Added CSP ex2

client.csp.demo/routes/exercise.js

@@ -20,4 +20,20 @@ router.post('/1/exploited', express.urlencoded(), (req, res) => {
   }
 })
 
+router.get('/2', (req, res) => {
+  res.render(`ex2`, {cspIsSet: req.exSetPolicy, isPost: false, isSuccess: false, emailAddr: '' });
+});
+
+router.post('/2', express.urlencoded(), (req, res) => {
+  if(req.body.email) {
+    if(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i.test(req.body.email)) {
+      res.render(`ex2`, {cspIsSet: req.exSetPolicy, isPost: true, isSuccess: false, emailAddr: '', message: 'If the supplied email matches a valid user in this app, an email will be sent with reset instructions.'});
+    } else {
+      res.render(`ex2`, {cspIsSet: req.exSetPolicy, isPost: true, isSuccess: false, emailAddr: req.body.email, message: 'The supplied email address appeared to be improperly formatted.' });
+    }
+  } else {
+    res.render(`ex2`, {cspIsSet: req.exSetPolicy, isPost: true, isSuccess: false, emailAddr: ''});
+  }
+});
+
 module.exports = router

client.csp.demo/static/alertsolve.js

@@ -0,0 +1,6 @@
+window.alert = ((_alert) => {
+    return function() {
+        $('#topMessage').text(`Congratulations on solving this exercise!`);
+        return _alert.apply(null, arguments);
+    } 
+})(window.alert);

client.csp.demo/static/cspForm.js

@@ -2,9 +2,6 @@ setTimeout(function() { document.getElementById('msg').innerHTML = ''}, 2500);
 
 function createTexboxBlurHandler(checkbox) {
   return function (event) {
-    console.log('event fired')
-    console.log(event.target)
-    console.log(event.target.value)
     if(event.target.value.trim().length === 0) {
       checkbox.checked = ''
     } else {

client.csp.demo/views/_base.njk

@@ -20,6 +20,9 @@
           <a class="navbar-item" href="/ex/1">
             Exercise 1
           </a>
+          <a class="navbar-item" href="/ex/2">
+            Exercise 2
+          </a>
   </div>
 </nav>
 </div>

client.csp.demo/views/ex2.njk

@@ -0,0 +1,49 @@
+{% extends "_base.njk" %}
+
+{% block pageTitle %} - Exercise 2{% endblock %}
+
+{% block body %}
+<div class="hero is-warning">
+<h1 class="title">Exercise 2</h1>
+<h2 class="subtitle">
+{% if cspIsSet %}
+  <span id="topMessage">The CSP is set.</span>
+{% else %}
+    Looks like the CSP isn't set for this exercise.
+    <form method="POST" action="/set-csp">
+      <input type="hidden" name="ex" value="2" />
+      <input type="hidden" name="use-default-src" value="on" />
+      <input type="hidden" name="default-src" value="'self'" />
+      <input type="hidden" name="script-src" value="'self' cdn.jsdelivr.net" />
+      <input type="hidden" name="use-script-src" value="on" />
+      <button class="button is-danger" type="submit">(re)set</button>
+    </form>
+{% endif %}
+</h2>
+</div>
+<section class="section is-small is-light">
+<p>This exercise is a test of finding the flaw in the CSP. Execute a JavaScript <code>alert</code> pop-up to prove you have execution.</p>
+<p>Note: This one requires access to the internet.</p>
+
+
+<!-- The target scope is below this point -->
+
+  <div class="card">
+    <div class="card-content">
+      <p class="title is-4">Forgot My Password</p>
+      <form action="/ex/2" method="POST">
+        <label class="label">Email</label>
+          <div class="field">
+            <div class="control"><input class="input" type="text" name="email" value="{{ emailAddr | safe }}" /></div>
+          </div>
+          <input type="submit" class="button is-dark" value="Submit" />
+          {% if message %}
+            <p>{{ message }}</p>
+          {% endif %}
+      </form>
+    </div>
+  </div>
+</section>
+  <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.min.js"></script>
+  <script src="/alertsolve.js"></script>
+{% endblock %}