From cbde3af6168253ce85e4efa8769f56ff7a59ebcc Mon Sep 17 00:00:00 2001
From: "Taisen.fr (Dev)"
Date: Wed, 28 Aug 2024 14:03:23 +0200
Subject: [PATCH] Add Admin Permission
---
 Identity/VLAIdentity.cs | 53 +++++++++++++++++++++++++++++++++++++----
 MidlWare/MidlWare.cs | 8 +++++++
 Model/Model.cs | 27 +++++++++++----------
 README.md | 2 +-
 4 files changed, 72 insertions(+), 18 deletions(-)
diff --git a/Identity/VLAIdentity.cs b/Identity/VLAIdentity.cs
index f067255..ed34af0 100644
--- a/Identity/VLAIdentity.cs
+++ b/Identity/VLAIdentity.cs
@@ -4,6 +4,7 @@ using System.IdentityModel.Tokens.Jwt;
 using Microsoft.IdentityModel.Tokens;
 using System.Security.Cryptography;
+using Newtonsoft.Json.Linq;
 namespace VulnerableWebApplication.VLAIdentity
@@ -31,6 +32,7 @@ public static async Task VulnerableQuery(string User, string Passwd)
 Authentifie les utilisateurs par login et mot de passe, et renvoie un token JWT si l'authentification a réussi
 */
+ bool IsAdmin = false;
 SHA256 Sha256Hash = SHA256.Create();
 byte[] Bytes = Sha256Hash.ComputeHash(Encoding.UTF8.GetBytes(Passwd));
 StringBuilder stringbuilder = new StringBuilder();
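Review bot: The `using Newtonsoft.Json.Linq;` added at the top of VLAIdentity.cs is not referenced by anything this patch introduces (VulnerableAdminValidateToken works only with JwtSecurityTokenHandler, TokenValidationParameters and Claim), so as far as the diff shows it is an unused directive and should be left out until code needs it. Only the head of the file is visible here, so if another existing member relies on it that is not shown in the patch.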
@@ -39,12 +41,13 @@ public static async Task VulnerableQuery(string User, string Passwd)
 VLAController.VLAController.VulnerableLogs("login attempt for:\n" + User + "\n" + Passwd + "\n", LogFile);
 var DataSet = VLAModel.Data.GetDataSet();
- var Result = DataSet.Tables[0].Select("Passwd = '" + Hash + "' and User = '" + User + "'");
+ var Result = DataSet.Tables[0].Select("Passwd = '" + Hash + "' and User = '" + User + "'");
+ if( DataSet.Tables[0].Select("User = '" + User.Replace("'", "''") + "' and IsAdmin = 1" ).Length > 0) IsAdmin = true;
- return Result.Length > 0 ? Results.Ok(VulnerableGenerateToken(User)) : Results.Unauthorized();
+ return Result.Length > 0 ? Results.Ok(VulnerableGenerateToken(User, IsAdmin)) : Results.Unauthorized();
 }
- public static string VulnerableGenerateToken(string User)
+ public static string VulnerableGenerateToken(string User, bool IsAdmin)
 {
 /*
 Retourne un token JWT signé pour l'utilisateur passé en paramètre
@@ -53,7 +56,7 @@ Retourne un token JWT signé pour l'utilisateur passé en paramètre
 var Key = Encoding.ASCII.GetBytes(Secret);
 var TokenDescriptor = new SecurityTokenDescriptor
 {
- Subject = new ClaimsIdentity(new[] { new Claim("Id", User) }),
+ Subject = new ClaimsIdentity(new[] { new Claim("Id", User), new Claim("IsAdmin", IsAdmin.ToString()) }),
 Expires = DateTime.UtcNow.AddDays(365),
 SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(Key), SecurityAlgorithms.HmacSha256Signature)
 };
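Review bot: The admin lookup added to VulnerableQuery escapes single quotes with `User.Replace("'", "''")` while the credential lookup on the line above still concatenates `User` and `Hash` into its filter unescaped, so one method now applies two different rules to the same input; if the unescaped filter is the intended weakness of this deliberately vulnerable application, a comment on the new line should say why only the admin lookup is escaped, otherwise the same escaping belongs on both. The admin lookup also runs on every attempt, before `Result.Length` is consulted; folding it into the success path, `bool IsAdmin = Result.Length > 0 && DataSet.Tables[0].Select("User = '" + User.Replace("'", "''") + "' and IsAdmin = 1").Length > 0;`, restricts it to authenticated users and replaces the `bool IsAdmin = false;` declared at the top of the method in the previous hunk. The re-added `var Result = DataSet.Tables[0].Select(...)` line is identical to the removed one and looks like a whitespace-only change. In VulnerableGenerateToken the new claim is written as `IsAdmin.ToString()`, i.e. the text `True` or `False`, and the consumer in VulnerableAdminValidateToken depends on that exact spelling, so a comment such as `// Claim value is bool.TrueString / bool.FalseString; VulnerableAdminValidateToken parses it` would record the coupling. VulnerableQuery starts before this hunk.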
@@ -93,5 +96,47 @@ Vérifie la validité du token JWT passé en paramètre
 return Result;
 }
+
+ public static bool VulnerableAdminValidateToken(string Token, string Secret)
+ {
+ /*
+ Vérifie la validité du token ADMIN passé en paramètre
+ */
+ var TokenHandler = new JwtSecurityTokenHandler();
+ var Key = Encoding.ASCII.GetBytes(Secret);
+ bool Result = false;
+ Token = Token.Substring("Bearer ".Length);
+
+ try
+ {
+ var JwtSecurityToken = TokenHandler.ReadJwtToken(Token);
+ if (JwtSecurityToken.Header.Alg == "HS256" || JwtSecurityToken.Header.Typ == "JWT")
+ {
+ TokenHandler.ValidateToken(Token, new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = true,
+ IssuerSigningKey = new SymmetricSecurityKey(Key),
+ ValidateIssuer = false,
+ ValidateAudience = false,
+ ValidateLifetime = true,
+ }, out SecurityToken validatedToken);
+
+ var JwtToken = (JwtSecurityToken)validatedToken;
+ var claims = JwtToken.Claims;
+
+ var isAdminClaim = claims.FirstOrDefault(c => c.Type == "IsAdmin");
+ Console.WriteLine(isAdminClaim.Value);
+ if (isAdminClaim.Value.Contains("True")) Result = true;
+ }
+ }
+ catch (Exception e) { Result = false; }
+
+
+
+
+ return Result;
+ }
+
+ }
 }
diff --git a/MidlWare/MidlWare.cs b/MidlWare/MidlWare.cs
index 001ae79..20118a0 100644
--- a/MidlWare/MidlWare.cs
+++ b/MidlWare/MidlWare.cs
@@ -52,11 +52,19 @@ Authentifie les utilisateurs
 }
 string authHeader = context.Request.Headers["Authorization"];
+
 if (authHeader.IsNullOrEmpty() || !VLAIdentity.VLAIdentity.VulnerableValidateToken(authHeader, configuration["Secret"]))
 {
 context.Response.StatusCode = StatusCodes.Status401Unauthorized;
 return;
 }
+
+ if (path.StartsWith("/Patch", StringComparison.OrdinalIgnoreCase) && (authHeader.IsNullOrEmpty() || !VLAIdentity.VLAIdentity.VulnerableAdminValidateToken(authHeader, configuration["Secret"])) )
+ {
+ context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+ return;
+ }
+
 await _next(context);
 }
 }
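Review bot: In VulnerableAdminValidateToken the header pre-check `if (JwtSecurityToken.Header.Alg == "HS256" || JwtSecurityToken.Header.Typ == "JWT")` is satisfied by any token whose typ is JWT whatever its alg, so the algorithm comparison filters nothing; if both properties are meant to be required, the operator should be `&&` (the subsequent ValidateToken call is then the only thing that enforces the signature). The claim check relies on the blanket `catch (Exception e)` to turn a missing IsAdmin claim into false: `claims.FirstOrDefault(...)` returns null, `isAdminClaim.Value` throws NullReferenceException, and the method returns false by accident after `Console.WriteLine(isAdminClaim.Value)` has written the claim value to stdout; a direct form is `Result = isAdminClaim is not null && bool.TryParse(isAdminClaim.Value, out var isAdmin) && isAdmin;`, which also replaces the substring test `Contains("True")` with an exact parse and makes the Console line unnecessary. `Token = Token.Substring("Bearer ".Length);` removes seven characters without confirming that the header actually begins with `Bearer `, so a header using another scheme is validated with its first seven characters cut off; `if (!Token.StartsWith("Bearer ", StringComparison.Ordinal)) return false;` before it states the expectation. The unused `e`, the four empty lines before `return Result;` and the comment that only names the method's topic are minor; the comment could state the contract instead, e.g. `/* Returns true only when the signature validates and the IsAdmin claim parses as true */`. This method appears to mirror the validation logic of the VulnerableValidateToken whose tail precedes it, but only that tail is visible in the hunk.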
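Review bot: The new admin gate in MidlWare.cs re-tests `authHeader.IsNullOrEmpty()` although the block just above it has already returned on exactly that condition, so the second test is dead and the condition reduces to `if (path.StartsWith("/Patch", StringComparison.OrdinalIgnoreCase) && !VLAIdentity.VLAIdentity.VulnerableAdminValidateToken(authHeader, configuration["Secret"]))`. A request that reaches this block has already presented a valid token and only lacks the admin claim, which is an authorization failure rather than an authentication one, so `StatusCodes.Status403Forbidden` describes it more accurately than the 401 reused here. Each /Patch request is also parsed and signature-checked twice, once by VulnerableValidateToken and again by VulnerableAdminValidateToken; that is tolerable but worth a one-line comment so the duplication is not mistaken for an oversight. `path` is not defined inside this hunk, so presumably it is assigned earlier in the enclosing method, which starts before the hunk.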
diff --git a/Model/Model.cs b/Model/Model.cs
index adab875..4110af7 100644
--- a/Model/Model.cs
+++ b/Model/Model.cs
@@ -42,19 +42,20 @@ Contenu de la BDD relationnelle (Utilisateurs)
 DataTable table = new DataTable();
 table.Columns.Add("User", typeof(string));
 table.Columns.Add("Passwd", typeof(string));
- table.Rows.Add("root", "ce5ca673d13b36118d54a7cf13aeb0ca012383bf771e713421b4d1fd841f539a");
- table.Rows.Add("admin", "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a444");
- table.Rows.Add("User", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
- table.Rows.Add("Alice", "9b510b4af0d9b121f68d5a3400975047cbf38f963963b4c7510842d9d6310e7f");
- table.Rows.Add("Bob", "aed8f2deab14c36eeaa6d9c5c07ac6b586a74c18015dff9ac1cd0fc320f107b2");
- table.Rows.Add("Charlie", "99cdaf24cef97271760d72f0552ff18bb0c53e47d272cc1b3aa2c8b4e7d71b22");
- table.Rows.Add("Diana", "c27ab3e46131d5e15819aa5c919dca2c7d449a13a1293c9963e1a9d6181b51ac");
- table.Rows.Add("Edward", "3b179a52471e65a043a6c2b2dc1cb703165e2f94a8d4d3818b35eb278f730111");
- table.Rows.Add("Fiona", "31b6273952ff5ef238f5ef544a212eb434813782a279de537bf8c02ccc07fa08");
- table.Rows.Add("George", "27730420c3b86d8eb76e568be4e9279f69d5b00d625c2f0742d260ed9cc2ec26");
- table.Rows.Add("Hannah", "dc8fd3ef67d7031e81a8e2d088aceb430972e4ad03bfccafd063b5729ca0a139");
- table.Rows.Add("Ian", "0964e66cc96ed16adb6364caf1d0c80f80b91c9bf49aed3ffc0e51bca4dc0567");
- table.Rows.Add("Julia", "69ccc763a7a99e5ef616c760e8dcc90a96491cfd15ec84d61fbbf222474a9b3d");
+ table.Columns.Add("IsAdmin", typeof(int));
+ table.Rows.Add("User", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", 0);
+ table.Rows.Add("root", "ce5ca673d13b36118d54a7cf13aeb0ca012383bf771e713421b4d1fd841f539a", 1);
+ table.Rows.Add("admin", "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a444", 1);
+ table.Rows.Add("Alice", "9b510b4af0d9b121f68d5a3400975047cbf38f963963b4c7510842d9d6310e7f", 0);
+ table.Rows.Add("Bob", "aed8f2deab14c36eeaa6d9c5c07ac6b586a74c18015dff9ac1cd0fc320f107b2", 0);
+ table.Rows.Add("Charlie", "99cdaf24cef97271760d72f0552ff18bb0c53e47d272cc1b3aa2c8b4e7d71b22", 0);
+ table.Rows.Add("Diana", "c27ab3e46131d5e15819aa5c919dca2c7d449a13a1293c9963e1a9d6181b51ac", 0);
+ table.Rows.Add("Edward", "3b179a52471e65a043a6c2b2dc1cb703165e2f94a8d4d3818b35eb278f730111",0);
+ table.Rows.Add("Fiona", "31b6273952ff5ef238f5ef544a212eb434813782a279de537bf8c02ccc07fa08", 0);
+ table.Rows.Add("George", "27730420c3b86d8eb76e568be4e9279f69d5b00d625c2f0742d260ed9cc2ec26", 0);
+ table.Rows.Add("Hannah", "dc8fd3ef67d7031e81a8e2d088aceb430972e4ad03bfccafd063b5729ca0a139", 0);
+ table.Rows.Add("Ian", "0964e66cc96ed16adb6364caf1d0c80f80b91c9bf49aed3ffc0e51bca4dc0567", 0);
+ table.Rows.Add("Julia", "69ccc763a7a99e5ef616c760e8dcc90a96491cfd15ec84d61fbbf222474a9b3d", 0);
 var DataSet = new DataSet();
 DataSet.Tables.Add(table);
 return DataSet;
diff --git a/README.md b/README.md
index a3d3a64..c2dd3f5 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@
 | CWE-287 | Improper Authentication | Medium |
 | CWE-319 | Cleartext Transmission of Sensitive Information | Easy |
 | CWE-326 | Inadequate Encryption Strength | Easy |
-| CWE-434 | Unrestricted Upload of File with Dangerous Type | Medium |
+| CWE-434 | Unrestricted Upload of File with Dangerous Type | Hard |
 | CWE-502 | Deserialization of Untrusted Data | Hard |
 | CWE-521 | Weak Password Requirements | Easy |
 | CWE-532 | Insertion of Sensitive Information into Log File | Easy |
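Review bot: The new `IsAdmin` column in Model.cs is declared as `typeof(int)` and populated with bare 0/1 literals, while the filter that reads it (`IsAdmin = 1` in VulnerableQuery) and the JWT claim built from it are boolean in meaning; declaring it as `typeof(bool)` with `true`/`false` rows and an `IsAdmin = true` filter would state the intent and remove the magic numbers. The hunk also moves the `"User"` row from third to first and writes the `"Edward"` row as `,0);` without the space the other rows use, neither of which the change needs; keeping the original row order limits the diff to the column addition and the new trailing value. A short comment above `table.Columns.Add("IsAdmin", typeof(int));`, such as `// 1 = administrator; consumed by the "IsAdmin = 1" filter in VulnerableQuery`, would tie the two sites together so a later rename of either does not silently drop admin rights.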