RFC-6750

Controller/Controller.cs

@@ -178,7 +178,7 @@ Vérifie la validité du token JWT passé en paramètre
             bool Result = true;
             try
             {
-                var JwtSecurityToken = TokenHandler.ReadJwtToken(Token);
+                var JwtSecurityToken = TokenHandler.ReadJwtToken(Token.Substring("Bearer ".Length));
                 if (JwtSecurityToken.Header.Alg == "HS256" && JwtSecurityToken.Header.Typ == "JWT")
                 {
                     TokenHandler.ValidateToken(Token, new TokenValidationParameters
@@ -282,12 +282,12 @@ Retourne le résultat de l'opération mathématique sur le chiffre donné en par
             return Result;
         }
 
-        public static object VulnerableNoSQL(string UserStr)
+        public static object VulnerableNoSQL(string UserStr, string Token, string Secret)
         {
             /*
             Retourne le résultat de la requête NoSQL fournie en paramètre
             */
-            if (UserStr.Length > 250) return Results.Unauthorized();
+            if (!VulnerableValidateToken(Token, Secret)) return Results.Unauthorized();
             List<Employee> Employees = Data.GetEmployees();
             var Query = Employees.AsQueryable();
 

Program.cs

@@ -1,6 +1,4 @@
 using System.Web;
-using Microsoft.AspNetCore.OpenApi;
-using Swashbuckle.AspNetCore;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Builder;
@@ -10,6 +8,7 @@
 using Microsoft.AspNetCore.HttpOverrides;
 using VulnerableWebApplication.VLAModel;
 using VulnerableWebApplication.MidlWare;
+using Microsoft.AspNetCore.OpenApi;
 
 
 // Configuration :
@@ -46,23 +45,24 @@
 
 // Endpoints :
 
-app.MapGet("/", async (string? lang) => await Task.FromResult(VLAController.VulnerableHelloWorld(HttpUtility.UrlDecode(lang)))).WithOpenApi();
 
-app.MapGet("/Xml", async (string i, string t) => await Task.FromResult(VLAController.VulnerableXmlParser(HttpUtility.UrlDecode(i), t, Secret))).WithOpenApi();
+app.MapGet("/", async (string? lang) => await Task.FromResult(VLAController.VulnerableHelloWorld(HttpUtility.UrlDecode(lang))));
 
-app.MapGet("/Json", async (string i, string t) => await Task.FromResult(VLAController.VulnerableDeserialize(HttpUtility.UrlDecode(i), t, Secret))).WithOpenApi();
+app.MapPost("/Auth", [ProducesResponseType(StatusCodes.Status200OK)] async (HttpRequest request, [FromBody] VulnerableWebApplication.VLAModel.Creds login) => await Task.FromResult(VLAController.VulnerableQuery(login.User, login.Passwd, Secret, LogFile)).Result).WithOpenApi();
 
-app.MapGet("/Req", async (string? i) => await VLAController.VulnerableWebRequest(i)).WithOpenApi();
+app.MapGet("/Xml", async (string i, [FromHeader(Name="Authorization")] string t) => await Task.FromResult(VLAController.VulnerableXmlParser(HttpUtility.UrlDecode(i), t, Secret))).WithOpenApi();
 
-app.MapGet("/Addr", async (string i, string t) => await Task.FromResult(VLAController.VulnerableObjectReference(i, t, Secret))).WithOpenApi();
+app.MapGet("/Json", async (string i, [FromHeader(Name="Authorization")] string t) => await Task.FromResult(VLAController.VulnerableDeserialize(HttpUtility.UrlDecode(i), t, Secret))).WithOpenApi();
+
+app.MapGet("/Req", async (string? i) => await VLAController.VulnerableWebRequest(i)).WithOpenApi();
 
-app.MapGet("/Dns", async (string i, string t) => await Task.FromResult(VLAController.VulnerableCmd(HttpUtility.UrlDecode(i), t ,Secret))).WithOpenApi();
+app.MapGet("/Addr", async (string i, [FromHeader(Name="Authorization")] string t) => await Task.FromResult(VLAController.VulnerableObjectReference(i, t, Secret))).WithOpenApi();
 
-app.MapGet("/NoSQL", async (string s) => await Task.FromResult(VLAController.VulnerableNoSQL(HttpUtility.UrlDecode(s)))).WithOpenApi();
+app.MapGet("/Dns", async (string i, [FromHeader(Name="Authorization")] string t) => await Task.FromResult(VLAController.VulnerableCmd(HttpUtility.UrlDecode(i), t ,Secret))).WithOpenApi();
 
-app.MapPost("/Auth", [ProducesResponseType(StatusCodes.Status200OK)] async (HttpRequest request, [FromBody]VulnerableWebApplication.VLAModel.Creds login) => await Task.FromResult(VLAController.VulnerableQuery(login.User, login.Passwd, Secret, LogFile)).Result).WithOpenApi();
+app.MapGet("/NoSQL", async (string s, [FromHeader(Name="Authorization")] string t) => await Task.FromResult(VLAController.VulnerableNoSQL(HttpUtility.UrlDecode(s), t, Secret))).WithOpenApi();
 
-app.MapPatch("/Patch", async ([FromForm]IFormFile file, [FromHeader(Name="X-Forwarded-For")] string h, string t) => await VLAController.VulnerableHandleFileUpload(file, h, t, Secret, LogFile)).DisableAntiforgery();
+app.MapPost("/Patch", async ([FromHeader(Name="X-Forwarded-For")] string h, [FromHeader(Name = "Authorization")] string t, [FromForm] IFormFile file) => await VLAController.VulnerableHandleFileUpload(file, h, t, Secret, LogFile)).DisableAntiforgery().WithOpenApi();
 
 // Arguments :
 
@@ -73,7 +73,7 @@
     app.Urls.Add("http://localhost:4000");
     app.Urls.Add("https://localhost:3000");
 }
-else app.Urls.Add(url.Replace("--url=",""));
+else app.Urls.Add(url.Substring("--url=".Length));
 
 
 // Lancement :

VulnerableWebApplication.csproj

@@ -8,10 +8,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.4" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.5" />
     <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Scripting" Version="4.8.0" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
     <PackageReference Include="System.Linq.Dynamic.Core" Version="1.2.25" />
   </ItemGroup>