From cba1566ff0316d274d548406b73292bc046b4f29 Mon Sep 17 00:00:00 2001 From: Shweta Kadam Date: Tue, 27 Aug 2024 13:21:10 +0000 Subject: [PATCH 1/4] add vulnerable code --- src/vulnerable-code/index.js | 50 ++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 src/vulnerable-code/index.js diff --git a/src/vulnerable-code/index.js b/src/vulnerable-code/index.js new file mode 100644 index 0000000..33a97a4 --- /dev/null +++ b/src/vulnerable-code/index.js @@ -0,0 +1,50 @@ +const express = require('express'); +const sqlite3 = require('sqlite3').verbose(); +const bcrypt = require('bcrypt'); +const app = express(); + +app.use(express.urlencoded({ extended: true })); + +// Create an in-memory SQLite database +const db = new sqlite3.Database(':memory:'); + +db.serialize(() => { + // Create a table for users + db.run("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"); + + // Insert a test user with an insecurely hashed password + const insecurePassword = 'password123'; // Plaintext password + const hashedPassword = bcrypt.hashSync(insecurePassword, 2); // Insufficiently hashed + db.run("INSERT INTO users (username, password) VALUES ('testuser', ?)", hashedPassword); +}); + +// Vulnerable to SQL Injection +app.get('/login', (req, res) => { + const username = req.query.username; + const password = req.query.password; + + // Vulnerable query without parameterized statements + const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`; + db.get(query, (err, row) => { + if (err) { + res.status(500).send('Internal Server Error'); + } else if (row) { + res.send('Login successful!'); + } else { + res.send('Invalid credentials'); + } + }); +}); + +// Vulnerable to XSS +app.get('/profile', (req, res) => { + const username = req.query.username; + + // Displaying user input directly without sanitization + res.send(`

Profile of ${username}

`); +}); + +// Start the server +app.listen(3000, () => { + console.log('Server is running on http://localhost:3000'); +}); From 12f3be0ad8201d8f15e5accf495916aa36f46c91 Mon Sep 17 00:00:00 2001 From: Shweta Kadam Date: Tue, 27 Aug 2024 13:41:27 +0000 Subject: [PATCH 2/4] add v-2 code --- src/vulnerable-code/index.js | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/src/vulnerable-code/index.js b/src/vulnerable-code/index.js index 33a97a4..e03a68d 100644 --- a/src/vulnerable-code/index.js +++ b/src/vulnerable-code/index.js 
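Review bot: The `/login` handler in this hunk can never authenticate the seeded user, because the query compares the raw `password` parameter against the `password` column, which holds the bcrypt hash produced by `bcrypt.hashSync`; a legitimate login always falls through to `Invalid credentials`. Bind the username as a `?` parameter and verify the password with `bcrypt.compareSync` against `row.password`, which also removes the string-interpolated query; the same applies to the `join('')` query that PATCH 2 later substitutes in its first hunk. `/profile` has the same shape, interpolating `username` straight into the HTML that `res.send` emits, and needs an escape step before interpolation. The cost factor `2` passed to `bcrypt.hashSync` is well below the library default of 10; if this file is intentionally a scanner fixture, a file-level comment saying so would stop these from being read as application code.
```javascript
app.get('/login', (req, res) => {
  const username = String(req.query.username ?? '');
  const password = String(req.query.password ?? '');

  // Bind request data; never interpolate it into SQL.
  db.get('SELECT * FROM users WHERE username = ?', [username], (err, row) => {
    if (err) {
      res.status(500).send('Internal Server Error');
    } else if (row && bcrypt.compareSync(password, row.password)) {
      res.send('Login successful!');
    } else {
      res.send('Invalid credentials');
    }
  });
});
```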
@@ -10,21 +10,23 @@ const db = new sqlite3.Database(':memory:'); db.serialize(() => { // Create a table for users - db.run("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"); + db.run("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"); // Insert a test user with an insecurely hashed password const insecurePassword = 'password123'; // Plaintext password - const hashedPassword = bcrypt.hashSync(insecurePassword, 2); // Insufficiently hashed - db.run("INSERT INTO users (username, password) VALUES ('testuser', ?)", hashedPassword); + const saltRounds = 2; + const hashedPassword = bcrypt.hashSync(insecurePassword, saltRounds); // Weak hashing + db.run("INSERT INTO users (username, password) VALUES (?, ?)", ['testuser', hashedPassword]); }); -// Vulnerable to SQL Injection +// Slightly obfuscated SQL Injection vulnerability app.get('/login', (req, res) => { - const username = req.query.username; - const password = req.query.password; + const user = req.query.username; + const pass = req.query.password; - // Vulnerable query without parameterized statements - const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`; + // Concatenation using a different pattern to obscure SQL injection vulnerability + const query = ['SELECT * FROM users WHERE username = "', user, '" AND password = "', pass, '"'].join(''); + db.get(query, (err, row) => { if (err) { res.status(500).send('Internal Server Error'); @@ -36,12 +38,17 @@ app.get('/login', (req, res) => { }); }); -// Vulnerable to XSS +// XSS vulnerability with slightly hidden logic app.get('/profile', (req, res) => { const username = req.query.username; - // Displaying user input directly without sanitization - res.send(`
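Review bot: The rewritten query in the first hunk now wraps the values in double quotes (`username = "', user, '"`), but in SQLite double quotes denote identifiers, and they are accepted as string literals only through a legacy fallback that builds can disable (the `SQLITE_DQS` compile option), so this query is fragile even before the missing parameterization is considered. Binding the values (`db.get('SELECT * FROM users WHERE username = ?', [user], …)`) avoids the quoting question entirely, and `pass` should then be checked with `bcrypt.compareSync(pass, row.password)` rather than compared in SQL, since the column stores a hash. The comment `// Concatenation using a different pattern to obscure SQL injection vulnerability` should not ship as written; if the file is a deliberate fixture, say so once at the top of the file.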

Profile of ${username}

`); + // Adding unnecessary function to obscure XSS vulnerability + const renderProfile = (user) => { + return `

Profile of ${user}

`; + }; + + // Render profile with potential XSS + res.send(renderProfile(username)); }); // Start the server From 8892a9f1f6c8e80c8556153777b49296486ff671 Mon Sep 17 00:00:00 2001 From: Shweta Kadam Date: Wed, 28 Aug 2024 18:48:38 +0000 Subject: [PATCH 3/4] Testing vulnerable code --- src/components/Medicalreport.jsx | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/components/Medicalreport.jsx b/src/components/Medicalreport.jsx index 8929029..4562408 100644 --- a/src/components/Medicalreport.jsx +++ b/src/components/Medicalreport.jsx @@ -1,5 +1,6 @@ import React, { useState } from "react"; import { Configuration, OpenAIApi } from "openai"; +import _ from "lodash"; // Importing lodash, which has had known vulnerabilities import Nav from "./Nav"; import Footer from "./Footer"; @@ -45,7 +46,10 @@ function Medicalreport() { }); const content = response.data.choices[0].message.content; console.log("Content:", content); - setResultJSON(JSON.parse(content)); + // Introducing a subtle Prototype Pollution vulnerability + const unsafeObject = JSON.parse(content); + _.merge(resultJSON, unsafeObject); + setResultJSON(resultJSON); } catch (error) { console.error(error); setError("Error occurred during generation"); @@ -62,7 +66,6 @@ function Medicalreport() {
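Review bot: `renderProfile` still interpolates `user` unescaped into the HTML template, so wrapping the template in a helper changes nothing about what `res.send` emits in this hunk. Add an escaping step and apply it in the template, e.g. `const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));` and `Profile of ${escapeHtml(user)}`. The comment `// Adding unnecessary function to obscure XSS vulnerability` reads as a description of intent rather than of the code; if this file exists as a scanner fixture, a single file-level note to that effect is clearer than per-line remarks.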
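Review bot: In the `@@ -45,7 +46,10 @@` hunk, `_.merge(resultJSON, unsafeObject)` followed by `setResultJSON(resultJSON)` mutates the current state object in place and then hands the same reference back to the setter, and React skips an update whose new value is `Object.is`-equal to the current state, so the component will not re-render with the new content. It also deep-merges model output that has only been `JSON.parse`d into application state, the input shape for which lodash `merge` has carried prototype-pollution advisories in older versions; the line it replaces, `setResultJSON(JSON.parse(content))`, had neither problem. If the intent is to accumulate results across calls, build a new object instead: `setResultJSON((prev) => ({ ...prev, ...unsafeObject }));`. The context line `console.log("Content:", content)` also writes the full model response, which in this app is medical-report content, to the browser console; the enclosing function starts and ends outside the hunk.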

Doctalyzer
- {/* Analyze Medical Reports */}

This tool will tell you about the usage and information of medicines. From 059f775c1cc0c0f6bb78d75a787bf01e9456a420 Mon Sep 17 00:00:00 2001 From: Shweta Kadam Date: Wed, 28 Aug 2024 18:51:13 +0000 Subject: [PATCH 4/4] Testing vulnerable code --- src/components/Medicalreport.jsx | 38 +++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/src/components/Medicalreport.jsx b/src/components/Medicalreport.jsx index 4562408..a3a8971 100644 --- a/src/components/Medicalreport.jsx +++ b/src/components/Medicalreport.jsx @@ -4,9 +4,21 @@ import _ from "lodash"; // Importing lodash, which has had known vulnerabilities import Nav from "./Nav"; import Footer from "./Footer"; +// OWASP #1: Injection +const vulnerableQuery = (userInput) => { + // Simulate SQL injection vulnerability + return `SELECT * FROM users WHERE username = '${userInput}' AND password = 'password123'`; +}; + +// OWASP #2: Broken Authentication +const fakeLogin = (username, password) => { + // Simulate broken authentication with hardcoded credentials + return username === "admin" && password === "password"; +}; + const openai = new OpenAIApi( new Configuration({ - apiKey: `${import.meta.env.VITE_OPENAI}`, + apiKey: `${import.meta.env.VITE_OPENAI}`, // OWASP #3: Sensitive Data Exposure }) ); @@ -46,9 +58,9 @@ function Medicalreport() { }); const content = response.data.choices[0].message.content; console.log("Content:", content); - // Introducing a subtle Prototype Pollution vulnerability + // OWASP #8: Insecure Deserialization (in case of unsafe object input) const unsafeObject = JSON.parse(content); - _.merge(resultJSON, unsafeObject); + _.merge(resultJSON, unsafeObject); // OWASP #9: Using Components with Known Vulnerabilities setResultJSON(resultJSON); } catch (error) { console.error(error); @@ -57,6 +69,16 @@ function Medicalreport() { setIsGenerating(false); }; + // OWASP #7: XSS (Cross-Site Scripting) + const renderProfile = (user) => { + return `
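Review bot: `apiKey: \`${import.meta.env.VITE_OPENAI}\`` in the `@@ -4,9 +4,21 @@` hunk keeps the OpenAI key in client-side code; Vite inlines `VITE_`-prefixed variables into the browser bundle at build time, so the comment the commit adds labels the exposure but the key still ships to every visitor. The remedy is structural rather than a comment: move the OpenAI call behind a server endpoint that holds the key and have the component call that endpoint. `vulnerableQuery` and `fakeLogin` are added at module scope but not referenced anywhere in the hunk; if they are fixture code for a scanner, mark them as such (`// fixture: intentionally insecure, never called`) so they are not mistaken for application logic, and `fakeLogin`'s hard-coded credentials should not be merged into a shipping component regardless. The `openai` client definition continues outside the hunk.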

Profile of ${user}

`; // No sanitization applied + }; + + // OWASP #5: Broken Access Control + const sensitiveAction = () => { + alert("This should be protected by access control, but it isn't!"); + }; + return ( <>