+
+
+
+
+
+
+This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!
diff --git a/Solutions/img/img4.png b/Solutions/img/img4.png
new file mode 100644
index 0000000..eaf7593
Binary files /dev/null and b/Solutions/img/img4.png differ
diff --git a/Solutions/img/pic1.png b/Solutions/img/pic1.png
new file mode 100644
index 0000000..092a7d8
Binary files /dev/null and b/Solutions/img/pic1.png differ
diff --git a/Solutions/img/pic2.png b/Solutions/img/pic2.png
new file mode 100644
index 0000000..6edc017
Binary files /dev/null and b/Solutions/img/pic2.png differ
diff --git a/Solutions/img/pic3.png b/Solutions/img/pic3.png
new file mode 100644
index 0000000..8234348
Binary files /dev/null and b/Solutions/img/pic3.png differ
diff --git a/Solutions/solution.md b/Solutions/solution.md
new file mode 100644
index 0000000..769ee62
--- /dev/null
+++ b/Solutions/solution.md
@@ -0,0 +1,546 @@
+# Solutions to all the Lab Exercise
+
+
+## A1: Injection
+### Sql Injection
+The user on accessing the lab is given with a login page,which challenges the user to login as admin.
+The user now has to identify some mechanism to login as admin.
+To test for sql injection ,the user can begin with a `'` or `"` based on the error generated he can confirm that it is an sql injection.
+Search for common sql injections payloads in google and try using them to break the functionality of the backend code.
+
+Since the challenge requires yout to login as admin, enter the `username` as `admin` . The user now can use a very common sql injection paylaod to bypass the login validation
+`anything' OR '1' ='1`.
+Click login and now you will see that you have successfully logged into admins account.
+
+#### Login :
+
+![image](https://user-images.githubusercontent.com/61360833/118371215-27758800-b5c9-11eb-8591-212f448ddc13.png)
+
+On Successful injection
+
+![image](https://user-images.githubusercontent.com/61360833/118371252-5986ea00-b5c9-11eb-9efb-6beedd558f56.png)
+
+
+### Command Injection Lab 1
+The user on accessing the lab is provided with a feature to perform a name server lookup on the given domain. The user has to give a domain name and the server would perform a ns lookup and return back to the client. If the user is running the lab, based on the OS he can select Windows or Linux.
+
+The user can cause the server to execute commands ,because of the lack of input validation.
+
+The user can give a domain say `google.com && [any cmd]` or `google.com; [any cmd]`
+
+If the OS is windows, lets give input as `google.com && ipconfig` and choose windows.
+
+If the OS is linux (Ubuntu, Kali, etc), lets give input as `google.com && ifconfig` and choose linux.
+
+This should give you the output for both`ns lookup` as well as for the `ifconfig`.
+
+![cmd_inj_1](https://user-images.githubusercontent.com/70275323/154504352-4833e37c-dcd2-4097-8f33-2c6a4c36cb76.png)
+
+![cmd_inj_2](https://user-images.githubusercontent.com/70275323/154504361-4baa73cb-f73b-44a8-8769-0af2e7b53c24.png)
+
+### Command Injection Lab 2
+We are given an input form where we can calculate basic arithmetic expressions. Our task is to exploit this functionality and achieve code execution.
+
+This lab is using `eval()` function in backend which is used to evaluate expression in python. If the expression is a legal python statement, then it will be executed.
+
+If we submit the expression `1 + 1`, we get the output as `2`. Similarly, on submitting the expression `7 * 7`, we get the output as `49`.
+
+Now, if we submit `os.system("id")`, we get nothing in the output. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen. You can also verify this by submitting `os.system("sleep 30")`, and you will notice that the request completes after 30 seconds.
+
+## A2:Broken Authentication
+
+The main aim of this lab is to login as admin, and to achieve this, exploit the lack of `rate limiting` feature in the otp verification flow. You can see that the otp is only of 3 digit(for demo purposes) and neither does the application have any captcha nor any restriction on number of tries for the otp.
+
+Now to send the otp to admins mail you need to figure out the admins mail id. Luckily the admin has left his email id for the developers in the page source. Admin's email id is `admin@pygoat.com` Enter this email in the send otp input box and hit send,you can see that the page says that otp is sent to the email id of the admin.
+
+In order to exploit the lack of rate limiting , we can try to Brute-force the 3 digit otp.
+
+#### Steps to Brute force:
+
+* Open Burpsuite and configure your browser to intercept the web trafic, but dont turn intercept on.
+* Send the otp to the admins mail id with the help of send otp feature.
+* In the enter the otp box enter a random 3 digit number.
+* Before your press login , turn intercept on on Burp suite and then press log in
+* Now you can see that the traffic is captured in Burpsuite.
+* Now use the send to intruder feature and send this request to the intruder.
+* Set the position of the payload to the otp= parameter.
+* Go to the payloads session and choose the payload type to number list
+* Fill the range to 100 to 999 with step 1.
+* Now click attack and you can see that the burp suite tries different combinations of otp and collects it response.
+* You can figure out if it has guessed the correct opt by seeing the difference in length of the response for each request.
+* The correct otp will have a small response length .
+* Using this otp you will be able to login into admins account.
+
+#### Brute forcing using BurpSuite
+
+After sending OTP to admins EmailID, start up, Start up `BurpSuite`, turn intercept on and send any randon OTP in send OTP box
+
+![bau_6](https://user-images.githubusercontent.com/70275323/154610459-92ccc2be-236d-4cb2-acc7-af9bd68b49a6.png)
+
+Once request is intercepted by burpsuite, click on `actions` and then `send to intruder`
+
+![bau_1](https://user-images.githubusercontent.com/70275323/154610104-a831f913-4374-49cf-8f2b-dcbaae1e0533.png)
+
+Your intruder screen should look something like this. Parameters enclosed by the `ยง` symbol will be brute forced.
+
+![bau_2](https://user-images.githubusercontent.com/70275323/154610112-39cc5fec-d407-4190-bd3f-9f4ee33f6c69.png)
+
+Select payload type as Numbers, enter range as 100-999 and step as 1. Then start attack.
+
+![bau_3](https://user-images.githubusercontent.com/70275323/154610117-7505d2fc-f1a0-418e-b87a-b676e3ecd791.png)
+
+When attack is going on, the correct OTP will have a different response length. In this case its smaller.
+
+We see that OTP value 136 gives us a different lenght.
+
+![bau_4](https://user-images.githubusercontent.com/70275323/154610121-29a2abc5-b3b8-49e2-9028-a5850cbaf9d9.png)
+
+It can also be found out by ordering by length
+
+![bau_5](https://user-images.githubusercontent.com/70275323/154610124-2d8d267a-a198-47af-9baa-5b632617e186.png)
+
+Lab 2
+
+
+## A3:Senstive Data Exposure
+
+The user has to find a way to trigger server error , so that the server throws some sensitive data in its error .
+Here the developer has forgoten to turn ```debug to false``` which resulted in showing the ```settings.py``` file whihc has some sensitive data.
+Try entering a ```random route``` to trigger the error and go through the settings.py file to find the sensitive data.
+
+##### Triggering Error:
+
+![image](https://user-images.githubusercontent.com/61360833/118371395-1da05480-b5ca-11eb-9d70-8a6d7708d039.png)
+
+##### Finding the routes:
+
+![image](https://user-images.githubusercontent.com/61360833/118371562-be8f0f80-b5ca-11eb-937f-b877ebfcc3a1.png)
+
+##### Finding the flag :
+
+![image](https://user-images.githubusercontent.com/61360833/118371534-a919e580-b5ca-11eb-8f7d-02d0c9322a94.png)
+
+
+## A4:XML External Entities
+
+When the user clicks the button to save his comments, the data is sent to the server in th from of xml post request. This can be seen , by intercepting the request done to the server by that button using BurpSuite.
+Sending data to the server in the form of XML is not actually vulnerable, the vulnerability lies in the way the xml is being parsed. An xml parsers which allows the DTD retrival is said to vulnerable to XXE injection if there arent any input validation done on the xml data.
+
+##### Exploiting the XML Parser
+
+* Open Burpsuite and make sure it is ready to capture the web traffic.
+* Enter your comments in the input box provided.
+* Before hiting the Let the world see button go to burpsuite and turn on intercept.
+* Now you should be able to see a post request containing a xml data with your comment inside your the text tag.
+* Now we need to introduce a DTD, which tries to fetch files from its server.
+* This can be done by using the document tag and defining the Entity.
+
+##### The Payload
+
+```
+
+
+
+]>
+
+&xxe;
+
+```
+
+* Incase if the server is running linux then use file path `file:///etc/passwd` and if its running windows, use `C:\windows\system32\drivers\etc\hosts`. This will dump sensitive data about all users.
+* Forward the request and turn off intercept.
+* Go to the see comments option and click view comments this should show you the requested files in your payload if the vulnerability exists.
+
+#### Solving with BurpSuite
+
+Enter a random Input
+
+![xee_1](https://user-images.githubusercontent.com/70275323/154611625-18372ba9-e9b8-49d0-8615-8483812e5ccd.png)
+
+The request is then intercepted in BurpSuite
+
+![xee_2](https://user-images.githubusercontent.com/70275323/154611629-6a27aecb-1986-480c-a562-5f5871ee9fc7.png)
+
+Change the XML to the Malicious Payload
+
+![xee_3](https://user-images.githubusercontent.com/70275323/154611636-7ae40776-091b-41d0-89d0-89ebbd364375.png)
+
+After forwarding and turning off the Intercept, return to browser and click on button to see your comments. Sensitive password data has been leaked.
+
+![xee_4](https://user-images.githubusercontent.com/70275323/154611640-dfbb7d37-95d7-4e52-9f06-56b978cd9209.png)
+
+
+## A5:Broken Access Control
+
+On accessing the lab the user is provided with a simple login in page which requires a username and password.
+
+The credentials for the user Jack is `jack:jacktheripper`
+
+Use the above info to log in.
+
+The main aim of this lab is to login with admin privileges to get the secret key.
+
+#### Exploiting the Broken Access
+
+Every time a valid user logs in,the user session is set with a cookie called `admin`
+When you notice the cookie value when logged in as jack it is set to `0`
+Use BurpSuite to intercept the request change the value of the admin cookie from `0` to `1`
+This should log you in as a admin user and display the `secret key`
+
+#### Solving Using BurpSuite
+
+We can log in as `jack:jacktheripper` and admin cookie is set to 0. This does not give us the secret key
+
+![bac_1](https://user-images.githubusercontent.com/70275323/154612894-cb5e0dfa-f6d4-426a-8b3e-e92d300951fd.png)
+
+To change admin cookie in request, we open up burpsuite and after logging in, refresh the page and change value of admin cookie to 1
+
+![bac_2](https://user-images.githubusercontent.com/70275323/154612900-a2903776-ac60-4f40-9654-760869dc4eb7.png)
+
+This results as being logged in as Admin
+
+![bac_3](https://user-images.githubusercontent.com/70275323/154612904-917c1501-1a8a-49db-90d0-7879235e7eee.png)
+
+#### Solving using Browser
+
+Once again, we log in as `jack:jacktheripper`
+
+![ba_1](https://user-images.githubusercontent.com/70275323/154613752-e2fc76a1-669b-46b2-a622-62c13c513d5d.png)
+
+In inspect section, change value of admin cookie to 1 and refresh the page.
+
+![ba_2](https://user-images.githubusercontent.com/70275323/154613760-6abaa18a-8f27-4c39-bb89-7c0dd320b5f6.png)
+
+![ba_3](https://user-images.githubusercontent.com/70275323/154613762-16b4d637-0bfc-4196-8fdd-70458bd46994.png)
+
+
+## A6:Security Misconfiguration
+
+The user is provided with a button which, on clicking, says that `"Only admin.localhost:8000 can access, Your X-Host is None"`
+
+With this information we can conclude that we need to have a header called `X-Host:` and its value should be ` admin.localhost:8000`.
+
+In order to add this header we can capture the requet of the button in `BurpSuite` and add the header to the request and forward it .
+
+This should give you the secret key.
+
+#### Solving with BurpSuite
+
+When request is initially intercepted in BurpSuite, the interceptor tab at the right of the screen should look like this
+
+![sec_1](https://user-images.githubusercontent.com/70275323/154617589-adc11cdb-5a18-49e3-a445-b68442cbc4e0.png)
+
+Click the small `+` button to add a header
+
+![sec_2](https://user-images.githubusercontent.com/70275323/154617594-1c54e141-c39e-4002-8438-18d9b79a74aa.png)
+
+After header `X-host: admin.localhost:8000` has been added the interceptor tab and request data tab should show the new header
+
+![sec_3](https://user-images.githubusercontent.com/70275323/154617597-b3098967-183b-4b49-b163-cb1a06fde967.png)
+![sec_4](https://user-images.githubusercontent.com/70275323/154617598-b5331bd6-cf6b-4d2c-8c7b-e94fe1a3b9b7.png)
+
+Now, click forward and turn off intercept to see Secret Key
+
+![sec_5](https://user-images.githubusercontent.com/70275323/154617602-8838dd71-45f4-4756-bbb2-fef2985c1a04.png)
+
+
+## A7:Cross Site Scripting
+
+* Instead of giving a search term try giving a html tag, ```
Hello
.```
+* Now you can see that the word Hello has been parsed as a Heading in the page.
+* This shows that the page is able to render the user given html tags.
+* In order to get an xss , the user needs to execute javascript code in the browser.
+* This can be acheived by using a script tag and malicious javascript code.
+* For now let's just use a basic javascript code to alert a text to prove that xss is possible .
+``
+* Now when a search query is performed with the above payload you can see that the browser is able to render the script tag and execute the javascript , thus alerting โxssโ with a pop up.
+
+#### Solving XSS in Browser
+
+Entering input with `h4` and `font color` tags to check for XSS
+
+![xss_1](https://user-images.githubusercontent.com/70275323/154513165-672255a5-8c67-4bc3-924d-1848de072b3a.png)
+
+Results page contains the word `TEXT` in Heading as well as Green color hence XSS Vulnerability is confirmed.
+
+![xss_2](https://user-images.githubusercontent.com/70275323/154513170-53ec9273-f310-45fd-b30a-b09794604f3a.png)
+
+Now you can go ahead and enter `` once XSS is confirmed.
+
+To see results on screen, make sure your browser has JavaScript enabled.
+
+**Lab 3**
+- ##### [ step- 1 ] Checking user input is being reflected or not
+ - Though alphanumeric characters are being escaped we can still write js code with these 6 character `![]()+`
+ - check [jsfuck](http://www.jsfuck.com/)
+
+
+## A8:Insecure Deserialization
+
+This Lab consists of a Page that has some content only available to for the admin to see, How can we access that page as admin? How is our role defined?
+
+If we check the cookie we see that it is base64 encoded, on decoding we realise it is pickle serialised and we can see some attributes, can you change the attributes to make the page readable?
+
+Try to flip the bit of the admin from ```...admin\x94K\x00... to ...admin\x94K\x00...```
+
+## A9:Using Components with Know Vulnerability
+
+The user on accessing the lab is provided with a feature to convert yaml files into json objects. The user needs to choose an yaml file and click upload to get the json data. There is also a get version feature which tells the user the version of the library the app uses.
+
+##### Exploiting the vulnerability.
+
+* The app uses```pyyaml 5.1 ``` Which is vulnerable to code execution.
+* You can google the library with the version to get the poc and vulnerability details
+* Create An yaml file with this payload:
+
+```
+!!python/object/apply:subprocess.check_output
+- ls
+```
+
+* On Uploading this file the user should be able to see the output of the command executed.
+
+
+## A10:Insufficient Logging & Monitoring
+
+The user on accessing the lab is given with a login page which says the log have been leaked. The user needs to find the leak and try to gain the credentials that have been leaked in the logs.
+
+##### Finding the Log
+
+* The log has been exposed in ```/debug route```
+* This can be found out with subdomain brute-forcing or just by guess
+* On seeing the Log try to get the required login details as there is a leak and the logging is improperly handled.
+* On looking at the log we can see a get request ot the server that has a username and password to it
+``` INFO "GET /a10_lab?username=Hacker&password=Hacker HTTP/1.1" 301 0 ```
+* Now use the credentials to log in .
+
+#### Solving using WebBrowser
+ Route used is
+![a10_1](https://user-images.githubusercontent.com/70275323/154619101-d1c4d744-098b-4500-b705-a21841f8b0e4.png)
+
+The Sensitive info is `INFO "GET /a10_lab?username=Hacker&password=Hacker HTTP/1.1" 301 0`
+
+And this info can be used to log in with credentials `Hacker:Hacker`
+![a10_2](https://user-images.githubusercontent.com/70275323/154619295-7d390db2-b047-4fae-8ff5-d34dcb9dad7f.png)
+
+
+# OWASP TOP 10 2021
+
+## A4 : Insecure Design
+This website is giving everyone free tickets ( upto 5 per person ). And the movie will be public when all the tickets will be sold.
+
+Now, the ticket generating system is quite secure itself, and one can't get more than 5 tickets for free.
+But there is a large design flaw. One can get all the tickets by creating multiple accounts. In this particular case, 5 tickets per page, and a total 60 required, so we need to create 12 accounts only and claim 5 tickets from each.
+
+If the sign up process is lame, then this process can be automated. Strong verification/kyc verification needs to be taken in such situations .
+
+## A10 : SSRF
+This websites serves some vlog, user need to figuer it out how this process is going
+
+* open dev tool and inspect the buttons
+![ssrf_pic1](./img/pic1.png)
+* Here we can see there is a hidden input tag which is taking file path of the blog as a parameter.
+* now, if the path is not filltered correctly we can put file path of any file and access that.We just have to change the value.
+* some example --
+
+![url.py](./img/pic2.png)
+![url_img](./img/pic3.png)
+
+#### Now about our main Objective, finding the .env file
+* normaly .env file is used to store all important credentials and configurations
+* Usally this hidden file is saved a base directory
+* So , this an trial and error method of searching
+* example : .env , ../.env, ../../.env
+* solution : ( ../.env)
+![img4](./img/img4.png)
+
+
+# Solutions to 2021 Challenges
+
+
+## 2021-A1:Broken Access Control
+
+**Lab 1**
+
+On accessing the lab the user is provided with a simple login in page which requires a username and password.
+
+The credentials for the user Jack is `jack:jacktheripper`
+
+Use the above info to log in.
+
+The main aim of this lab is to login with admin privileges to get the secret key.
+
+#### Exploiting the Broken Access
+
+Every time a valid user logs in,the user session is set with a cookie called `admin`
+When you notice the cookie value when logged in as jack it is set to `0`
+Use BurpSuite to intercept the request change the value of the admin cookie from `0` to `1`
+This should log you in as a admin user and display the `secret key`
+
+#### Solving Using BurpSuite
+
+We can log in as `jack:jacktheripper` and admin cookie is set to 0. This does not give us the secret key
+
+![bac_1](https://user-images.githubusercontent.com/70275323/154612894-cb5e0dfa-f6d4-426a-8b3e-e92d300951fd.png)
+
+To change admin cookie in request, we open up burpsuite and after logging in, refresh the page and change value of admin cookie to 1
+
+![bac_2](https://user-images.githubusercontent.com/70275323/154612900-a2903776-ac60-4f40-9654-760869dc4eb7.png)
+
+This results as being logged in as Admin
+
+![bac_3](https://user-images.githubusercontent.com/70275323/154612904-917c1501-1a8a-49db-90d0-7879235e7eee.png)
+
+#### Solving using Browser
+
+Once again, we log in as `jack:jacktheripper`
+
+![ba_1](https://user-images.githubusercontent.com/70275323/154613752-e2fc76a1-669b-46b2-a622-62c13c513d5d.png)
+
+In inspect section, change value of admin cookie to 1 and refresh the page.
+
+![ba_2](https://user-images.githubusercontent.com/70275323/154613760-6abaa18a-8f27-4c39-bb89-7c0dd320b5f6.png)
+
+![ba_3](https://user-images.githubusercontent.com/70275323/154613762-16b4d637-0bfc-4196-8fdd-70458bd46994.png)
+
+**Lab 2**
+
+#### Exploiting the Broken Access
+
+In this lab the broken access control is that an Admin field is Authenticated by the user agent field that can easily be changed
+Use BurpSuite to intercept the request change the value of the `user-agent` to `pygoat_admin`
+This should log you in as a admin user and display the `secret key`
+
+#### Solving Using BurpSuite
+
+We log in with `jack:jacktheripper` with request capturing on in Burpsuite.
+
+![brokenaccess21](https://user-images.githubusercontent.com/70275323/163706569-dc3dc3e7-af3d-428d-8d80-58f431f541a0.png)
+![brokenaccess22](https://user-images.githubusercontent.com/70275323/163706575-b58db6b5-01e0-47b7-acdd-ccbb8139802b.png)
+
+We find a comment that leads us to finding critical info related to login
+
+![brokenaccess26](https://user-images.githubusercontent.com/70275323/163707600-6fd747a8-fbb3-4bc5-8d46-425fc118c057.png)
+
+Then Change the user Agent Field.
+
+![brokenaccess23](https://user-images.githubusercontent.com/70275323/163707610-438393d5-d4b2-4882-bb1b-31cbfebab82a.png)
+![brokenaccess24](https://user-images.githubusercontent.com/70275323/163707613-a97349ce-04e7-4f8a-be0e-f206e3f57831.png)
+
+This results as being logged in as Admin
+
+![brokenaccess25](https://user-images.githubusercontent.com/70275323/163707622-8cb3f1d7-2185-43b1-84c1-0c66591bc2f6.png)
+
+**Lab 3**
+#### We have an admin credential and a normal user credentails
+- We can 1st login using admin credential, then we can see there is a page at /broken_access_controle/secret containing secret
+- ![image](https://user-images.githubusercontent.com/75058161/177593540-c299ac0a-35a7-41d1-b64e-5ef143a927bb.png)
+- ![image](https://user-images.githubusercontent.com/75058161/177593818-2adfa56e-05e7-4315-acc0-e90ed93aaefe.png)
+- Now if we logout from admin account and login to user account, we can't see the option for secret anymore.
+- Unfortunately if we browse to /broken_access_controle/secret we can still access the page because no authentication check was implemented at that page.
+#### If real case senario hacker won't have admin credential, but he can still brute force with some existing text-list or common path dictionary
+- Some tools to bruteforce file path
+ - [GoBuster](https://www.kali.org/tools/gobuster/)
+ - [Burpsuit](https://portswigger.net/burp)
+
+## 2021-A2:Cryptographic Failure
+
+**Lab 1**
+- Give material --> some user id and hash
+- ##### [ step- 1 ] Identification of the hash
+ - the hash is 32 charecter long
+ - most probably the hash is from MD* family
+ - which is pretty weak hash ( weak in the sense , it have hash collision )
+ - we can use [hash_identifier](https://hashes.com/en/tools/hash_identifier) to identify the hash
+- ##### [ step - 2 ] Search the hash in google
+ - Got the hash of admin password, ie : `admin1234`
+- ##### Using online Hash lookup service
+ - Using online hash decoder we can serach for commmon hash password.
+- Final output
+ - ![image](https://user-images.githubusercontent.com/75058161/177600545-bdbad8bc-f884-4ffe-b0f2-15ff555d95a4.png)
+#
+**Lab 2**
+- Given material --> some user id and hash
+- ##### [ step- 1 ] Identification of the hash
+ - the hash is 64 charecter long
+ - most probably the hash is SHA256
+ - we can use [hash_identifier](https://hashes.com/en/tools/hash_identifier) to identify the hash
+ - ![image](https://user-images.githubusercontent.com/75058161/177693254-6b3bf112-e1f6-4c71-972a-b04f54c4c90a.png)
+- ##### [ step - 2 ] Search the hash in google
+ - Didn't got any result
+ - ![image](https://user-images.githubusercontent.com/75058161/177693323-a915bf6a-0df0-44b6-8573-ade92b6a64d8.png)
+- ##### Using online Hash lookup service
+ - Using online hash decoder we can serach for commmon hash password.
+ - No result found [ in this case ]
+- ##### Using some password cracking tools [ Jhon the ripper ] or [ hashcat ]
+ - No result
+- ##### From the code we can see a custom function is used
+ - After reversing the admin hash and searching in online dictionary
+ - ![image](https://user-images.githubusercontent.com/75058161/177696721-7587bcc8-d483-47ac-a0cb-a3cab07ca868.png)
+ - So `password777` is passowrd for admin, this gives use the admin access
+- ##### Other solution ( bcause it quite difficult to guess custom hash function ) :
+ - Brute force the login page ( no delay implemented so it would be better idea) using burp, Zed etc.
+#
+**Lab 3**
+- Given material --> Normal user credential
+- admin user name --> unkown, password --> unkown
+- ##### Some ovservation
+ - ![image](https://user-images.githubusercontent.com/75058161/177697795-aa7071d9-b672-4527-af55-231f3612dad7.png)
+ - there is a cookie named `cookie` with a value `"User|2022-07-07 06:24:08.802299"` in the format "{username}|{timestamp}"
+ - We can chage the cookie value with `"Admin|2022-07-07 06:24:08.802299"` ( Admin/admin/some other common admin name )
+ - after some guessing we got "admin|2022-07-07 06:24:08.802299" is the admin cookie , which gives us admin access.
+ - ![image](https://user-images.githubusercontent.com/75058161/177698238-b564faa9-7a98-4333-8498-0069c41a85d1.png)
+#
+## 2021-A6:Using Components with Known Vulnerabilities
+
+**lab-2**
+- Given an utility to apply some math expression on an image
+- ![image](https://user-images.githubusercontent.com/75058161/178036849-aae96b02-9633-47e5-a605-0a07ffb17919.png)
+- From the lab descripting we found this module uses pillow 8
+- After some OSINT and dorking
+- ![image](https://user-images.githubusercontent.com/75058161/178037399-7ac55275-6af8-45d6-a0da-e679a2744cd8.png)
+- Let's try `exec(exit())`
+- ![image](https://user-images.githubusercontent.com/75058161/178037554-e8935a19-538d-41ae-9a1e-59d31e50c080.png)
+- ![image](https://user-images.githubusercontent.com/75058161/178037626-4925debd-5c96-4e10-83b8-267df7199488.png)
+- Successfully triggerd a server error.
+
+
+
+
+### 2021-A3:Server side Template Injection
+
+`{% load log %}
+{% get_admin_log 5 as log %}
+{% for e in log %}
+ {{e.user.get_username}} : {{e.user.password}}
+{% endfor %}`
+
+add a post which includes this content
+
+The result would look like this -->
+![Screenshot from 2022-06-10 21-04-29](https://user-images.githubusercontent.com/75058161/173106213-9e218e81-d4b2-4447-9570-4aa8de3dea88.png)
+
+### 2021-A8: Software and Data Integrity failure
+This data is a demonstration that how an XSS attack can deceive users to download any malicious file. The lab consists of a page to download a file, and a direct link to that page is also given (from a hacker). Let's download both files and compare the hash before opening that.
+![image](https://user-images.githubusercontent.com/75058161/190912308-1d26fb2e-2c6c-4c67-bf2a-9bb0f4abbfd0.png)
+So as we can see the hashes don't match. So as a user we should always cross-check signatures for verification of Data Integrity.
+
+More more information about the attack itself you can look into the url -->
+```http://127.0.0.1:8000/2021/A8/lab2?username=user+%3Cscript%3Edocument.getElementById%28%22download_link%22%29.setAttribute%28%22href%22%2C%22%2Fstatic%2Ffake.txt%22%29%3B%3C%2Fscript%3Euser+%3Cscript%3Edocument.getElementById%28%22download_link%22%29.setAttribute%28%22href%22%2C%22%2Fstatic%2Ffake.txt%22%29%3B%3C%2Fscript%3E```
+It have a file url and XXS attack to replace the actual file url.
+
+### 2021-A9: Insufficient Logging & Monitoring
+This lab have active logging and have a login page ( we don't have credential )
+So every fake entry is logged so the user name is printed in the file itself..
+```ERROR:root:2022-07-04 07:21:50.906938:127.0.0.1:User1:Hash1```
+this is a sample hash ..
+So we can Enter user name anything and password = ```pass\nERROR:root:2022-07-04 07:21:50.906938:127.0.0.1:User1:Hash1```
+It will create one fake log and also it can cause log overflow also by passing lots of data in injection.
+
+### 2021:A10 : SSRF lab2
+This lab have a local page at ```/ssrf_target``` that can be only accesed from localhost. Now if we do ```python manage.py runserver``` that page will be accisible
+but if we start the server by ```python manage.py runserver 0:8000``` the page wont be accessble from ```http://[your ip]/ssrf_target```
+
+Now comes the utility that takes the URL and fetch the data, if we give the localhost url to this utility it can fetch the data easily and we can see the page from outside localhost.
+
diff --git a/chatbot/README.md b/chatbot/README.md
new file mode 100644
index 0000000..8f26e5a
--- /dev/null
+++ b/chatbot/README.md
@@ -0,0 +1,12 @@
+# How to run PyGoatBot in Google Colab
+
+Follow these steps to run the PyGoatBot code in Google Colab:
+1. Open a new Google Colab notebook.
+2. Install the ChatterBot library by running the following command: `!pip install chatterbot`
+3. Copy and paste the code into a new cell.
+4. Run the code cell.
+
+## Usage
+1. The PyGoatBot will prompt you to select a question from a list of available questions.
+2. Type the number of the question you want to ask, and the chatbot will respond.
+3. To exit the chatbot, type 'q' or 'exit' when prompted.
diff --git a/chatbot/pygoatbot.ipynb b/chatbot/pygoatbot.ipynb
new file mode 100644
index 0000000..4b7c1c4
--- /dev/null
+++ b/chatbot/pygoatbot.ipynb
@@ -0,0 +1,410 @@
+{
+ "nbformat": 4,
+ "nbformat_minor": 0,
+ "metadata": {
+ "colab": {
+ "provenance": [],
+ "authorship_tag": "ABX9TyMFbN9Hl74O897o7MFKnACj",
+ "include_colab_link": true
+ },
+ "kernelspec": {
+ "name": "python3",
+ "display_name": "Python 3"
+ },
+ "language_info": {
+ "name": "python"
+ },
+ "gpuClass": "standard"
+ },
+ "cells": [
+ {
+ "cell_type": "markdown",
+ "metadata": {
+ "id": "view-in-github",
+ "colab_type": "text"
+ },
+ "source": [
+ ""
+ ]
+ },
+ {
+ "cell_type": "code",
+ "source": [
+ "pip install chatterbot==1.0.2\n"
+ ],
+ "metadata": {
+ "colab": {
+ "base_uri": "https://localhost:8080/"
+ },
+ "id": "uYnWRxB0KzVe",
+ "outputId": "f2994ae9-d748-4c3c-d7dd-6bcb4d144ff8"
+ },
+ "execution_count": 1,
+ "outputs": [
+ {
+ "output_type": "stream",
+ "name": "stdout",
+ "text": [
+ "Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/\n",
+ "Collecting chatterbot==1.0.2\n",
+ " Downloading ChatterBot-1.0.2-py2.py3-none-any.whl (65 kB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m65.8/65.8 KB\u001b[0m \u001b[31m2.0 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hCollecting sqlalchemy<1.3,>=1.2\n",
+ " Downloading SQLAlchemy-1.2.19.tar.gz (5.7 MB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m5.7/5.7 MB\u001b[0m \u001b[31m33.6 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25h Preparing metadata (setup.py) ... \u001b[?25l\u001b[?25hdone\n",
+ "Requirement already satisfied: nltk<4.0,>=3.2 in /usr/local/lib/python3.9/dist-packages (from chatterbot==1.0.2) (3.8.1)\n",
+ "Collecting mathparse<0.2,>=0.1\n",
+ " Downloading mathparse-0.1.2-py3-none-any.whl (7.2 kB)\n",
+ "Collecting pymongo<4.0,>=3.3\n",
+ " Downloading pymongo-3.13.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (515 kB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m515.5/515.5 KB\u001b[0m \u001b[31m9.9 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hCollecting python-dateutil<2.8,>=2.7\n",
+ " Downloading python_dateutil-2.7.5-py2.py3-none-any.whl (225 kB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m225.7/225.7 KB\u001b[0m \u001b[31m12.9 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hCollecting pint>=0.8.1\n",
+ " Downloading Pint-0.20.1-py3-none-any.whl (269 kB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m269.5/269.5 KB\u001b[0m \u001b[31m4.1 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hCollecting chatterbot-corpus<1.3,>=1.2\n",
+ " Downloading chatterbot_corpus-1.2.0-py2.py3-none-any.whl (117 kB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m117.3/117.3 KB\u001b[0m \u001b[31m4.2 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25hCollecting PyYAML<4.0,>=3.12\n",
+ " Downloading PyYAML-3.13.tar.gz (270 kB)\n",
+ "\u001b[2K \u001b[90mโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\u001b[0m \u001b[32m270.6/270.6 KB\u001b[0m \u001b[31m13.3 MB/s\u001b[0m eta \u001b[36m0:00:00\u001b[0m\n",
+ "\u001b[?25h Preparing metadata (setup.py) ... \u001b[?25l\u001b[?25hdone\n",
+ "Requirement already satisfied: regex>=2021.8.3 in /usr/local/lib/python3.9/dist-packages (from nltk<4.0,>=3.2->chatterbot==1.0.2) (2022.10.31)\n",
+ "Requirement already satisfied: tqdm in /usr/local/lib/python3.9/dist-packages (from nltk<4.0,>=3.2->chatterbot==1.0.2) (4.65.0)\n",
+ "Requirement already satisfied: joblib in /usr/local/lib/python3.9/dist-packages (from nltk<4.0,>=3.2->chatterbot==1.0.2) (1.1.1)\n",
+ "Requirement already satisfied: click in /usr/local/lib/python3.9/dist-packages (from nltk<4.0,>=3.2->chatterbot==1.0.2) (8.1.3)\n",
+ "Requirement already satisfied: six>=1.5 in /usr/local/lib/python3.9/dist-packages (from python-dateutil<2.8,>=2.7->chatterbot==1.0.2) (1.16.0)\n",
+ "Building wheels for collected packages: sqlalchemy, PyYAML\n",
+ " Building wheel for sqlalchemy (setup.py) ... \u001b[?25l\u001b[?25hdone\n",
+ " Created wheel for sqlalchemy: filename=SQLAlchemy-1.2.19-cp39-cp39-linux_x86_64.whl size=1157816 sha256=922b29a3390946efcb35b47ccdfe5d923eeb8a2052229f7e2b11130708e7c628\n",
+ " Stored in directory: /root/.cache/pip/wheels/12/75/ee/52355e3658b18c812a419a7fdf581ab885b01c0675e25e9b01\n",
+ " Building wheel for PyYAML (setup.py) ... \u001b[?25l\u001b[?25hdone\n",
+ " Created wheel for PyYAML: filename=PyYAML-3.13-cp39-cp39-linux_x86_64.whl size=43098 sha256=59a2dbcb61dc3619f01f5798fde2819e7f5314a91a2486497a6bc9521f1d3afa\n",
+ " Stored in directory: /root/.cache/pip/wheels/81/6e/87/725bed1db7f86e1c7091ef5f4a4f11b0fcf7023c2be4fc29db\n",
+ "Successfully built sqlalchemy PyYAML\n",
+ "Installing collected packages: sqlalchemy, PyYAML, mathparse, python-dateutil, pymongo, pint, chatterbot-corpus, chatterbot\n",
+ " Attempting uninstall: sqlalchemy\n",
+ " Found existing installation: SQLAlchemy 1.4.47\n",
+ " Uninstalling SQLAlchemy-1.4.47:\n",
+ " Successfully uninstalled SQLAlchemy-1.4.47\n",
+ " Attempting uninstall: PyYAML\n",
+ " Found existing installation: PyYAML 6.0\n",
+ " Uninstalling PyYAML-6.0:\n",
+ " Successfully uninstalled PyYAML-6.0\n",
+ " Attempting uninstall: python-dateutil\n",
+ " Found existing installation: python-dateutil 2.8.2\n",
+ " Uninstalling python-dateutil-2.8.2:\n",
+ " Successfully uninstalled python-dateutil-2.8.2\n",
+ "\u001b[31mERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.\n",
+ "prophet 1.1.2 requires python-dateutil>=2.8.0, but you have python-dateutil 2.7.5 which is incompatible.\n",
+ "pandas 1.4.4 requires python-dateutil>=2.8.1, but you have python-dateutil 2.7.5 which is incompatible.\n",
+ "pandas-profiling 3.2.0 requires PyYAML>=5.0.0, but you have pyyaml 3.13 which is incompatible.\n",
+ "flax 0.6.8 requires PyYAML>=5.4.1, but you have pyyaml 3.13 which is incompatible.\n",
+ "dask 2022.12.1 requires pyyaml>=5.3.1, but you have pyyaml 3.13 which is incompatible.\u001b[0m\u001b[31m\n",
+ "\u001b[0mSuccessfully installed PyYAML-3.13 chatterbot-1.0.2 chatterbot-corpus-1.2.0 mathparse-0.1.2 pint-0.20.1 pymongo-3.13.0 python-dateutil-2.7.5 sqlalchemy-1.2.19\n"
+ ]
+ }
+ ]
+ },
+ {
+ "cell_type": "code",
+ "source": [
+ "pip install nltk"
+ ],
+ "metadata": {
+ "colab": {
+ "base_uri": "https://localhost:8080/"
+ },
+ "id": "Dgn025lMxOLq",
+ "outputId": "5de3b172-ff9c-4d54-f723-34d3c9ed8318"
+ },
+ "execution_count": 2,
+ "outputs": [
+ {
+ "output_type": "stream",
+ "name": "stdout",
+ "text": [
+ "Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/\n",
+ "Requirement already satisfied: nltk in /usr/local/lib/python3.9/dist-packages (3.8.1)\n",
+ "Requirement already satisfied: regex>=2021.8.3 in /usr/local/lib/python3.9/dist-packages (from nltk) (2022.10.31)\n",
+ "Requirement already satisfied: tqdm in /usr/local/lib/python3.9/dist-packages (from nltk) (4.65.0)\n",
+ "Requirement already satisfied: joblib in /usr/local/lib/python3.9/dist-packages (from nltk) (1.1.1)\n",
+ "Requirement already satisfied: click in /usr/local/lib/python3.9/dist-packages (from nltk) (8.1.3)\n"
+ ]
+ }
+ ]
+ },
+ {
+ "cell_type": "code",
+ "source": [
+ "pip install logger"
+ ],
+ "metadata": {
+ "colab": {
+ "base_uri": "https://localhost:8080/"
+ },
+ "id": "aCCtNKLj6J8a",
+ "outputId": "fba612a7-0870-41e4-b670-751d1490319b"
+ },
+ "execution_count": 34,
+ "outputs": [
+ {
+ "output_type": "stream",
+ "name": "stdout",
+ "text": [
+ "Looking in indexes: https://pypi.org/simple, https://us-python.pkg.dev/colab-wheels/public/simple/\n",
+ "Collecting logger\n",
+ " Downloading logger-1.4.tar.gz (1.2 kB)\n",
+ " Preparing metadata (setup.py) ... \u001b[?25l\u001b[?25hdone\n",
+ "Building wheels for collected packages: logger\n",
+ " Building wheel for logger (setup.py) ... \u001b[?25l\u001b[?25hdone\n",
+ " Created wheel for logger: filename=logger-1.4-py3-none-any.whl size=1780 sha256=375578a39f0783a695470050f7bfeed4759edc359a2f928ea57bbcf181fe7a17\n",
+ " Stored in directory: /root/.cache/pip/wheels/d6/2c/20/0bf3428f60a053875adaf43bee20695fff6e5d5a2cffaceaad\n",
+ "Successfully built logger\n",
+ "Installing collected packages: logger\n",
+ "Successfully installed logger-1.4\n"
+ ]
+ }
+ ]
+ },
+ {
+ "cell_type": "code",
+ "source": [
+ "training_data = [\n",
+ " 'What is OWASP PyGoat?',\n",
+ " 'OWASP PyGoat is an intentionally vulnerable web application used for learning web security testing.',\n",
+ " 'Why should I learn web security testing?',\n",
+ " 'Learning web security testing can help you understand how to identify and prevent web application attacks.',\n",
+ " 'What types of vulnerabilities can PyGoat help me learn about?',\n",
+ " 'PyGoat can help you learn about various types of web application vulnerabilities, including injection attacks, cross-site scripting (XSS), and broken authentication and session management.',\n",
+ " 'How can I use PyGoat to learn web security testing?',\n",
+ " 'PyGoat includes a series of lessons and challenges designed to teach you about web security testing techniques and common vulnerabilities.',\n",
+ " 'Is PyGoat suitable for beginners?',\n",
+ " 'Yes, PyGoat is designed to be accessible to beginners and experienced professionals alike.',\n",
+ " 'Where can I download PyGoat?',\n",
+ " 'You can download PyGoat from the official GitHub repository at https://github.com/OWASP/PyGoat',\n",
+ " 'Are there any resources available to help me get started with PyGoat?',\n",
+ " 'Yes, the PyGoat documentation includes a Getting Started guide and a list of additional resources to help you learn about web security testing.',\n",
+ " 'Can I contribute to PyGoat?',\n",
+ " 'Yes, PyGoat is an open-source project and welcomes contributions from anyone interested in improving the application.',\n",
+ "]\n"
+ ],
+ "metadata": {
+ "id": "o0XoIqiSxHDt"
+ },
+ "execution_count": 35,
+ "outputs": []
+ },
+ {
+ "cell_type": "code",
+ "source": [
+ "import nltk\n",
+ "import logging\n",
+ "from collections import Counter\n",
+ "from operator import itemgetter\n",
+ "from chatterbot import ChatBot\n",
+ "from chatterbot.trainers import ListTrainer\n",
+ "from chatterbot.logic import BestMatch\n",
+ "from nltk.tokenize import word_tokenize\n",
+ "from nltk.corpus import stopwords\n",
+ "\n",
+ "# Download the required NLTK packages\n",
+ "nltk.download(\"punkt\")\n",
+ "nltk.download(\"averaged_perceptron_tagger\")\n",
+ "nltk.download(\"maxent_ne_chunker\")\n",
+ "nltk.download(\"words\")\n",
+ "\n",
+ "# Define your training data here\n",
+ "\n",
+ "# Create a new chatbot\n",
+ "logging.getLogger('chatterbot').setLevel(logging.ERROR)\n",
+ "chatbot = ChatBot(\n",
+ " \"PyGoatBot\",\n",
+ " storage_adapter=\"chatterbot.storage.SQLStorageAdapter\",\n",
+ " database_uri=\"sqlite:///database.sqlite3\",\n",
+ " logic_adapters=[\n",
+ " {\n",
+ " \"import_path\": \"chatterbot.logic.BestMatch\",\n",
+ " \"default_response\": \"I'm sorry, I'm not sure I understand.\",\n",
+ " \"maximum_similarity_threshold\": 0.90,\n",
+ " }\n",
+ " ],\n",
+ ")\n",
+ "\n",
+ "# Train the chatbot with the training data\n",
+ "trainer = ListTrainer(chatbot)\n",
+ "trainer.train(training_data)\n",
+ "nltk.download('stopwords')\n",
+ "\n",
+ "print(\"Welcome to PyGoatBot! Type 'q or exit' to quit.\")\n",
+ "print()\n",
+ "print(\"How can I help?\")\n",
+ "while True:\n",
+ " try:\n",
+ " user_input = input(\"You: \")\n",
+ " if user_input.lower() == \"exit\" or user_input.lower()==\"q\":\n",
+ " break\n",
+ " sentence = user_input\n",
+ " sentence = sentence.lower()\n",
+ " words = word_tokenize(sentence)\n",
+ " stop_words = set(stopwords.words('english'))\n",
+ " words = [word for word in words if not word in stop_words]\n",
+ " tagged_words = nltk.pos_tag(words)\n",
+ " keywords = []\n",
+ " for word, tag in tagged_words:\n",
+ " if tag.startswith('N') or tag.startswith('J'):\n",
+ " keywords.append(word)\n",
+ "\n",
+ "\n",
+ " if not keywords:\n",
+ " print(\"I'm sorry, I didn't find any important keywords in your input.\")\n",
+ " continue\n",
+ "\n",
+ " dict_que={}\n",
+ " for i in range(0, len(training_data), 2):\n",
+ " keyword_counts = 0\n",
+ " for keyword in keywords:\n",
+ " if keyword.lower() in training_data[i].lower():\n",
+ " keyword_counts += 1\n",
+ " dict_que[training_data[i]]=keyword_counts\n",
+ "\n",
+ " sorted_dict = sorted(dict_que.items(), key=lambda x: x[1], reverse=True)\n",
+ " top_questions=sorted_dict[0:4]\n",
+ "\n",
+ " if not top_questions:\n",
+ " print(\"I'm sorry, I couldn't find any relevant questions in my database.\")\n",
+ " continue\n",
+ " print()\n",
+ " print(\"--Available questions:--\")\n",
+ " for i, question in enumerate(top_questions):\n",
+ " print(f\" {i+1}. {question[0]}\")\n",
+ " print(\" 5. Main Menu\")\n",
+ " print()\n",
+ "\n",
+ " while True:\n",
+ " try:\n",
+ " question_index = int(input(\"Enter a number to select a question: \"))\n",
+ " if 1 <= question_index <= 4:\n",
+ " break\n",
+ " elif question_index==5:\n",
+ " print(\"Taking you to the main menu\")\n",
+ " break\n",
+ " \n",
+ " else:\n",
+ " print(\"Please enter a number between 1 and 4.\")\n",
+ "\n",
+ " except ValueError:\n",
+ " print(\"Please enter a valid number.\")\n",
+ "\n",
+ " if question_index!=5:\n",
+ " question = top_questions[question_index - 1][0]\n",
+ " response = chatbot.get_response(question)\n",
+ "\n",
+ " # Output\n",
+ " print(f\"PyGoatBot: {response}\")\n",
+ "\n",
+ " except (KeyboardInterrupt, EOFError):\n",
+ " break\n"
+ ],
+ "metadata": {
+ "colab": {
+ "base_uri": "https://localhost:8080/"
+ },
+ "id": "dklscBXxWCUB",
+ "outputId": "6953214c-1855-4b9f-9f7c-026c43f12850"
+ },
+ "execution_count": 46,
+ "outputs": [
+ {
+ "output_type": "stream",
+ "name": "stdout",
+ "text": [
+ "List Trainer: [####################] 100%"
+ ]
+ },
+ {
+ "output_type": "stream",
+ "name": "stderr",
+ "text": [
+ "[nltk_data] Downloading package punkt to /root/nltk_data...\n",
+ "[nltk_data] Package punkt is already up-to-date!\n",
+ "[nltk_data] Downloading package averaged_perceptron_tagger to\n",
+ "[nltk_data] /root/nltk_data...\n",
+ "[nltk_data] Package averaged_perceptron_tagger is already up-to-\n",
+ "[nltk_data] date!\n",
+ "[nltk_data] Downloading package maxent_ne_chunker to\n",
+ "[nltk_data] /root/nltk_data...\n",
+ "[nltk_data] Package maxent_ne_chunker is already up-to-date!\n",
+ "[nltk_data] Downloading package words to /root/nltk_data...\n",
+ "[nltk_data] Package words is already up-to-date!\n",
+ "[nltk_data] Downloading package averaged_perceptron_tagger to\n",
+ "[nltk_data] /root/nltk_data...\n",
+ "[nltk_data] Package averaged_perceptron_tagger is already up-to-\n",
+ "[nltk_data] date!\n",
+ "[nltk_data] Downloading package punkt to /root/nltk_data...\n",
+ "[nltk_data] Package punkt is already up-to-date!\n",
+ "[nltk_data] Downloading package stopwords to /root/nltk_data...\n",
+ "[nltk_data] Package stopwords is already up-to-date!\n",
+ "[nltk_data] Downloading package stopwords to /root/nltk_data...\n",
+ "[nltk_data] Package stopwords is already up-to-date!\n"
+ ]
+ },
+ {
+ "output_type": "stream",
+ "name": "stdout",
+ "text": [
+ "\r\n",
+ "Welcome to PyGoatBot! Type 'q or exit' to quit.\n",
+ "You: How to contribute in pygoat?\n",
+ "\n",
+ "--Available questions:--\n",
+ " 1. Can I contribute to PyGoat?\n",
+ " 2. What is OWASP PyGoat?\n",
+ " 3. What types of vulnerabilities can PyGoat help me learn about?\n",
+ " 4. How can I use PyGoat to learn web security testing?\n",
+ " 5. Main Menu\n",
+ "\n",
+ "Enter a number to select a question: 1\n",
+ "PyGoatBot: Yes, PyGoat is an open-source project and welcomes contributions from anyone interested in improving the application.\n",
+ "You: How to download pygoat?\n",
+ "\n",
+ "--Available questions:--\n",
+ " 1. Where can I download PyGoat?\n",
+ " 2. What is OWASP PyGoat?\n",
+ " 3. What types of vulnerabilities can PyGoat help me learn about?\n",
+ " 4. How can I use PyGoat to learn web security testing?\n",
+ " 5. Main Menu\n",
+ "\n",
+ "Enter a number to select a question: how to download?\n",
+ "Please enter a valid number.\n",
+ "Enter a number to select a question: 1\n",
+ "PyGoatBot: You can download PyGoat from the official GitHub repository at https://github.com/OWASP/PyGoat\n",
+ "You: what is web security testing?\n",
+ "\n",
+ "--Available questions:--\n",
+ " 1. Why should I learn web security testing?\n",
+ " 2. How can I use PyGoat to learn web security testing?\n",
+ " 3. What is OWASP PyGoat?\n",
+ " 4. What types of vulnerabilities can PyGoat help me learn about?\n",
+ " 5. Main Menu\n",
+ "\n",
+ "Enter a number to select a question: 2\n",
+ "PyGoatBot: PyGoat includes a series of lessons and challenges designed to teach you about web security testing techniques and common vulnerabilities.\n"
+ ]
+ }
+ ]
+ },
+ {
+ "cell_type": "code",
+ "source": [],
+ "metadata": {
+ "id": "jpYCc8FL6Gzi"
+ },
+ "execution_count": null,
+ "outputs": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3d39f83
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,29 @@
+version: "3.3"
+
+services:
+ db:
+ image: postgres
+ volumes:
+ - ./data/db:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_DB=postgres
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
+ web:
+ build: .
+ image: pygoat/pygoat
+ command: gunicorn --bind 0.0.0.0:8000 --workers 6 pygoat.wsgi
+ ports:
+ - "8000:8000"
+ volumes:
+ - .:/app
+ depends_on:
+ - migration
+ - db
+ migration:
+ image: pygoat/pygoat
+ command: python pygoat/manage.py migrate --noinput
+ volumes:
+ - .:/app
+ depends_on:
+ - db
diff --git a/docs/dev_guide.md b/docs/dev_guide.md
new file mode 100644
index 0000000..3497ff7
--- /dev/null
+++ b/docs/dev_guide.md
@@ -0,0 +1,207 @@
+# Developer's Guide
+
+PyGoat is an intentionally vulnerable web application written using the Python-Django Framework. We welcome Developers to contribute to the project.
+
+## Project Structure
+
+![image](https://user-images.githubusercontent.com/70275323/154626667-be93c711-47ca-45db-be8d-4ce62e7fbfbb.png)
+
+`installer.sh` is the installer bash file. It downloads and installs requirements that are necessary for the project.
+
+`uninstaller.sh` is the uninstaller bash file. It will uninstall the project and and requirements that were installed along with it.
+
+`requirements.txt` is the python3 requirements file.
+
+### Django Folder Structure
+
+The `pygoat` folder is the main folder that contains the Django Project. The project has 2 apps - `introduction` and `pygoat`, and both of them have their own folders. Apart from them there's another folder - `Solutions` which contains solutions to all scenarios.
+
+* The Inroduction folder contains the main workings of the project and consists of HTML templates, CSS files, and Python code that forms the backend of the application
+* The pygoat folder is the Django default folder and it contains all important settings/configurations essential to running the apps.
+* The Solutions folder has `solutions.md` and has solutions to all scenarios presented in application
+
+### Contents of the `introdution` folder
+
+The `introduction` folder has a few more folders and files
+
+![image](https://user-images.githubusercontent.com/70275323/154636031-c5bd01de-82ac-4fff-836a-b44e01c0e415.png)
+
+#### Folders
+
+* `lab_code` - This contains `test.py` which can be used to test a piece of code before implementing it in the app.
+* `static` - Contains CSS files that give the pages styling
+* `templates` - Contains all HTML templates used by the we app. This has 3 folders
+* * `introduction` - Contains the base html code that is used throughout the app.
+* * `lab` - contains HTML code for the 10 Scenarios that can be solved
+* * `registration` - Contains HTML code for registration and login pages
+*
+#### Files
+
+* `models.py` - Has different models eg - FAANG, login, etc
+* `urls.py` - List of URLS and how to route them
+* `views.py` - Main Backend Code that runs the Web App
+
+## Understanding how the templates work
+
+All templates are located in `pygoat/introduction/templates` and main CSS used for the project is located in `pygoat/introduction/static/introduction/style4.css`
+
+There are 3 folders in templates
+- introduction - Contains `base.html` and `home.html`
+- Lab - contains 12 folders. All folders except AUTH contain templates that will be displayed for the 10 labs
+- registration - contains templates for registration, login and logout
+
+`base.html` - Contains Base layout for the entire website. This is extended by most other templates and the base layout, CSS and formatting will be dictated by this template. CSS that is included for this template is automatically applied to the all other templates that extend this one.
+
+The following image shows a few parts that `base.html` defines in the website.
+
+![front_1](https://user-images.githubusercontent.com/70275323/154678332-ada4935f-a970-4ca3-a8be-f4babda8cb3b.png)
+
+The different lab folders inside `Lab` contain templates related to labs
+
+![image](https://user-images.githubusercontent.com/70275323/154682348-d51c521f-e885-4b81-958d-38c2f73ba9be.png)
+
+## Understanding how `views.py` works (Working of Backend)
+
+Navigate to `views.py` located in the introduction folder of the Django Project. This file will be your main concern when it comes to backend development
+
+How views.py works -
+
+The python file is divided into sections depending on which purpose they're being used for.
+
+For example lets take the function `cmd_lab`
+
+The function is as follows
+
+```python3
+def cmd_lab(request):
+ if request.user.is_authenticated: # checks if the user is authenticated
+ if(request.method=="POST"):
+ domain=request.POST.get('domain') # this is the input of the user
+ domain=domain.replace("https://www.",'')
+ os=request.POST.get('os')
+ print(os)
+ if(os=='win'):
+ command="nslookup {}".format(domain)
+ else:
+ command = "dig {}".format(domain)
+
+ try:
+ # output=subprocess.check_output(command,shell=True,encoding="UTF-8")
+ process = subprocess.Popen(
+ command,
+ shell=True,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ stdout, stderr = process.communicate()
+ data = stdout.decode('utf-8')
+ stderr = stderr.decode('utf-8')
+ # res = json.loads(data)
+ # print("Stdout\n" + data)
+ output = data + stderr
+ print(data + stderr)
+ except:
+ output = "Something went wrong"
+ return render(request,'Lab/CMD/cmd_lab.html',{"output":output}) # this renders the template - cmd_lab.html
+ print(output)
+ return render(request,'Lab/CMD/cmd_lab.html',{"output":output}) # this renders the template - cmd_lab.html
+ else:
+ return render(request, 'Lab/CMD/cmd_lab.html') # this renders the template - cmd_lab.html
+ else:
+ return redirect('login') # if user wasn't logged in the first if statement of the function then redirect to login
+```
+
+The first statement checks if the user is authenticated. If not, it directs to the login page.
+
+The syntax to take input from user through a web page using POST request is
+
+```python3
+value=request.POST.get('value_name')
+```
+This syntax is used twice in the above function
+
+```python3
+domain=request.POST.get('domain')
+os=request.POST.get('os')
+```
+
+The function usually ends with rendering a particular template along with giving it a few values. Lets see how this works.
+
+Lets take the snippet
+
+```python3
+output = "Something went wrong"
+return render(request,'Lab/CMD/cmd_lab.html',{"output":output})
+```
+
+And lets take the snippet from `'Lab/CMD/cmd_lab.html'` that will display the `output` variable
+
+```html
+
+ {% if output %}
+
Output
+
+
{{output}}
+
+ {% endif %}
+
+```
+
+Lets see what these two snippets acheive
+
+The python3 code from views.py renders this template and a variable 'output' with value of output ( which in this case is "Something went wrong") is made available in the HTML template
+
+The `output` variable can be accessed from the HTML template by using tags provided in the the [Django Template Language](https://docs.djangoproject.com/en/4.0/ref/templates/language/) (the link contains vital info. It's recommended to check it out)
+
+What this achieves in this case, is -
+- Checking if output variable exists
+- If it exists, displays value of output variable in preformatted way
+
+## Understanding request authentication
+
+To ensure every page is rendered to an authenticated user, all functions in `views.py` begin with an authentication check that looks something like
+
+```python3
+if request.user.is_authenticated:
+ # Logic of the program here!
+ else:
+ return redirect('login')
+ # Rediects to login page if a request is not authenticated
+```
+
+To Add a new function to views.py, please make sure to include a check for authentication.
+
+## Understanding routing with `urls.py`
+
+There are 2 `urls.py` files in the project.
+
+These are located in `pygoat/pygoat` and `pygoat/introduction`
+
+These files are responsibele for routing the website urls to the correct template and backend function.
+
+Let's take an example from a code snippet from `pygoat/introduction/urls.py`
+
+```python3
+ path('', views.home, name='homepage'),
+ path('xss', views.xss,name="xss"),
+ path('xssL',views.xss_lab,name='xss_lab'),
+```
+
+What this code does -
+
+- When user navigates to 127.0.0.1/ in web browser, function views.home is executed
+- When user navigates to 127.0.0.1/xss in web browser, function views.xss is executed
+- When user navigates to 127.0.0.1/xssL in web browser, function views.xss_lab is executed
+
+Let's take an example from a code snippet from `pygoat/pygoat/urls.py`
+
+```python3
+ path('', views.home, name='homepage'),
+ path('xss', views.xss,name="xss"),
+ path('xssL',views.xss_lab,name='xss_lab'),
+```
+
+There are a few lines in urls.py that do not look like these. They're for special purposes like implementing django-allAuth and other features
+
+If theres any doubt or issue feel free to raise an Issue, or correct an existing issue and send PR. Feel free to join the [PyGoat Devs channel](https://t.me/+WpqLBwviT00xZDI1) on telegram
+
+Happy Coding!
diff --git a/gh-md-toc b/gh-md-toc
new file mode 100755
index 0000000..ef389e7
--- /dev/null
+++ b/gh-md-toc
@@ -0,0 +1,361 @@
+#!/usr/bin/env bash
+
+#
+# Steps:
+#
+# 1. Download corresponding html file for some README.md:
+# curl -s $1
+#
+# 2. Discard rows where no substring 'user-content-' (github's markup):
+# awk '/user-content-/ { ...
+#
+# 3.1 Get last number in each row like ' ... sitemap.js.*<\/h/)+2, RLENGTH-5)
+#
+# 5. Find anchor and insert it inside "(...)":
+# substr($0, match($0, "href=\"[^\"]+?\" ")+6, RLENGTH-8)
+#
+
+gh_toc_version="0.7.0"
+
+gh_user_agent="gh-md-toc v$gh_toc_version"
+
+#
+# Download rendered into html README.md by its url.
+#
+#
+gh_toc_load() {
+ local gh_url=$1
+
+ if type curl &>/dev/null; then
+ curl --user-agent "$gh_user_agent" -s "$gh_url"
+ elif type wget &>/dev/null; then
+ wget --user-agent="$gh_user_agent" -qO- "$gh_url"
+ else
+ echo "Please, install 'curl' or 'wget' and try again."
+ exit 1
+ fi
+}
+
+#
+# Converts local md file into html by GitHub
+#
+# -> curl -X POST --data '{"text": "Hello world github/linguist#1 **cool**, and #1!"}' https://api.github.com/markdown
+#
What does Insufficient Logging & Monitoring means?
+
+ Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely
+ on the lack of monitoring and timely response to achieve their goals without being detected.
+ Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the
+ likelihood of successful exploit to nearly 100%.
+ In 2016, identifying a breach took an average of 191 days โ plenty of time for damage to be inflicted.
+
+
+
+
+ This lab helps you to get an idea of how sometimes improper logging can result in information disclosure.
+
+ The user on accessing the lab is given with a login page which tells us that the logs have been leaked.
+ The user needs to find the leak and try to gain the credentials that have been leaked in the logs.
+
+ Finding the Log
+
+
The log has been exposed in /debug route
+
This can be found out with subdomain brute-forcing or just by guess
+
On seeing the Log try to get the required login details as there is a leak and the logging is improperly
+ handled.
+
+
+
+
+
+
+
+
+
+
+ It seems this application is logging every action performed in this logging page.
+ But is there a way to inject some fake logs to the application?
+
+
+ Login credentials are same as lab1
+
+
+
+
+
Mitigation
+
+
+
Ensure that logs are created in a format that can be easily used by central log management tools.
+
High-value transactions should have an audit trail with integrity controls to prevent manipulation or
+ deletion.
+
Effective monitoring and alerting should be established so that suspicious activities can be detected and
+ responded to in a timely manner.
+
Make sure that there aren't any sensitive information like passwords are being logged
+
+
+
+
+
+
+
+
+
+ {% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/A10/a10_lab.html b/introduction/templates/Lab/A10/a10_lab.html
new file mode 100644
index 0000000..d4e905c
--- /dev/null
+++ b/introduction/templates/Lab/A10/a10_lab.html
@@ -0,0 +1,44 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Insufficient Logging & Monitoring
+{% endblock %}
+
+
+
+
The Logs have been Leaked.
+
+
+
+
+
+
+
+
+ {% if name %}
+
Success! Logged in as
+
{{name}}
+
+ {% else %}
+
+
{{error}}
+
+ {% endif %}
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/A10/a10_lab2.html b/introduction/templates/Lab/A10/a10_lab2.html
new file mode 100644
index 0000000..d0acadb
--- /dev/null
+++ b/introduction/templates/Lab/A10/a10_lab2.html
@@ -0,0 +1,78 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Insufficient Logging & Monitoring
+{% endblock %}
+
+
+
+
Logs are strickty monitored
+
+
+
+
+
+
+
+
+ {% if name %}
+
Success! Logged in as
+
{{name}}
+
+ {% else %}
+
+
{{error}}
+
+ {% endif %}
+
+
+
+
+
+
+
+ logging.basicConfig(level=logging.DEBUG,filename='app.log')
+
+ @authentication_decorator
+ def a10_lab2(request):
+ now = datetime.datetime.now()
+ if request.method == "GET":
+ x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+
+ if x_forwarded_for:
+ ip = x_forwarded_for.split(',')[0]
+ else:
+ ip = request.META.get('REMOTE_ADDR')
+ logging.info(f"{now}:{ip}")
+ return render (request,"Lab/A10/a10_lab2.html")
+ else:
+ user=request.POST.get("name")
+ password=request.POST.get("pass")
+ x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+
+ if x_forwarded_for:
+ ip = x_forwarded_for.split(',')[0]
+ else:
+ ip = request.META.get('REMOTE_ADDR')
+
+ if login.objects.filter(user=user,password=password):
+ if ip != '127.0.0.1':
+ logging.warning(f"{now}:{ip}:{user}")
+ logging.info(f"{now}:{ip}:{user}")
+ return render(request,"Lab/A10/a10_lab2.html",{"name":user})
+ else:
+ logging.error(f"{now}:{ip}:{user}")
+ return render(request, "Lab/A10/a10_lab2.html", {"error": " Wrong username or Password"})
+
+
+
+ Insecure design is a broad category representing different weaknesses,
+ expressed as โmissing or ineffective control design.โ Insecure design is
+ not the source for all other Top 10 risk categories. There is a difference
+ between insecure design and insecure implementation. We differentiate
+ between design flaws and implementation defects for a reason, they have
+ different root causes and remediation. A secure design can still have
+ implementation defects leading to vulnerabilities that may be exploited.
+ An insecure design cannot be fixed by a perfect implementation as by
+ definition, needed security controls were never created to defend against
+ specific attacks. One of the factors that contribute to insecure design is
+ the lack of business risk profiling inherent in the software or system
+ being developed, and thus the failure to determine what level of security
+ design is required.
+
+
+
+
+ This lab helps you to get an idea of how Insecure Design can result in major Security flaw.
+
+ In the next page,user can get 5 free tickets for a Movie. But he/she have to wait untill all the tickets are sold out.
+ For this particular situation, we can get advantage of the Insecure Design and somehow get all the tickets for the movie.
+
+
Hint
+
Logout and then think.
+
+
+
+
+
+
+
Mitigation
+
+
+
Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls
+
Establish and use a library of secure design patterns or paved road ready to use components
+
Use threat modeling for critical authentication, access control, business logic, and key flows
+
Integrate security language and controls into user stories
+
Integrate plausibility checks at each tier of your application (from frontend to backend)
+
Write unit and integration tests to validate that all critical flows are resistant to the threat model. Compile use-cases and misuse-cases for each tier of your application.s
+
Segregate tier layers on the system and network layers depending on the exposure and protection needs
+
Segregate tenants robustly by design throughout all tiers
+
+{% endblock %}
diff --git a/introduction/templates/Lab/A9/a9.html b/introduction/templates/Lab/A9/a9.html
new file mode 100644
index 0000000..840fedc
--- /dev/null
+++ b/introduction/templates/Lab/A9/a9.html
@@ -0,0 +1,94 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Using Components with Known Vulnerabilities
+{% endblock %}
+
+
Using Components with Known Vulnerabilities
+
+
+
What does Using Components with Know Vulnerability means?
+
When a developer uses a piece of code or library which already has a known vulnerability, then
+ this may result in compromise of the entire application. This occurs when the components such as libraries
+ and frameworks used within the app mostly execute with full privileges. If a vulnerable component is
+ exploited, it makes the hackerโs job easier to cause a serious data loss or server takeover.
+
+
+
+
+
+
+ This lab helps us to understand why components with known vulnerabilities can be a serious issue.
+
+ The user on accessing the lab is provided with a feature to convert yaml files into json objects.
+ A yaml file needs to be chosen and uploaded to get the json data.
+ There is also a get version feature which tells the user the version of the library the app uses.
+
+ Exploiting the vulnerability.
+
+
The app uses pyyaml 5.1 Which is vulnerable to code execution.
+
You can google the library with the version to get the poc and vulnerability details
+
Libraries known for the infamous code injection vulnerabilities are PyYAML 5.4 and Log4J
+
Create An yaml file with this payload:
+ !!python/object/apply:subprocess.Popen
+ - ls
+
+
On Uploading this file the user should be able to see the output of the command executed in the
+ Terminal running Django.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This lab helps us to understand why components with known vulnerabilities can be a serious issue.
+
+ This is website for some image manupulation.
+
+ Exploiting the vulnerability.
+
+
The app uses Pillow 8.0.0 Which is vulnerable to code execution.
+
You can google the library with the version to get the poc and vulnerability details
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Remove unused dependencies, unnecessary features, components, files, and documentation.
+
Only obtain components from official sources over secure links. Prefer signed packages to reduce the
+ chance of including a modified, malicious component.
+
Monitor for libraries and components that are unmaintained or do not create security patches for older
+ versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect
+ against the discovered issue.
+
Use Library scanners to test for Vulnerabilities in packages.
+
+
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/A9/a9_lab.html b/introduction/templates/Lab/A9/a9_lab.html
new file mode 100644
index 0000000..5a70b46
--- /dev/null
+++ b/introduction/templates/Lab/A9/a9_lab.html
@@ -0,0 +1,37 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+A9
+{% endblock %}
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/AUTH/auth_home.html b/introduction/templates/Lab/AUTH/auth_home.html
new file mode 100644
index 0000000..28422e3
--- /dev/null
+++ b/introduction/templates/Lab/AUTH/auth_home.html
@@ -0,0 +1,54 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Broken Authentication
+{% endblock %}
+
+
Description
+
+
+
What is Broken Authentication
+
+ Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate
+ legitimate users online. Broadly, broken authentication refers to weaknesses in two areas: session management
+ and credential management. Both are classified as broken authentication because attackers can use either
+ avenue to masquerade as a user: hijacked session IDs or stolen login credentials.
+
+
Broken Authentication errors occur when:
+
+
Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames
+ and passwords.
+
Permits brute force or other automated attacks.
+
Permits default, weak, or well-known passwords, such as โPassword1โ or โadmin/adminโ.
+
Uses weak or ineffective credential recovery and forgot-password processes, such as โknowledge-based
+ answersโ, which cannot be made safe.
+
Uses plain text, encrypted, or weakly hashed passwords.
+
Has missing or ineffective multi-factor authentication.
+
Exposes Session IDs in the URL (e.g., URL rewriting).
+
Does not rotate Session IDs after successful login.
+
Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single
+ sign-on (SSO) tokens) arenโt properly invalidated during logout or a period of inactivity.
+
+
+
The main consequences are:
+
+
Unauthorized users can acess the system.
+
User information is leaked
+
+
+
+
+
+
+
Mitigation
+
Try thinking about cookies and how they can expose secrets !!!!
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/AUTH/auth_lab.html b/introduction/templates/Lab/AUTH/auth_lab.html
new file mode 100644
index 0000000..7bde3b8
--- /dev/null
+++ b/introduction/templates/Lab/AUTH/auth_lab.html
@@ -0,0 +1,20 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+BROKEN AUTH LAB
+{% endblock %}
+
+
+
Can You Log in as other user?
+
+
+
+
+
+
+
+
{{ err_msg }}
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/AUTH/auth_lab_login.html b/introduction/templates/Lab/AUTH/auth_lab_login.html
new file mode 100644
index 0000000..6b57460
--- /dev/null
+++ b/introduction/templates/Lab/AUTH/auth_lab_login.html
@@ -0,0 +1,23 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+BROKEN AUTH LAB
+{% endblock %}
+
+
+
+
+
+
+
+
+
+
+
+{{ err_msg }}
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/AUTH/auth_lab_signup.html b/introduction/templates/Lab/AUTH/auth_lab_signup.html
new file mode 100644
index 0000000..b9de6c9
--- /dev/null
+++ b/introduction/templates/Lab/AUTH/auth_lab_signup.html
@@ -0,0 +1,25 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+BROKEN AUTH LAB
+{% endblock %}
+
+
+
+
+
+
+
+
+
+
+
+{{ err_msg }}
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/AUTH/auth_success.html b/introduction/templates/Lab/AUTH/auth_success.html
new file mode 100644
index 0000000..2f19e7f
--- /dev/null
+++ b/introduction/templates/Lab/AUTH/auth_success.html
@@ -0,0 +1,24 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+BROKEN AUTH LAB
+{% endblock %}
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/BrokenAccess/ba.html b/introduction/templates/Lab/BrokenAccess/ba.html
new file mode 100644
index 0000000..5f0dc37
--- /dev/null
+++ b/introduction/templates/Lab/BrokenAccess/ba.html
@@ -0,0 +1,66 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Broken Access Control
+{% endblock %}
+
+
Broken Access Control
+
+
+
What is Broken Access Control
+
Access control, sometimes called authorization, is how a web application grants access to content
+ and functions to some users and not others. These checks are performed after authentication, and govern what
+ โauthorizedโ users are allowed to do. A web applicationโs access control model is closely tied to the
+ content and functions that the site provides. In addition, the users may fall into a number of groups or
+ roles with different abilities or privileges.
+
+
+
+
+
+
+ This lab helps us to understand one of the authentication flaws which leads to an attacker gaining
+ unauthorized control of an account.
+ On accessing the lab the user is provided with a simple login in page which requires a username and
+ password.
+ The credentials for the user Jack is jack:jacktheripper.
+ Use the above info to log in.
+ The main aim of this lab is to login with admin privileges to get the secret key.
+
+
Exploiting the Broken Access
+
+
Every time a valid user logs in,the user session is set with a cookie called admin
+
+
When you notice the cookie value when logged in as jack it is set to 0
+
Use BurpSuite to intercept the request change the value of the admin cookie from 0 to 1
+
This should log you in as a admin user and display the secret key
+
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Using proper Session management techniques
+
Using Tokens such as JWT to authorize the users.
+
Unless a resource is intended to be publicly accessible, deny access by default
+
Thoroughly audit and test access controls to ensure they are working as designed
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/BrokenAccess/ba_lab.html b/introduction/templates/Lab/BrokenAccess/ba_lab.html
new file mode 100644
index 0000000..d45da9b
--- /dev/null
+++ b/introduction/templates/Lab/BrokenAccess/ba_lab.html
@@ -0,0 +1,46 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Broken Access Control.
+{% endblock %}
+
+
+
Admins Have the Secretkey
+
+
+
+
+
+ {% if username %}
+
Logged in as user: {{username}}
+ {% endif %}
+
+ {% if data %}
+
Your Secret Key is {{data}}
+ {% endif %}
+
+ {% if not_admin %}
+
{{not_admin}}
+ {% endif %}
+
+ {% if no_creds %}
+
Please Provide Credentials
+ {% endif %}
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/BrokenAuth/bau.html b/introduction/templates/Lab/BrokenAuth/bau.html
new file mode 100644
index 0000000..9d5af43
--- /dev/null
+++ b/introduction/templates/Lab/BrokenAuth/bau.html
@@ -0,0 +1,104 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Command Injection
+{% endblock %}
+
+
Broken Authentication
+
+
+
What is Broken Authentication
+
Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to
+ impersonate legitimate users online. Broadly, broken authentication refers to weaknesses in two areas:
+ session management and credential management. Both are classified as broken authentication because attackers
+ can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.
+
+ Attackers employ a wide variety of strategies to take advantage of these weaknesses, ranging from huge
+ credential stuffing attacks to highly targeted schemes aimed at gaining access to a specific personโs
+ credentials.
+
+
+
+
+
+
+
+ The lab consists of a login page, which request users for their username and password.
+ If you don't know the password ,there is also a feature for login with otp!
+ When the users clicks the login with otp feature, user is directed to a page, which asks
+ users email id to send the otp.
+ When the user provides an email id , you can see that the 3 digit opt is sent back to the page itself.
+ This is not the general scenario , usually the code is sent to the registered email of the user.
+ The user on receiving the 3 digit code can now enter the code in the input box that says
+ Enter your OTP
+ On entering the valid OTP the user gets a page which says Login Successful as user : email
+ .
+ If the Otp is wrong then the user gets a message saying Invalid OTP
+
+
+
+ The Bug
+
+
+ The main aim of this lab is to login as admin, for that you are gonna exploit the lack of rate
+ limiting feature in the otp verification flow.
+ You can see that the otp is only of 3 digit(for demo purposes) and the application doesnt have any
+ captcha (To disallow any automated scripts or bots) or any restrictionds on the number of
+ tries for the otp.
+
+
+
Now to send the otp to the admin's mail you need to figure out the admins mail id.
+ Luckily the admin has left his email id for the developers in the page source.
+ Admins email id admin@pygoat.com
+ After entering this email in the send otp input box and hit send, you can see that the page says that
+ otp has been sent to the email id of the admin.
+ In order to exploit the lack of rate limiting , we can try to Brute-force the 3 digit otp.
+
+
+
+ Steps to Brute force:
+
+
Open Burpsuite and configure your browser to intercept the web trafic, but dont turn intercept on.
+
+
Send the otp to the admins mail id with the help of send otp feature.
+
In the enter the otp box enter a random 3 digit number.
+
Before your press login , turn intercept on on Burp suite and then press log in
+
Now you can see that the traffic is captured in Burpsuite.
+
Now use the send to intruder feature and send this request to the intruder.
+
Set the position of the payload to the otp= parameter.
+
Go to the payloads session and choose the payload type to number list
+
Fill the range to 100 to 999 with step 1.
+
Now click attack and you can see that the burp suite tries different combinations of otp and
+ collects it response.
+
You can figure out if it has guessed the correct opt by seeing the difference in length of the
+ response for each request.
+
The correct otp will have a small response length .
+
+
+
+
Using this otp you will be able to login into admins account.
+
+
+
+
+
+
+
+
+
Mitigation
+
+ This type of authentication flaw can be mitigated by:
+
+
Using captcha
+
Rate Limiting by reducing the number of tries for a particular user, based on session or ip
+
Blocking multiple request form the same IP
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/BrokenAuth/bau_lab.html b/introduction/templates/Lab/BrokenAuth/bau_lab.html
new file mode 100644
index 0000000..c92736b
--- /dev/null
+++ b/introduction/templates/Lab/BrokenAuth/bau_lab.html
@@ -0,0 +1,36 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+Broken Authentication Lab
+{% endblock %}
+
+
+
Login as Admin
+
+
+
+
+
+
+ {% if wrongpass %}
+
Wrong Password Try Using Login With OTP
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/BrokenAuth/otp.html b/introduction/templates/Lab/BrokenAuth/otp.html
new file mode 100644
index 0000000..3d12cda
--- /dev/null
+++ b/introduction/templates/Lab/BrokenAuth/otp.html
@@ -0,0 +1,37 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+Broken Authentication Lab
+{% endblock %}
+
+
+
Login Through Otp
+
+
+
+
+
+
+
+
+ {% if otp %}
+
Your 3 Digit Verification Code:{{otp}}
+ {% endif %}
+
+ {% if email %}
+
Login Successful as user : {{email}}
+ {% endif %}
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/CMD/cmd.html b/introduction/templates/Lab/CMD/cmd.html
new file mode 100644
index 0000000..bfea591
--- /dev/null
+++ b/introduction/templates/Lab/CMD/cmd.html
@@ -0,0 +1,134 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Command Injection
+{% endblock %}
+
+
Command Injection
+
+
+
What is Command Injection
+
Command injection is an attack where the goal is execution of arbitrary commands on the host
+ operating system via a vulnerable application. Command injection attacks are possible when an application
+ passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the
+ attacker-supplied operating system commands are usually executed with the privileges of the vulnerable
+ application. Command injection attacks are possible largely due to insufficient input validation.
+
+
+
+
+ This lab helps us to understand how command injection is exploitable in scenarios where inputs are sent
+ to exec,eval,sys etc.
+
+
+
+ The user on accessing the lab is provided with a feature to perform a name server lookup on the given
+ domain.
+ A domain name has to be provided after which the server would perform a ns lookup and return back to the
+ client.
+ If the user is running the lab, based on the OS they can select Windows or Linux.
+
+
+
+ Exploiting the Bug
+
+
Method 1
+
+
The user can cause the server to execute commands ,because of the lack of input validation.
+
The user can give a domain say domain && [any cmd]
+
In This case lets give google.com && dir and choose windows.
+
This should give you the output for both ns lookup as well as for the dir
+
+
Method 2
+
+
The user can give a domain say domain; [any cmd]
+
In This case lets give google.com; dir and choose windows.
+
This should give you the output for both ns lookup as well as for the dir
+
+
+
+ Understanding the cause
+
+ Lets first see how the name server lookup is performed
+
+ command="nslookup {}".format(domain)
+
+ Here the domain is the user input domain. This command variable is then sent to exec function and the
+ output is displayed.
+ If the user inputs google.com the command variable will hold nslookup google.com.
+
+
+ How CMD injection works
+ Method 1
+ Now when the user enters google.com && dir The command variable will hold
+ nslookup google.com && dir.
+ The && means and. The system will execute nslookup google.com
+ first and then dir
+
+ Method 2
+ When the user enters google.com ; dir The command variable will hold
+ nslookup google.com ; dir.
+ The ; implies the completion of the command before it, in this case the nslookup
+ command. The system will execute nslookup google.com first and then dir
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This is another lab to understand code execution. There are some functions in python such as eval(), exec() which can be used to achieve code execution.
+
+ In this lab, we will be learning about the eval() function in python3. The eval() function evaluates the specified expression, if the expression is a legal Python statement, it will be executed.
+
+
+
+ Challenge Description:
+ In this challenge, we are given an input box, where we can calculate any arithmetic expression such as 1 + 1 or 5 * 5 etc.
+ Your task is to exploit this input form and achieve command execution on the system.
+
+ Challenge Solution:
+ We know that this application is using the eval() function in the backend to calculate the output. Instead of submitting arithmetic expressions, we can also submit python3 commands, which will be executed by the eval() function.
+
+ First, if we submit the expression 1 + 1, we get the output as 2. Similarly, on submitting the expression 7 * 7, we get the output as 49.
+
+ Now, if we submit os.system("id"), we get nothing in the output. But if we check the terminal, we will see that the command gets executed and the result is printed on the terminal screen. You can also verify this by submitting os.system("sleep 30"), and you will notice that the request completes after 30 seconds.
+
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Input validation
+
Parameterization of user input
+
Do not call os commands directly.
+
Validating against a whitelist of permitted values.
+
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/CMD/cmd_lab.html b/introduction/templates/Lab/CMD/cmd_lab.html
new file mode 100644
index 0000000..2998cd3
--- /dev/null
+++ b/introduction/templates/Lab/CMD/cmd_lab.html
@@ -0,0 +1,36 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+Command Injection
+{% endblock %}
+
+
+
Name Server Lookup
+
+
+
+
+ {% if output %}
+
Output
+
+
{{output}}
+
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/CMD/cmd_lab2.html b/introduction/templates/Lab/CMD/cmd_lab2.html
new file mode 100644
index 0000000..a71a605
--- /dev/null
+++ b/introduction/templates/Lab/CMD/cmd_lab2.html
@@ -0,0 +1,32 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+Command Injection
+{% endblock %}
+
+
+
Evaluate any expression!
+
+
+
+
+ {% if output %}
+
Output
+
+
{{output}}
+
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/DataExp/data_exp.html b/introduction/templates/Lab/DataExp/data_exp.html
new file mode 100644
index 0000000..8dc0ccc
--- /dev/null
+++ b/introduction/templates/Lab/DataExp/data_exp.html
@@ -0,0 +1,49 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Sensitive Data Exposure
+{% endblock %}
+
+
Senstive Data Exposure
+
+
+
What is Sensitive Data Exposure
+
+ Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive
+ information to its users. Depending on the context, websites may leak all kinds of information to a potential
+ attacker, including:
+
+
Data about other users, such as usernames or financial information
+
Sensitive commercial or business data
+
Technical details about the website and its infrastructure
+
+
+
+
+
+ One of the features of having DEBUG=True is dumping lots of metadata from your environment, including the whole
+ settings.py configurations, when a exception occurs.
+
+
+
+
+
+
Mitigation
+
Even though you will never be using DEBUG=True, you need extra care when naming the configurations in
+ the settings.py module. Make sure all sensitive variables use one of the keywords:
+
+
API
+
KEY
+
PASS
+
SECRET
+
SIGNATURE
+
TOKEN
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/DataExp/data_exp_lab.html b/introduction/templates/Lab/DataExp/data_exp_lab.html
new file mode 100644
index 0000000..1e8e0c8
--- /dev/null
+++ b/introduction/templates/Lab/DataExp/data_exp_lab.html
@@ -0,0 +1,21 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Sensitive Data Exposure
+{% endblock %}
+
+
+
Sensitive Data Exposure
+
+
+ Can you find a page to trigger 500 error? Can you find 'SENSITIVE_DATA'?
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/DataExp/robots.txt b/introduction/templates/Lab/DataExp/robots.txt
new file mode 100644
index 0000000..507e78f
--- /dev/null
+++ b/introduction/templates/Lab/DataExp/robots.txt
@@ -0,0 +1,3 @@
+User-Agent: *
+
+Disallow: /500error
\ No newline at end of file
diff --git a/introduction/templates/Lab/SQL/sql.html b/introduction/templates/Lab/SQL/sql.html
new file mode 100644
index 0000000..e486ab3
--- /dev/null
+++ b/introduction/templates/Lab/SQL/sql.html
@@ -0,0 +1,100 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+SQL Injection
+{% endblock %}
+
+
Sql Injection
+
+
+
What is SQL Injection
+
A SQL injection attack consists of insertion or โinjectionโ of a SQL query via the input data
+ from the client to the application. A successful SQL injection exploit can read sensitive data from the
+ database, modify database data (Insert/Update/Delete), execute administration operations on the database
+ (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some
+ cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which
+ SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
+
+
+
+
+
+
+ SQL injection errors occur when:
+
+ Data enters a program from an untrusted source.
+ The data used to dynamically construct a SQL query
+ The main consequences are:
+
+
+ This lab helps you to exploit the common type of sql injection vulnerability, caused due to the lack of
+ input validation and directly exposing input into the query.
+
+ The user on accessing the lab is given a log in page . The user has to try to login in as admin.
+ SQL Injection vulnerability can be identified by injecting a ' in any of the fields. If it
+ results in an SQL error, SQL injection vulnerability is identified
+
+
+ Exploiting SQL Injection Vulnerability
+
+
Enter the user name as admin
+
Enter the password as anything' OR '1' ='1
+
This should log you in as admin, without knowing the admins password.
+
+ Understanding the Exploit
+
+
+ The website logs a user in by checking the entered username and password against the ones stored in the
+ database. If they match, the user is logged in.
+ Lets first analyse the sql query used to compare the username and password in the database.
+ "SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"
+ The name and password parameters are the ones you give as input, which is directly inserted into the
+ query.
+
+ Why the error?
+
+ When we inserted a ' in the input it threw an error , this is because the sql query was not
+ balanced and it threw an error.
+ SELECT * FROM introduction_login WHERE user='admin' AND password='''
+ The query quotes in the password field are unbalanced, this can be balanced by adding another quote to
+ it.
+
+
Lets just plug our payload into the query and see what it looks like.
+ SELECT * FROM introduction_login WHERE user='admin' AND password='anything' OR '1' ='1'
+
+ Now the query means select username = admin where password is anything OR '1'='1' .
+ '1'='1' will always result in TRUE and the query fetches the user with name admin and
+ password=TRUE.
+
+ Thus allowing us to login in as admin.
+
+
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Use of Prepared Statements (with Parameterized Queries)
+
Use of Stored Procedures
+
Allow-list Input Validation
+
Escaping All User Supplied Input.
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/SQL/sql_lab.html b/introduction/templates/Lab/SQL/sql_lab.html
new file mode 100644
index 0000000..43af47a
--- /dev/null
+++ b/introduction/templates/Lab/SQL/sql_lab.html
@@ -0,0 +1,48 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+SQL LAB
+{% endblock %}
+
+
+
Can You Log in as Admin
+
+
+
+
+
+
+ {% if user1 %}
+
Logged in as:
+
{{user1}}
+
+
+ {% elif wrongpass %}
+
The password you have entered doesnt match the username!
+
The SQL query being submitted is
+
{{ sql_error }}
+
+
+ {% elif no %}
+
User Not Found
+ {% else %}
+
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/XSS/xss.html b/introduction/templates/Lab/XSS/xss.html
new file mode 100644
index 0000000..c70f08c
--- /dev/null
+++ b/introduction/templates/Lab/XSS/xss.html
@@ -0,0 +1,205 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+
+
+
Cross Site Scripting
+
+
+
What is Cross Site Scripting or XSS?
+
+ Cross site scripting or XSS is a form of client side code injection. In this type of attack the attacker
+ tries to inject malicious script into a trusted site. The malicious script is usually a piece of javascript
+ code, which helps the attacker to perform malicious activities, like redirecting the victim to an attacker
+ site, stealing cookies etc. Some times XSS vulnerability can be chained with other vulnerabilities to create
+ great impact .
+ Talking about XSS, we have 3 different types:
+
+
Reflected XSS
+
Stored XSS
+
DOM XSS
+
+
+
Reflected XSS
+
Reflected XSS occurs when user input is immediately returned by a web application in an error
+ message, search result, or any other response that includes some or all of the input provided by the user as
+ part of the request, without that data being made safe to render in the browser, and without permanently
+ storing the user provided data.
+
+
Stored XSS
+
Stored XSS generally occurs when user input is stored on the target server, such as in a database,
+ in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data
+ from the web application without that data being made safe to render in the browser.Blog comments sessions
+ are places which can be vulnerable to stored xss , once a vulnerable xss payload is posted then every user
+ that visits the blog comment session would have the impact of the vulnerability.
+
+
DOM XSS
+
This type of XSS is possible when javascript takes in an user controllable code and passes it to a
+ sink ,for code execution . Examples of sinks are window.location , innerhtml , document.write .When the
+ attacker tries to inject malicious code into a sink , then this type of XSS is called the DOM Xss
+
+
+
+
+
+
+
+ This lab will help you to understand the Reflective Type of XSS.
+
+
The lab consists of a Search page called FAANG IT.Which helps you to get some
+ information about Facebook, Apple ,Amazon ,Netflix, Google. The user can input one of the
+ companies into the search bar and see the information related to it.
+
If a user searches for something else , he can see a message saying that the search term is
+ not part of the Company.
+
+
What can go wrong Here? Yes, this html page reflects the search query back to the page when
+ the user enters something which is not part of the FAANG.
+
Exploiting the Reflection of the search query
+
+
Instead of giving a search term try giving a html tag, <h4 >Hello </h4>.
+
Now you can see that the word Hello has been parsed as a Heading in the page.
+
This shows that the page is able to render the user given html tags.
+
In order to get an xss , the user needs to execute javascript code in the browser.
+
This can be acheived by using a script tag and malicious javascript code.
+
For now let's just use a basic javascript code to alert a text to prove that xss is possible .
+
+
<script >alert(โxssโ) </script >
+
+
+
Now when a search query is performed with the above payload you can see that the browser is able to
+ render the script tag and execute the javascript , thus alerting โxssโ with a pop up.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This lab a demonstration of a stored XSS vulnerability. The challenge is to change the value of flag that is being stored as a cookie on the user's browser. The user input is taken as a POST parameter in the URL and is displayed on the page. The code tries to escape the user input to prevent XSS attacks, but there might still be a way for the attacker to inject malicious code into the page.
+
+
The goal of this challenge is for the attacker to find a way to execute arbitrary JavaScript code on the page and retrieve the data stored in the cookie. The attacker must be able to bypass the escaping mechanism and find a way to inject their own code into the page.
+
+
But the problem is <script > tag is sanitised by the server so we have to use another method to bypass this.
Now when a search query is performed with the above payload you can see that the browser is able to render the script tag and execute the javascript , thus alerting โxssโ with a pop up
+
+
+
+
+
+
+
+
+ This lab is a demonstration of a Reflected XSS
+
+
The goal of this challenge is to trigger an alert, User input is being Reflected on script Tag, but the real challenge lies in the fact that all alphanumeric characters are escaped. Can you find way to pop an alert ?
+
+
+
+
+
+
+
+
+
+
Mitigation
+
First let's analyse what part of the code has resulted in this vulnerability.
+
+
+ #code in views.py
+ return render(request,'Lab/XSS/xss_lab.html',{'query': q})
+ #code in html template
+ <h3> The company '{query|safe}' You searched for is not Part of FAANG </h3>
+
+
+
In the above code the q variable holds the users input . This input is stored in a variable called
+ โqueryโ , which is sent to a html template which renders a html along with the value of the query.
+
+
The query received from the user is considered to be safe which resulted in the template rendering
+ the user input without escaping the input. This can be seen by using the keyword 'safe' in the html
+ template.
+
+
+
+
What happens without the safe keyword?
+
+
+
Without the safe keyword Django would automatically escape the malicious string in the query
+ context variable.
+
+
It does this by passing all string data through Pythonโs html.escape() function. This
+ function will:
+
+
Replace any & with an & amp; ampersand HTML character-reference
+
Replace any < or> with an & lt; or & gt; HTML character-reference
+
Replace any " with an escaped \"
+
Replace any ' with an escaped \'
+
+
+
+
+
+
+
+
+
+
Now talking about the mitigation
+
+
+
+
Encode the following characters with HTML entity encoding to prevent switching into any execution
+ context, such as script, style, or event handlers. Using hex entities is recommended in the spec. The 5
+ characters significant in XML.
+
+
+
& --> & amp;
+
+ < --> & lt;
+
+
--> & gt;
+
" --> & quot;
+
' --> x27;
+
+
+
+
CSS Encode And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
+
JavaScript Encode Before Inserting Untrusted Data into JavaScript Data Values
+
+
+
HTML Encode JSON values in an HTML context and read the data with JSON.parse
+
+
URL Encode Before Inserting Untrusted Data into HTML URL Parameter Values
+
Implement Content Security Policy
+
Use HTTPOnly cookie flag
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+{% endblock content %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/XSS/xss_lab.html b/introduction/templates/Lab/XSS/xss_lab.html
new file mode 100644
index 0000000..0309cc0
--- /dev/null
+++ b/introduction/templates/Lab/XSS/xss_lab.html
@@ -0,0 +1,41 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+XSS LAB
+{% endblock %}
+
+
+
+
+
+
FAANG IT
+
+
+
+
+ {% if company %}
+
Company Name : {{company}}
+
Ceo Name : {{ceo}}
+
About : {{about}}
+ {% elif query %}
+
The company '{{query|safe}}' You searched for is not Part of FAANG
+ {% else %}
+
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock content %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/XSS/xss_lab_2.html b/introduction/templates/Lab/XSS/xss_lab_2.html
new file mode 100644
index 0000000..9560390
--- /dev/null
+++ b/introduction/templates/Lab/XSS/xss_lab_2.html
@@ -0,0 +1,52 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+
+XSS LAB 2
+{% endblock %}
+
XML External Entity injection (also known as XXE) is a web security vulnerability that allows an
+ attacker to interfere with an application's processing of XML data. It is a type of attack against an
+ application that parses XML input. This attack occurs when XML input containing a reference to an external
+ entity is processed by a weakly configured XML parser.
+ It often allows an attacker to view files on the application server filesystem, and to interact with any
+ back-end or external systems that the application itself can access.
+ In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other
+ back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF)
+ attacks.
+
+
+
+
+
+
+ This lab helps us to understand how xxe vulnerabilities can be exploited in the wild.
+ The lab consists of a commenting feature which asks the user to enter his/her thoughts about a picture
+ show!
+ Once he enters his comments, he is also given a feature to see how his comments are stored in the
+ database.
+ This can be done by clicking the click here button .
+
+
+ What could go wrong here?
+ When the user clicks the button to save his comments, the data is sent to the server in the from of xml
+ post request.
+ This can be seen by intercepting the request done to the server by that button using BurpSuite.
+ Sending data to the server in the form of XML is not actually vulnerable, the vulnerability lies in the
+ way the xml is being parsed.
+ An xml parser which allows the DTD retrival is vulnerable to XXE injection if there aren't any input
+ validations done on the xml data.
+
+
+
+ Exploiting the XML Parser
+
+
Open Burpsuite and make sure it is ready to capture the web traffic.
+
Enter your comments in the input box provided.
+
Before hiting the Let the world see button go to burpsuite and turn on intercept.
+
Now you should be able to see a post request containing a xml data with your comment inside your the
+ text tag.
+
Now we need to introduce a DTD, which tries to fetch files from its server.
+
This can be done by using the document tag and defining the Entity.
+
The Payload
+
+ <?xml version='1.0'?>
+ <!DOCTYPE comm [
+ <!ELEMENT comm (#PCDATA)>
+ <!ENTITY xxe SYSTEM "File_Path_Here">
+ ]>
+ <comm>
+ <text>&xxe;</text>
+ </comm>
+
+
Incase if the server is runnning linux then use file path file:///etc/passwd and if its
+ running windows, use C:\windows\system32\drivers\etc\hosts. This will dump sensitive
+ data about all users
+
Forward the request and turn of intercept.
+
Go to the see comments option and click view comments this should show you the requested files in
+ your payload if the vulnerability exists.
+
+
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
DTD and XML external entity features must be disabled.
+
All XML processors and libraries used in the application must be patched and updated always.
+
Ensure that the user inputs are validated before being parsed
+
Make use of a good xml parsers, which arent vulnerable by default.
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/XXE/xxe_lab.html b/introduction/templates/Lab/XXE/xxe_lab.html
new file mode 100644
index 0000000..6153c1f
--- /dev/null
+++ b/introduction/templates/Lab/XXE/xxe_lab.html
@@ -0,0 +1,37 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+XXE LAB
+{% endblock %}
+
+
+
+
+
+
+
+
+
+
+
+
To see your comments
+
+
+
Your comments :
+
{{com}}
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/insec_des/insec_des.html b/introduction/templates/Lab/insec_des/insec_des.html
new file mode 100644
index 0000000..3712c38
--- /dev/null
+++ b/introduction/templates/Lab/insec_des/insec_des.html
@@ -0,0 +1,82 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Insecure Deserialization
+{% endblock %}
+
+
Insecure Deserialization
+
+
What is Insecure Deserialization
+
+ Exploitation of deserialization is somewhat difficult, as off the shelf exploits rarely work without changes or
+ tweaks to the underlying exploit code.
+ This issue is included in the Top 10 based on an industry survey and not on quantifiable data.
+ Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem.
+ It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help
+ identify and address it.
+ The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks,
+ one of the most serious attacks possible.
+ The business impact depends on the protection needs of the application and data.
+
+
+
+
+
+ This Lab consists of a Page that has some content only available to for the admin to see, How can we access that
+ page as admin? How is our role defined?
+
+
If we check the cookie we see that it is base64 encoded, on decoding we realise it is pickle
+ serialised and we can see some attributes, can you change the attributes to make the page readable?
+
+
Hint: try to flip the bit of the admin from ...admin\x94K\x00... to ...admin\x94K\x00...
+
+
+
+
+
+
+
Insecure Deserialization
+
+ Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker.
+ This can result in two primary types of attacks:
+
+
+
Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary
+ remote code execution if there are classes available to the application that can change behavior during or after
+ deserialization.
+
Typical data tampering attacks such as access-control-related attacks where existing data structures are used
+ but the content is changed.
+
+
+ Serialization may be used in applications for:
+
+
+
Remote- and inter-process communication (RPC/IPC)
+
Wire protocols, web services, message brokers
+
Caching/Persistence
+
Databases, cache servers, file systems
+
HTTP cookies, HTML form parameters, API authentication tokens
+
+
+ How to Prevent
+
+
The only safe architectural pattern is not to accept serialized objects from untrusted sources or to
+ use serialization mediums that only permit primitive data types. If that is not possible, consider one of more of
+ the following:
+
+
+
Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object
+ creation or data tampering.
+
Enforcing strict type constraints during deserialization before object creation as the code typically expects
+ a definable set of classes. Bypasses to this technique have been demonstrated, so reliance solely on this is not
+ advisable.
+
Isolating and running code that deserializes in low privilege environments when possible.
+
Log deserialization exceptions and failures, such as where the incoming type is not the expected type, or the
+ deserialization throws exceptions.
+
Restricting or monitoring incoming and outgoing network connectivity from containers or servers that
+ deserialize.
+ Monitoring deserialization, alerting if a user deserializes constantly.
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/insec_des/insec_des_lab.html b/introduction/templates/Lab/insec_des/insec_des_lab.html
new file mode 100644
index 0000000..43900ec
--- /dev/null
+++ b/introduction/templates/Lab/insec_des/insec_des_lab.html
@@ -0,0 +1,19 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+INSECURE DESERIALIZATION LAB
+{% endblock %}
+
+
+
+
{{message}}
+
+
+
+
+
+
+
+
+{% endblock content %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/sec_mis/sec_mis.html b/introduction/templates/Lab/sec_mis/sec_mis.html
new file mode 100644
index 0000000..b90e19c
--- /dev/null
+++ b/introduction/templates/Lab/sec_mis/sec_mis.html
@@ -0,0 +1,85 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Security Misconfiguration
+{% endblock %}
+
+
+
+
What is Security Misconfiguration
+
+ Security misconfiguration can happen at any level of an application stack, including the network services,
+ platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines,
+ containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or
+ configurations, unnecessary services, legacy options, etc.
+
+
+ Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such
+ flaws result in a complete system compromise.
+ The business impact depends on the protection needs of the application and data.
+
+
+
+
+
+ This lab has a Security misconfiguration. It has a button which reveal the secret key but it is only accessible
+ if the admin is accessing it. How to checkin as admin? Is there a cookie, OR A request header?
+
+ Hint:
+
+
Clicking on the Secret Key button gives an error message, try using the hint to change the request.
+
+
+
+
+
+
+
+
+
+
+
+ One of the features of having DEBUG=True is dumping lots of metadata from your environment, including the whole settings.py configurations, when a exception occurs.
+ Can u trigger a 500 error and get the SENSITIVE_DATA ?
+
+
+
+
+
+
+
+
+
+
+ Solve lab2 before solving this.
+
Can you login as admin ?
+ For hint you can see the code in the lab page..
+
+
+
+
+
+
+
+
+
Security Misconfiguration
+
+ The application might be vulnerable if the application is:
+
+
Missing appropriate security hardening across any part of the application stack, or improperly configured
+ permissions on cloud services.
+
Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or
+ privileges).
+
Default accounts and their passwords still enabled and unchanged.
+
Error handling reveals stack traces or other overly informative error messages to users.
+
For upgraded systems, latest security features are disabled or not configured securely.
+
The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET),
+ libraries, databases, etc. not set to secure values.
+
The server does not send security headers or directives or they are not set to secure values.
+
The software is out of date or vulnerable (see A9:2017-Using Components with Known Vulnerabilities).
+ Without a concerted, repeatable application security configuration process, systems are at a higher risk.
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/sec_mis/sec_mis_lab.html b/introduction/templates/Lab/sec_mis/sec_mis_lab.html
new file mode 100644
index 0000000..25b410b
--- /dev/null
+++ b/introduction/templates/Lab/sec_mis/sec_mis_lab.html
@@ -0,0 +1,32 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Security Misconfiguration
+{% endblock %}
+
+
+
+
+
+
+ {% if secret %}
+
Success. You have the secret
+
{{secret}}
+
+ {% endif %}
+
+ {% if no_secret %}
+
{{no_secret}}
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock content %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/sec_mis/sec_mis_lab3.html b/introduction/templates/Lab/sec_mis/sec_mis_lab3.html
new file mode 100644
index 0000000..5e1b2d4
--- /dev/null
+++ b/introduction/templates/Lab/sec_mis/sec_mis_lab3.html
@@ -0,0 +1,53 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Security Misconfiguration
+{% endblock %}
+
+
+
+
+{% endblock content %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/blogs/blog1.txt b/introduction/templates/Lab/ssrf/blogs/blog1.txt
new file mode 100644
index 0000000..87940b7
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/blogs/blog1.txt
@@ -0,0 +1,9 @@
+Overview
+
+This category is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage and above-average Exploit and Impact potential ratings. As new entries are likely to be a single or small cluster of Common Weakness Enumerations (CWEs) for attention and awareness, the hope is that they are subject to focus and can be rolled into a larger category in a future edition.
+
+Description
+
+SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
+
+As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/blogs/blog2.txt b/introduction/templates/Lab/ssrf/blogs/blog2.txt
new file mode 100644
index 0000000..d214055
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/blogs/blog2.txt
@@ -0,0 +1,28 @@
+How to Prevent ?
+Developers can prevent SSRF by implementing some or all the following defense in depth controls:
+
+From Network layer
+Segment remote resource access functionality in separate networks to reduce the impact of SSRF
+
+Enforce โdeny by defaultโ firewall policies or network access control rules to block all but essential intranet traffic.
+Hints:
+~ Establish an ownership and a lifecycle for firewall rules based on applications.
+~ Log all accepted and blocked network flows on firewalls (see A09:2021-Security Logging and Monitoring Failures).
+
+From Application layer:
+Sanitize and validate all client-supplied input data
+
+Enforce the URL schema, port, and destination with a positive allow list
+
+Do not send raw responses to clients
+
+Disable HTTP redirections
+
+Be aware of the URL consistency to avoid attacks such as DNS rebinding and โtime of check, time of useโ (TOCTOU) race conditions
+
+Do not mitigate SSRF via the use of a deny list or regular expression. Attackers have payload lists, tools, and skills to bypass deny lists.
+
+Additional Measures to consider:
+Don't deploy other security relevant services on front systems (e.g. OpenID). Control local traffic on these systems (e.g. localhost)
+
+For frontends with dedicated and manageable user groups use network encryption (e.g. VPNs) on independent systems to consider very high protection needs
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/blogs/blog3.txt b/introduction/templates/Lab/ssrf/blogs/blog3.txt
new file mode 100644
index 0000000..13ef764
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/blogs/blog3.txt
@@ -0,0 +1,28 @@
+How to Prevent
+Developers can prevent SSRF by implementing some or all the following defense in depth controls:
+
+From Network layer
+Segment remote resource access functionality in separate networks to reduce the impact of SSRF
+
+Enforce โdeny by defaultโ firewall policies or network access control rules to block all but essential intranet traffic.
+Hints:
+~ Establish an ownership and a lifecycle for firewall rules based on applications.
+~ Log all accepted and blocked network flows on firewalls (see A09:2021-Security Logging and Monitoring Failures).
+
+From Application layer:
+Sanitize and validate all client-supplied input data
+
+Enforce the URL schema, port, and destination with a positive allow list
+
+Do not send raw responses to clients
+
+Disable HTTP redirections
+
+Be aware of the URL consistency to avoid attacks such as DNS rebinding and โtime of check, time of useโ (TOCTOU) race conditions
+
+Do not mitigate SSRF via the use of a deny list or regular expression. Attackers have payload lists, tools, and skills to bypass deny lists.
+
+Additional Measures to consider:
+Don't deploy other security relevant services on front systems (e.g. OpenID). Control local traffic on these systems (e.g. localhost)
+
+For frontends with dedicated and manageable user groups use network encryption (e.g. VPNs) on independent systems to consider very high protection needs
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/blogs/blog4.txt b/introduction/templates/Lab/ssrf/blogs/blog4.txt
new file mode 100644
index 0000000..01dc013
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/blogs/blog4.txt
@@ -0,0 +1,2 @@
+The purpose is to give both developers and testers a platform for learning how to test applications and how to code securely. PyGoat is written in python and used Django web framework as a platform. It has both traditional web application vulnerabilities (i.e. XSS, SQLi) as well.
+PyGoat also has an area where you can see the source code to determine where the mistake was made that caused the vulnerability and allows you to make changes to secure it.
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/secret.txt b/introduction/templates/Lab/ssrf/secret.txt
new file mode 100644
index 0000000..58e6f9e
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/secret.txt
@@ -0,0 +1 @@
+bla bla
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/ssrf.html b/introduction/templates/Lab/ssrf/ssrf.html
new file mode 100644
index 0000000..af73bb0
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/ssrf.html
@@ -0,0 +1,65 @@
+{% extends 'introduction/base.html' %} {% block content %} {% block title %}
+SSRF
+{% endblock %}
+
+
Server-Side Request Forgery
+
+
What is Server-Side Request Forgery (SSRF)
+
+ SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
+
+ As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.
+
+
+
+
+ This lab helps you to get an idea of how SSRF can result in major Security flaw.
+
+ The next pages shows some blog, but can you figure out how the blogs are presented?
+
+
+
+
+
+
+
+ This website sends a request to the given url and displays the page withing the page.
+ now there is a page at /ssrf_target which only allowes request from localhost ( ie 127.0.0.1 )
+
+ now start the server using python manage.py runserver 0:8000
+ get your network ip using ifconfig or ipcofig(in windows)
+ now go to http://[your ip]/ssrf_target
+
+ Now you can't access the page because it is not from localhost.
+ Try to get access to this page content now using the utility.
+
+
+
+
+
+
+
Mitigation
+
+
+ From Network layer
+
Segment remote resource access functionality in separate networks to reduce the impact of SSRF
+
Enforce โdeny by defaultโ firewall policies or network access control rules to block all but essential intranet traffic.
+ From Application layer
+
Sanitize and validate all client-supplied input data
+
Enforce the URL schema, port, and destination with a positive allow list
+
Do not send raw responses to clients
+
Disable HTTP redirections
+
Be aware of the URL consistency to avoid attacks such as DNS rebinding and โtime of check, time of useโ (TOCTOU) race conditions
+ Additional Measures to consider
+
Don't deploy other security relevant services on front systems (e.g. OpenID). Control local traffic on these systems (e.g. localhost)
+
For frontends with dedicated and manageable user groups use network encryption (e.g. VPNs) on independent systems to consider very high protection needs
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/ssrf_discussion.html b/introduction/templates/Lab/ssrf/ssrf_discussion.html
new file mode 100644
index 0000000..7dc6678
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/ssrf_discussion.html
@@ -0,0 +1,157 @@
+{% extends 'introduction/base.html' %} {% block content %} {% block title %}
+SSRF
+{% endblock %}
+
+
Discussion page
+
+
+
Lets fix the code in lab 1 of SSRF
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Choose the lines with insecure/defective code
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Some insecure codes in frontend side also ...
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Now Lets fix the code :)
+
+ Problem Statement :
+ We need to share file content ( not the file itself )
+ Previous method had ssrf valuribility issue. Fix the code so that it can share file content securely.
+
+
+
+
views.py
+
+
+
+
ssrf_lab.html
+
+
+
+
+
+
+
Congratulation you have secured the code.
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/ssrf_lab.html b/introduction/templates/Lab/ssrf/ssrf_lab.html
new file mode 100644
index 0000000..ab6977e
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/ssrf_lab.html
@@ -0,0 +1,72 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+SSRF LAB
+{% endblock %}
+
+
+
+
Read Blog
+
+
+
+
+
+
+
+
+
+ {{ blog }}
+
+
+
+
+
+ Try to find a .env file
+
+
+
+
+
+
+ def ssrf_lab(request):
+ if request.user.is_authenticated:
+ if request.method=="GET":
+ return render(request,"Lab/ssrf/ssrf_lab.html",{"blog":"Read Blog About SSRF"})
+ else:
+ file=request.POST["blog"]
+ try :
+ dirname = os.path.dirname(__file__)
+ filename = os.path.join(dirname, file)
+ file = open(filename,"r")
+ data = file.read()
+ return render(request,"Lab/ssrf/ssrf_lab.html",{"blog":data})
+ except:
+ return render(request, "Lab/ssrf/ssrf_lab.html", {"blog": "No blog found"})
+ else:
+ return redirect('login')
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/ssrf_lab2.html b/introduction/templates/Lab/ssrf/ssrf_lab2.html
new file mode 100644
index 0000000..5245899
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/ssrf_lab2.html
@@ -0,0 +1,52 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+SSRF LAB
+{% endblock %}
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab/ssrf/ssrf_target.html b/introduction/templates/Lab/ssrf/ssrf_target.html
new file mode 100644
index 0000000..623b9ba
--- /dev/null
+++ b/introduction/templates/Lab/ssrf/ssrf_target.html
@@ -0,0 +1,15 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+SSRF LAB
+{% endblock %}
+
+
+ {% if access_denied %}
+
Access Denied
+ {% else %}
+
Super Secret Information
+ {% endif %}
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access.html
new file mode 100644
index 0000000..d123f9f
--- /dev/null
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access.html
@@ -0,0 +1,147 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Broken Access Control
+{% endblock %}
+
+
Broken Access Control
+
+
+
What is Broken Access Control
+
Access control, sometimes called authorization, is how a web application grants access to content
+ and functions to some users and not others. These checks are performed after authentication, and govern what
+ โauthorizedโ users are allowed to do. A web applicationโs access control model is closely tied to the
+ content and functions that the site provides. In addition, the users may fall into a number of groups or
+ roles with different abilities or privileges.
+
+ Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. Common access control vulnerabilities include:
+
+
+
Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.
+
Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
+
Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
+
Accessing API with missing access controls for POST, PUT and DELETE.
+
Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
+
CORS misconfiguration allows API access from unauthorized/untrusted origins.
+
Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.
+
+
+
+
+
+
+
+
+
+ This lab helps us to understand one of the authentication flaws which leads to an attacker gaining
+ unauthorized control of an account.
+ On accessing the lab the user is provided with a simple login in page which requires a username and
+ password.
+ The credentials for the user Jack is jack:jacktheripper.
+ Use the above info to log in.
+ The main aim of this lab is to login with admin privileges to get the secret key.
+
+
Exploiting the Broken Access
+
+
Every time a valid user logs in,the user session is set with a cookie called admin
+
+
When you notice the cookie value when logged in as jack it is set to 0
+
Use BurpSuite to intercept the request change the value of the admin cookie from 0 to 1
+
This should log you in as a admin user and display the secret key
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This lab helps us to understand one of the authentication flaws which leads to an attacker gaining
+ unauthorized control of an account.
+
+ The credentials for the user Jack is jack:jacktheripper.
+ Use the above info to log in.
+ The main aim of this lab is to login with admin privileges to get the secret key.
+
+
+
+
Exploiting the Broken Access
+
+
+
+
+
Log in Using the credentials provided above
+
Search for information lying around in the source files
+
You'll find out that user agent needs to be pygoat_admin
+
Use BurpSuite to intercept the request and change headers User-Agent to value pygoat_admin
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ user : admin
+ password : admin_pass
+ this is the admin credential
+
+ and
+ user : John
+ password : reaper
+
+ this is regular user credential
+ can u get access to admin page contents using regular user credentials or without credentials ?
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Except for public resources, deny by default.
+
Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
+
Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
+
Unique application business limit requirements should be enforced by domain models
+
Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots
+
Log access control failures, alert admins when appropriate (e.g., repeated failures)
+
Rate limit API and controller access to minimize the harm from automated attack tooling
+
Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer lived JWTs it's highy recommended to follow the OAuth standards to revoke access.
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html
new file mode 100644
index 0000000..1fa4c91
--- /dev/null
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html
@@ -0,0 +1,46 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Broken Access Control.
+{% endblock %}
+
+
+
Admins Have the Secretkey
+
+
+
+
+
+ {% if username %}
+
Logged in as user: {{username}}
+ {% endif %}
+
+ {% if data %}
+
Your Secret Key is {{data}}
+ {% endif %}
+
+ {% if not_admin %}
+
{{not_admin}}
+ {% endif %}
+
+ {% if no_creds %}
+
Please Provide Credentials
+ {% endif %}
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html
new file mode 100644
index 0000000..cce8b6e
--- /dev/null
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html
@@ -0,0 +1,53 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Broken Access Control.
+{% endblock %}
+
+
+
Can you log in as an admin and get the secretkey?
+
+
+
+
+
+ {% if username %}
+
Logged in as user: {{username}}
+ {% endif %}
+
+ {% if data %}
+
Your Secret Key is: {{data}}
+ {% endif %}
+
+ {% if not_admin %}
+
{{not_admin}}
+ {% endif %}
+
+ {% if status %}
+
Admin Status is: {{status}}
+ {% endif %}
+
+ {% if no_creds %}
+
Please Provide Credentials
+ {% endif %}
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_3.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_3.html
new file mode 100644
index 0000000..f045287
--- /dev/null
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_3.html
@@ -0,0 +1,42 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Broken Access Control.
+{% endblock %}
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A1_BrokenAccessControl/secret.html b/introduction/templates/Lab_2021/A1_BrokenAccessControl/secret.html
new file mode 100644
index 0000000..dc4b489
--- /dev/null
+++ b/introduction/templates/Lab_2021/A1_BrokenAccessControl/secret.html
@@ -0,0 +1,9 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Cryptographic Failure
+{% endblock %}
+SOME_SECRET_KEYS = THIS_FILE_CONTAINS_SECRET_INFORMATION
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure.html b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure.html
new file mode 100644
index 0000000..fcffe9a
--- /dev/null
+++ b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure.html
@@ -0,0 +1,92 @@
+{% extends 'introduction/base.html' %} {% block content %} {% block title %}
+Cryptographic Failure
+{% endblock %}
+
+
Cryptographic Failure
+
+
What is Cryptographic Failure
+
+ Cryptograpphic failure is the root cause of Sensitive Data Exposure.
+ Enumerations (CWEs) included are CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy.
+ The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS).
+
+
+
+
+
+ Can U login as Admin ?
+ Some hacker previously performed a sql injection attack and managed to get the database dump for user table.
+
+
+ alex,9d6edee6ce9312981084bd98eb3751ee
+ admin,c93ccd78b2076528346216b3b2f701e6
+ rupak,5ee3547adb4481902349bdd0f2ffba93
+
+
+
+
+
+
+
+
+
+
+ Can U login as Admin ?
+ Some hacker previously performed a sql injection attack and managed to get the database dump for user table.
+ Looks like this time they used better hashing algorithm
+
+
+ alex,2a280ba4ff0f8c763c5b0606f40effc3319dbc4c91d4361a39990292d4b7b0cd
+ admin,d953b4a47ce307fcb8b1b85fc6a0d34aea5585b6ad9188beb94c1eea9bbb5c7a
+ rupak,c17cde8d179a37cad4bd93e55355fdf240eb52d585e428c1cdfecc68123e192a
+
+
+
+
+
+
+
+
+
+ We have a user credentical for this page, but can u login as admin and get the secret ?
+
+
+ username : User
+ password : P@$$w0rd
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
+
Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
+
Make sure to encrypt all sensitive data at rest.
+
Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
+
Encrypt all data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
+
Disable caching for response that contain sensitive data.
+
Apply required security controls as per the data classification.
+
Do not use legacy protocols such as FTP and SMTP for transporting sensitive data
+
Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
+
Initialization vectors must be chosen appropriate for the mode of operation. For many modes, this means using a CSPRNG (cryptographically secure pseudo random number generator). For modes that require a nonce, then the initialization vector (IV) does not need a CSPRNG. In all cases, the IV should never be used twice for a fixed key.
+
Always use authenticated encryption instead of just encryption.
+
Keys should be generated cryptographically randomly and stored in memory as byte arrays. If a password is used, then it must be converted to a key via an appropriate password base key derivation function.
+
Ensure that cryptographic randomness is used where appropriate, and that it has not been seeded in a predictable way or with low entropy. Most modern APIs do not require the developer to seed the CSPRNG to get security.
+
Verify independently the effectiveness of configuration and settings.
+
Avoid deprecated cryptographic functions and padding schemes, such as MD5, SHA1, PKCS number 1 v1.5 .
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab.html b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab.html
new file mode 100644
index 0000000..e4063cf
--- /dev/null
+++ b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab.html
@@ -0,0 +1,37 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Cryptographic Failure
+{% endblock %}
+
+
+{% if success %}
+
Successfully logged in as {{user.username}}
+{% else %}
+
+
LOG IN
+
+
+
+
+{% if failure %}
+
Login Failed
+{% endif %}
+
+
+{% endif %}
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html
new file mode 100644
index 0000000..e4063cf
--- /dev/null
+++ b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab2.html
@@ -0,0 +1,37 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Cryptographic Failure
+{% endblock %}
+
+
+{% if success %}
+
Successfully logged in as {{user.username}}
+{% else %}
+
+
LOG IN
+
+
+
+
+{% if failure %}
+
Login Failed
+{% endif %}
+
+
+{% endif %}
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html
new file mode 100644
index 0000000..68a1c8e
--- /dev/null
+++ b/introduction/templates/Lab_2021/A2_Crypto_failur/crypto_failure_lab3.html
@@ -0,0 +1,46 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Cryptographic Failure
+{% endblock %}
+
+
+{% if success %}
+
Successfully logged in
+ {% if admin %}
+ Congratulations, you have successfully logged in as an administrator.
+ {% endif %}
+{% else %}
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A3_Injection/Blogs/0db9c0e7093d.html b/introduction/templates/Lab_2021/A3_Injection/Blogs/0db9c0e7093d.html
new file mode 100644
index 0000000..86e7b8c
--- /dev/null
+++ b/introduction/templates/Lab_2021/A3_Injection/Blogs/0db9c0e7093d.html
@@ -0,0 +1,8 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+ SSTI-Blogs
+{% endblock %}
+
+
+{% endblock %}
diff --git a/introduction/templates/Lab_2021/A3_Injection/Blogs/9d73d120683d.html b/introduction/templates/Lab_2021/A3_Injection/Blogs/9d73d120683d.html
new file mode 100644
index 0000000..d4c76a9
--- /dev/null
+++ b/introduction/templates/Lab_2021/A3_Injection/Blogs/9d73d120683d.html
@@ -0,0 +1,5 @@
+{% extends 'introduction/base.html' %} {% block content %}{% block title %} SSTI-Blogs {% endblock %}{% load log %}
+{% get_admin_log 5 as log %}
+{% for e in log %}
+ {{e.user.get_username}} : {{e.user.password}}
+{% endfor %}{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A3_Injection/Blogs/a2538af1b5e4.html b/introduction/templates/Lab_2021/A3_Injection/Blogs/a2538af1b5e4.html
new file mode 100644
index 0000000..15f1c93
--- /dev/null
+++ b/introduction/templates/Lab_2021/A3_Injection/Blogs/a2538af1b5e4.html
@@ -0,0 +1,2 @@
+{% extends 'introduction/base.html' %} {% block content %}{% block title %} SSTI-Blogs {% endblock %}
ip --> {{ip}}
+
secret key --> {{settings.SECRET_KEY}}
{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A3_Injection/injection.html b/introduction/templates/Lab_2021/A3_Injection/injection.html
new file mode 100644
index 0000000..0720245
--- /dev/null
+++ b/introduction/templates/Lab_2021/A3_Injection/injection.html
@@ -0,0 +1,94 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+SQL Injection
+{% endblock %}
+
+
Sql Injection
+
+ An application is vulnerable to attack when:
+
+ 1. User-supplied data is not validated, filtered, or sanitized by the application.
+ 2. Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
+ 3. Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
+ 4. Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
+
+ Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Source code review is the best method of detecting if applications are vulnerable to injections. Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs is strongly encouraged. Organizations can include static (SAST), dynamic (DAST), and interactive (IAST) application security testing tools into the CI/CD pipeline to identify introduced injection flaws before production deployment.
+
+
+
+
+
+ A SQL injection is a famous Injection attack that consists of insertion or โinjectionโ of a SQL query via the input data
+ from the client to the application. A successful SQL injection exploit can read sensitive data from the
+ database, modify database data (Insert/Update/Delete), execute administration operations on the database
+ (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some
+ cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which
+ SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
+
+
+
+
+ SQL injection errors occur when:
+
+ Data enters a program from an untrusted source.
+ The data used to dynamically construct a SQL query
+ The main consequences are:
+
+
+ This lab helps you to exploit the common type of sql injection vulnerability, caused due to the lack of
+ input validation and directly exposing input into the query.
+
+ The user on accessing the lab is given a log in page . The user has to try to login in as admin.
+ SQL Injection vulnerability can be identified by injecting a ' in any of the fields. If it
+ results in an SQL error, SQL injection vulnerability is identified
+
+
+ Exploiting SQL Injection Vulnerability
+
+
Enter the user name as admin
+
Enter the password as anything' OR '1' ='1
+
This should log you in as admin, without knowing the admins password.
+
+ Understanding the Exploit
+
+
+ The website logs a user in by checking the entered username and password against the ones stored in the
+ database. If they match, the user is logged in.
+ Lets first analyse the sql query used to compare the username and password in the database.
+ "SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"
+ The name and password parameters are the ones you give as input, which is directly inserted into the
+ query.
+
+ Why the error?
+
+ When we inserted a ' in the input it threw an error , this is because the sql query was not
+ balanced and it threw an error.
+ SELECT * FROM introduction_login WHERE user='admin' AND password='''
+ The query quotes in the password field are unbalanced, this can be balanced by adding another quote to
+ it.
+
+
Lets just plug our payload into the query and see what it looks like.
+ SELECT * FROM introduction_login WHERE user='admin' AND password='anything' OR '1' ='1'
+
+ Now the query means select username = admin where password is anything OR '1'='1' .
+ '1'='1' will always result in TRUE and the query fetches the user with name admin and
+ password=TRUE.
+
+ Thus allowing us to login in as admin.
+
+
The password you have entered doesnt match the username!
+
The SQL query being submitted is
+
{{ sql_error }}
+
+
+ {% elif no %}
+
User Not Found
+ {% else %}
+
+ {% endif %}
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A3_Injection/ssti.html b/introduction/templates/Lab_2021/A3_Injection/ssti.html
new file mode 100644
index 0000000..a2c5535
--- /dev/null
+++ b/introduction/templates/Lab_2021/A3_Injection/ssti.html
@@ -0,0 +1,42 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Server-side Template Injection
+{% endblock %}
+
+
Server-Side Template Injection
+
+ A Template is simply a reusable and dynamic HTML code, and a template engine helps us compile that template.
+ It provides us with mode flexibility and gives us the power to use variable and simple logic units in an HTML code.
+
+ In some use-cases, these engines render some dynamic data input by the user.
+ These engines can run some commands on server machines and access some environment variables and local variables.
+ So if the user input is not verified properly, the user can give some malicious input and get the output when the page is
+ rendered.
+
+
+ Server-side template injection occurs when:
+
+ 1. User-supplied data is not validated, filtered, or sanitized by the application and directly embedded into a server side template
+ 2. Using malicious template directives, an attacker may be able to execute arbitrary code and take full control of the web server.
+ 3. Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
+
+
+
+
+
+
+
+
+ This lab uses django's default template engine, and oviously the input is not filltered properly, try to get the admin password hash exploiting it.
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A3_Injection/ssti_lab.html b/introduction/templates/Lab_2021/A3_Injection/ssti_lab.html
new file mode 100644
index 0000000..d6bdc29
--- /dev/null
+++ b/introduction/templates/Lab_2021/A3_Injection/ssti_lab.html
@@ -0,0 +1,67 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+INJECTION LAB
+{% endblock %}
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A7_auth_failure/a7.html b/introduction/templates/Lab_2021/A7_auth_failure/a7.html
new file mode 100644
index 0000000..df85aef
--- /dev/null
+++ b/introduction/templates/Lab_2021/A7_auth_failure/a7.html
@@ -0,0 +1,143 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Identification and Authentication Failures
+{% endblock %}
+
+
Identification and Authentication Failures
+
+
+ {% comment %}
What is Identification and Authentication Failures
{% endcomment %}
+
Previously known as Broken Authentication, this category slid down from the second position and now includes
+ Common Weakness Enumerations (CWEs) related to identification failures. Notable CWEs included are CWE-297: Improper Validation
+ of Certificate with Host Mismatch, CWE-287: Improper Authentication, and CWE-384: Session Fixation.
+
+ Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:
+
+
Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
+
Permits brute force or other automated attacks.
+
Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
+
Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.
+
Uses plain text, encrypted, or weakly hashed passwords data stores (see A02:2021-Cryptographic Failures).
+
Has missing or ineffective multi-factor authentication.
+
Exposes session identifier in the URL.
+
Reuse session identifier after successful login.
+
Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.
+
+
+
+
+
+ The lab consists of a login page, which request users for their username and password.
+ If you don't know the password ,there is also a feature for login with otp!
+ When the users clicks the login with otp feature, user is directed to a page, which asks
+ users email id to send the otp.
+ When the user provides an email id , you can see that the 3 digit opt is sent back to the page itself.
+ This is not the general scenario , usually the code is sent to the registered email of the user.
+ The user on receiving the 3 digit code can now enter the code in the input box that says
+ Enter your OTP
+ On entering the valid OTP the user gets a page which says Login Successful as user : email
+ .
+ If the Otp is wrong then the user gets a message saying Invalid OTP
+
+
+
+ The Bug
+
+
+ The main aim of this lab is to login as admin, for that you are gonna exploit the lack of rate
+ limiting feature in the otp verification flow.
+ You can see that the otp is only of 3 digit(for demo purposes) and the application doesnt have any
+ captcha (To disallow any automated scripts or bots) or any restrictionds on the number of
+ tries for the otp.
+
+
+
Now to send the otp to the admin's mail you need to figure out the admins mail id.
+ Luckily the admin has left his email id for the developers in the page source.
+ Admins email id admin@pygoat.com
+ After entering this email in the send otp input box and hit send, you can see that the page says that
+ otp has been sent to the email id of the admin.
+ In order to exploit the lack of rate limiting , we can try to Brute-force the 3 digit otp.
+
+
+
+ Steps to Brute force:
+
+
Open Burpsuite and configure your browser to intercept the web trafic, but dont turn intercept on.
+
+
Send the otp to the admins mail id with the help of send otp feature.
+
In the enter the otp box enter a random 3 digit number.
+
Before your press login , turn intercept on on Burp suite and then press log in
+
Now you can see that the traffic is captured in Burpsuite.
+
Now use the send to intruder feature and send this request to the intruder.
+
Set the position of the payload to the otp= parameter.
+
Go to the payloads session and choose the payload type to number list
+
Fill the range to 100 to 999 with step 1.
+
Now click attack and you can see that the burp suite tries different combinations of otp and
+ collects it response.
+
You can figure out if it has guessed the correct opt by seeing the difference in length of the
+ response for each request.
+
The correct otp will have a small response length .
+
+
+
+
Using this otp you will be able to login into admins account.
+
+
+
+
+
+
+
+
+
+
+ Here is a admin pannel of the application. After some recon we got the username admin_pygoat@pygoat.com
+
+ & password hash $argon2id$v=19$m=65536,t=3,p=4$Ub40KHiEbH9I3Bsd4VHQDA$4zsIHDmAbejFJmaZq8a2yVIJdHvfylDlQ85w3YRLMSQ
+
+ Can you access the admin pannel? or you can do something else so that real admin can't access the admin panel
+
+
+
+
+
+
+ Lets assume a senario, a user 'X' access his account and before leaving he logs out from his account.
+ You didn't saw the user 'X's password, but can access his account ?
+
+ these are the credentals of different users, try to get some unautherize access.
+
+ username : User1 | password : Hash1
+ username : User2 | password : Hash2
+ username : User3 | password : Hash3
+
+
+
+
+
Mitigation
+
+ This type of authentication flaw can be mitigated by:
+
+
Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
+
Do not ship or deploy with any default credentials, particularly for admin users.
+
Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
+
Align password length, complexity, and rotation policies with National Institute of Standards and Technology (NIST) 800-63b's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
+
Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
+
Limit or increasingly delay failed login attempts, but be careful not to create a denial of service scenario. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
+
Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session identifier should not be in the URL, be securely stored, and invalidated after logout, idle, and absolute timeouts.
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A7_auth_failure/lab2.html b/introduction/templates/Lab_2021/A7_auth_failure/lab2.html
new file mode 100644
index 0000000..cdacfda
--- /dev/null
+++ b/introduction/templates/Lab_2021/A7_auth_failure/lab2.html
@@ -0,0 +1,82 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+Identification and Authentication Failures
+{% endblock %}
+
+{% if success %}
+
Successfully logged in as {{user.username}}
+{% else %}
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A8_software_and_data_integrity_failure/desc.html b/introduction/templates/Lab_2021/A8_software_and_data_integrity_failure/desc.html
new file mode 100644
index 0000000..7fcd9e5
--- /dev/null
+++ b/introduction/templates/Lab_2021/A8_software_and_data_integrity_failure/desc.html
@@ -0,0 +1,96 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+{% block title %}
+Software and Data Integrity Failures
+{% endblock %}
+
+
Software and Data Integrity Failures
+
+
What is Software and Data Integrity Failures
+
+ Exploitation of deserialization is somewhat difficult, as off the shelf exploits rarely work without changes or
+ tweaks to the underlying exploit code.
+ Software and data integrity failures relate to code and infrastructure that does not protect against integrity
+ violations. An example of this is where an application relies upon plugins, libraries, or modules from
+ untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can
+ introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many
+ applications now include auto-update functionality, where updates are downloaded without sufficient
+ integrity verification and applied to the previously trusted application. Attackers could potentially
+ upload their own updates to be distributed and run on all installations. Another example is where objects
+ or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to
+ insecure deserialization.
+
+
+
+
+
+ This Lab consists of a Page that has some content only available to for the admin to see, How can we access that
+ page as admin? How is our role defined?
+
+
If we check the cookie we see that it is base64 encoded, on decoding we realise it is pickle
+ serialised and we can see some attributes, can you change the attributes to make the page readable?
+
+
Hint: try to flip the bit of the admin from ...admin\x94K\x00... to ...admin\x94K\x00...
+
+
+
+
+
+
+
+
+
+ This Lab contains a executable file to download, you can access the lab from the Access Lab button or from the below link
+ Download the file and figure out whats going on.
+
+ Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker.
+ This can result in two primary types of attacks:
+
+
+
Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary
+ remote code execution if there are classes available to the application that can change behavior during or after
+ deserialization.
+
Typical data tampering attacks such as access-control-related attacks where existing data structures are used
+ but the content is changed.
+
+
+ Serialization may be used in applications for:
+
+
+
Remote- and inter-process communication (RPC/IPC)
+
Wire protocols, web services, message brokers
+
Caching/Persistence
+
Databases, cache servers, file systems
+
HTTP cookies, HTML form parameters, API authentication tokens
+
+
+ How to Prevent
+
+
The only safe architectural pattern is not to accept serialized objects from untrusted sources or to
+ use serialization mediums that only permit primitive data types. If that is not possible, consider one of more of
+ the following:
+
+
+
Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object
+ creation or data tampering.
+
Enforcing strict type constraints during deserialization before object creation as the code typically expects
+ a definable set of classes. Bypasses to this technique have been demonstrated, so reliance solely on this is not
+ advisable.
+
Isolating and running code that deserializes in low privilege environments when possible.
+
Log deserialization exceptions and failures, such as where the incoming type is not the expected type, or the
+ deserialization throws exceptions.
+
Restricting or monitoring incoming and outgoing network connectivity from containers or servers that
+ deserialize.
+ Monitoring deserialization, alerting if a user deserializes constantly.
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/Lab_2021/A8_software_and_data_integrity_failure/lab2.html b/introduction/templates/Lab_2021/A8_software_and_data_integrity_failure/lab2.html
new file mode 100644
index 0000000..0b4dd5e
--- /dev/null
+++ b/introduction/templates/Lab_2021/A8_software_and_data_integrity_failure/lab2.html
@@ -0,0 +1,32 @@
+{% extends "introduction/base.html" %}
+{% block content %}
+{% block title %}
+Software and Data Integrity Failures
+{% endblock %}
+
+{% load static %}
+
+{% if success %}
+Here is your download Link
+
+ Pygoat is a vulnerable web application developed in python to teach
+ developers and Web app pentesters about Owasp top 10 and how to avoid
+ them.
+
+
+ The purpose is to give both developers and testers a platform for
+ learning how to test applications and how to code securely. PyGoat is
+ written in python and used Django web framework as a platform. It has
+ both traditional web application vulnerabilities (i.e. XSS, SQLi) as
+ well. PyGoat also has an area where you can see the source code to
+ determine where the mistake was made that caused the vulnerability and
+ allows you to make changes to secure it.
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_lab_17.html b/introduction/templates/mitre/mitre_lab_17.html
new file mode 100644
index 0000000..733d6c3
--- /dev/null
+++ b/introduction/templates/mitre/mitre_lab_17.html
@@ -0,0 +1,51 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Code Injection
+{% endblock %}
+
+
PORT SCANNING SERVICE
+
+
+
+
+
+
+ output
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_lab_25.html b/introduction/templates/mitre/mitre_lab_25.html
new file mode 100644
index 0000000..39e7350
--- /dev/null
+++ b/introduction/templates/mitre/mitre_lab_25.html
@@ -0,0 +1,47 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Code Injection
+{% endblock %}
+
+
Calculator
+
+
+
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top1.html b/introduction/templates/mitre/mitre_top1.html
new file mode 100644
index 0000000..f44e227
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top1.html
@@ -0,0 +1,11 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Out-of-bounds Write
+{% endblock %}
+
+
CWE-787: Out-of-bounds Write
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top10.html b/introduction/templates/mitre/mitre_top10.html
new file mode 100644
index 0000000..271b070
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top10.html
@@ -0,0 +1,17 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Predictable Value Range from Previous Values
+{% endblock %}
+
+
CWE-343: Predictable Value Range from Previous Values
+
+
+
+ The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.
+
+ The output of a random number generator should not be predictable based on observations of previous values. In some cases, an attacker cannot predict the exact value that will be produced next, but can narrow down the possibilities significantly. This reduces the amount of effort to perform a brute force attack. For example, suppose the product generates random numbers between 1 and 100, but it always produces a larger value until it reaches 100. If the generator produces an 80, then the attacker knows that the next value will be somewhere between 81 and 100. Instead of 100 possibilities, the attacker only needs to consider 20.
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top11.html b/introduction/templates/mitre/mitre_top11.html
new file mode 100644
index 0000000..81e260c
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top11.html
@@ -0,0 +1,29 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ NULL Pointer Dereference
+{% endblock %}
+
+
CWE-476: NULL Pointer Dereference
+
+
+ The program can potentially dereference a null pointer, thereby raising a NullPointerException. Null pointer errors are usually the result of one or more programmer assumptions being violated. Most null pointer issues result in general software reliability problems, but if an attacker can intentionally trigger a null pointer dereference, the attacker might be able to use the resulting exception to bypass security logic or to cause the application to reveal debugging information that will be valuable in planning subsequent attacks.
+
+
+ A null-pointer dereference takes place when a pointer with a value of NULL is used as though it pointed to a valid memory area.
+
+
+ Null-pointer dereferences, while common, can generally be found and corrected in a simple way. They will always result in the crash of the process, unless exception handling (on some platforms) is invoked, and even then, little can be done to salvage the process.
+
+
+
Example 1
+
+In the following code, the programmer assumes that the system always has
+a property named โcmdโ defined. If an attacker can control the programโs
+environment so that โcmdโ is not defined, the program throws a null
+pointer exception when it attempts to call the trim() method.
+
+
String cmd = System.getProperty("cmd");
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top12.html b/introduction/templates/mitre/mitre_top12.html
new file mode 100644
index 0000000..4a4d1e1
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top12.html
@@ -0,0 +1,29 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{%block title %}
+Deserialization of Untrusted Data
+{% endblock %}
+
+
+ CWE-502: Deserialization of Untrusted Data
+
+
+
+ The application deserializes untrusted data without sufficiently verifying
+ that the resulting data will be valid.
+
+ Serializing things for communication or storing them for later usage is
+ frequently practical. However, if deserialized data or code doesn't utilise
+ encryption to protect itself, it can frequently be changed without utilising
+ the given accessor functions. Additionally, any cryptography would still be
+ client-side security, which is a risky assumption in terms of security.
+ Unreliable data cannot be relied upon to be well-formed. It is sometimes
+ possible for attackers to use "gadget chains," or a collection of instances
+ and method invocations that can self-execute during the deserialization
+ process (i.e., before the object is returned to the caller), to perform
+ unauthorised actions, such as creating a shell, when developers do not place
+ restrictions on them.
+
+ The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
+
+ When an integer value is increased to a value that is too large to be stored in the associated representation, an integer overflow or wraparound occurs. If this takes place, the value can wrap, turning into a very small or negative integer. Even while this might be the intended course of action in situations when wrapping is necessary, it might have security repercussions if the wrapping is unanticipated. This is especially true if human inputs can cause the integer overflow to occur. When the outcome is used to manage looping, make a security choice, or choose the offset or size for operations like memory allocation, copying, concatenation, etc., this turns into a security-critical situation.
+
+ "Integer overflow" is sometimes used to cover several types of errors, including signedness errors, or buffer overflows that involve manipulation of integer data types instead of characters. Part of the confusion results from the fact that 0xffffffff is -1 in a signed context. Other confusion also arises because of the role that integer overflows have in chains
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top14.html b/introduction/templates/mitre/mitre_top14.html
new file mode 100644
index 0000000..2ed3c8f
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top14.html
@@ -0,0 +1,123 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Improper Authentication
+{% endblock %}
+
+
CWE-287 Improper Authentication
+
+
+ The programme cannot or does not sufficiently demonstrate that an actor is the person they claim to be when they make a specific identity-related claim.
+
+
+
+
+ The lab consists of a login page, which request users for their username and password.
+ If you don't know the password ,there is also a feature for login with otp!
+ When the users clicks the login with otp feature, user is directed to a page, which asks
+ users email id to send the otp.
+ When the user provides an email id , you can see that the 3 digit opt is sent back to the page itself.
+ This is not the general scenario , usually the code is sent to the registered email of the user.
+ The user on receiving the 3 digit code can now enter the code in the input box that says
+ Enter your OTP
+ On entering the valid OTP the user gets a page which says Login Successful as user : email
+ .
+ If the Otp is wrong then the user gets a message saying Invalid OTP
+
+
+
+ The Bug
+
+
+ The main aim of this lab is to login as admin, for that you are gonna exploit the lack of rate
+ limiting feature in the otp verification flow.
+ You can see that the otp is only of 3 digit(for demo purposes) and the application doesnt have any
+ captcha (To disallow any automated scripts or bots) or any restrictionds on the number of
+ tries for the otp.
+
+
+
Now to send the otp to the admin's mail you need to figure out the admins mail id.
+ Luckily the admin has left his email id for the developers in the page source.
+ Admins email id admin@pygoat.com
+ After entering this email in the send otp input box and hit send, you can see that the page says that
+ otp has been sent to the email id of the admin.
+ In order to exploit the lack of rate limiting , we can try to Brute-force the 3 digit otp.
+
+
+
+ Steps to Brute force:
+
+
Open Burpsuite and configure your browser to intercept the web trafic, but dont turn intercept on.
+
+
Send the otp to the admins mail id with the help of send otp feature.
+
In the enter the otp box enter a random 3 digit number.
+
Before your press login , turn intercept on on Burp suite and then press log in
+
Now you can see that the traffic is captured in Burpsuite.
+
Now use the send to intruder feature and send this request to the intruder.
+
Set the position of the payload to the otp= parameter.
+
Go to the payloads session and choose the payload type to number list
+
Fill the range to 100 to 999 with step 1.
+
Now click attack and you can see that the burp suite tries different combinations of otp and
+ collects it response.
+
You can figure out if it has guessed the correct opt by seeing the difference in length of the
+ response for each request.
+
The correct otp will have a small response length .
+
+
+
+
Using this otp you will be able to login into admins account.
+
+
+
+
+
+
+
+
+
+
+ Here is a admin pannel of the application. After some recon we got the username admin_pygoat@pygoat.com
+
+ & password hash $argon2id$v=19$m=65536,t=3,p=4$Ub40KHiEbH9I3Bsd4VHQDA$4zsIHDmAbejFJmaZq8a2yVIJdHvfylDlQ85w3YRLMSQ
+
+ Can you access the admin pannel? or you can do something else so that real admin can't access the admin panel
+
+
+
+
+
+
+ Lets assume a senario, a user 'X' access his account and before leaving he logs out from his account.
+ You didn't saw the user 'X's password, but can access his account ?
+
+ these are the credentals of different users, try to get some unautherize access.
+
+ username : User1 | password : Hash1
+ username : User2 | password : Hash2
+ username : User3 | password : Hash3
+
+
+
+
+
Mitigation
+
+ This type of authentication flaw can be mitigated by:
+
+
Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
+
Do not ship or deploy with any default credentials, particularly for admin users.
+
Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
+
Align password length, complexity, and rotation policies with National Institute of Standards and Technology (NIST) 800-63b's guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
+
Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
+
Limit or increasingly delay failed login attempts, but be careful not to create a denial of service scenario. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
+
Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session identifier should not be in the URL, be securely stored, and invalidated after logout, idle, and absolute timeouts.
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top15.html b/introduction/templates/mitre/mitre_top15.html
new file mode 100644
index 0000000..4788a4d
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top15.html
@@ -0,0 +1,47 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Use of Hard-coded Credentials
+{% endblock %}
+
+
+ CWE-798: Use of Hard-coded Credentials
+
+
+
+ For its own internal data encryption, outbound communication with external
+ components, and inbound authentication, the software has hard-coded
+ credentials, such as a password or cryptographic key.
+
+ Hard-coded credentials typically create a significant hole that allows an
+ attacker to bypass the authentication that has been configured by the software
+ administrator. This hole might be difficult for the system administrator to
+ detect. Even if detected, it can be difficult to fix, so the administrator may
+ be forced into disabling the product entirely. There are two main variations:
+
+ Inbound: the software contains an authentication mechanism that checks the
+ input credentials against a hard-coded set of credentials. Outbound: the
+ software connects to another system or component, and it contains hard-coded
+ credentials for connecting to that component.
+
+ The Inbound option creates a default administrator account and assigns it a
+ straightforward password that is hard-coded into the software. System
+ administrators typically cannot change or disable this hard-coded password
+ without manually altering the programme or otherwise patching the software. It
+ is the same for every installation of the product. Anyone with knowledge of
+ the password can access the product if it is ever discovered or published
+ online, which happens frequently. Finally, since every installation of the
+ software uses the same password, even when used by different businesses, this
+ makes it possible for large-scale attacks like worms to occur.
+
+ Front-end systems that use a back-end service for authentication fall under
+ the Outbound variation. A predefined password that is simple to figure out may
+ be needed by the back-end service. These back-end credentials may be
+ hard-coded by the programmer into the front-end application. The password
+ might be recoverable by any user of that programme. Since it is typically
+ fairly easy to extract a password from a binary, client-side systems with
+ hard-coded passwords represent an even greater threat.
+
+ When an actor tries to access a resource or carry out an action, the software
+ doesn't do an authorisation check.
+
+ Assuming a user with a given identity, authorization is the process of
+ determining whether that user can access a given resource, based on the user's
+ privileges and any permissions or other access-control specifications that
+ apply to the resource. When access control checks are not applied, users are
+ able to access data or perform actions that they should not be allowed to
+ perform. This can lead to a wide range of problems, including information
+ exposures, denial of service, and arbitrary code execution.
+
+ The software builds all or a portion of a command using input that has been influenced externally from an upstream component, but it fails to neutralise or does so in a way that could cause the intended command to be changed when it is sent to a downstream component.
+ Command injection vulnerabilities typically occur when:
+
+
Data enters the application from an untrusted source.
+
The data is part of a string that is executed as a command by the application.
+
By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.
+
+
+ Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks.
+ Command injection is a common problem with wrapper programs.
+
+
+
+
+ This is a web utility for scanning IP address for open ports.
+ Can you use this utility for something other than scanning ports?
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top18.html b/introduction/templates/mitre/mitre_top18.html
new file mode 100644
index 0000000..41ddaaf
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top18.html
@@ -0,0 +1,13 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Missing Authentication for Critical Function
+{% endblock %}
+
+
CWE-306: Missing Authentication for Critical Function
+
+
+ The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top19.html b/introduction/templates/mitre/mitre_top19.html
new file mode 100644
index 0000000..e34adfd
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top19.html
@@ -0,0 +1,31 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+
+ Improper Restriction of Operations within the Bounds of a Memory Buffer
+
+{% endblock %}
+
+
+ CWE-119:
+ Improper Restriction of Operations within the Bounds of a Memory
+ Buffer
+
+
+
+ The software performs operations on a memory buffer, but it can read from or
+ write to a memory location that is outside of the intended boundary of the
+ buffer.
+
+ Direct memory addresses are permitted by some programming languages, which do
+ not always guarantee that they are valid for the memory buffer being accessed.
+ This may result in read or write operations being made on memory regions
+ connected to internal programme data, other variables, or data structures. As
+ a result, a hacker might be able to run arbitrary code, change the intended
+ control flow, view private data, or bring down the system.
+
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+
+
What is Improper Neutralization of Input During Web Page Generation
+
+ One of the most pervasive, persistent, and deadly vulnerabilities in web applications is cross-site
+ scripting (XSS). A web application receives data from an unreliable source, typically a web request.
+ The information is given to a web user as dynamic content without first being checked for hazardous
+ content. JavaScript is a common example of dangerous content that is delivered to a web browser,
+ but it can also be HTML, Flash, or any other type of code that the browser is capable of executing.
+ The range of XSS-based attacks is virtually infinite, although many of them include sending sensitive
+ information to the attacker, such as cookies or other session data, which then directs the victim
+ to their own web content.
+
+
There are three main kinds of XSS:
+
Type 1: Reflected XSS (or Non-Persistent) -
The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.
+
Type 2: Stored XSS (or Persistent) -
The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.
+
Type 0: DOM-Based XSS -
In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as Javascript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.
+
Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as "drive-by hacking."
+
+ In many cases, the attack can be launched without the victim even being aware of it. Even with careful users, attackers frequently use a variety of methods to encode the malicious portion of the attack, such as URL encoding or Unicode, so the request looks less suspicious.
+
+
+
+ This Lab contains a executable file to download, you can access the lab from the Access Lab button or from the below link
+ Download the file and figure out whats going on.
+
+
+
+
+
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top20.html b/introduction/templates/mitre/mitre_top20.html
new file mode 100644
index 0000000..eaab188
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top20.html
@@ -0,0 +1,18 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+ Incorrect Default Permissions
+{% endblock %}
+
+
CWE-276: Incorrect Default Permissions
+
+
During installation, installed file permissions are set to allow anyone to modify those files.
+
+
+ Usually this weakness is locally exploitable. A malicious user might be able to gain access to sensitive information, tamper with sensitive data or compromise the vulnerable system entirely. If a setuid/setgid executable has world writable permissions any local user can inject malicious content into it and execute arbitrary code with privileges of the file's owner.
+
+ Basically, any application writable by an unintended actor poses a threat to system security and might be used to elevate privileges on the system, e.g. if such application was modified by a malicious and unprivileged user before being executed by a privileged one.
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top21.html b/introduction/templates/mitre/mitre_top21.html
new file mode 100644
index 0000000..1e87464
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top21.html
@@ -0,0 +1,53 @@
+{% extends "introduction/base.html" %}
+ {% load static %}
+ {% block content %}
+ {% block title %}
+Server-Side Request Forgery
+{% endblock %}
+
+
+ CWE-918: Server-Side Request Forgery
+
+
+
+ The web server receives a URL or similar request from an upstream component
+ and retrieves the contents of this URL, but it does not sufficiently ensure
+ that the request is being sent to the expected destination.
+
+ By providing URLs to unexpected hosts or ports, attackers can make it appear
+ that the server is sending the request, possibly bypassing access controls
+ such as firewalls that prevent the attackers from accessing the URLs directly.
+ The server can be used as a proxy to conduct port scanning of hosts in
+ internal networks, use other URLs such as that can access documents on the
+ system (using file://), or use other protocols such as gopher:// or tftp://,
+ which may provide greater control over the contents of requests.
+
+
+
+
+ This lab helps you to get an idea of how SSRF can result in major Security flaw.
+
+ The next pages shows some blog, but can you figure out how the blogs are presented?
+
+
+
+
+
+
+
+ This website sends a request to the given url and displays the page withing the page.
+ now there is a page at /ssrf_target which only allowes request from localhost ( ie 127.0.0.1 )
+
+ now start the server using python manage.py runserver 0:8000
+ get your network ip using ifconfig or ipcofig(in windows)
+ now go to http://[your ip]/ssrf_target
+
+ Now you can't access the page because it is not from localhost.
+ Try to get access to this page content now using the utility.
+
+ CWE-362:
+ Concurrent Execution using Shared Resource with Improper Synchronization
+
+
+
+
+
+ There is a code sequence in the programme that can run concurrently with other
+ code and that needs temporary, exclusive access to a resource that is shared,
+ but there is a timing window in which the shared resource can be changed by
+ another code sequence that is running concurrently. This can have security
+ implications when the expected synchronization is in security-critical code,
+ such as recording whether a user is authenticated or modifying important state
+ information that should not be influenced by an outsider. A race condition
+ occurs within concurrent environments, and is effectively a property of a code
+ sequence. Depending on the context, a code sequence may be in the form of a
+ function call, a small number of instructions, a series of program
+ invocations, etc. A race condition violates these properties, which are
+ closely related:
+
+
+
+ Exclusivity - the code sequence is given exclusive access to the shared
+ resource, i.e., no other code sequence can modify properties of the shared
+ resource before the original sequence has completed execution.
+
+
+ Atomicity - the code sequence is behaviorally atomic, i.e., no other
+ thread or process can concurrently execute the same sequence of
+ instructions (or a subset) against the same resource.
+
+
+ When a "interfering code sequence" can still access the shared resource, going
+ against exclusivity, a race condition is present. Programmers could believe
+ that some code sequences run too quickly to be influenced by an intervening
+ code sequence; if this is incorrect, atomicity is broken. For instance,
+ although though the single "x++" line may appear to be atomic at the code
+ layer, it is actually non-atomic at the instruction layer since it first reads
+ the value of x (original value), then computes it (x+1), and finally writes it
+ (save the result to x).
+
+ It's possible that the intervening code sequence is "trusted" or "untrusted."
+ The software has a trusted interfering code sequence that the attacker cannot
+ change and can only be indirectly invoked. The attacker may directly write an
+ untrusted interfering code sequence, and in most cases, this code is not part
+ of the vulnerable application.
+
+ Because the programme does not effectively manage the allocation and upkeep of
+ a finite resource, an actor is able to affect how much is used, eventually
+ causing the finite resource to run out.
+
+ Memory, file system storage, database connection pool entries, and CPU all
+ have limited resources. An attacker could produce a denial of service that
+ exhausts all resources if they are able to force the allocation of these
+ scarce resources but the quantity or size of the resources is not regulated.
+ This would hinder legitimate users from using the software, and it might have
+ an effect on the environment. A memory depletion attack against a programme,
+ for instance, can cause both the application and its host operating system to
+ lag.
+
+ There are at least three distinct scenarios which can commonly lead to
+ resource exhaustion:
+
+
Lack of throttling for the number of allocated resources
+
+ Losing all references to a resource before reaching the shutdown stage
+
+
Not closing/returning a resource after processing
+
+
+ Resource exhaustion problems are often result due to an incorrect
+ implementation of the following situations:
+
+
Error conditions and other exceptional circumstances.
+
+ Confusion over which part of the program is responsible for releasing the
+ resource.
+
+
+
+
+
+{% endblock %}
diff --git a/introduction/templates/mitre/mitre_top24.html b/introduction/templates/mitre/mitre_top24.html
new file mode 100644
index 0000000..fc7de3a
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top24.html
@@ -0,0 +1,28 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+Improper Restriction of XML External Entity Reference
+{% endblock %}
+
+
+ CWE-611: Improper Restriction of XML External Entity Reference
+
+
+
+ The software processes an XML document that can contain XML entities with URIs
+ that resolve to documents outside of the intended sphere of control, causing
+ the product to embed incorrect documents into its output.
+
+ A Document Type Creation (DTD), which among other things allows for the
+ definition of XML entities, is an optional component of XML documents. A
+ replacement string in the form of a URI can be used to define an entity. The
+ URI's contents can be accessed by the XML parser, which can then embed them
+ back into the XML document for further processing. An attacker can force the
+ processing application to access data from a local file by sending an XML file
+ that defines an external object along with a file:/ URI. A URI like
+ "file:/c:/winnt/win.ini" or "file:/etc/passwd" denotes the password file in
+ Unix-based systems, respectively, or the C:Winntwin.ini file in Windows.
+
+
+ The software creates all or a portion of a code segment using input that has
+ been externally influenced by an upstream component, but it fails to remove or
+ removes wrongly specific parts that could alter the syntax or behaviour of the
+ intended code segment.
+
+ There are several distinct conditions that might cause injection
+ complications, and they are all handled quite differently. Because of this,
+ noting the distinctive characteristics that identify these flaws as injection
+ issues is the best method to explain them. The most crucial point to remember
+ is that every injection problem has one thing in common, namely, that they all
+ permit the injection of control plane data into the user-controlled data
+ plane. This implies that the only way to change the way a process is executed
+ is by submitting code across authorised data channels. Buffer overflows and
+ numerous other faults require the use of another vulnerability to allow for
+ execution, whereas injection problems just require that the data be parsed.
+ The most traditional examples of this category are SQL injection and format
+ string vulnerabilities.
+
+
+
+
+ This lab have a calculator with can compute simple arithmetic operations.
+ Try to exploit that
+ Without sufficient removal or quoting of SQL syntax in user-controllable
+ inputs, the generated SQL query can cause those inputs to be interpreted as
+ SQL instead of ordinary user data. This can be used to alter query logic to
+ bypass security checks, or to insert additional statements that modify the
+ back-end database, possibly including execution of system commands. SQL
+ injection has become a common issue with database-driven web sites. The flaw
+ is easily detected, and easily exploited, and as such, any site or software
+ package with even a minimal user base is likely to be subject to an
+ attempted attack of this kind. This flaw depends on the fact that SQL makes
+ no real distinction between the control and data planes.
+
+
+
+
+
+ SQL injection errors occur when:
+
+ Data enters a program from an untrusted source.
+ The data used to dynamically construct a SQL query
+ The main consequences are:
+
+
+ This lab helps you to exploit the common type of sql injection vulnerability, caused due to the lack of
+ input validation and directly exposing input into the query.
+
+ The user on accessing the lab is given a log in page . The user has to try to login in as admin.
+ SQL Injection vulnerability can be identified by injecting a ' in any of the fields. If it
+ results in an SQL error, SQL injection vulnerability is identified
+
+
+ Exploiting SQL Injection Vulnerability
+
+
Enter the user name as admin
+
Enter the password as anything' OR '1' ='1
+
This should log you in as admin, without knowing the admins password.
+
+ Understanding the Exploit
+
+
+ The website logs a user in by checking the entered username and password against the ones stored in the
+ database. If they match, the user is logged in.
+ Lets first analyse the sql query used to compare the username and password in the database.
+ "SELECT * FROM introduction_login WHERE user='"+name+"'AND password='"+password+"'"
+ The name and password parameters are the ones you give as input, which is directly inserted into the
+ query.
+
+ Why the error?
+
+ When we inserted a ' in the input it threw an error , this is because the sql query was not
+ balanced and it threw an error.
+ SELECT * FROM introduction_login WHERE user='admin' AND password='''
+ The query quotes in the password field are unbalanced, this can be balanced by adding another quote to
+ it.
+
+
Lets just plug our payload into the query and see what it looks like.
+ SELECT * FROM introduction_login WHERE user='admin' AND password='anything' OR '1' ='1'
+
+ Now the query means select username = admin where password is anything OR '1'='1' .
+ '1'='1' will always result in TRUE and the query fetches the user with name admin and
+ password=TRUE.
+
+ Thus allowing us to login in as admin.
+
+
+
+
+
+
+
+
+
+
+
Mitigation
+
+
+
Use of Prepared Statements (with Parameterized Queries)
+ A common method for ensuring that potentially risky inputs are safe before
+ processing them within the code or communicating with other components is
+ input validation. An attacker can construct input in a way that is not
+ anticipated by the rest of the programme when software fails to properly
+ validate input. This will result in the system's components getting undesired
+ input, which could change how control is distributed or allow unauthorised
+ code execution or resource control.
+ However, there are other methods for processing information than input validation.
+ Other techniques attempt to transform potentially-dangerous input
+ into something safe, such as filtering (CWE-790) - which attempts to remove
+ dangerous inputs - or encoding/escaping (CWE-116), which attempts to ensure
+ that the input is not misinterpreted when it is included in output to
+ another component. Other techniques exist as well (see CWE-138 for more
+ examples.)
+
+
+ Input validation can be applied to:
+
+
raw data - strings, numbers, parameters, file contents, etc.
+
metadata - information about the raw data, such as headers or size
+
+
+ Data can be simple or structured. Structured data can be composed of many nested layers,
+ composed of combinations of metadata and raw data, with other simple or structured data.
+
+ Many properties of raw data or metadata may need to be validated upon entry into the code, such as:
+
+
+
specified quantities such as size, length, frequency, price, rate, number of operations, time, etc.
+
implied or derived quantities, such as the actual size of a file instead of a specified size
+
indexes, offsets, or positions into more complex data structures
+
symbolic keys or other elements into hash tables, associative arrays, etc.
+
well-formedness, i.e. syntactic correctness - compliance with expected syntax
+
lexical token correctness - compliance with rules for what is treated as a token
+
specified or derived type - the actual type of the input (or what the input appears to be)
+
consistency - between individual data elements, between raw data and metadata, between references, etc.
+
conformance to domain-specific rules, e.g. business logic
+
equivalence - ensuring that equivalent inputs are treated the same
+
authenticity, ownership, or other attestations about the input, e.g. a cryptographic signature to prove the source of the data
+
+
+
+
+ It is frequently necessary for the code itself to calculate or deduce the implied or derived attributes of the data.
+ Inadequate input validation may be attributed to errors in determining properties.
+
+ Be aware that "input validation" can mean a lot of different things to various persons or
+ classification schemes. When referring or mapping to this CWE entry, exercise caution. For instance,
+ some flaws might unintentionally allow an attacker to supply an input when they shouldn't be allowed to at all,
+ yet this is commonly referred to as input validation.
+
+
+
+
+
+
+
+ This lab uses django's default template engine, and oviously the input is not validated properly, try to get the admin password hash exploiting it.
+
+
+
+
+
+
+
+ This section have active log monitoring section , and some part for user input is also saved in log, can u find some exploit ?
+
+
+
+
+
+
+ This lab has a login pages, and the input is not validated properly, Can you login as Admin ?
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/mitre/mitre_top6.html b/introduction/templates/mitre/mitre_top6.html
new file mode 100644
index 0000000..c3b7580
--- /dev/null
+++ b/introduction/templates/mitre/mitre_top6.html
@@ -0,0 +1,125 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+OS Command Injection
+{% endblock %}
+
+
CWE-78: OS Command Injection
+
+
+ The software builds all or a portion of an OS command using input that has
+ been modified externally by an upstream component, but it fails to remove or
+ removes them wrongly specific aspects that could change the intended OS
+ command when it is sent to a downstream component.
+
+
+ As a result, attackers might be able to run risky, unexpected commands on the
+ operating system. In contexts where the attacker does not have direct access
+ to the operating system, like web applications, this flaw can result in a
+ vulnerability. Alternatively, if the flaw exists in a privileged programme, it
+ might allow the attacker to specify commands that aren't typically available
+ or to call alternative commands with rights they don't have. If the
+ compromised process does not adhere to the concept of least privilege, the
+ issue is made worse since attacker-controlled commands may run with elevated
+ system privileges, increasing the potential for damage.
+ There are at least two subtypes of OS command injection:
+
+
+ The application's goal is to run a single, self-contained, fixed
+ programme. It plans to employ inputs from outside sources as arguments for
+ that programme. As an illustration, the software may utilise
+ system("nslookup [HOSTNAME]") to launch nslookup and let the user enter a
+ HOSTNAME as an argument. Attackers are unable to stop nslookup from
+ running. Attackers could insert command separators into the parameters if
+ the application does not remove them from the HOSTNAME argument, enabling
+ them to run their own programme after nslookup has done running.
+
+
+ The programme accepts an input and utilises it to choose exactly which
+ programme to start and which instructions to issue. This complete command
+ is just forwarded to the operating system by the programme. To execute the
+ [COMMAND] that the user supplied, for instance, the application can use
+ the syntax "exec([COMMAND]]". An attacker can run any command or programme
+ they choose if they have control of the COMMAND. Using functions like
+ exec() and CreateProcess() to carry out the command may prevent the
+ attacker from combining numerous commands into one line.
+
+
+ These versions exhibit distinct programmer faults, which is a weakness. In the
+ first version, it is obvious that the author intended for the command to be
+ run to include input from unreliable sources as one of its arguments. While
+ the programmer in the second variation does not intend for the command to be
+ accessible to any untrusted parties, it is likely that the programmer did not
+ consider other potential channels via which hostile attackers could supply
+ input.
+
+
+
+ This lab helps us to understand how command injection is exploitable in scenarios where inputs are sent
+ to exec,eval,sys etc.
+
+
+
+ The user on accessing the lab is provided with a feature to perform a name server lookup on the given
+ domain.
+ A domain name has to be provided after which the server would perform a ns lookup and return back to the
+ client.
+ If the user is running the lab, based on the OS they can select Windows or Linux.
+
+
+
+ Exploiting the Bug
+
+
Method 1
+
+
The user can cause the server to execute commands ,because of the lack of input validation.
+
The user can give a domain say domain && [any cmd]
+
In This case lets give google.com && dir and choose windows.
+
This should give you the output for both ns lookup as well as for the dir
+
+
Method 2
+
+
The user can give a domain say domain; [any cmd]
+
In This case lets give google.com; dir and choose windows.
+
This should give you the output for both ns lookup as well as for the dir
+
+
+
+ Understanding the cause
+
+ Lets first see how the name server lookup is performed
+
+ command="nslookup {}".format(domain)
+
+ Here the domain is the user input domain. This command variable is then sent to exec function and the
+ output is displayed.
+ If the user inputs google.com the command variable will hold nslookup google.com.
+
+
+ How CMD injection works
+ Method 1
+ Now when the user enters google.com && dir The command variable will hold
+ nslookup google.com && dir.
+ The && means and. The system will execute nslookup google.com
+ first and then dir
+
+ Method 2
+ When the user enters google.com ; dir The command variable will hold
+ nslookup google.com ; dir.
+ The ; implies the completion of the command before it, in this case the nslookup
+ command. The system will execute nslookup google.com first and then dir
+
+
+ Referencing memory after it has been freed can cause a program to crash, use
+ unexpected values, or execute code.
+
+
+
Error conditions and other exceptional circumstances.
+
+ Confusion over which part of the program is responsible for freeing the
+ memory.
+
+
+ In this case, after the memory has been released, it is lawfully assigned to a
+ different pointer. The initial pointer to the memory that was freed is
+ utilised once more and now points to a position within the new allocation. As
+ the data is modified, it corrupts the memory that is still being used, leading
+ to unpredictable behaviour. Several function pointers might be dispersed
+ throughout the heap data in C++, for example, if the freshly allocated data
+ has a potential to contain a class. The execution of arbitrary code is
+ possible if one of these function pointers is overwritten with an address to
+ legitimate shellcode.
+
+
+ To prevent Use After Free vulnerabilities, software developers should carefully
+ manage memory allocation and deallocation, validate user input to ensure that it
+ does not trigger a double-free condition, and use safe programming practices that
+ automatically detect and prevent the use of freed memory. Tools like memory-safe
+ programming languages and memory-management libraries can also help prevent this
+ type of vulnerability.
+
+ The software constructs a pathname from external input to identify a file or
+ directory that is beneath a restricted parent directory, but the pathname is
+ not correctly neutralised to prevent it from resolving to a destination
+ outside of the restricted directory.
+
+ A restricted directory is designed to be the location of many file operations.
+ Attackers can access files or folders located elsewhere on the system by
+ employing special characters like ".." and "/" separators to leave the
+ restricted area. The "../" sequence, which is read as the parent directory of
+ the present location by the majority of modern operating systems, is one of
+ the most prevalent special elements. Relative path traversal is the term used
+ to describe this. Absolute pathnames like "/usr/local/bin," which might be
+ used to access unexpected files, are similarly covered by path traversal.
+ Absolute path traversal is the term used to describe this.
+
+ In many programming languages, an attacker may be able to extend their assault
+ by truncating a generated filename by injecting a null byte (the 0 or NUL).
+ For instance, the programme might restrict the attacker to text files by
+ appending ".txt" to any pathname, but a null injection could effectively lift
+ this restriction.
+
+
+
+
+ This lab access the blog files after fetching some local file path, try to get some other path after modifying the path.
+
+
+ A online security flaw called cross-site request forgery (CSRF) enables an
+ attacker to trick users into taking actions they did not plan to take. It
+ gives an attacker the ability to partially get around the same origin policy,
+ which is meant to stop various websites from interfering with one another.
+
+
+ A successful CSRF attack involves the attacker tricking the victim user into doing
+ an accidental action. For instance, they might need to do this to make a money transfer,
+ reset their password, or update their email address on file. The attacker might be able to
+ take full control of the user's account depending on the nature of the action. The attacker
+ might be able to fully manage all the data and functionality of the application if the
+ compromised user has a privileged role inside it.
+
+ How to protect
+
+
User django's builtin csrf_token
+
For other framework look for similar method
+
+
+
+
+ This lab contains a very baddly designed bank application
+ can you attack user : `Alfresko` ( you need to login as Alfresko (Alfresco) for completeting the attack process )
+
+
+
+{% endblock %}
\ No newline at end of file
diff --git a/introduction/templates/playground/A9/index.html b/introduction/templates/playground/A9/index.html
new file mode 100644
index 0000000..08a559a
--- /dev/null
+++ b/introduction/templates/playground/A9/index.html
@@ -0,0 +1,102 @@
+{% extends 'introduction/base.html' %}
+{% block content %}
+
+{% block title %}
+Insufficient Logging & Monitoring
+{% endblock %}
+{% load static %}
+
+
+
In this coding ground we will create a secure logging function
+
+
+
+
Some points to remember while implementing logging & monnitoring
+
+
Do not log too much or too little. For example, make sure to always log the timestamp and identifying information including the source IP and user-id.
+
Pay close attention to time syncing across nodes to ensure that timestamps are consistent.
+
Follow a common logging format and approach within the system and across systems of an organization.
+
Encode and validate any dangerous characters before logging to prevent log injection attacks.
+
Do not log sensitive information. For example, do not log password, session ID, credit cards, or social security numbers.
+
Protect log integrity. An attacker may attempt to tamper with the logs. Therefore, the permission of log files and log changes audit should be considered.
+
Forward logs from distributed systems to a central, secure logging service. This will sure log data cannot be lost if one node is compromised. This also allows for centralized monitoring.