From 9563b12f2a690a35fd2d39f72546e48f24409c01 Mon Sep 17 00:00:00 2001 From: Ivan Date: Thu, 1 Jul 2021 18:02:43 -0500 Subject: [PATCH 1/3] Local File Inclusion Vulnerability and fixes --- .../vulnerability/lfi/LFIVulnerability.java | 106 ++++++++++++++++++ .../lfi/secretFiles/passwords.txt | 6 + .../types/VulnerabilitySubType.java | 5 +- src/main/resources/i18n/messages.properties | 26 ++++- .../resources/i18n/messages_en_US.properties | 26 ++++- .../static/images/GitHub-Mark-32px.png | Bin 0 -> 1714 bytes src/main/resources/static/index.html | 8 +- .../LocalFileInclusion/LEVEL_1/LFI.css | 6 + .../LocalFileInclusion/LEVEL_1/LFI.html | 17 +++ 9 files changed, 189 insertions(+), 11 deletions(-) create mode 100644 src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java create mode 100644 src/main/java/org/sasanlabs/service/vulnerability/lfi/secretFiles/passwords.txt create mode 100644 src/main/resources/static/images/GitHub-Mark-32px.png create mode 100644 src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css create mode 100644 src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html diff --git a/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java new file mode 100644 index 00000000..5446a034 --- /dev/null +++ b/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java 
@@ -0,0 +1,106 @@ +package org.sasanlabs.service.vulnerability.lfi; + +import static org.sasanlabs.vulnerability.utils.Constants.NULL_BYTE_CHARACTER; + +import java.io.File; +import java.io.IOException; +import java.util.Map; +import java.util.Scanner; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.sasanlabs.internal.utility.GenericUtils; +import org.sasanlabs.internal.utility.LevelConstants; +import org.sasanlabs.internal.utility.annotations.AttackVector; +import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping; +import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController; +import org.sasanlabs.service.vulnerability.pathTraversal.PathTraversalVulnerability; +import org.sasanlabs.vulnerability.types.VulnerabilitySubType; +import org.sasanlabs.vulnerability.types.VulnerabilityType; +import org.springframework.http.HttpStatus; +import org.springframework.http.ResponseEntity; +import org.springframework.web.bind.annotation.RequestParam; + +@VulnerableAppRestController( + descriptionLabel = "URL_BASED_LFI_INJECTION", + value = "LocalFileInclusion", + type = {VulnerabilityType.LFI}) +public class LFIVulnerability { + + private static final transient Logger LOGGER = + LogManager.getLogger(PathTraversalVulnerability.class); + + private static final String URL_PARAM_KEY = "file"; + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.LFI, + description = "LFI_URL_DIRECT_INJECTION") + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_1, + descriptionLabel = "LFI_URL_PARAM_BASED_DIRECT_INJECTION", + htmlTemplate = "LEVEL_1/LFI") + public ResponseEntity getVulnerablePayloadLevelUnsecure( + @RequestParam Map queryParams) { + StringBuilder payload = new StringBuilder(); + String queryParameterURL = queryParams.get(URL_PARAM_KEY); + if (queryParameterURL != null) { + try { + File file = + new File( + "src/main/java/org/sasanlabs/service/vulnerability/lfi/" + + 
queryParameterURL); + Scanner reader = new Scanner(file); + String data = ""; + while (reader.hasNextLine()) { + data = data + reader.nextLine(); + } + data = + data + + "go to LEVEL_2"; + payload.append(data); + reader.close(); + } catch (IOException e) { + LOGGER.error("Following error occurred:", e); + } + } + + return new ResponseEntity<>( + GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString()), + HttpStatus.OK); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.LFI, + description = "LFI_URL_DIRECT_INJECTION_WITH_VALIDATION_ON_FILE") + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_2, + descriptionLabel = "LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE", + htmlTemplate = "LEVEL_1/LFI") + public ResponseEntity getVulnerablePayloadLevelUnsecureLevel2( + @RequestParam Map queryParams) { + StringBuilder payload = new StringBuilder(); + String queryParameterURL = queryParams.get(URL_PARAM_KEY); + if (queryParameterURL != null && queryParameterURL.contains(NULL_BYTE_CHARACTER)) { + try { + queryParameterURL = queryParameterURL.replace(NULL_BYTE_CHARACTER, ""); + File file = + new File( + "src/main/java/org/" + + "sasanlabs/service/vulnerability/lfi/" + + queryParameterURL); + Scanner reader = new Scanner(file); + String data = ""; + while (reader.hasNextLine()) { + data = data + reader.nextLine(); + } + payload.append(data); + reader.close(); + } catch (IOException e) { + LOGGER.error("Following error occurred:", e); + } + } + + return new ResponseEntity<>( + GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString()), + HttpStatus.OK); + } +} diff --git a/src/main/java/org/sasanlabs/service/vulnerability/lfi/secretFiles/passwords.txt b/src/main/java/org/sasanlabs/service/vulnerability/lfi/secretFiles/passwords.txt new file mode 100644 index 00000000..a6af29ce --- /dev/null +++ b/src/main/java/org/sasanlabs/service/vulnerability/lfi/secretFiles/passwords.txt @@ -0,0 +1,6 @@ +
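Review bot: The logger in the new class is created with `PathTraversalVulnerability.class`, so every error this controller logs is attributed to the path-traversal module; it should read `LogManager.getLogger(LFIVulnerability.class);`, after which the `PathTraversalVulnerability` import is unused. Both levels open the file with a bare `Scanner` that is only closed on the success path; `try (Scanner reader = new Scanner(file)) {` inside the existing `try`/`catch` closes it on every exit. The path is built from the literal `src/main/java/org/sasanlabs/service/vulnerability/lfi/`, which `File` resolves against the JVM working directory, so the levels presumably only work when the app is launched from the repository root, and a non-Java file under `src/main/java` is unlikely to be packaged into the built artifact — a classpath resource or a configured base directory would be more robust. Both methods also use raw `Map` and `ResponseEntity`; `Map<String, String>` and `ResponseEntity<String>` cost nothing here.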

TOP SECRET PASSWORDS

+ +

USER1:PQOAJ231

+

USER2:DKAO1020

+

USER3:CMVNP325

+ diff --git a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java index 747a8f9a..c1ecb121 100644 --- a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java +++ b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java @@ -41,7 +41,10 @@ public enum VulnerabilitySubType { NULL_BYTE(VulnerabilityType.NULL_BYTE), // XXE Vulnerability - XXE(VulnerabilityType.XXE); + XXE(VulnerabilityType.XXE), + + // LFI Vulnerability + LFI(VulnerabilityType.LFI); private VulnerabilityType vulnerabilityType; diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index c83e695b..64886581 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties @@ -203,9 +203,29 @@ COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26 # Local File Injection -#URL_BASED_LFI_INJECTION=Url based Local File Injection attack. -#LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. -#LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. +URL_BASED_LFI_INJECTION=LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.\ + An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. \ +An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). \ +Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input \ \ +as trusted, a local file may be used in the include statement. \ +

Important Links on LFI : \ +
    \
  1. \ + Testing for Local File Inclusion \ \ +
  2. \ + Local File Inclusion by netsparker \ +
+LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. +LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. +#### AttackVector description +LFI_URL_DIRECT_INJECTION=If the developer fails to implement sufficient filtering an attacker could exploit the local file \ +inclusion vulnerability by replacing the path with another path of a sensitive file such as a password file, allowing \ +the attacker to see its content. +LFI_URL_DIRECT_INJECTION_WITH_VALIDATION_ON_FILE=The null character is a control character with the value zero present in \ +many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after \ +this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by \ +appending it to the requested path, this would ignore the file's extension being added to the input filename, \ +returning to an attacker the file information as a result of a successful exploitation. # Local File Injection with Null Byte #URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index d1ff0875..be5bf115 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties 
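Review bot: The two `LFI_URL_PARAM_BASED_*` descriptions say the parameter is `\"fileName\"`, but the controller added in this patch reads `queryParams.get(URL_PARAM_KEY)` with `URL_PARAM_KEY = "file"`, and the LFI.html template tells the user to use `file`. The labels should read `Url Parameter \"file\" is directly passed to the include file.` and `Url Parameter \"file\" is validated and passed to include file.`. The same text is repeated in the messages_en_US.properties hunk of this patch and is copied again into the `LFI_URL_PARAM_BASED_INJECTION_WITH_DOT_DOT_SLASH` entries of the second patch.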
@@ -203,9 +203,29 @@ COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26 # Local File Injection -#URL_BASED_LFI_INJECTION=Url based Local File Injection attack. -#LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. -#LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. +URL_BASED_LFI_INJECTION=LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.\ + An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. \ +An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). \ +Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input \ \ +as trusted, a local file may be used in the include statement. \ +

Important Links on LFI : \ +
    \
  1. \ + Testing for Local File Inclusion \ \ +
  2. \ + Local File Inclusion by netsparker \ +
+LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. +LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. +#### AttackVector description +LFI_URL_DIRECT_INJECTION=If the developer fails to implement sufficient filtering an attacker could exploit the local file \ +inclusion vulnerability by replacing the path with another path of a sensitive file such as a password file, allowing \ +the attacker to see its content. +LFI_URL_DIRECT_INJECTION_WITH_VALIDATION_ON_FILE=The null character is a control character with the value zero present in \ +many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after \ +this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by \ +appending it to the requested path, this would ignore the file's extension being added to the input filename, \ +returning to an attacker the file information as a result of a successful exploitation. # Local File Injection with Null Byte #URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack. 
diff --git a/src/main/resources/static/images/GitHub-Mark-32px.png b/src/main/resources/static/images/GitHub-Mark-32px.png new file mode 100644 index 0000000000000000000000000000000000000000..8b25551a97921681334176ee143b41510a117d86 GIT binary patch literal 1714 zcmaJ?X;2eq7*4oFu!ne{XxAht2qc?8LXr|_LPCfTpaBK7K$c{I0Ld=NLIOeuC;@2) zZ$K%a)k+m-s0>xHmKxL%0V&0TRzzznhgyqrIC$F)0{WwLXLrBvd*^wc_uSc%h%m9E z{W5z3f#4_!7RvAyFh6!S_*<8qJ%KOIm?#E|L=rJQq=gB5C6WLG5;c?r%V0>EmEH#X z5eSwPRa6WXBMs#$5H%GtW2go-in9p>zW@UYDNNWc^XOXZQ? z1QjEV00I#$3^1wQUJ8&-2UsjB-G|9y(LDhMNN3PM{APL4eYi{(m*ERcUnJa{R+-3^ z34^A6;U^v`8N*O6ji%S@sd{fJqD`XFIUJ5zgTe5^5nj414F(y!G&=H(f)Lgzv?>%+ zAsWD}2qhpH7>|TU`X&W6IxDNuO_vET7|j5oG&&VDr!)hUO8+0KR?nh!m<)a!?|%yG zqOwq!CWCcIhE{<$E|F|@g>nP6FoYr6C<8>D?ID9%&5J(4oSbR1I^byW*g@__U z4QsF&uJSEcFeleM3~ChjEQGbHOjsGDMbyAl(p=Ttv9RaVo8~I#js@@Y9C^_2U})yn zzSHU%6FxuY?d;&65MyR({^lU*3$z$ZllDb(o&<7d;A_`h2U+3~BJ2Hv`{W}KEU801#cv_B|9Cm!ynR{S`AMsSn z;7E=B;mb!wx$L;S>yGXG^6=&WlQn9$s?&L%Y1D8TI^MlKB1DqsEng$>f4=xYWBoPI z_S1p!sJ#d2?YI4kPA{k}Eby?F=f-J9zIc`YDl^pzjVm~9ebE?Hn?t0Nx+la|D0MB; z9)2xv1G>a1|A9kQ>~DV<=X3-4yC&n!m8-3K#P z{X@0zRuQsy$+N ziSCoLJU{Z$nQy4A4Y5UJ07$5FA~qL2%Q+cLaqDU?Lz3?=BC5;Nk6BbTmmceEaM>-Z zi>O&-dSE=%ex;vcvCOk{*JQ5^_4M z4lW7%l9IqY(z7pV(?I@@8=KPFO82)O{VDI18-*d-k$YmI^XiuPs_LuFw<^ZcD}yP5 c*NrbeloN*74g`U%%F6r~k%+>C^#XapzmV0H-2eap literal 0 HcmV?d00001 diff --git a/src/main/resources/static/index.html b/src/main/resources/static/index.html index e34b2a0a..3205fa6f 100755 --- a/src/main/resources/static/index.html +++ b/src/main/resources/static/index.html @@ -22,7 +22,7 @@ @@ -86,8 +86,8 @@

How can Vulnerability Scanning Tools use VulnerableApp?


Following are the endpoints exposed:
    -
  1. Scanner Endpoint
  2. -
  3. SiteMap Endpoint
  4. +
  5. Scanner Endpoint
  6. +
  7. SiteMap Endpoint
Scanner Endpoint
diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css new file mode 100644 index 00000000..d28a03ff --- /dev/null +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css @@ -0,0 +1,6 @@ +#LFI_level_1 { + color: black; + text-align: left; + font-size: 18px; + font-weight: normal; +} \ No newline at end of file diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html new file mode 100644 index 00000000..73b29d13 --- /dev/null +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html @@ -0,0 +1,17 @@ +
+
+ Local file inclusion (also known as LFI) is the process of including files, + that are already locally present on the server, through the exploiting of + vulnerable inclusion procedures implemented in the application. + This vulnerability occurs, for example, when a page receives, as input, + the path to the file that has to be included and this input is not properly + sanitized, allowing directory traversal characters (such as dot-dot-slash) + to be injected. +

+ For practice these vulnerabilities enter to: + http://[baseUrl]:9090/VulnerableApp/LocalFileInclusion/[level] + Try to find the password file inside the secretFiles folder using the URL param: file +

+ click here to start in LEVEL 1 +
+
\ No newline at end of file From 4520651018c97e2aa5d18f40fc78b006e9caa931 Mon Sep 17 00:00:00 2001 From: Ivan Date: Sat, 3 Jul 2021 15:00:09 -0500 Subject: [PATCH 2/3] New levels and UI changed --- .../vulnerability/lfi/LFIVulnerability.java | 88 ++++++++++++++++--- src/main/resources/i18n/messages.properties | 5 ++ .../resources/i18n/messages_en_US.properties | 5 ++ .../LocalFileInclusion/LEVEL_1/LFI.css | 12 +++ .../LocalFileInclusion/LEVEL_1/LFI.html | 8 +- .../LocalFileInclusion/LEVEL_1/LFI.js | 21 +++++ 6 files changed, 123 insertions(+), 16 deletions(-) create mode 100644 src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js diff --git a/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java index 5446a034..286d8a94 100644 --- a/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java +++ b/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java @@ -4,12 +4,11 @@ import java.io.File; import java.io.IOException; -import java.util.Map; -import java.util.Scanner; +import java.util.*; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.sasanlabs.internal.utility.GenericUtils; import org.sasanlabs.internal.utility.LevelConstants; +import org.sasanlabs.internal.utility.Variant; import org.sasanlabs.internal.utility.annotations.AttackVector; import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping; import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController; @@ -53,9 +52,6 @@ public ResponseEntity getVulnerablePayloadLevelUnsecure( while (reader.hasNextLine()) { data = data + reader.nextLine(); } - data = - data - + "go to LEVEL_2"; payload.append(data); reader.close(); } catch (IOException e) { 
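Review bot: `import java.util.*;` replaces the explicit `java.util.Map` and `java.util.Scanner` imports with a wildcard, in a file whose every other import is explicit. The new code needs only `Map`, `Scanner`, `List`, `Arrays` and `ArrayList`; listing those keeps the import block consistent and avoids pulling unrelated `java.util` names into scope.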
@@ -63,9 +59,7 @@ public ResponseEntity getVulnerablePayloadLevelUnsecure( } } - return new ResponseEntity<>( - GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString()), - HttpStatus.OK); + return new ResponseEntity(payload.toString(), HttpStatus.OK); } @AttackVector( 
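Review bot: `return new ResponseEntity(payload.toString(), HttpStatus.OK);` drops the diamond the removed line had, so the body is now constructed through a raw type and the compiler cannot check it against the declared return. Keep `return new ResponseEntity<>(payload.toString(), HttpStatus.OK);` and declare the method as `public ResponseEntity<String> getVulnerablePayloadLevelUnsecure(`. The same raw construction is repeated in the three `return` statements of the next hunk (levels 2, 3 and 4).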
@@ -99,8 +93,78 @@ public ResponseEntity getVulnerablePayloadLevelUnsecureLevel2( } } - return new ResponseEntity<>( - GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString()), - HttpStatus.OK); + return new ResponseEntity(payload.toString(), HttpStatus.OK); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.LFI, + description = "LFI_URL_DIRECT_INJECTION_DOT_DOT_SLASH") + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_3, + descriptionLabel = "LFI_URL_PARAM_BASED_INJECTION_WITH_DOT_DOT_SLASH", + htmlTemplate = "LEVEL_1/LFI") + public ResponseEntity getVulnerablePayloadLevelUnsecureLevel3( + @RequestParam Map queryParams) { + StringBuilder payload = new StringBuilder(); + String queryParameterURL = queryParams.get(URL_PARAM_KEY); + if (queryParameterURL != null && queryParameterURL.equals("../passwords.txt")) { + try { + queryParameterURL = queryParameterURL.replace("..", "secretFiles"); + File file = + new File( + "src/main/java/org/" + + "sasanlabs/service/vulnerability/lfi/" + + queryParameterURL); + Scanner reader = new Scanner(file); + String data = ""; + while (reader.hasNextLine()) { + data = data + reader.nextLine(); + } + payload.append(data); + reader.close(); + } catch (IOException e) { + LOGGER.error("Following error occurred:", e); + } + } + + return new ResponseEntity(payload.toString(), HttpStatus.OK); + } + + @AttackVector( + vulnerabilityExposed = VulnerabilitySubType.LFI, + description = "LFI_URL_DIRECT_INJECTION_WHITELISTING") + @VulnerableAppRequestMapping( + value = LevelConstants.LEVEL_4, + variant = Variant.SECURE, + descriptionLabel = "LFI_URL_PARAM_BASED_DIRECT_INJECTION", + htmlTemplate = "LEVEL_1/LFI") + public ResponseEntity getVulnerablePayloadLevelUnsecureLevel4( + @RequestParam Map queryParams) { + StringBuilder payload = new StringBuilder(); + String queryParameterURL = queryParams.get(URL_PARAM_KEY); + String[] files = new String[] {"secretFiles/passwords.txt"}; + List protectedFiles = 
new ArrayList<>(Arrays.asList(files)); + if (queryParameterURL != null && protectedFiles.contains(queryParameterURL) == false) { + try { + File file = + new File( + "src/main/java/org/" + + "sasanlabs/service/vulnerability/lfi/" + + queryParameterURL); + Scanner reader = new Scanner(file); + String data = ""; + while (reader.hasNextLine()) { + data = data + reader.nextLine(); + } + payload.append(data); + reader.close(); + } catch (IOException e) { + LOGGER.error("Following error occurred:", e); + } + } else { + payload.append("You don't have access to this data"); + } + + return new ResponseEntity(payload.toString(), HttpStatus.OK); } } diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties index 64886581..2e28425c 100755 --- a/src/main/resources/i18n/messages.properties +++ b/src/main/resources/i18n/messages.properties @@ -217,6 +217,7 @@ as trusted, a local file may be used in the include statement. \ LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. +LFI_URL_PARAM_BASED_INJECTION_WITH_DOT_DOT_SLASH=Url Parameter \"fileName\" is validated and passed to include file. #### AttackVector description LFI_URL_DIRECT_INJECTION=If the developer fails to implement sufficient filtering an attacker could exploit the local file \ inclusion vulnerability by replacing the path with another path of a sensitive file such as a password file, allowing \ 
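Review bot: Level 4 is marked `Variant.SECURE` and its message key speaks of whitelisting, but `protectedFiles.contains(queryParameterURL) == false` is a denylist compared against the raw request string, so only the one exact spelling `secretFiles/passwords.txt` is refused and any other spelling of the same file, or a path that leaves the directory, is still opened. A level presented as secure should canonicalize first: resolve the parameter against the base directory with `java.nio.file.Path`, `normalize()` it, require it to stay under the base, and only then apply the intended list (`Path` and `Paths` need importing). With the canonical path in hand the `secretFiles` subtree can be excluded as a path prefix rather than as a string, and the `Scanner` can be opened in try-with-resources. `resolve()` throws `InvalidPathException` on characters the filesystem rejects, which should be caught and treated as a refusal rather than a 500. The `new ArrayList<>(Arrays.asList(files))` and the `== false` comparison go away with it.
```java
public ResponseEntity getVulnerablePayloadLevelUnsecureLevel4(
        @RequestParam Map queryParams) {
    // … unchanged: payload and queryParameterURL locals …
    // Compare canonical paths, never the raw request string.
    Path base =
            Paths.get("src/main/java/org/sasanlabs/service/vulnerability/lfi")
                    .toAbsolutePath()
                    .normalize();
    Path requested =
            queryParameterURL == null ? null : base.resolve(queryParameterURL).normalize();
    boolean insideBase = requested != null && requested.startsWith(base);
    boolean isProtected = insideBase && requested.startsWith(base.resolve("secretFiles"));
    if (insideBase && !isProtected) {
        try (Scanner reader = new Scanner(requested.toFile())) {
            // … unchanged: read lines into payload …
        } catch (IOException e) {
            LOGGER.error("Following error occurred:", e);
        }
    } else {
        payload.append("You don't have access to this data");
    }
    // … unchanged: return …
```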
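Review bot: The new `LFI_URL_PARAM_BASED_INJECTION_WITH_DOT_DOT_SLASH` label is a verbatim copy of the `..._WITH_VALIDATION_ON_FILE` line above it, so levels 2 and 3 show the same description in the UI. Something like `Url Parameter \"file\" is passed to the include file after dot-dot-slash validation.` would distinguish it; the same copy appears in the messages_en_US.properties hunk of this patch.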
@@ -226,6 +227,10 @@ many character sets that is being used as a reserved character to mark the end o this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by \ appending it to the requested path, this would ignore the file's extension being added to the input filename, \ returning to an attacker the file information as a result of a successful exploitation. +LFI_URL_DIRECT_INJECTION_DOT_DOT_SLASH=The attacker can see a file content by appending the sequence: dot-dot-slash (../) \ +and the file's name in the url. +LFI_URL_DIRECT_INJECTION_WHITELISTING=A way to prevent LFI attacks is with a whitelisting: use verified and secured whitelist \ +files and ignore everything else # Local File Injection with Null Byte #URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack. diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties index be5bf115..46f1c25f 100755 --- a/src/main/resources/i18n/messages_en_US.properties +++ b/src/main/resources/i18n/messages_en_US.properties @@ -217,6 +217,7 @@ as trusted, a local file may be used in the include statement. \ LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file. LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file. +LFI_URL_PARAM_BASED_INJECTION_WITH_DOT_DOT_SLASH=Url Parameter \"fileName\" is validated and passed to include file. #### AttackVector description LFI_URL_DIRECT_INJECTION=If the developer fails to implement sufficient filtering an attacker could exploit the local file \ inclusion vulnerability by replacing the path with another path of a sensitive file such as a password file, allowing \ 
@@ -226,6 +227,10 @@ many character sets that is being used as a reserved character to mark the end o this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by \ appending it to the requested path, this would ignore the file's extension being added to the input filename, \ returning to an attacker the file information as a result of a successful exploitation. +LFI_URL_DIRECT_INJECTION_DOT_DOT_SLASH=The attacker can see a file content by appending the sequence: dot-dot-slash (../) \ +and the file's name in the url. +LFI_URL_DIRECT_INJECTION_WHITELISTING=A way to prevent LFI attacks is with a whitelisting: use verified and secured whitelist \ +files and ignore everything else # Local File Injection with Null Byte #URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack. diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css index d28a03ff..de450889 100644 --- a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css @@ -3,4 +3,16 @@ text-align: left; font-size: 18px; font-weight: normal; +} + +#verifyUrl { + background: blueviolet; + display: inline-block; + padding: 4px 4px; + margin: 10px; + border: 1px solid transparent; + border-radius: 2px; + transition: 0.2s opacity; + color: #FFF; + font-size: 12px; } \ No newline at end of file diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html index 73b29d13..a1ff3947 100644 --- a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html 
@@ -8,10 +8,10 @@ sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

- For practice these vulnerabilities enter to: - http://[baseUrl]:9090/VulnerableApp/LocalFileInclusion/[level] Try to find the password file inside the secretFiles folder using the URL param: file -

- click here to start in LEVEL 1 + +
+ +
\ No newline at end of file diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js new file mode 100644 index 00000000..8adf6335 --- /dev/null +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js @@ -0,0 +1,21 @@ +function addingEventListenerToVerifyUrl() { + document.getElementById("verifyUrl").addEventListener("click", function () { + let url = getUrlForVulnerabilityLevel(); + const queryString = location.search; + + url = url + queryString; + + console.log(url); + + doGetAjaxCall(updateUIWithVerifyResponse, url, false); + }); +} +addingEventListenerToVerifyUrl(); + +function updateUIWithVerifyResponse(data) { + if (data) { + document.getElementById("verificationResponse").innerHTML = data; + } else { + document.getElementById("verificationResponse").innerHTML = "Try again."; + } +} From 0e67f1498610545c0f49cdb5408e8e2a3b30c605 Mon Sep 17 00:00:00 2001 From: Ivan Date: Sun, 4 Jul 2021 11:29:05 -0500 Subject: [PATCH 3/3] Input box for LFI vulnerability --- .../LocalFileInclusion/LEVEL_1/LFI.css | 4 ++++ .../LocalFileInclusion/LEVEL_1/LFI.html | 3 +++ .../LocalFileInclusion/LEVEL_1/LFI.js | 21 ++++++++++++------- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css index de450889..5f109f5e 100644 --- a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css @@ -15,4 +15,8 @@ transition: 0.2s opacity; color: #FFF; font-size: 12px; +} + +#url { + width: 500px } \ No newline at end of file diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html index a1ff3947..422a0fe4 100644 
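Review bot: `updateUIWithVerifyResponse` assigns the server reply to `innerHTML`, and since this patch also removed the `GenericUtils` wrapping on the Java side the reply is the raw content of whatever file the `file` parameter selected, so any markup in that file is rendered in the page. Use `document.getElementById("verificationResponse").textContent = data;` (and the same for the `"Try again."` branch) unless rendering HTML is intended. The `console.log(url)` in the click handler looks like leftover debugging.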
--- a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html @@ -10,7 +10,10 @@

Try to find the password file inside the secretFiles folder using the URL param: file +

+ please enter a URL: +
diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js index 8adf6335..3796fec1 100644 --- a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js +++ b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.js @@ -1,13 +1,9 @@ function addingEventListenerToVerifyUrl() { document.getElementById("verifyUrl").addEventListener("click", function () { - let url = getUrlForVulnerabilityLevel(); - const queryString = location.search; - - url = url + queryString; - - console.log(url); - - doGetAjaxCall(updateUIWithVerifyResponse, url, false); + let urlInput = document.getElementById("url").value; + let params = "?file=" + getParameterByName("file", urlInput); + let urlLevel = getUrlForVulnerabilityLevel() + params; + doGetAjaxCall(updateUIWithVerifyResponse, urlLevel, false); }); } addingEventListenerToVerifyUrl(); @@ -19,3 +15,12 @@ function updateUIWithVerifyResponse(data) { document.getElementById("verificationResponse").innerHTML = "Try again."; } } + +function getParameterByName(name, url) { + name = name.replace(/[\[\]]/g, "\\$&"); + var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"), + results = regex.exec(url); + if (!results) return null; + if (!results[2]) return ""; + return results[2]; +}
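Review bot: `getParameterByName` returns `null` when the typed URL has no `file` parameter, and `"?file=" + ...` on the next line turns that into `?file=null`, so the request is still sent with the literal file name `null`. Guard it before building the URL: `let fileParam = getParameterByName("file", urlInput); if (fileParam === null) { updateUIWithVerifyResponse("Try again."); return; }`. `new URL(urlInput).searchParams.get("file")` would do the same extraction without the hand-written regex, at the cost of throwing on input that is not a URL. The helper added in the second hunk uses `var` where the rest of the file uses `let`/`const`.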