diff --git a/docker-compose.yml b/docker-compose.yml index 3d39f83..e061b14 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,6 +9,10 @@ services: - POSTGRES_DB=postgres - POSTGRES_USER=postgres - POSTGRES_PASSWORD=postgres + security_opt: + - no-new-privileges:true + read_only: true + web: build: . image: pygoat/pygoat @@ -20,6 +24,10 @@ services: depends_on: - migration - db + security_opt: + - no-new-privileges:true + read_only: true + migration: image: pygoat/pygoat command: python pygoat/manage.py migrate --noinput @@ -27,3 +35,6 @@ services: - .:/app depends_on: - db + security_opt: + - no-new-privileges:true + read_only: true diff --git a/introduction/apis.py b/introduction/apis.py index 7926708..3ea45ec 100644 --- a/introduction/apis.py +++ b/introduction/apis.py @@ -12,14 +12,11 @@ from .utility import * from .views import authentication_decorator - - # steps --> # 1. covert input code to corrosponding code and write in file # 2. extract inputs form 2nd code # 3. Run the code # 4. get the result -@csrf_exempt def ssrf_code_checker(request): if request.user.is_authenticated: if request.method == 'POST': @@ -55,14 +52,15 @@ def ssrf_code_checker(request): # Insufficient Logging & Monitoring +from django.views.decorators.csrf import csrf_protect -@csrf_exempt +@csrf_protect # @authentication_decorator def log_function_checker(request): if request.method == 'POST': csrf_token = request.POST.get("csrfmiddlewaretoken") - log_code = request.POST.get('log_code') - api_code = request.POST.get('api_code') + log_code = sanitize_input(request.POST.get('log_code')) + api_code = sanitize_input(request.POST.get('api_code')) dirname = os.path.dirname(__file__) log_filename = os.path.join(dirname, "playground/A9/main.py") api_filename = os.path.join(dirname, "playground/A9/api.py") @@ -89,8 +87,11 @@ def log_function_checker(request): else: return JsonResponse({"message":"method not allowed"},status = 405) +def sanitize_input(data): + if data: + return data.replace('<', '<').replace('>', '>') + return data #a7 codechecking api -@csrf_exempt def A7_disscussion_api(request): if request.method != 'POST': return JsonResponse({"message":"method not allowed"},status = 405) @@ -107,9 +108,6 @@ def A7_disscussion_api(request): return JsonResponse({"message":"success"},status = 200) return JsonResponse({"message":"failure"},status = 400) - -#a6 codechecking api -@csrf_exempt def A6_disscussion_api(request): test_bench = ["Pillow==8.0.0","PyJWT==2.4.0","requests==2.28.0","Django==4.0.4"] @@ -121,18 +119,20 @@ def A6_disscussion_api(request): return JsonResponse({"message":"failure"},status = 400) except Exception as e: return JsonResponse({"message":"failure"},status = 400) +from django.views.decorators.csrf import csrf_protect +import html -@csrf_exempt +@csrf_protect def A6_disscussion_api_2(request): if request.method != 'POST': return JsonResponse({"message":"method not allowed"},status = 405) try: code = request.POST.get('code') + sanitized_code = html.escape(code) dirname = os.path.dirname(__file__) filename = os.path.join(dirname, "playground/A6/utility.py") - f = open(filename,"w") - f.write(code) - f.close() + with open(filename, "w") as f: + f.write(sanitized_code) except: return JsonResponse({"message":"missing code"},status = 400) - return JsonResponse({"message":"success"},status = 200) \ No newline at end of file + return JsonResponse({"message":"success"},status = 200) diff --git a/introduction/mitre.py b/introduction/mitre.py index c899c21..3ac74fc 100644 --- a/introduction/mitre.py +++ b/introduction/mitre.py @@ -150,6 +150,9 @@ def mitre_top24(request): def mitre_top25(request): if request.method == 'GET': return render(request, 'mitre/mitre_top25.html') +import os +from hashlib import scrypt +from base64 import urlsafe_b64encode @authentication_decorator def csrf_lab_login(request): @@ -158,23 +161,23 @@ def csrf_lab_login(request): elif request.method == 'POST': password = request.POST.get('password') username = request.POST.get('username') - password = md5(password.encode()).hexdigest() + salt = b'some_salt' # Ideally, use a unique salt for each password and store it securely with the password hash. + password = urlsafe_b64encode(scrypt(password.encode(), salt=salt, n=16384, r=8, p=1, maxmem=0, dklen=32)) User = CSRF_user_tbl.objects.filter(username=username, password=password) if User: - payload ={ + payload = { 'username': username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300), 'iat': datetime.datetime.utcnow() } - cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256') + jwt_secret = os.getenv('JWT_SECRET') + cookie = jwt.encode(payload, jwt_secret, algorithm='HS256') response = redirect("/mitre/9/lab/transaction") - response.set_cookie('auth_cookiee', cookie) + response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax') return response - else : + else: return redirect('/mitre/9/lab/login') - @authentication_decorator -@csrf_exempt def csrf_transfer_monei(request): if request.method == 'GET': try: @@ -188,6 +191,7 @@ def csrf_transfer_monei(request): except: return redirect('/mitre/9/lab/login') + def csrf_transfer_monei_api(request,recipent,amount): if request.method == "GET": cookie = request.COOKIES['auth_cookiee'] @@ -211,16 +215,20 @@ def csrf_transfer_monei_api(request,recipent,amount): # @authentication_decorator -@csrf_exempt def mitre_lab_25_api(request): if request.method == "POST": - expression = request.POST.get('expression') - result = eval(expression) - return JsonResponse({'result': result}) + try: + import ast + expression = request.POST.get('expression') + result = ast.literal_eval(expression) + return JsonResponse({'result': result}) + except (ValueError, SyntaxError): + return JsonResponse({'error': 'Invalid expression'}, status=400) else: return redirect('/mitre/25/lab/') + @authentication_decorator def mitre_lab_25(request): return render(request, 'mitre/mitre_lab_25.html') @@ -228,13 +236,11 @@ def mitre_lab_25(request): @authentication_decorator def mitre_lab_17(request): return render(request, 'mitre/mitre_lab_17.html') +import subprocess def command_out(command): - process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE) return process.communicate() - - -@csrf_exempt def mitre_lab_17_api(request): if request.method == "POST": ip = request.POST.get('ip') @@ -244,4 +250,4 @@ def mitre_lab_17_api(request): err = err.decode() pattern = "STATE SERVICE.*\\n\\n" ports = re.findall(pattern, res,re.DOTALL)[0][14:-2].split('\n') - return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports}) \ No newline at end of file + return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports}) diff --git a/introduction/playground/A9/api.py b/introduction/playground/A9/api.py index 35e1bd2..eae79e8 100644 --- a/introduction/playground/A9/api.py +++ b/introduction/playground/A9/api.py @@ -1,10 +1,6 @@ from django.http import JsonResponse -from django.views.decorators.csrf import csrf_exempt - from .main import Log - -@csrf_exempt def log_function_target(request): L = Log(request) if request.method == "GET": @@ -30,4 +26,4 @@ def log_function_target(request): return JsonResponse({"message":"success", "method":"patch"},status = 200) if request.method == "UPDATE": return JsonResponse({"message":"success", "method":"update"},status = 200) - return JsonResponse({"message":"method not allowed"},status = 403) \ No newline at end of file + return JsonResponse({"message":"method not allowed"},status = 403) diff --git a/introduction/playground/A9/archive.py b/introduction/playground/A9/archive.py index c9db8fc..fe2b7e0 100644 --- a/introduction/playground/A9/archive.py +++ b/introduction/playground/A9/archive.py @@ -1,10 +1,8 @@ from django.http import JsonResponse -from django.views.decorators.csrf import csrf_exempt from .main import Log -@csrf_exempt def log_function_target(request): L = Log(request) if request.method == "GET": diff --git a/introduction/static/js/a9.js b/introduction/static/js/a9.js index 9c58b8a..738109d 100644 --- a/introduction/static/js/a9.js +++ b/introduction/static/js/a9.js @@ -37,9 +37,9 @@ event3 = function(){ document.getElementById("a9_d3").style.display = 'flex'; for (var i = 0; i < data.logs.length; i++) { var li = document.createElement("li"); - li.innerHTML = data.logs[i]; + li.textContent = data.logs[i]; document.getElementById("a9_d3").appendChild(li); } }) .catch(error => console.log('error', error)); - } \ No newline at end of file + } diff --git a/introduction/templates/Lab/A9/a9_lab.html b/introduction/templates/Lab/A9/a9_lab.html index 5a70b46..7145c34 100644 --- a/introduction/templates/Lab/A9/a9_lab.html +++ b/introduction/templates/Lab/A9/a9_lab.html @@ -8,6 +8,7 @@

Yaml To Json Converter

+ {% csrf_token %}

@@ -34,4 +35,4 @@
Here is your output:

-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/introduction/templates/Lab/A9/a9_lab2.html b/introduction/templates/Lab/A9/a9_lab2.html index cace076..574aa06 100644 --- a/introduction/templates/Lab/A9/a9_lab2.html +++ b/introduction/templates/Lab/A9/a9_lab2.html @@ -19,6 +19,7 @@

Some Example

+ {% csrf_token %} @@ -88,7 +89,11 @@

Some Example

form.submit(); } {% if error %} - alert("{{ data }}"); + {{ data|json_script:"data-json" }} + {% endif %} diff --git a/introduction/templates/Lab/BrokenAccess/ba_lab.html b/introduction/templates/Lab/BrokenAccess/ba_lab.html index d45da9b..29b37f9 100644 --- a/introduction/templates/Lab/BrokenAccess/ba_lab.html +++ b/introduction/templates/Lab/BrokenAccess/ba_lab.html @@ -9,12 +9,10 @@

Admins Have the Secretkey

@@ -43,4 +41,4 @@

Please Provide Credentials

-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/introduction/templates/Lab/BrokenAuth/otp.html b/introduction/templates/Lab/BrokenAuth/otp.html index 3d12cda..9676786 100644 --- a/introduction/templates/Lab/BrokenAuth/otp.html +++ b/introduction/templates/Lab/BrokenAuth/otp.html @@ -9,13 +9,12 @@
Login Through Otp

-
-
+ {% csrf_token %}

@@ -29,9 +28,6 @@

Your 3 Digit Verification Code:{{otp}}

{% if email %}

Login Successful as user : {{email}}

{% endif %} - - -
-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/introduction/templates/Lab/CMD/cmd_lab.html b/introduction/templates/Lab/CMD/cmd_lab.html index 2998cd3..6175ff5 100644 --- a/introduction/templates/Lab/CMD/cmd_lab.html +++ b/introduction/templates/Lab/CMD/cmd_lab.html @@ -7,6 +7,7 @@

Name Server Lookup

+ {% csrf_token %}

@@ -33,4 +34,4 @@
Output

-{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/introduction/templates/Lab/CMD/cmd_lab2.html b/introduction/templates/Lab/CMD/cmd_lab2.html index a71a605..534f512 100644 --- a/introduction/templates/Lab/CMD/cmd_lab2.html +++ b/introduction/templates/Lab/CMD/cmd_lab2.html @@ -7,6 +7,7 @@

Evaluate any expression!

+ {% csrf_token %}

@@ -21,12 +22,10 @@
Output

{% endif %}
-

- -{% endblock %} \ No newline at end of file +{% endblock %} diff --git a/introduction/templates/Lab/XSS/xss_lab_3.html b/introduction/templates/Lab/XSS/xss_lab_3.html index a550b9a..7fa512e 100644 --- a/introduction/templates/Lab/XSS/xss_lab_3.html +++ b/introduction/templates/Lab/XSS/xss_lab_3.html @@ -17,9 +17,11 @@

Welcome to XSS Challenge


{{code}}

+{% json_script code as code_json %}
diff --git a/introduction/templates/Lab/ssrf/ssrf_discussion.html b/introduction/templates/Lab/ssrf/ssrf_discussion.html index 7dc6678..2eb5868 100644 --- a/introduction/templates/Lab/ssrf/ssrf_discussion.html +++ b/introduction/templates/Lab/ssrf/ssrf_discussion.html @@ -123,22 +123,22 @@
ssrf_lab.html