uranium
committed
Oct 8, 2024
0 parents
commit 25d3da2
Showing
8 changed files
with
338 additions
and
0 deletions.
@@ -0,0 +1,16 @@ | ||
## Issue Template | ||
|
||
**Description:** | ||
<!-- Provide a detailed description of the issue. --> | ||
|
||
**Steps to Reproduce:** | ||
<!-- Outline the steps to reproduce the issue. --> | ||
|
||
**Expected Outcome:** | ||
<!-- Describe what you expected to happen. --> | ||
|
||
**Actual Outcome:** | ||
<!-- Describe what actually happened. --> | ||
|
||
**Additional Information:** | ||
<!-- Add any additional information or context. --> |
@@ -0,0 +1,22 @@ | ||
## AppSec Wiki Pull Request | ||
|
||
**Change Description:** | ||
|
||
<!-- Describe the purpose of this wiki page and the changes made --> | ||
|
||
**Changes Made:** | ||
|
||
<!-- Provide a summary of the changes made to the wiki page --> | ||
|
||
**Reason for Change:** | ||
|
||
<!-- Explain why these changes were made and their significance --> | ||
|
||
**Checklist:** | ||
|
||
- [ ] I have tested the changes locally | ||
- [ ] Is Code changes ready for review | ||
- [ ] I have proofread the changes to ensure accuracy | ||
- [ ] I have tested any links or references within the wiki page | ||
- [ ] I have checked for consistency with other existing pages (if applicable) | ||
- [ ] I have updated any relevant cross-references or documentation |
@@ -0,0 +1,53 @@ | ||
name: Bot scan | ||
on: | ||
pull_request_target: | ||
types: [opened, reopened, synchronize, edited] | ||
issues: | ||
types: [opened, edited, milestoned] | ||
permissions: | ||
issues: write | ||
pull-requests: write | ||
|
||
jobs: | ||
Snyk_scanning: | ||
name: Snyk Bot scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
- name: Snyk Bot scan | ||
run: | | ||
rm -rf node_modules | ||
rm -f package-lock.json | ||
npm install | ||
echo "Downloading and authenticating Snyk CLI..." | ||
curl -Lo ./snyk "https://github.com/snyk/snyk/releases/download/v1.1100.0/snyk-linux" | ||
chmod +x snyk | ||
./snyk auth ${{ secrets.SNYK_TOKEN }} | ||
echo "Running Snyk test and monitor..." | ||
./snyk test --all-projects --color --json || true | ||
./snyk monitor --all-projects || true | ||
TruffleHog_scanning: | ||
name: TruffleHog Bot scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 # fetch all history so multiple commits can be scanned | ||
- name: TruffleHog Bot scan | ||
uses: trufflesecurity/TruffleHog-Enterprise-Github-Action@main | ||
with: | ||
args: ${{ github.event.repository.default_branch }} master --json | ||
BotCheck: | ||
name: Bot scan | ||
permissions: write-all | ||
runs-on: ubuntu-latest | ||
needs: [Snyk_scanning, TruffleHog_scanning] | ||
steps: | ||
- uses: itsarraj/pr-scan-action@master | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
|
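Review bot: The two third-party actions in the TruffleHog and BotCheck jobs are pinned to moving branches (`@main`, `@master`) and the Snyk CLI in the Snyk job is fetched with curl and executed without any checksum or signature verification, so a change in any of those upstreams runs inside jobs that hold `SNYK_TOKEN` and, for `BotCheck`, `permissions: write-all`. Pin each action to a full commit SHA (`uses: trufflesecurity/TruffleHog-Enterprise-Github-Action@<commit-sha>`, `uses: itsarraj/pr-scan-action@<commit-sha>`) and compare the downloaded `snyk` binary against a published digest before `chmod +x`. With `pull_request_target`, the plain `actions/checkout@v3` step checks out the base branch rather than the PR head, so the Snyk job most likely scans base, not the proposed change; if that is not the intent, be aware that checking out the PR head would run `npm install` on untrusted code with these secrets present. `permissions: write-all` on `BotCheck` should be narrowed to the scopes `pr-scan-action` actually needs, and the `|| true` on both snyk commands means a failed scan still reports the job green.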
@@ -0,0 +1,47 @@ | ||
# Node.js dependencies | ||
/node_modules | ||
/npm-debug.log | ||
/yarn-error.log | ||
/package-lock.json | ||
/pnpm-lock.yaml | ||
/.pnp | ||
.pnp.js | ||
|
||
# Logs | ||
logs | ||
*.log | ||
npm-debug.log* | ||
yarn-debug.log* | ||
yarn-error.log* | ||
pnpm-debug.log* | ||
|
||
# Environment variables | ||
.env | ||
|
||
# OS-generated files | ||
.DS_Store | ||
Thumbs.db | ||
|
||
# IDE/Editor settings | ||
.vscode | ||
.idea | ||
|
||
# Build output | ||
/dist | ||
/out | ||
/build | ||
|
||
# Coverage directory used by testing tools | ||
/coverage | ||
|
||
# Temporary files | ||
/tmp | ||
/.temp | ||
|
||
# Ignore SSH keys, sensitive files | ||
*.pem | ||
*.key | ||
|
||
# Specific custom files | ||
important_config_file | ||
|
@@ -0,0 +1,44 @@ | ||
import java.sql.Connection; | ||
import java.sql.DriverManager; | ||
import java.sql.Statement; | ||
import java.nio.file.Files; | ||
import java.nio.file.Paths; | ||
|
||
public class VulnerableJavaFile { | ||
|
||
// Vulnerability 1: Hardcoded sensitive information | ||
private static final String DB_URL = "jdbc:mysql://localhost:3306/mydb"; | ||
private static final String USER = "root"; | ||
private static final String PASS = "password"; | ||
|
||
// Vulnerability 2: Hardcoded MongoDB connection string | ||
private static final String MONGO_URL = "mongodb://admin:password@localhost:27017/secureDB"; | ||
|
||
// Vulnerability 3: Hardcoded SSH private key | ||
private static final String SSH_PRIVATE_KEY = | ||
"-----BEGIN RSA PRIVATE KEY-----\n" + | ||
"MIIEpAIBAAKCAQEA7kjbBBkLmOWK1X8...\n" + | ||
"-----END RSA PRIVATE KEY-----"; | ||
|
||
public static void main(String[] args) { | ||
String userInput = args[0]; // Simulated user input | ||
|
||
// Vulnerability 4: SQL Injection | ||
try { | ||
Connection conn = DriverManager.getConnection(DB_URL, USER, PASS); | ||
Statement stmt = conn.createStatement(); | ||
String sql = "SELECT * FROM users WHERE username = '" + userInput + "'"; | ||
stmt.executeQuery(sql); | ||
} catch (Exception e) { | ||
e.printStackTrace(); | ||
} | ||
|
||
// Vulnerability 5: Insecure file access | ||
try { | ||
Files.setPosixFilePermissions(Paths.get("config.txt"), PosixFilePermissions.fromString("rwxrwxrwx")); // Overly permissive | ||
} catch (Exception e) { | ||
e.printStackTrace(); | ||
} | ||
} | ||
} | ||
|
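Review bot: `PosixFilePermissions.fromString(...)` in the second try block has no matching import (only `Files` and `Paths` are imported from `java.nio.file`), so the file does not compile as committed; add `import java.nio.file.attribute.PosixFilePermissions;` next to the other imports. The `Connection` and `Statement` opened in the first try block are never closed, so even a successful query leaks the connection; `try (Connection conn = DriverManager.getConnection(DB_URL, USER, PASS); Statement stmt = conn.createStatement()) {` keeps the deliberately concatenated query intact while closing both handles. `args[0]` is read without an `args.length` check and throws `ArrayIndexOutOfBoundsException` when the class is run with no arguments, before any of the fixture's intended findings are reached.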
@@ -0,0 +1,92 @@ | ||
const { exec } = require('child_process'); | ||
const crypto = require('crypto'); | ||
const fs = require('fs'); | ||
const minimist = require('minimist'); | ||
const lodash = require('lodash'); | ||
const chalk = require('chalk'); | ||
|
||
// Vulnerability 1: Command Injection | ||
function runCommand(userInput) { | ||
exec(`ls ${userInput}`, (error, stdout, stderr) => { | ||
if (error) { | ||
console.error(`Command execution error: ${error}`); | ||
return; | ||
} | ||
console.log(`Output: ${stdout}`); | ||
}); | ||
} | ||
|
||
// Vulnerability 2: Insecure use of eval() | ||
function runEval(userInput) { | ||
eval(userInput); // Dangerous use of eval leading to code execution | ||
} | ||
|
||
// Vulnerability 3: Insecure randomness | ||
function generateWeakToken() { | ||
return Math.random().toString(36).substring(2); // Weak token generation | ||
} | ||
|
||
// Vulnerability 4: Hardcoded sensitive information | ||
const apiKey = '12345-SECRET-API-KEY'; // Hardcoded sensitive information | ||
|
||
// Vulnerability 5: Hardcoded MongoDB connection string | ||
const mongoUrl = 'mongodb://admin:password@localhost:27017/mydatabase'; // Hardcoded MongoDB connection | ||
|
||
// Vulnerability 6: Storing SSH Private Key insecurely | ||
const sshPrivateKey = ` | ||
-----BEGIN RSA PRIVATE KEY----- | ||
MIIEpAIBAAKCAQEA7kjbBBkLmOWK1X8... | ||
-----END RSA PRIVATE KEY----- | ||
`; // Hardcoded SSH key | ||
|
||
// Vulnerability 7: SQL Injection | ||
function getUserData(userInput) { | ||
const sqlQuery = `SELECT * FROM users WHERE name = '${userInput}'`; // SQL injection vulnerability | ||
console.log(sqlQuery); | ||
} | ||
|
||
// Vulnerability 8: Insecure file permissions | ||
function insecureFileAccess() { | ||
fs.chmodSync('important_config_file', 0o777); // Granting excessive permissions to a file | ||
} | ||
|
||
// Vulnerability 9: Prototype Pollution via lodash | ||
function exploitLodash() { | ||
const payload = '{"__proto__": {"isAdmin": true}}'; | ||
const obj = {}; | ||
lodash.merge(obj, JSON.parse(payload)); | ||
console.log("Prototype Pollution: ", obj.isAdmin); // Outputs: true | ||
} | ||
|
||
// Vulnerability 10: ReDoS via minimist | ||
function minimistReDoS() { | ||
const userInput = '--foo='.repeat(10000); // Large input to cause Regular Expression Denial of Service | ||
const argv = minimist([userInput]); | ||
console.log(argv); | ||
} | ||
|
||
// Vulnerability 11: Improper String Handling via chalk | ||
function chalkVuln() { | ||
const userInput = chalk.red("This is malicious ".repeat(10000)); // Potentially causing performance issues | ||
console.log(userInput); | ||
} | ||
|
||
// Example usage | ||
const args = minimist(process.argv.slice(2)); | ||
if (args.runCommand) { | ||
runCommand(args.runCommand); | ||
} | ||
if (args.runEval) { | ||
runEval(args.runEval); | ||
} | ||
if (args.lodashExploit) { | ||
exploitLodash(); | ||
} | ||
if (args.minimistReDoS) { | ||
minimistReDoS(); | ||
} | ||
if (args.chalkVuln) { | ||
chalkVuln(); | ||
} | ||
|
||
module.exports = { runCommand, runEval, generateWeakToken, getUserData, insecureFileAccess, exploitLodash, minimistReDoS, chalkVuln }; |
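Review bot: The "Example usage" block runs on every `require` of this module, not only when it is executed as a script, so importing it to reach `module.exports` (for example from the `mocha` test script in `package.json`) parses the host process's `process.argv` and may invoke `runEval`/`runCommand` with whatever flags that process was given; wrap the block in `if (require.main === module) { ... }`. `chalk` is required at the top but the `package.json` added in this same commit lists no `chalk` entry under `dependencies`, so `npm install` followed by `node index.js` fails on module resolution; add a pinned `chalk` version of the maintainer's choosing there. The label on Vulnerability 10 says ReDoS, but the advisory class usually reported for minimist 0.0.8 is prototype pollution rather than ReDoS, so confirm the intended category so the fixture's comments match what the scanners in the workflow will report.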
@@ -0,0 +1,30 @@ | ||
{ | ||
"name": "vulnerable-app", | ||
"version": "1.0.0", | ||
"description": "A test app with vulnerable dependencies", | ||
"main": "index.js", | ||
"dependencies": { | ||
"express": "3.0.0", | ||
"lodash": "4.17.19", | ||
"minimist": "0.0.8", | ||
"marked": "0.3.6", | ||
"jquery": "3.4.0", | ||
"hoek": "4.2.1", | ||
"debug": "2.6.8", | ||
"underscore": "1.8.2", | ||
"handlebars": "4.0.5", | ||
"js-yaml": "3.13.0", | ||
"es6-promise": "3.0.2", | ||
"tough-cookie": "2.3.4" | ||
}, | ||
"devDependencies": { | ||
"mocha": "3.5.3", | ||
"sinon": "1.17.0" | ||
}, | ||
"scripts": { | ||
"start": "node index.js", | ||
"test": "mocha" | ||
}, | ||
"author": "Erik", | ||
"license": "ISC" | ||
} |
@@ -0,0 +1,34 @@ | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
<groupId>jenkins.mvn.demo</groupId> | ||
<artifactId>mvnwebapp</artifactId> | ||
<packaging>war</packaging> | ||
<version>0.0.1-SNAPSHOT</version> | ||
<name>mvnwebapp Maven Webapp</name> | ||
<url>http://maven.apache.org</url> | ||
<dependencies> | ||
<dependency> | ||
<groupId>junit</groupId> | ||
<artifactId>junit</artifactId> | ||
<version>3.8.1</version> | ||
<scope>test</scope> | ||
</dependency> | ||
|
||
<dependency> | ||
<groupId>javax.servlet</groupId> | ||
<artifactId>javax.servlet-api</artifactId> | ||
<version>3.0.1</version> | ||
</dependency> | ||
|
||
<dependency> | ||
<groupId>org.apache.maven</groupId> | ||
<artifactId>maven-embedder</artifactId> | ||
<version>2.0</version> | ||
</dependency> | ||
|
||
</dependencies> | ||
<build> | ||
<finalName>mvnwebapp</finalName> | ||
</build> | ||
</project> |