From 01bc0f859e9191d9608e07b605427d71083f565e Mon Sep 17 00:00:00 2001 From: Viachaslau Tyshkavets Date: Tue, 3 Sep 2024 11:30:45 +0400 Subject: [PATCH] docs(readme): remove helm chart section from main readme, rework client readme --- .env | 4 +- LICENSE | 2 +- README.md | 84 +++++++++--------------------------- client/README.md | 92 +++++++++++++++++++++------------------- client/package-lock.json | 4 ++ client/package.json | 4 ++ 6 files changed, 81 insertions(+), 109 deletions(-) diff --git a/.env b/.env index 80f8888b..f4927309 100644 --- a/.env +++ b/.env @@ -24,8 +24,8 @@ KEYCLOAK_PUBLIC_CLIENT_ID=brokencrystals-client KEYCLOAK_PUBLIC_CLIENT_SECRET=4bfb5df6-4647-46dd-bad1-c8b8ffd7caf4 BRIGHT_TOKEN= -BRIGHT_CLUSTER=app.neuralegion.com -SEC_TESTER_TARGET=http://localhost:8090 +BRIGHT_CLUSTER=app.brightsec.com +SEC_TESTER_TARGET=http://localhost:3000 CHAT_API_URL=https://api-inference.huggingface.co/v1/chat/completions CHAT_API_MODEL=meta-llama/Meta-Llama-3-8B-Instruct diff --git a/LICENSE b/LICENSE index 1a6078b4..fa02ee13 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2021 NeuraLegion +Copyright (c) 2024 NeuraLegion Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index b054c8ba..268c41aa 100644 --- a/README.md +++ b/README.md @@ -5,16 +5,16 @@ Broken Crystals is a benchmark application that uses modern technologies and imp The application contains: - React based web client - - FE - http://localhost:8090 + - FE - http://localhost:3001 - BE - http://localhost:3000 -- NodeJS server that serves the React client and provides both OpenAPI and GraphQL endpoints. +- Node.js server that serves the React client and provides both OpenAPI and GraphQL endpoints. The full API documentation is available via swagger or GraphQL: - - Swagger UI - http://localhost:8090/swagger - - Swagger JSON file - http://localhost:8090/swagger-json - - GraphiQL UI - http://localhost:8090/graphiql + - Swagger UI - http://localhost:3000/swagger + - Swagger JSON file - http://localhost:3000/swagger-json + - GraphiQL UI - http://localhost:3000/graphiql > **Note** -> The GraphQL API does not yet support all of the endpoints the REST API does. +> The GraphQL API does not yet support all the endpoints the REST API does. ## Building and Running the Application @@ -25,55 +25,13 @@ npm ci && npm run build # build client npm ci --prefix client && npm run build --prefix client -#build and start dockers with Postgres DB, nginx and server +# build and start local development environment with Postgres DB, MailCatcher and the app docker-compose --file=docker-compose.local.yml up -d -#rebuild dockers +# add build flag to ensure that the images are rebuilt before starting the services docker-compose --file=docker-compose.local.yml up -d --build ``` -## Running application with helm chart - -Helm command example: - -```bash -$ helm upgrade --install --namespace distributor broken \ - --set snifferApiURL=https://hotel.playground.neuralegion.com \ - --set snifferProjectID=ud8v8jwUaG14JiAihMQx1M \ - --set snifferApiKey=6g0daym.nexp.spkuhhishhttv \ - --set snifferNetworkInterface=lo0 \ - --set repeaterID=5r9Kci7AKLx4bkN58yYCDz \ - --set token=nptbmxr.nexp.kkaux80olef2mew3n3r3rw08tww3c4f5 \ - --set cluster=hotel.playground.neuralegion.com \ - --set timeout=40000 \ - --set repeaterImageTag=v11.5.0-next.4 \ - --set ingress.url=broken.k3s.brokencrystals.nexploit.app \ - --set ingress.cert=distributorwildcard \ - --set ingress.authlevel=- . --wait -``` - -Optionally, you can test your installation: - -```bash -$ helm test broken --namespace=distributor --logs -``` - -### Arguments info - -**repeaterID, token and cluster** - These argument values are required if you want to use repeater. In case you don't set any of these fields, repeater container won't be run. In that case this will be regular bc deployment. (Required arguments if repeater container is to be used). - -**timeout** - this is optional argument for repeater deployment with default value 30000 if it is not set, it's only used in conjuction with main repeater options (optional argument). - -**repeaterImageTag** - this argument is optional with default value latest if field is not set. Notice these are docker tags and not repeater versions. They are similar but not the same. Dockerhub tags usually have "v" in front of repeater version. this argument is only used in conjuction with main repeater options (optional argument). - -**snifferApiURL, snifferProjectID and snifferApiKey** - These argument values are required if you want to use sniffer. In case you don't set any of these fields, sniffer container won't be run. In that case this will be regular bc deployment. (Required arguments if sniffer container is to be used). - -**snifferNetworkInterface** - this is optional argument for sniffer deployment with default value set to **"eth0"** if it is not set explicitly, it's only used in conjuction with main sniffer options (optional argument). - -**namespace** - kubernetes namespace where app will be spawned. - -**ingress.url** - Domain name that will be used to access app from Internet. - ## Running tests by [SecTester](https://github.com/NeuraLegion/sectester-js/) In the path [`./test`](./test) you can find tests to run with Jest. @@ -87,7 +45,7 @@ BRIGHT_TOKEN = Then, you can modify a URL to your instance of the application by setting the `SEC_TESTER_TARGET` environment variable in your [`.env`](.env) file: ```text -SEC_TESTER_TARGET = http://localhost:8090 +SEC_TESTER_TARGET = http://localhost:3000 ``` Finally, you can start tests with SecTester against these endpoints as follows: @@ -110,11 +68,11 @@ Full configuration & usage examples can be found in our [demo project](https://g - **X5U Rogue Key** - Uses the uploaded certificate to sign the JWT and sets the X5U Header in JWT to point to the uploaded certificate (implemented in designated endpoint as described in Swagger). - **X5C Rogue Key** - The application doesn’t properly check which X5C key is used for signing. When we set the X5C headers to our values and sign with our private key, authentication is bypassed (implemented in designated endpoint as described in Swagger). - **JKU Rogue Key** - Uses our publicly available JSON to check if JWT is properly signed after we set the Header in JWT to point to our JSON and sign the JWT with our private key (implemented in designated endpoint as described in Swagger). - - **JWK Rogue Key** - We make a new JSON with empty values, hash it, and set it directly in the Header and we then use our private key to sign the JWT (implemented in designated endpoint as described in Swagger). + - **JWK Rogue Key** - We make a new JSON with empty values, hash it, and set it directly in the Header, and we then use our private key to sign the JWT (implemented in designated endpoint as described in Swagger). - **Brute Force Login** - Checks if the application user is using a weak password. The default setup contains user = _admin_ with password = _admin_ -- **Common Files** - Tries to find common files that shouldn’t be publicly exposed (such as “phpinfo”, “.htaccess”, “ssh-key.priv”, etc…). The application contains .htacess and Nginx.conf files under the client's root directory and additional files can be added by placing them under the public/public directory and running a build of the client. +- **Common Files** - Tries to find common files that shouldn’t be publicly exposed (such as “phpinfo”, “.htaccess”, “ssh-key.priv”, etc…). The application contains .htaccess and nginx.conf files under the client's root directory and additional files can be added by placing them under the public/public directory and running a build of the client. - **Cookie Security** - Checks if the cookie has the “secure” and HTTP only flags. The application returns two cookies (session and bc-calls-counter cookie), both without secure and HttpOnly flags. @@ -143,7 +101,7 @@ Full configuration & usage examples can be found in our [demo project](https://g - **HTML Injection** - Both forms testimonial and mailing list subscription forms allow HTML injection. -- **CSS Injection** - The login page is vulnerable to CSS Injections through a url parameter: https://brokencrystals.com/userlogin?logobgcolor=transparent. +- **CSS Injection** - The login page is vulnerable to CSS Injections through a URL parameter: https://brokencrystals.com/userlogin?logobgcolor=transparent. - **HTTP Method fuzzer** - The server supports uploading, deletion, and getting the content of a file via /put.raw addition to the URL. The actual implementation using a regular upload endpoint of the server and the /put.raw endpoint is mapped in Nginx. @@ -151,7 +109,7 @@ Full configuration & usage examples can be found in our [demo project](https://g - **Local File Inclusion (LFI)** - The /api/files endpoint returns any file on the server from the path that is provided in the _path_ param. The UI uses this endpoint to load crystal images on the landing page. -- **Mass Assignment** - You can add to user admin privilegies upon creating user or updating userdata. When you creating a new user /api/users/basic you can use additional hidden field in body request { ... "isAdmin" : true }. If you are trying to edit userdata with PUT request /api/users/one/{email}/info you can add this additional field mentioned above. For checking admin permissions there is one more endpoint: /api/users/one/{email}/adminpermission. +- **Mass Assignment** - You can add to user admin privileges upon creating user or updating userdata. When you are creating a new user /api/users/basic you can use additional hidden field in body request { ... "isAdmin" : true }. If you are trying to edit userdata with PUT request /api/users/one/{email}/info you can add this additional field mentioned above. For checking admin permissions there is one more endpoint: /api/users/one/{email}/adminpermission. - **Open Database** - The index.html file includes a link to manifest URL, which returns the server's configuration, including a DB connection string. @@ -168,11 +126,11 @@ Full configuration & usage examples can be found in our [demo project](https://g - **SQL injection (SQLi)** - The `/api/testimonials/count` endpoint receives and executes SQL query in the query parameter. Similarly, the `/api/products/views` endpoint utilizes the `x-product-name` header to update the number of views for a product. However, both of these parameters can be exploited to inject SQL code, making these endpoints vulnerable to SQL injection attacks. -- **Unvalidated Redirect** - The endpoint /api/goto redirects the client to the URL provided in the _url_ query parameter. The UI references the endpoint in the header (while clicking on the site's logo) and as an href source for the Terms and Services link in the footer. +- **Unvalidated Redirect** - The endpoint /api/goto redirects the client to the URL provided in the _url_ query parameter. The UI references the endpoint in the header (while clicking on the site's logo) and as a href source for the Terms and Services link in the footer. -- **Version Control System** - The client_s build process copies SVN, GIT, and Mercurial source control directories to the client application root and they are accessible under Nginx root. +- **Version Control System** - The client_s build process copies SVN, GIT, and Mercurial source control directories to the client application root, and they are accessible under Nginx root. -- **XML External Entity (XXE)** - The endpoint, POST /api/metadata, receives URL-encoded XML data in the _xml_ query parameter, processes it with enabled external entities (using libxmnl library) and returns the serialized DOM. Additionally, for a request that tries to load file:///etc/passwd as an entity, the endpoint returns a mocked up content of the file. +- **XML External Entity (XXE)** - The endpoint, POST /api/metadata, receives URL-encoded XML data in the _xml_ query parameter, processes it with enabled external entities (using `libxmljs` library) and returns the serialized DOM. Additionally, for a request that tries to load file:///etc/passwd as an entity, the endpoint returns a mocked up content of the file. Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images, which are proccessed with libxml library and stored on the server, as well as sent back to the client. - **JavaScript Vulnerabilities Scanning** - Index.html includes an older version of the jQuery library with known vulnerabilities. @@ -185,7 +143,7 @@ Full configuration & usage examples can be found in our [demo project](https://g - **Excessive Data Exposure** - The `/api/users/one/:email` is supposed to expose only basic user information required to be displayed on the UI, but it also returns the user's phone number which is unnecessary information. -- **Business Constraint Bypass** - The `/api/products/latest` endpoint supports a `limit` parameter, which by default is set to 3. The `/api/products` endpoint is a password protected endpoint which returns all of the products, yet if you change the `limit` param of `/api/products/latest` to be high enough you could get the same results without the need to be authenticated. +- **Business Constraint Bypass** - The `/api/products/latest` endpoint supports a `limit` parameter, which by default is set to 3. The `/api/products` endpoint is a password protected endpoint which returns all the products, yet if you change the `limit` param of `/api/products/latest` to be high enough you could get the same results without the need to be authenticated. - **ID Enumeration** - There are a few ID Enumeration vulnerabilities: @@ -201,12 +159,12 @@ Full configuration & usage examples can be found in our [demo project](https://g - **Prototype Pollution** - The `/marketplace` endpoint is vulnerable to prototype pollution using the following methods: - 1. The EP GET `/marketplace?__proto__[Test]=Test` represents the client side vulnerabillity, by parsing the URI (for portfolio filtering) and converting - it's parmeters into an object. This means that a requests like `/marketplace?__proto__[TestKey]=TestValue` will lead to a creation of `Object.TestKey`. + 1. The EP GET `/marketplace?__proto__[Test]=Test` represents the client side vulnerability, by parsing the URI (for portfolio filtering) and converting + its parameters into an object. This means that a requests like `/marketplace?__proto__[TestKey]=TestValue` will lead to a creation of `Object.TestKey`. One can test if an attack was successful by viewing the new property created in the console. - This EP also supports prototyp pollution based DOM XSS using a payload such as `__proto__[prototypePollutionDomXss]=data:,alert(1);`. + This EP also supports prototype pollution based DOM XSS using a payload such as `__proto__[prototypePollutionDomXss]=data:,alert(1);`. The "legitimate" code tries to use the `prototypePollutionDomXss` parameter as a source for a script tag, so if the exploit is not used via this key it won't work. - 2. The EP GET `/api/email/sendSupportEmail` represents the server side vulnerabillity, by having a rookie URI parsing mistake (similiar to the client side). + 2. The EP GET `/api/email/sendSupportEmail` represents the server side vulnerability, by having a rookie URI parsing mistake (similar to the client side). This means that a request such as `/api/email/sendSupportEmail?name=Bob%20Dylan&__proto__[status]=222&to=username%40email.com&subject=Help%20Request&content=Help%20me..` will lead to a creation of `uriParams.status`, which is a parameter used in the final JSON response. diff --git a/client/README.md b/client/README.md index 02aac3f6..47339122 100644 --- a/client/README.md +++ b/client/README.md @@ -1,70 +1,76 @@ -# Getting Started with Create React App +# BrokenCrystals React Client -This project was bootstrapped with [Create React App](https://github.com/facebook/create-react-app). +A React application designed to showcase a marketplace with various features including authentication, testimonials, user management and so on. -## Available Scripts - -In the project directory, you can run: - -### `yarn start` - -Runs the app in the development mode.\ -Open [http://localhost:3000](http://localhost:3000) to view it in the browser. +## Table of Contents -The page will reload if you make edits.\ -You will also see any lint errors in the console. +- [Prerequisites](#prerequisites) +- [Getting Started](#getting-started) +- [Available Scripts](#available-scripts) -### `yarn test` +## Prerequisites -Launches the test runner in the interactive watch mode.\ -See the section about [running tests](https://facebook.github.io/create-react-app/docs/running-tests) for more information. +This project requires Node.js version 18 or higher and npm version 10 or higher. Ensure you have the correct versions installed by running: -### `yarn build` +```bash +node -v +npm -v +``` -Builds the app for production to the `build` folder.\ -It correctly bundles React in production mode and optimizes the build for the best performance. +## Getting Started -The build is minified and the filenames include the hashes.\ -Your app is ready to be deployed! +To get a local copy up and running, follow these steps: -See the section about [deployment](https://facebook.github.io/create-react-app/docs/deployment) for more information. +1. Clone the repo: + ```bash + git clone https://github.com/NeuraLegion/brokencrystals + ``` +2. Navigate to the project directory: + ```bash + cd brokencrystals + ``` +3. Install the dependencies: + ```bash + npm ci --prefix client + ``` +4. Run the server application (see this repository main [README](../README.md)). +5. Run the client application in development mode: + ```bash + npm run start --prefix client + ``` -### `yarn eject` - -**Note: this is a one-way operation. Once you `eject`, you can’t go back!** - -If you aren’t satisfied with the build tool and configuration choices, you can `eject` at any time. This command will remove the single build dependency from your project. +## Available Scripts -Instead, it will copy all the configuration files and the transitive dependencies (webpack, Babel, ESLint, etc) right into your project so you have full control over them. All of the commands except `eject` will still work, but they will point to the copied scripts so you can tweak them. At this point you’re on your own. +In the project directory, you can run: -You don’t have to ever use `eject`. The curated feature set is suitable for small and middle deployments, and you shouldn’t feel obligated to use this feature. However we understand that this tool wouldn’t be useful if you couldn’t customize it when you are ready for it. +### `npm start` -## Learn More +Runs the app in development mode. Open [http://localhost:3001](http://localhost:3001) to view it in the browser. -You can learn more in the [Create React App documentation](https://facebook.github.io/create-react-app/docs/getting-started). +### `npm run build` -To learn React, check out the [React documentation](https://reactjs.org/). +Builds the app for production to the `dist` folder. It correctly bundles React in production mode and optimizes the build for the best performance. -### Code Splitting +### `npm run serve` -This section has moved here: [https://facebook.github.io/create-react-app/docs/code-splitting](https://facebook.github.io/create-react-app/docs/code-splitting) +Serves the built app for preview. -### Analyzing the Bundle Size +### `npm run test:e2e:gui` -This section has moved here: [https://facebook.github.io/create-react-app/docs/analyzing-the-bundle-size](https://facebook.github.io/create-react-app/docs/analyzing-the-bundle-size) +Opens Cypress for end-to-end testing in GUI mode. -### Making a Progressive Web App +### `npm run test:e2e:ci` -This section has moved here: [https://facebook.github.io/create-react-app/docs/making-a-progressive-web-app](https://facebook.github.io/create-react-app/docs/making-a-progressive-web-app) +Runs Cypress for end-to-end testing in CI mode. -### Advanced Configuration +### `npm run test` -This section has moved here: [https://facebook.github.io/create-react-app/docs/advanced-configuration](https://facebook.github.io/create-react-app/docs/advanced-configuration) +Alias for `npm run test:e2e:ci` -### Deployment +### `npm run format` -This section has moved here: [https://facebook.github.io/create-react-app/docs/deployment](https://facebook.github.io/create-react-app/docs/deployment) +Checks the code formatting using Prettier. -### `yarn build` fails to minify +### `npm run lint` -This section has moved here: [https://facebook.github.io/create-react-app/docs/troubleshooting#npm-run-build-fails-to-minify](https://facebook.github.io/create-react-app/docs/troubleshooting#npm-run-build-fails-to-minify) +Runs ESLint to check for code quality issues. diff --git a/client/package-lock.json b/client/package-lock.json index 747744ba..9b922b5b 100644 --- a/client/package-lock.json +++ b/client/package-lock.json @@ -35,6 +35,10 @@ "typescript": "^5.5.4", "typescript-eslint": "^8.3.0", "vite": "^5.4.2" + }, + "engines": { + "node": ">=18", + "npm": ">=10" } }, "node_modules/@colors/colors": { diff --git a/client/package.json b/client/package.json index a1769829..6d29511d 100644 --- a/client/package.json +++ b/client/package.json @@ -49,6 +49,10 @@ "react": "^18.3.1" } }, + "engines": { + "node": ">=18", + "npm": ">=10" + }, "browserslist": { "production": [ ">0.2%",