Merge development into master (#308)
Co-authored-by: Goncharenko Alexander <[email protected]>
Co-authored-by: Anatol Karalkoŭ <[email protected]>
Co-authored-by: denanmusinovic <[email protected]>
Co-authored-by: Denan Musinovic <[email protected]>
Co-authored-by: Oleg <[email protected]>
Co-authored-by: gornication <[email protected]>
Co-authored-by: Alexander Goncharenko <[email protected]>
Co-authored-by: Maxim Ashin <[email protected]>
9 people authored Mar 7, 2024
1 parent 97fd509 commit b4643b6
Showing 67 changed files with 1,989 additions and 1,174 deletions.
17 changes: 17 additions & 0 deletions .github/workflows/release.yml
@@ -4,6 +4,8 @@ on:
push:
branches:
- master
- development
- experimental

jobs:
packages:
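Review bot: the push trigger now also fires on `experimental`, but every conditional step further down checks only `github.ref == 'refs/heads/development'`, so a push to `experimental` runs `helm/chart-releaser-action` with the unmodified chart name and version from Chart.yaml. With `CR_SKIP_EXISTING: true` that is either a silent no-op (the version was already released from master) or it publishes an experimental build under the production chart name. Either add a matching rename/values step for `experimental` (an `if: ${{ github.ref == 'refs/heads/experimental' }}` step with its own suffix) or leave the branch out of the trigger until one exists.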
@@ -18,8 +20,23 @@ jobs:
run: |
git config --global user.email "[email protected]"
git config --global user.name "Bright Security"
- name: Change name to development
if: ${{ github.ref == 'refs/heads/development' }}
run: |
sed -i 's/brokencrystals/brokencrystals-dev/g' ./charts/brokencrystals/Chart.yaml
sed -i 's/brkn/brkn-dev/g' ./charts/brokencrystals/Chart.yaml
- name: Change values to development
if: ${{ github.ref == 'refs/heads/development' }}
run: |
sed -i 's/^ main:.*/ main: development/' ./charts/brokencrystals/values.yaml
sed -i 's/^ client:.*/ client: development/' ./charts/brokencrystals/values.yaml
- name: Release packages
uses: helm/[email protected]
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SKIP_EXISTING: true
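Review bot: the substitutions in `Change name to development` are unanchored and global, and sed exits 0 when nothing matches, so any drift in Chart.yaml silently leaves the chart named `brokencrystals` and the development build is then published under the production chart name (or skipped by `CR_SKIP_EXISTING`). `s/brokencrystals/brokencrystals-dev/g` and `s/brkn/brkn-dev/g` also rewrite the `keywords` entries and any other occurrence of those strings in the file, and `^ main:.*` / `^ client:.*` depend on values.yaml keeping exactly that indentation. Anchor the patterns to the fields you mean (`s/^name: brokencrystals$/name: brokencrystals-dev/`) and fail the job if the result is not what you expect, e.g. `grep -q '^name: brokencrystals-dev$' ./charts/brokencrystals/Chart.yaml || exit 1`, before the release step runs.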


19 changes: 19 additions & 0 deletions README.md
@@ -127,7 +127,26 @@ There are specific endpoints for each cloud provider as well - `/api/file/google
* **Version Control System** - The client_s build process copies SVN, GIT, and Mercurial source control directories to the client application root and they are accessible under Nginx root.

* **XML External Entity (XXE)** - The endpoint, POST /api/metadata, receives URL-encoded XML data in the _xml_ query parameter, processes it with enabled external entities (using libxmnl library) and returns the serialized DOM. Additionally, for a request that tries to load file:///etc/passwd as an entity, the endpoint returns a mocked up content of the file.
Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images, which are proccessed with libxml library and stored on the server, as well as sent back to the client.

* **JavaScript Vulnerabilities Scanning** - Index.html includes an older version of the jQuery library with known vulnerabilities.

* **AO1 Vertical access controls** - The page /dashboard can be reached despite the rights of user.

* **Broken Function Level Authorization** - The endpoint DELETE `/users/one/:id/photo?isAdmin=` can be used to delete any user's profile photo by enumerating the user IDs and setting the `isAdmin` query parameter to true, as there is no validation of it's value on the server side.

* **IFrame Injection** - The `/testimonials` page a URL parameter `videosrc` which directly controls the src attribute of the IFrame at the bottom of this page. Similarly, the home page takes a URL param `maptitle` which directly controls the `title` attribute of the IFrame at the CONTACT section of this page.

* **Excessive Data Exposure** - The `/api/users/one/:email` is supposed to expose only basic user information required to be displayed on the UI, but it also returns the user's phone number which is unnecessary information.

* **Business Constraint Bypass** - The `/api/products/latest` endpoint supports a `limit` parameter, which by default is set to 3. The `/api/products` endpoint is a password protected endpoint which returns all of the products, yet if you change the `limit` param of `/api/products/latest` to be high enough you could get the same results without the need to be authenticated.

* **ID Enumeration** - There are a few ID Enumeration vulnerabilities:
1. The endpoint DELETE `/users/one/:id/photo?isAdmin=` which is used to delete a user's profile picture is vulnerable to ID Enumeration together with [Broken Function Level Authorization](#broken-function-level-authorization).
2. The `/users/id/:id` endpoint returns user info by ID, it doesn't require neither authentication nor authorization.

* **XPATH Injection** - The `/api/partners/*` endpoint contains the following XPATH injection vulnerabilities:
1. The endpoint GET `/api/partners/partnerLogin` is supposed to login with the user's credentials in order to obtain account info. It's vulnerable to an XPATH injection using boolean based payloads. When exploited it'll retrieve data about other users as well. You can use `' or '1'='1` in the password field to exploit the EP.
2. The endpoint GET `/api/partners/searchPartners` is supposed to search partners' names by a given keyword. It's vulnerable to an XPATH injection using string detection payloads. When exploited, it can grant access to sensitive information like passwords and even lead to full data leak. You can use `')] | //password%00//` or `')] | //* | a[('` to exploit the EP.
3. The endpoint GET `/api/partners/query` is a raw XPATH injection endpoint. You can put whatever you like there. It is not referenced in the frontend, but it is an exposed API endpoint.
4. Note: All endpoints are vulnerable to error based payloads.
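Review bot: the new entries carry a few wording and link problems that will ship in the rendered README. The link `[Broken Function Level Authorization](#broken-function-level-authorization)` points at a bold list item, not a heading, so GitHub generates no such anchor and the link is dead; make the target a heading or drop the link. `it's value` should be `its value`, `The /testimonials page a URL parameter videosrc` is missing its verb (`takes`), and `doesn't require neither authentication nor authorization` is a double negative (`requires neither`). The `AO1 Vertical access controls` item (`can be reached despite the rights of user`) never says which role is supposed to be kept out of `/dashboard`; state the intended restriction the way the neighbouring entries do. The DELETE route is written as `/users/one/:id/photo` while the other entries use the `/api/` prefix (`/api/users/one/:email`); confirm which path is actually exposed so the entry is reproducible. The surrounding context lines also have pre-existing typos (`client_s`, `libxmnl`, `proccessed`) that could be fixed while this section is being touched.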
2 changes: 1 addition & 1 deletion charts/brokencrystals/Chart.yaml
@@ -4,7 +4,7 @@ description: |
Benchmark application that uses modern technologies and implements a set of
common security vulnerabilities
type: application
version: 0.0.29
version: 0.0.46
keywords:
- brokencrystals
- brkn
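Review bot: `version` jumps from 0.0.29 to 0.0.46 in one merge with nothing in this commit accounting for the 17 intermediate versions; if those were released from `development` they went out under the renamed `brokencrystals-dev` chart, so the `brokencrystals` index will skip straight from 0.0.29 to 0.0.46 and consumers get no record of what changed. Note also that the workflow's `sed -i 's/brkn/brkn-dev/g'` and `s/brokencrystals/brokencrystals-dev/g` run over this whole file, so the `keywords` entries `- brokencrystals` and `- brkn` visible here are rewritten along with the chart `name`. A changelog line or an `annotations:` entry for the bump would help.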
6 changes: 3 additions & 3 deletions charts/brokencrystals/templates/_helpers.tpl
@@ -12,13 +12,13 @@ If release name contains chart name it will be used as a full name.
*/}}
{{- define "brokencrystals.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- .Release.Name | trunc 50 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
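Review bot: the truncation in `brokencrystals.fullname` drops from 63 to 50 with no comment saying why; 63 is the DNS label limit Kubernetes enforces on Service names and label values, and a 50-character base is presumably meant to leave room for suffixes. It does not leave enough: `{{ include "brokencrystals.fullname" . }}-keycloak-postgres` (in the new ConfigMap below) appends 18 characters, so a 50-character fullname yields a 68-character name, still over 63 wherever that pattern feeds a Service or a label. Either lower the limit to fit the longest suffix in use (45 would cover `-keycloak-postgres`) or truncate after the suffix is appended, and record the reason in the comment block above the define. Truncating on both branches also means two releases whose names share the same first 50 characters collide.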
62 changes: 0 additions & 62 deletions charts/brokencrystals/templates/bc-postgres-deployment.yaml

This file was deleted.

86 changes: 0 additions & 86 deletions charts/brokencrystals/templates/bc-prod-deployment.yaml

This file was deleted.

91 changes: 0 additions & 91 deletions charts/brokencrystals/templates/bc-prod-proxy-deployment.yaml

This file was deleted.
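Review bot: three Deployment templates (`bc-postgres-deployment.yaml`, `bc-prod-deployment.yaml`, `bc-prod-proxy-deployment.yaml`) are removed here, and the only related change visible on this page is the nginx ConfigMap switching `proxy_pass` to `127.0.0.1:3000`, which only works if nginx and the Node.js process now run in the same pod. The replacement template(s) are not rendered on this page, so check that a Deployment or StatefulSet in this same commit recreates the database, application and proxy containers (and that the `-nodejs` Service is either removed or still referenced by something), since a chart with these templates deleted and nothing added installs no workloads at all.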

9 changes: 9 additions & 0 deletions charts/brokencrystals/templates/config-keycloak-postgres.yaml
@@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "brokencrystals.fullname" . }}-keycloak-postgres
namespace: {{ .Release.Namespace }}
data:
postgresql.conf.sample: |
listen_addresses = '*'
port = 5433
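Review bot: `postgresql.conf.sample` is the template `initdb` copies into the data directory when the cluster is first created, so these two settings only take effect on an empty volume; editing this ConfigMap later does not change a running Keycloak database, and nothing here states where the file is mounted. `listen_addresses = '*'` with `port = 5433` opens the Keycloak database on every interface in its network namespace (the non-default port suggests it shares that namespace with the application's own Postgres on 5432), so the pod must not expose 5433 through a Service, and client authentication stays at whatever `pg_hba.conf` the image ships, which this ConfigMap does not set. Add a comment naming the mount path and the first-start-only semantics, or pass the settings as server options (`postgres -c port=5433`), which apply on every start.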
@@ -7,17 +7,13 @@ data:
pg.sql: |
set names 'utf8';
set session_replication_role = 'replica';
create table "user" ("id" serial primary key, "created_at" timestamptz(0) not null, "updated_at" timestamptz(0) not null, "email" varchar(255) not null, "password" varchar(255) not null, "first_name" varchar(255) not null, "last_name" varchar(255) not null, "is_admin" bool not null, "photo" bytea null, "company" varchar(255) not null, "card_number" varchar(255) not null, "phone_number" varchar(255) not null);
create table "user" ("id" serial primary key, "created_at" timestamptz(0) not null, "updated_at" timestamptz(0) not null, "email" varchar(255) not null, "password" varchar(255) not null, "first_name" varchar(255) not null, "last_name" varchar(255) not null, "is_admin" bool not null, "photo" bytea null, "company" varchar(255) not null, "card_number" varchar(255) not null, "phone_number" varchar(255) not null, "is_basic" bool not null);
create table "testimonial" ("id" serial primary key, "created_at" timestamptz(0) not null, "updated_at" timestamptz(0) not null, "name" varchar(255) not null, "title" varchar(255) not null, "message" varchar(255) not null);
create table "product" ("id" serial primary key, "created_at" timestamptz(0) not null default now(), "category" varchar(255) not null, "photo_url" varchar(255) not null, "name" varchar(255) not null, "description" varchar(255) null, "views_count" int DEFAULT 0);
set session_replication_role = 'origin';
--password is admin
INSERT INTO "user" (created_at, updated_at, email, password, first_name, last_name, is_admin, photo, company, card_number, phone_number) VALUES (now(), now(), 'admin', '$2b$10$BBJjmVNNdyEgv7pV/zQR9u/ssIuwZsdDJbowW/Dgp28uws3GmO0Ky', 'admin', 'admin', true, null, 'Brightsec', '1234 5678 9012 3456', '+1 234 567 890');
INSERT INTO "user" (created_at, updated_at, email, password, first_name, last_name, is_admin, photo, company, card_number, phone_number) VALUES (now(), now(), 'user', '$2b$10$edsq4aqzAHnrJu68t8GS2.v0Z7hJSstAo7wBBDmmbpjYGxMMTYpVi', 'user', 'user', false, null, 'Brightsec', '1234 5678 9012 3456', '+1 234 567 890');
INSERT INTO "user" (created_at, updated_at, email, password, first_name, last_name, is_admin, photo, company, card_number, phone_number, is_basic) VALUES (now(), now(), 'admin', '$2b$10$BBJjmVNNdyEgv7pV/zQR9u/ssIuwZsdDJbowW/Dgp28uws3GmO0Ky', 'admin', 'admin', true, null, 'Brightsec', '1234 5678 9012 3456', '+1 234 567 890', true);
INSERT INTO "user" (created_at, updated_at, email, password, first_name, last_name, is_admin, photo, company, card_number, phone_number, is_basic) VALUES (now(), now(), 'user', '$2b$10$edsq4aqzAHnrJu68t8GS2.v0Z7hJSstAo7wBBDmmbpjYGxMMTYpVi', 'user', 'user', false, null, 'Brightsec', '1234 5678 9012 3456', '+1 234 567 890', true);
--insert default products into the table
INSERT INTO "product" ("category", "photo_url", "name", "description") VALUES ('Healing', '/api/file?path=config/products/crystals/amethyst.jpg&type=image/jpg', 'Amethyst', 'a violet variety of quartz');
INSERT INTO "product" ("category", "photo_url", "name", "description") VALUES ('Gemstones', '/api/file?path=config/products/crystals/ruby.jpg&type=image/jpg', 'Ruby', 'an intense heart crystal');
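Review bot: `"is_basic" bool not null` is added to the `user` table without a default, so any INSERT that is not updated in step with this seed file (the two rows here are; the application's own user-creation path and any other fixture are not visible) fails with a not-null violation at runtime. Give the column a default (`"is_basic" bool not null default true`, matching the two rows seeded here) or confirm in the same change that every writer sets it. Separately, for anyone reading this file as a reference: the seed intentionally ships `admin`/`admin` with the bcrypt hash inline (`--password is admin`), which is the point of this benchmark but must not be copied into a non-lab chart.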
@@ -23,24 +23,24 @@ data:
}
location /api {
proxy_pass http://{{ include "brokencrystals.fullname" . }}-nodejs:3000;
proxy_pass http://127.0.0.1:3000;
}
location /swagger {
proxy_pass http://{{ include "brokencrystals.fullname" . }}-nodejs:3000;
proxy_pass http://127.0.0.1:3000;
}
location /graphiql {
proxy_pass http://{{ include "brokencrystals.fullname" . }}-nodejs:3000;
proxy_pass http://127.0.0.1:3000;
}
location /graphql {
proxy_pass http://{{ include "brokencrystals.fullname" . }}-nodejs:3000;
proxy_pass http://127.0.0.1:3000;
}
location /put.raw {
rewrite put.raw /api/file/raw?path=./gil.txt break;
proxy_pass http://{{ include "brokencrystals.fullname" . }}-nodejs:3000;
proxy_pass http://127.0.0.1:3000;
}
location ~* ^/(config\.js|config\.json|\.htaccess|\.env|\.nginx\.conf|\.robots\.txt)$ {
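Review bot: replacing the Service name with `127.0.0.1:3000` in all five `proxy_pass` lines hard-codes the assumption that nginx and the Node.js process share a network namespace; if the `-nodejs` Service still exists in the chart it is now dead, and any future split back into separate pods has to touch every location block. Put the address in one place, either an `upstream` block or a single `location ~ ^/(api|swagger|graphiql|graphql)`, so the five copies cannot drift apart. The `/put.raw` block still rewrites to `/api/file/raw?path=./gil.txt`; that is part of the application's intentional attack surface and unchanged here, but it deserves an inline comment saying so, since a reader of the ConfigMap has no other way to tell it is deliberate.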