test.txt new file mode 100644 index 00000000..aec8f668 --- /dev/null +++ b/labs/lab11/analysis/rate-limit-test.txt @@ -0,0 +1,12 @@ +401 +401 +401 +401 +401 +401 +429 +429 +429 +429 +429 +429 diff --git a/labs/lab11/analysis/testssl.txt b/labs/lab11/analysis/testssl.txt new file mode 100644 index 00000000..a7340f6c --- /dev/null +++ b/labs/lab11/analysis/testssl.txt 
@@ -0,0 +1,227 @@ + +##################################################################### + testssl.sh version 3.2.3 from https://testssl.sh/ + + This program is free software. Distribution and modification under + GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! + + Please file bugs @ https://testssl.sh/bugs/ +##################################################################### + + Using OpenSSL 1.0.2-bad (Mar 28 2025) [~183 ciphers] + on RatPC:/home/testssl/bin/openssl.Linux.x86_64 + + Start 2026-05-12 18:36:40 -->> 127.0.0.1:8443 (localhost) <<-- + + A record via: /etc/hosts + rDNS (127.0.0.1): -- + Service detected: HTTP + + Testing protocols via sockets except NPN+ALPN  + + SSLv2 not offered (OK) + SSLv3 not offered (OK) + TLS 1 not offered + TLS 1.1 not offered + TLS 1.2 offered (OK) + TLS 1.3 offered (OK): final + NPN/SPDY not offered + ALPN/HTTP2 h2, http/1.1 (offered) + + Testing cipher categories  + + NULL ciphers (no encryption) not offered (OK) + Anonymous NULL Ciphers (no authentication) not offered (OK) + Export ciphers (w/o ADH+NULL) not offered (OK) + LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export) not offered (OK) + Triple DES Ciphers / IDEA not offered + Obsoleted CBC ciphers (AES, ARIA etc.) not offered + Strong encryption (AEAD ciphers) with no FS not offered + Forward Secrecy strong encryption (AEAD ciphers) offered (OK) + + + Testing server's cipher preferences  + +Hexcode Cipher Suite Name (OpenSSL) KeyExch. 
Encryption Bits Cipher Suite Name (IANA/RFC) +----------------------------------------------------------------------------------------------------------------------------- +SSLv2 + - +SSLv3 + - +TLSv1 + - +TLSv1.1 + - +TLSv1.2 (server order) + xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +TLSv1.3 (server order) + x1302 TLS_AES_256_GCM_SHA384 ECDH/MLKEM AESGCM 256 TLS_AES_256_GCM_SHA384 + x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH/MLKEM ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 + x1301 TLS_AES_128_GCM_SHA256 ECDH/MLKEM AESGCM 128 TLS_AES_128_GCM_SHA256 + + Has server cipher order? yes (OK) -- TLS 1.3 and below + + + Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4  + + FS is offered (OK)  TLS_AES_256_GCM_SHA384 + TLS_CHACHA20_POLY1305_SHA256 + ECDHE-RSA-AES256-GCM-SHA384 + TLS_AES_128_GCM_SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + KEMs offered X25519MLKEM768 + Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 + Finite field group: ffdhe2048 ffdhe3072 + TLS 1.2 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 + RSA+SHA512 RSA+SHA224 + TLS 1.3 sig_algs offered: RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 + RSA-PSS-RSAE+SHA512 + + Testing server defaults (Server Hello)  + + TLS extensions (standard) "server name/#0" "max fragment length/#1" + "supported_groups/#10" "EC point formats/#11" + "application layer protocol negotiation/#16" + "extended master secret/#23" "session ticket/#35" + "supported versions/#43" "key share/#51" + "renegotiation info/#65281" + Session Ticket RFC 5077 hint 600 seconds, session tickets keys seems to be rotated < daily + SSL Session ID support yes + Session Resumption Tickets: yes, ID: yes + TLS clock skew Random values, no fingerprinting possible + Certificate Compression none + Client Authentication 
none + Signature Algorithm SHA256 with RSA + Server key size RSA 2048 bits (exponent is 65537) + Server key usage -- + Server extended key usage -- + Serial 027BD549B41901039AD7D85B1422A72D3AB72F8A (OK: length 20) + Fingerprints SHA1 B1DE6E090444231B892E65993C27F29F690C3B71 + SHA256 58AAE04A77E079638D58AE16642F384E5F5627BE8E5D71741CC70A42EC3CCB62 + Common Name (CN) localhost  + subjectAltName (SAN) localhost 127.0.0.1 0:0:0:0:0:0:0:1  + Trust (hostname) Ok via SAN and CN (same w/o SNI) + Chain of trust NOT ok (self signed) + EV cert (experimental) no + Certificate Validity (UTC) 364 >= 60 days (2026-05-12 18:26 --> 2027-05-12 18:26) + ETS/"eTLS", visibility info not present + Certificate Revocation List -- + OCSP URI -- + NOT ok -- neither CRL nor OCSP URI provided + OCSP stapling not offered + OCSP must staple extension -- + DNS CAA RR (experimental) not offered + Certificate Transparency -- + Certificates provided 1 + Issuer localhost + Intermediate Bad OCSP (exp.) Ok + + + Testing HTTP header response @ "/"  + + HTTP Status Code  200 OK + HTTP clock skew 0 sec from localtime + Strict Transport Security 365 days=31536000 s, includeSubDomains, preload + Public Key Pinning -- + Server banner nginx + Application banner -- + Cookie(s) (none issued at "/") + Security headers X-Frame-Options: DENY + X-Content-Type-Options: nosniff + Content-Security-Policy-Report-Only: default-src + 'self'; img-src 'self' data:; script-src 'self' + 'unsafe-inline' 'unsafe-eval'; style-src 'self' + 'unsafe-inline' + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin + Permissions-Policy: camera=(), geolocation=(), + microphone=() + Referrer-Policy: strict-origin-when-cross-origin + Cache-Control: public, max-age=0 + Reverse Proxy banner -- + + + Testing vulnerabilities  + + Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension + CCS (CVE-2014-0224) not vulnerable (OK) + 
Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) + ROBOT Server does not support any cipher suites that use RSA key transport + Secure Renegotiation (RFC 5746) supported (OK) + Secure Client-Initiated Renegotiation not vulnerable (OK) + CRIME, TLS (CVE-2012-4929) not vulnerable (OK) + BREACH (CVE-2013-3587) no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested + POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support + TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered + SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) + FREAK (CVE-2015-0204) not vulnerable (OK) + DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) + make sure you don't use this certificate elsewhere with SSLv2 enabled services, see + https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=58AAE04A77E079638D58AE16642F384E5F5627BE8E5D71741CC70A42EC3CCB62 + LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 + BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 + LUCKY13 (CVE-2013-0169), experimental not vulnerable (OK) + Winshock (CVE-2014-6321), experimental not vulnerable (OK) + RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) + + + Running client simulations (HTTP) via sockets  + + Browser Protocol Cipher Suite Name (OpenSSL) Forward Secrecy +------------------------------------------------------------------------------------------------ + Android 7.0 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 11/12 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Android 13/14 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 
253 bit ECDH (X25519) + Android 15 (native) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Chrome 101 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Chromium 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Firefox 100 (Win 10) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Firefox 137 (Win 11) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + IE 8 Win 7 No connection + IE 11 Win 7 No connection + IE 11 Win 8.1 No connection + IE 11 Win Phone 8.1 No connection + IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 253 bit ECDH (X25519) + Edge 101 Win 10 21H2 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Edge 133 Win 11 23H2 TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Safari 18.4 (iOS 18.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 15.4 (macOS 12.3.1) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Safari 18.4 (macOS 15.4) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 7u25 No connection + Java 8u442 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit ECDH (P-256) + Java 17.0.3 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + Java 21.0.6 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + go 1.17.8 TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + LibreSSL 3.3.6 (macOS) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.0.15 (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + OpenSSL 3.5.0 (git) TLSv1.3 TLS_AES_256_GCM_SHA384 X25519MLKEM768 + Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256 bit ECDH (P-256) + Thunderbird (91.9) TLSv1.3 TLS_AES_256_GCM_SHA384 253 bit ECDH (X25519) + + + Rating (experimental)  + + Rating 
specs (not complete) SSL Labs's 'SSL Server Rating Guide' (version 2009r from 2025-05-16) + Specification documentation https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide + Protocol Support (weighted) 0 (0) + Key Exchange (weighted) 0 (0) + Cipher Strength (weighted) 0 (0) + Final Score 0 + Overall Grade T + Grade cap reasons Grade capped to T. Issues with chain of trust + (self signed) + + Done 2026-05-12 18:37:17 [ 38s] -->> 127.0.0.1:8443 (localhost) <<-- + + diff --git a/labs/lab11/logs/access.log b/labs/lab11/logs/access.log new file mode 100644 index 00000000..93741253 --- /dev/null +++ b/labs/lab11/logs/access.log 
@@ -0,0 +1,22 @@ +172.19.0.1 - - [12/May/2026:18:26:12 +0000] "GET / HTTP/1.1" 308 164 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:30:44 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:31:00 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/8.20.0" rt=0.007 uct=0.001 urt=0.007 +172.19.0.1 - - [12/May/2026:18:36:40 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.004 uct=0.001 urt=0.005 +172.19.0.1 - - [12/May/2026:18:36:57 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.002 uct=0.000 urt=0.001 +172.19.0.1 - - [12/May/2026:18:36:58 +0000] "GET / HTTP/1.1" 200 75002 "-" "TLS tester from https://testssl.sh/" rt=0.001 uct=0.000 urt=0.001 +172.19.0.1 - - [12/May/2026:18:37:04 +0000] "GET / HTTP/1.1" 200 75002 "https://google.com/" "TLS tester from https://testssl.sh/" rt=0.001 uct=0.000 urt=0.002 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.024 uct=0.000 urt=0.025 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.009 uct=0.000 urt=0.009 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.016 uct=0.000 urt=0.016 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.008 uct=0.000 urt=0.007 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.006 uct=0.001 urt=0.007 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.006 uct=0.000 urt=0.007 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - 
[12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:46:37 +0000] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:46:37 +0000] "GET /favicon.ico HTTP/1.1" 400 248 "http://localhost:8443/" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:47:21 +0000] "GET /rest/user/login HTTP/1.1" 400 248 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0" rt=0.000 uct=- urt=- diff --git a/labs/lab11/logs/error.log b/labs/lab11/logs/error.log new file mode 100644 index 00000000..d8ce593a --- /dev/null +++ b/labs/lab11/logs/error.log 
@@ -0,0 +1,55 @@ +2026/05/12 18:36:40 [crit] 32#32: *6 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:44 [crit] 31#31: *40 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:44 [crit] 31#31: *41 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:45 [crit] 31#31: *42 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:45 [crit] 31#31: *43 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:46 [crit] 32#32: *50 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:46 [crit] 32#32: *51 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:46 [crit] 32#32: *52 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:47 [crit] 32#32: *53 SSL_do_handshake() failed (SSL: error:0A00010B:SSL 
routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:47 [crit] 32#32: *55 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:48 [crit] 32#32: *56 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:48 [crit] 32#32: *60 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:48 [crit] 32#32: *61 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:49 [crit] 32#32: *62 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:49 [crit] 33#33: *69 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:50 [crit] 33#33: *70 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:50 [crit] 33#33: *71 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, 
client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:50 [crit] 33#33: *74 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:50 [crit] 33#33: *75 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:51 [crit] 33#33: *78 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:52 [crit] 33#33: *79 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:52 [crit] 33#33: *80 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:55 [crit] 34#34: *95 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:56 [crit] 35#35: *101 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:36:57 [crit] 35#35: *108 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:07 [crit] 37#37: *133 SSL_do_handshake() failed 
(SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:07 [crit] 37#37: *134 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:08 [crit] 37#37: *135 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:08 [crit] 37#37: *136 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:08 [crit] 37#37: *137 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:09 [crit] 37#37: *138 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:09 [crit] 37#37: *139 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:09 [crit] 37#37: *140 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:10 [crit] 37#37: *141 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer 
failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:12 [crit] 38#38: *148 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:12 [crit] 38#38: *149 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:12 [crit] 38#38: *150 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:13 [crit] 38#38: *151 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:13 [crit] 38#38: *152 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:13 [crit] 38#38: *154 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:14 [crit] 38#38: *155 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:14 [crit] 38#38: *156 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:14 [crit] 
38#38: *157 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:15 [crit] 38#38: *158 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:15 [crit] 38#38: *159 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:15 [crit] 38#38: *161 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:16 [crit] 38#38: *162 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:16 [crit] 38#38: *163 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:37:17 [crit] 39#39: *165 SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:8443 +2026/05/12 18:45:26 [warn] 39#39: *178 limiting requests, excess: 5.983 by zone "login", client: 172.19.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2026/05/12 18:45:26 [warn] 39#39: *179 limiting requests, excess: 5.982 by zone "login", client: 172.19.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: 
"localhost:8443" +2026/05/12 18:45:26 [warn] 39#39: *180 limiting requests, excess: 5.981 by zone "login", client: 172.19.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2026/05/12 18:45:26 [warn] 39#39: *181 limiting requests, excess: 5.980 by zone "login", client: 172.19.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2026/05/12 18:45:26 [warn] 39#39: *182 limiting requests, excess: 5.979 by zone "login", client: 172.19.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" +2026/05/12 18:45:26 [warn] 39#39: *183 limiting requests, excess: 5.978 by zone "login", client: 172.19.0.1, server: _, request: "POST /rest/user/login HTTP/2.0", host: "localhost:8443" diff --git a/labs/lab5/sqlmap/localhost/log b/labs/lab5/sqlmap/localhost/log new file mode 100644 index 00000000..4cabc56c --- /dev/null +++ b/labs/lab5/sqlmap/localhost/log @@ -0,0 +1,8 @@ +sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests: +--- +Parameter: #1* (URI) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: http://localhost:3000/rest/products/search?q=') AND 6254=6254 AND ('jcto' LIKE 'jcto +--- +back-end DBMS: SQLite diff --git a/labs/lab5/sqlmap/localhost/session.sqlite b/labs/lab5/sqlmap/localhost/session.sqlite new file mode 100644 index 00000000..bc78069a Binary files /dev/null and b/labs/lab5/sqlmap/localhost/session.sqlite differ diff --git a/labs/lab5/sqlmap/localhost/target.txt b/labs/lab5/sqlmap/localhost/target.txt new file mode 100644 index 00000000..757e9155 --- /dev/null +++ b/labs/lab5/sqlmap/localhost/target.txt 
@@ -0,0 +1,3 @@ +http://localhost:3000/rest/user/login (POST) # /sqlmap/sqlmap.py -u http://localhost:3000/rest/user/login --data {\"email\":\"*\",\"password\":\"test\"} --method POST "--headers=Content-Type: application/json" --dbms=sqlite --batch --level=5 --risk=3 --technique=BT --threads=5 --output-dir=/output --dump + +{"email":"*","password":"test"} \ No newline at end of file diff --git a/labs/submission11.md b/labs/submission11.md new file mode 100644 index 00000000..1f467564 --- /dev/null +++ b/labs/submission11.md 
@@ -0,0 +1,98 @@ +# Task 1 + +``` +docker compose ps +NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS +lab11-juice-1 bkimminich/juice-shop:v19.0.0 "/nodejs/bin/node /j…" juice 42 seconds ago Up 42 seconds 3000/tcp +lab11-nginx-1 nginx:stable-alpine "/docker-entrypoint.…" nginx 42 seconds ago Up 42 seconds 0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp, 80/tcp, 0.0.0.0:8443->8443/tcp, [::]:8443->8443/tcp +``` +As can be seen, juice shop isn't exposed + +Hiding direct app ports allows for an additional security level + +# Task 2 + +``` +X-Frame-Options: DENY +X-Content-Type-Options: nosniff +Referrer-Policy: strict-origin-when-cross-origin +Permissions-Policy: camera=(), geolocation=(), microphone=() +Cross-Origin-Opener-Policy: same-origin +Cross-Origin-Resource-Policy: same-origin +Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' +``` + +- X-Frame-Options: protects againts embedding in frames +- X-Content-Type-Options: protects against MIME-sniffing attacks +- Strict-Transport-Security (HSTS) (unused): protects against HTTPS downgrade and some MITM attacks by requiring future connections over HTTPS +- Referrer-Policy: protects against leaking sensitive URL/referrer data to other sites +- Permissions-Policy: protects against unwanted use of browser features (here: camera, microphone, and geolocation) +- COOP/CORP: COOP protects against cross-origin window interaction attacks; CORP protects resources from unwanted cross-origin inclusion and some side-channel attacks. 
+- CSP-Report-Only: does not block attacks itself, but reports potential CSP violations so unsafe script/content loading can be identified before enforcing CSP + +# Task 3 + +## TestSSL +- TLS 1.2 and 1.3 were offered, also ALPN/HTTP2 was offered +- Forward Secrecy strong encryption (AEAD ciphers) was offered + +### Supported cipher suites +- ECDHE-RSA-AES256-GCM-SHA384 +- ECDHE-RSA-AES128-GCM-SHA256 +- TLS_AES_256_GCM_SHA384 +- TLS_CHACHA20_POLY1305_SHA256 +- TLS_AES_128_GCM_SHA256 + +### TLS 1.0/1.1 are obsolete and weaker, while TLS 1.2+ provides modern secure cipher suites; TLS 1.3 is preferred because it improves security and simplifies the handshake. + +### Warnings / vulnerabilities +No tested TLS vulnerabilities were detected, but the certificate is self-signed, the trust chain is not valid, and no CRL/OCSP URI is provided + +## Rate limiting + +### Command line output +``` +[RatPC|rightrat lab11] for i in $(seq 1 12); do \ + curl -sk -o /dev/null -w "%{http_code}\n" \ + -H 'Content-Type: application/json' \ + -X POST https://localhost:8443/rest/user/login \ + -d '{"email":"a@a","password":"a"}'; \ +done | tee analysis/rate-limit-test.txt +401 +401 +401 +401 +401 +401 +429 +429 +429 +429 +429 +429 +``` +Total: 6 **401**s and 6 **429**s + +### access.log +``` +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.024 uct=0.000 urt=0.025 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.009 uct=0.000 urt=0.009 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.016 uct=0.000 urt=0.016 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.008 uct=0.000 urt=0.007 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.006 uct=0.001 urt=0.007 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST 
/rest/user/login HTTP/2.0" 401 26 "-" "curl/8.20.0" rt=0.006 uct=0.000 urt=0.007 +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +172.19.0.1 - - [12/May/2026:18:45:26 +0000] "POST /rest/user/login HTTP/2.0" 429 162 "-" "curl/8.20.0" rt=0.000 uct=- urt=- +``` + +### Explaination +- ``rate=10r/m`` allows 10 requests per minute per IP +- ``burst=5`` allows up to 5 immediate requests before responding with 429 +- ``lient_body_timeout 10s``: Nginx waits at most 10 seconds between chunks of the request body +- ``client_header_timeout 10s``: Nginx waits up to 10 seconds for request headers +- ``proxy_read_timeout 30s``: Nginx waits up to 30 seconds between response reads from the upstream +- ``proxy_send_timeout 30s``: Nginx waits up to 30 seconds between writes while sending the request to the upstream
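Review bot: the new `.github/pull_request_template.md` ships with its placeholders unfilled (`lab#`, `submissionXX.md`) and both checklist items already ticked (`- [x] Task 1 done`), so every PR opened from it will claim completion by default; use `- [ ]` for the checklist, keep the placeholders obviously fillable, and add the missing newline at end of file.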
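Review bot: in `labs/lab11/analysis/headers-https.txt` the `content-security-policy-report-only` value carries no `report-uri` or `report-to` directive, so violations are only visible in a browser console and nothing is collected server-side, which defeats the purpose of running in report-only mode; and its `script-src 'self' 'unsafe-inline' 'unsafe-eval'` would give almost no XSS protection once switched to enforcing. Note also that `feature-policy: payment 'self'` and `x-recruiting: /#/jobs` are passed through from the upstream application, so the proxy now emits both the legacy Feature-Policy and the Permissions-Policy it adds itself.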
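Review bot: in `labs/lab11/analysis/testssl.txt` the `Overall Grade T` is purely the chain-of-trust cap for the self-signed certificate (`Grade capped to T. Issues with chain of trust`), which also zeroes the weighted Protocol Support, Key Exchange and Cipher Strength scores; the protocol, cipher and vulnerability sections are clean (only TLS 1.2/1.3, AEAD suites only, forward secrecy offered, no RSA key transport), so the submission should state that the grade reflects the lab certificate rather than the configuration, and a re-run against a certificate issued by a CA the tester trusts would give a usable score. The remaining open items are `OCSP stapling not offered` and `neither CRL nor OCSP URI provided`. The header listing prints `Permissions-Policy` twice while `headers-https.txt` shows it once; a quick curl check would confirm nginx is not adding it on top of an upstream copy.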
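Review bot: `labs/lab11/logs/access.log` shows six `POST /rest/user/login` requests answered 401 followed by six 429s, all within the same second (18:45:26); with `rate=10r/m` and `burst=5` that is the one request the rate allows plus the five burst slots, and the lack of any spacing between the accepted requests indicates `nodelay` (or `delay=`) is set on the `limit_req` directive, which the write-up should mention. The three 400 responses at 18:46:37 and 18:47:21 are plain-HTTP requests sent to the TLS port (the referer is `http://localhost:8443/`), not application errors; nginx's `error_page 497` can redirect those to https if friendlier behaviour is wanted.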
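Review bot: the 49 `[crit] ... SSL_do_handshake() failed ... wrong version number` entries in `labs/lab11/logs/error.log` fall entirely inside the testssl window (18:36:40 to 18:37:17) and correspond to its SSLv2/SSLv3/TLS 1.0/1.1 probes and the client simulations that ended in `No connection`; they are scanner noise rather than a fault, and the submission should say so, because at `crit` level they would look like an incident in any later log review. The six `limiting requests, excess: 5.98x by zone "login"` warnings match the six 429s one for one.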
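Review bot: the `labs/lab5/sqlmap/localhost/` files (`log`, `target.txt` and the binary `session.sqlite`) are lab 5 output unrelated to this lab 11 submission and look like they were swept in by a broad `git add`; drop them from this PR and add the sqlmap output directory to `.gitignore`, since the session database in particular is a binary artefact that should not be versioned.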
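Review bot: in `labs/submission11.md` Task 2 lists `Strict-Transport-Security (HSTS) (unused)`, but the quoted header block is from the plain-HTTP 308 response, where HSTS is correctly absent (browsers ignore it over HTTP); `headers-https.txt` and the testssl run both show `strict-transport-security: max-age=31536000; includeSubDomains; preload` on the HTTPS response, so the bullet should say it is present and give its parameters. In Task 3, `burst=5` permits five queued requests on top of the one the rate allows, matching the six observed 401s, and the explanation should mention `nodelay`, without which the burst would be spread out at the 10r/m rate instead of served immediately. Also fix `lient_body_timeout` to `client_body_timeout`, `againts` to `against`, `Explaination` to `Explanation`, and turn the TLS 1.0/1.1 sentence into body text rather than a `###` heading. The CSP bullet could add that the report-only policy still contains `'unsafe-inline' 'unsafe-eval'`, which is what has to be removed before the policy is enforced.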