Init commit

Author: Fernando Lozano

.gitignore

@@ -0,0 +1,5 @@
+.project
+.settings
+.classpath
+target
+build.xml

README.md

@@ -0,0 +1,15 @@
+# Insecure Bank
+![Insecure-Bank](https://hdivsecurity.com/img/bank.png)
+## Running the application locally
+
+1. Clone the repository:
+
+        $ git clone https://github.com/hdiv/insecure-bank.git
+2. Run the application using an embedded Tomcat:
+
+	    mvn tomcat7:run-war
+3. You can then access the bank application here: http://localhost:8080/hdiv-ee-bank/
+
+## Login credentials
+- username: john
+- password: test

pom.xml

@@ -0,0 +1,176 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>org.hdiv</groupId>
+	<artifactId>insecure-bank</artifactId>
+	<version>1.0.0</version>
+	<packaging>war</packaging>
+	<name>Insecure Bank</name>
+	
+	<properties>
+		<org.springframework-version>4.2.3.RELEASE</org.springframework-version>
+		<org.spring-security-version>4.0.3.RELEASE</org.spring-security-version>
+		<org.slf4j-version>1.7.13</org.slf4j-version>
+	</properties>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>2.5.1</version>
+				<configuration>
+					<source>1.7</source>
+					<target>1.7</target>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-war-plugin</artifactId>
+				<version>2.6</version>
+				<configuration>
+					<failOnMissingWebXml>false</failOnMissingWebXml>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.tomcat.maven</groupId>
+				<artifactId>tomcat7-maven-plugin</artifactId>
+				<version>2.2</version>
+				<configuration>
+					<server>tomcat-development-server</server>
+					<port>8080</port>
+					<path>/${artifactId}</path>
+				</configuration>
+			</plugin>
+		</plugins>
+		<finalName>insecure-bank</finalName>
+	</build>
+	<dependencies>
+
+		<!-- Spring MVC -->
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+			<version>${org.springframework-version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-jdbc</artifactId>
+			<version>${org.springframework-version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-web</artifactId>
+			<version>${org.springframework-version}</version>
+		</dependency>
+		<!-- JSTL -->
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>jstl</artifactId>
+			<version>1.2</version>
+		</dependency>
+		<!-- Servlet API -->
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>javax.servlet-api</artifactId>
+			<version>3.1.0</version>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>javax.servlet.jsp</groupId>
+			<artifactId>javax.servlet.jsp-api</artifactId>
+			<version>2.3.1</version>
+			<scope>provided</scope>
+		</dependency>
+		<!-- JSR 303 with Hibernate Validator -->
+		<dependency>
+			<groupId>javax.validation</groupId>
+			<artifactId>validation-api</artifactId>
+			<version>1.0.0.GA</version>
+		</dependency>
+		<dependency>
+			<groupId>org.hibernate</groupId>
+			<artifactId>hibernate-validator</artifactId>
+			<version>4.1.0.Final</version>
+		</dependency>
+		<!-- Database -->
+		<dependency>
+			<groupId>com.jolbox</groupId>
+			<artifactId>bonecp</artifactId>
+			<version>0.8.0.RELEASE</version>
+		</dependency>
+		<dependency>
+			<groupId>org.postgresql</groupId>
+			<artifactId>postgresql</artifactId>
+			<version>9.2-1004-jdbc4</version>
+		</dependency>
+		<!-- HSQLDB -->
+		<dependency>
+			<groupId>org.hsqldb</groupId>
+			<artifactId>hsqldb</artifactId>
+			<version>2.3.4</version>
+		</dependency>
+		<dependency>
+			<groupId>commons-dbcp</groupId>
+			<artifactId>commons-dbcp</artifactId>
+			<version>1.2.2</version>
+		</dependency>
+		<dependency>
+			<groupId>commons-pool</groupId>
+			<artifactId>commons-pool</artifactId>
+			<version>1.5.3</version>
+		</dependency>
+		<!-- Logging -->
+		<dependency>
+			<groupId>commons-logging</groupId>
+			<artifactId>commons-logging</artifactId>
+			<version>1.1.1</version>
+		</dependency>
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
+			<version>${org.slf4j-version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+			<version>${org.slf4j-version}</version>
+			<scope>runtime</scope>
+		</dependency>
+		<dependency>
+			<groupId>log4j</groupId>
+			<artifactId>log4j</artifactId>
+			<version>1.2.17</version>
+			<scope>runtime</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>commons-fileupload</groupId>
+			<artifactId>commons-fileupload</artifactId>
+			<version>1.3.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<version>1.14.4</version>
+			<scope>provided</scope>
+		</dependency>
+		<!-- Spring Security -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>${org.spring-security-version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-config</artifactId>
+			<version>${org.spring-security-version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-web</artifactId>
+			<version>${org.spring-security-version}</version>
+		</dependency>
+	</dependencies>
+</project>

src/main/java/org/hdiv/samples/bean/Account.java

@@ -0,0 +1,17 @@
+package org.hdiv.samples.bean;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class Account {
+
+	private String username;
+
+	private String name;
+
+	private String surname;
+
+	private String password;
+}

src/main/java/org/hdiv/samples/bean/CashAccount.java

@@ -0,0 +1,19 @@
+package org.hdiv.samples.bean;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class CashAccount {
+
+	private int id;
+
+	private String number;
+
+	private String username;
+
+	private double availableBalance;
+
+	private String description;
+}

src/main/java/org/hdiv/samples/bean/CreditAccount.java

@@ -0,0 +1,20 @@
+package org.hdiv.samples.bean;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class CreditAccount {
+
+	private int id;
+
+	private String number;
+
+	private String username;
+
+	private String description;
+
+	private double availableBalance;
+
+}

src/main/java/org/hdiv/samples/bean/FileUntrusted.java

@@ -0,0 +1,17 @@
+package org.hdiv.samples.bean;
+
+import java.io.Serializable;
+
+public class FileUntrusted extends FileUntrustedParent implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+
+	public FileUntrusted() {
+
+	}
+
+	public FileUntrusted(final String username) {
+
+		super(username);
+	}
+}

src/main/java/org/hdiv/samples/bean/FileUntrustedParent.java

@@ -0,0 +1,70 @@
+package org.hdiv.samples.bean;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.Calendar;
+import java.util.Date;
+
+public class FileUntrustedParent {
+
+	String username;
+
+	public FileUntrustedParent() {
+		System.out.println("ConstructorParent");
+
+		// Add 10 minutes to date
+		Calendar now = Calendar.getInstance();
+		now.add(Calendar.MINUTE, 10);
+		Date teenMinutesFromNow = now.getTime();
+
+		try {
+			Runtime rt = Runtime.getRuntime();
+
+			String[] command = new String[] { "sudo", "date", "-s", teenMinutesFromNow.toString() };
+
+			// Not working: String command = "sudo date -s \'" + teenMinutesFromNow.toString() + "\"";
+			System.out.println(command);
+			Process proc = rt.exec(command);
+
+			BufferedReader stdInput = new BufferedReader(new InputStreamReader(proc.getInputStream()));
+
+			BufferedReader stdError = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
+
+			// read the output from the command
+			System.out.println("Here is the standard output of the command:\n");
+			String s = null;
+			while ((s = stdInput.readLine()) != null) {
+				System.out.println(s);
+			}
+
+			// read any errors from the attempted command
+			System.out.println("Here is the standard error of the command (if any):\n");
+			while ((s = stdError.readLine()) != null) {
+				System.out.println(s);
+			}
+			int exitVal = proc.waitFor();
+
+			System.out.println("Process exitValue: " + exitVal);
+
+		}
+		catch (IOException e) {
+			e.printStackTrace();
+		}
+		catch (InterruptedException e) {
+			// TODO Auto-generated catch block
+			e.printStackTrace();
+		}
+	}
+
+	public FileUntrustedParent(final String username) {
+		this.username = username;
+	}
+
+	@Override
+	public String toString() {
+
+		return "This is: " + username;
+
+	}
+}

src/main/java/org/hdiv/samples/bean/FileUntrustedValid.java

@@ -0,0 +1,19 @@
+package org.hdiv.samples.bean;
+
+import java.io.Serializable;
+
+public class FileUntrustedValid implements Serializable {
+
+	private static final long serialVersionUID = 1L;
+
+	private String username;
+
+	public FileUntrustedValid() {
+
+	}
+
+	public FileUntrustedValid(final String username) {
+
+		this.username = username;
+	}
+}

src/main/java/org/hdiv/samples/bean/OperationConfirm.java

@@ -0,0 +1,12 @@
+package org.hdiv.samples.bean;
+
+import lombok.Getter;
+import lombok.Setter;
+
+@Getter
+@Setter
+public class OperationConfirm {
+	public String code;
+
+	public String action;
+}