Section and Lab added for A04:2021-Insecure Design

.gitignore

@@ -1,2 +1,3 @@
 .env/
-*.pyc
+*.pyc
+env

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "python.formatting.provider": "yapf"
+}

pygoat/introduction/admin.py

@@ -1,9 +1,10 @@
 from django.contrib import admin
-from .models import FAANG,info,login,comments,otp
+from .models import FAANG,info,login,comments,otp,tickits
 
 # Register your models here.
 admin.site.register(FAANG)
 admin.site.register(info)
 admin.site.register(login)
 admin.site.register(comments)
-admin.site.register(otp)
+admin.site.register(otp)
+admin.site.register(tickits)

pygoat/introduction/migrations/0011_tickits.py

@@ -0,0 +1,22 @@
+# Generated by Django 4.0.3 on 2022-03-19 11:21
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('introduction', '0010_authlogin'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='tickits',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('tickit', models.CharField(max_length=40, unique=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='introduction.authlogin')),
+            ],
+        ),
+    ]

pygoat/introduction/migrations/0012_alter_tickits_user.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.0.3 on 2022-03-19 12:06
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('introduction', '0011_tickits'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='tickits',
+            name='user',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
+        ),
+    ]

pygoat/introduction/models.py

@@ -1,6 +1,6 @@
 from django.db import models
 from django.core.validators import MaxValueValidator
-
+from django.conf import settings
 # Create your models here.
 
 class FAANG (models.Model):
@@ -31,3 +31,10 @@ class authLogin(models.Model):
 class otp(models.Model):
     email=models.CharField(max_length=200)
     otp=models.IntegerField(validators=[MaxValueValidator(300)])
+
+class tickits(models.Model):
+    user=models.ForeignKey(settings.AUTH_USER_MODEL,on_delete=models.CASCADE)
+    tickit=models.CharField(max_length=40, unique = True)
+
+    def __str__(self):
+        return self.tickit+ " " + self.user.username;

pygoat/introduction/templates/Lab/A11/a11.html

@@ -0,0 +1,57 @@
+{% extends 'introduction/base.html' %} {% block content %} {% block title %}
+<title>Insecure Design</title>
+{% endblock %}
+<div class="content">
+  <h3>Insecure Design</h3>
+  <div class="box">
+    <h4>What is Insecure Design</h4>
+    <p class="bp">
+      Insecure design is a broad category representing different weaknesses,
+      expressed as “missing or ineffective control design.” Insecure design is
+      not the source for all other Top 10 risk categories. There is a difference
+      between insecure design and insecure implementation. We differentiate
+      between design flaws and implementation defects for a reason, they have
+      different root causes and remediation. A secure design can still have
+      implementation defects leading to vulnerabilities that may be exploited.
+      An insecure design cannot be fixed by a perfect implementation as by
+      definition, needed security controls were never created to defend against
+      specific attacks. One of the factors that contribute to insecure design is
+      the lack of business risk profiling inherent in the software or system
+      being developed, and thus the failure to determine what level of security
+      design is required.
+    </p>
+    <button class="coll btn btn-info">Lab Details</button>
+    <div class="lab">
+        <p class="bp">
+        This lab helps you to get an idea of how Insecure Design can result in major Security flaw.
+
+        In the next page,user can get 5 free tickets for a Movie. But he/she have to wait untill all the tickets are sold out.
+        For this particular situation, we can get advantage of the Insecure Design and somehow get all the tickets for the movie.
+
+        <ul><code>Hint</code></ul>
+        <ul> Logout and then think.</ul>
+
+        <br>
+        <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/insecure-design_lab'">Access
+            Lab</button></div>
+    </div>
+  <div>
+    <br>
+    <h4>Mitigation</h4>
+    <p class="bp">
+    <ul>
+      <li>Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls</li>
+      <li>Establish and use a library of secure design patterns or paved road ready to use components</li>
+      <li>Use threat modeling for critical authentication, access control, business logic, and key flows</li>
+      <li>Integrate security language and controls into user stories</li>
+      <li>Integrate plausibility checks at each tier of your application (from frontend to backend)</li>
+      <li>Write unit and integration tests to validate that all critical flows are resistant to the threat model. Compile use-cases and misuse-cases for each tier of your application.s</li>
+      <li>Segregate tier layers on the system and network layers depending on the exposure and protection needs</li>
+      <li>Segregate tenants robustly by design throughout all tiers</li>
+      <li>Limit resource consumption by user or service</li>
+    </ul>
+    </p>
+  </div>
+</div>
+
+{% endblock %}

pygoat/introduction/templates/Lab/A11/a11_lab.html

@@ -0,0 +1,53 @@
+{% extends "introduction/base.html" %}
+{% load static %}
+{% block content %}
+{% block title %}
+<title>Insecure Design Lab</title>
+{% endblock %}
+{% block header %}
+
+{% endblock %}
+<div style="display:flex; flex-direction: row-reverse; align-items:center; justify-content:space-evenly; align-content:center">
+    <div style="display:flex; flex-direction: column; align-items:center">    
+        <div class="jumbotron">
+            <h4 style="text-align:center">My Tickets </h4>
+            <div class="login" style="text-align:center">
+                {% for i in tickets %}
+                <div> {{i}} </div>
+                {% endfor %}
+            </div>
+        </div>
+    </div>
+    <div style="display:flex; flex-direction: column; align-items:center">
+        <div class="btn btn-info" style="text-align:center ,">
+            {{error}}
+        </div>
+        <br>
+        <div class="jumbotron">
+            <h4 style="text-align:center">Claim Upto 5 Free Tickits  </h4>
+            <div class="login" style="text-align:center">
+                <form method="post" action="/insecure-design_lab">
+                    {% csrf_token %}
+                    <input id="input" type="number" name="count" placeholder="0"><br>
+                    <button style="margin-top:20px" class="btn btn-info" type="submit"> Claim </button>
+                </form>
+            </div>
+        </div>
+        <br>
+        <div class="jumbotron">
+            <h4 style="text-align:center"> Watch Movie </h4>
+            <div class="login" style="text-align:center">
+                <form method="post" action="/insecure-design_lab">
+                    {% csrf_token %}
+                    <input id="input" type="text" name="ticket" placeholder="Tickit"><br>
+                    <button style="margin-top:20px" class="btn btn-info" type="submit"> Watch </button>
+                </form>
+            </div>
+        </div>
+    </div>
+</div>
+
+<div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/insecure-design'">Back to Lab
+    Details</button></div>
+
+{% endblock %}

pygoat/introduction/templates/introduction/base.html

@@ -102,6 +102,10 @@ <h3>PyGoat</h3>
                         <i class="fas fa-bug"></i>
                         A10: Insufficient Logging & Monitoring
                     </a>
+                    <a href="/insecure-design">
+                        <i class="fas fa-bug"></i>
+                        A11: Insecure Design
+                    </a>
                     <a href="/auth">
                         <i class="fas fa-bug"></i>
                         Authentication

pygoat/introduction/urls.py

@@ -43,4 +43,6 @@
     path("a10",views.a10,name="A10"),
     path("a10_lab",views.a10_lab,name="A10 LAb"),
     path("debug",views.debug,name="debug"),
+    path("insecure-design",views.insec_desgine,name="insecure-design"),
+    path("insecure-design_lab",views.insec_desgine_lab,name="insecure-design_lab"),
 ]

pygoat/introduction/views.py

@@ -1,11 +1,13 @@
 from django.shortcuts import render,redirect
 from django.http import HttpResponse
-from .models import  FAANG,info,login,comments,authLogin
+from .models import  FAANG,info,login,comments,authLogin, tickits
 from django.core import serializers
 from requests.structures import CaseInsensitiveDict
 import requests
 from django.contrib.auth import login,authenticate
 from django.contrib.auth.forms import UserCreationForm
+import random
+import string
 
 #*****************************************Lab Requirements****************************************************#
 
@@ -505,3 +507,58 @@ def debug(request):
     response = render(request,'Lab/A10/debug.log')
     response['Content-Type'] =  'text/plain'
     return response
+
+#*********************************************************A11*************************************************#
+
+def gentckt():
+    return (''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase, k=10)))
+
+def insec_desgine(request):
+    if request.user.is_authenticated:
+        return render(request,"Lab/A11/a11.html")
+    else:
+        return redirect('login')
+
+def insec_desgine_lab(request):
+    if request.user.is_authenticated:
+        if request.method=="GET":
+            tkts = tickits.objects.filter(user = request.user)
+            Tickets = []
+            for tkt in tkts:
+                Tickets.append(tkt.tickit)
+            return render(request,"Lab/A11/a11_lab.html",{"tickets":Tickets})
+        elif request.method=="POST":
+            tkts = tickits.objects.filter(user = request.user)
+            Tickets = []
+            for tkt in tkts:
+                Tickets.append(tkt.tickit)
+            try :
+                count = request.POST.get("count")
+                if (int(count)+len(tkts)) <=5:
+                    for i in range(int(count)):
+                        ticket_code = gentckt()
+                        Tickets.append(ticket_code)
+                        T = tickits(user = request.user, tickit = ticket_code)
+                        T.save()
+
+                    return render(request,"Lab/A11/a11_lab.html",{"tickets":Tickets})
+                else:
+                    return render(request,"Lab/A11/a11_lab.html",{"error":"You can have atmost 5 tickits","tickets":Tickets})
+            except:
+                try :
+                    tickit = request.POST.get("ticket")
+                    all_tickets = tickits.objects.all()
+                    sold_tickets = len(all_tickets)
+                    if sold_tickets <60:
+                        return render(request,"Lab/A11/a11_lab.html", {"error": "Invalid tickit","tickets":Tickets,"error":f"Wait until all tickets are sold ({60-sold_tickets} tickets left)"})
+                    else:
+                        if tickit in Tickets:
+                            return render(request,"Lab/A11/a11_lab.html", {"error": "Congratulation,You figured out the flaw in Design.<br> A better authentication should be used in case for checking the uniqueness of a user.","tickets":Tickets})
+                        else:
+                            return render(request,"Lab/A11/a11_lab.html",{"tickets":Tickets,"error": "Invalid ticket"},)
+                except:
+                    return render(request,"Lab/A11/a11_lab.html",{"tickets":Tickets})
+        else:
+            pass
+    else:
+        return redirect('login')