vuln app demo

it-security-kassel-nordhessen · Nov 7, 2019 · f96be2f · f96be2f
1 parent a2a7f7f
commit f96be2f
Show file tree

Hide file tree

Showing 27 changed files with 886 additions and 0 deletions.
diff --git a/2019_11_07_workshop/vuln-app-demo/docker/Dockerfile b/2019_11_07_workshop/vuln-app-demo/docker/Dockerfile
@@ -0,0 +1,7 @@
+FROM openjdk:8-jdk-alpine
+RUN mkdir /server && addgroup -S user && adduser -S user -G user && chown -R user:user /server
+COPY vuln-app-demo.jar /server
+COPY ysoserial-0.0.5.jar /server
+RUN chown user:user /server/vuln-app-demo.jar
+USER user
+CMD ["java","-jar","/server/vuln-app-demo.jar"]
diff --git a/2019_11_07_workshop/vuln-app-demo/docker/run.sh b/2019_11_07_workshop/vuln-app-demo/docker/run.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+docker build -t vuln-spring-boot .
+docker stop vuln-spring-boot
+docker rm vuln-spring-boot
+docker run -d -p 127.0.0.1:8080:8080 --name vuln-spring-boot vuln-spring-boot
diff --git a/2019_11_07_workshop/vuln-app-demo/docker/vuln-app-demo.jar b/2019_11_07_workshop/vuln-app-demo/docker/vuln-app-demo.jar
diff --git a/2019_11_07_workshop/vuln-app-demo/docker/ysoserial-0.0.5.jar b/2019_11_07_workshop/vuln-app-demo/docker/ysoserial-0.0.5.jar
diff --git a/2019_11_07_workshop/vuln-app-demo/pom.xml b/2019_11_07_workshop/vuln-app-demo/pom.xml
@@ -0,0 +1,66 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>de.micromata</groupId>
+	<artifactId>vuln-app-demo</artifactId>
+	<packaging>jar</packaging>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>XEE Demo App</name>
+	<url>http://maven.apache.org</url>
+
+	<!-- Inherit defaults from Spring Boot -->
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.2.0.RELEASE</version>
+	</parent>
+
+	<!-- Add typical dependencies for a web application -->
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+			<version>2.6</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-lang3</artifactId>
+			<version>3.9</version>
+		</dependency>
+
+		<dependency>
+			<groupId>commons-collections</groupId>
+			<artifactId>commons-collections</artifactId>
+			<version>3.1</version>
+		</dependency>
+
+	</dependencies>
+
+	<!-- Package as an executable jar -->
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+</project>
diff --git a/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/App.java b/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/App.java
@@ -0,0 +1,13 @@
+package de.micromata.demo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class App {
+
+	    public static void main(String[] args) {
+	        SpringApplication.run(App.class, args);
+	    }
+
+}
diff --git a/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/ConfigDemoController.java b/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/ConfigDemoController.java
@@ -0,0 +1,39 @@
+package de.micromata.demo;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+public class ConfigDemoController {
+
+	Logger logger = LoggerFactory.getLogger(ConfigDemoController.class);
+
+	@RequestMapping("/config-demo")
+	public ModelAndView configDemo(HttpServletRequest request, String username, String password) throws IOException {
+		ModelAndView mav = new ModelAndView("config-demo");
+
+		HttpSession session = request.getSession();
+		Object attribute = session.getAttribute("loggedin");
+
+		if (attribute != null) {
+			mav.addObject("loggedin", "true");
+			return mav;
+		}
+
+		if (StringUtils.equals(username, "admin") && StringUtils.equals(password, "EeH4U")) {
+			mav.addObject("loggedin", "true");
+			session.setAttribute("loggedin", "true");
+		}
+
+		return mav;
+	}
+}
diff --git a/...1_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/CreatedSerializedObjects.java b/...1_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/CreatedSerializedObjects.java
@@ -0,0 +1,39 @@
+package de.micromata.demo;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.util.Base64;
+
+public class CreatedSerializedObjects {
+
+	public static void main(String[] args) throws IOException, ClassNotFoundException {
+		Person person = new Person();
+		person.setFirstName("Heino");
+		person.setLastName("Haller");
+		person.setAge(35);
+
+		ByteArrayOutputStream serializedArrayObjStream = new ByteArrayOutputStream();
+		ObjectOutputStream serializedObjStream = new ObjectOutputStream(serializedArrayObjStream);
+		serializedObjStream.writeObject(person);
+		serializedObjStream.flush();
+		serializedObjStream.close();
+
+		String base64SerializedObject = Base64.getEncoder().encodeToString(serializedArrayObjStream.toByteArray());
+
+		System.out.println(base64SerializedObject);
+
+		//##################################################################
+
+		byte[] base64SerializedObjectArray = Base64.getDecoder().decode(base64SerializedObject);
+		ObjectInputStream deserializedObjStream = new ObjectInputStream(
+				new ByteArrayInputStream(base64SerializedObjectArray));
+		Person deserializedObject = (Person) deserializedObjStream.readObject();
+		deserializedObjStream.close();
+
+//		System.out.println(deserializedObject.getFirstName());
+	}
+
+}
diff --git a/...workshop/vuln-app-demo/src/main/java/de/micromata/demo/DeserializationDemoController.java b/...workshop/vuln-app-demo/src/main/java/de/micromata/demo/DeserializationDemoController.java
@@ -0,0 +1,62 @@
+package de.micromata.demo;
+
+import java.io.ByteArrayInputStream;
+import java.io.ObjectInputStream;
+import java.util.Base64;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+public class DeserializationDemoController {
+
+	Logger logger = LoggerFactory.getLogger(DeserializationDemoController.class);
+
+	private static final String DEFAULT_OBJECT = "rO0ABXNyABhkZS5taWNyb21hdGEuZGVtby5QZXJzb24AAAAAAAAAAQIAA0wAA2FnZXQAE0xqYXZhL2xhbmcvSW50ZWdlcjtMAAlmaXJzdE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMAAhsYXN0TmFtZXEAfgACeHBzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAI3QABUhlaW5vdAAGSGFsbGVy";
+
+	/**
+	 * 
+	 * 
+	 * @param base64Object
+	 * @return
+	 */
+
+	@RequestMapping("/serial-demo")
+	public ModelAndView serailDemo(String base64Object) {
+		ModelAndView mav = new ModelAndView("serial-demo");
+		try {
+
+			Person deserializedObject = null;
+			base64Object = StringUtils.trim(base64Object);
+			base64Object = StringUtils.deleteWhitespace(base64Object);
+
+			if (StringUtils.isEmpty(base64Object)) {
+				mav.addObject("base64TextareaContent", DEFAULT_OBJECT);
+				return mav;
+			}
+
+			byte[] base64SerializedObjectArray = Base64.getDecoder().decode(base64Object);
+			ObjectInputStream deserializedObjStream = new ObjectInputStream(
+					new ByteArrayInputStream(base64SerializedObjectArray));
+
+			deserializedObject = (Person) deserializedObjStream.readObject();
+
+			deserializedObjStream.close();
+
+			if (deserializedObject != null) {
+				mav.addObject("parsedOutput", "<br /> Vorname: " + deserializedObject.getFirstName() + "<br /> Nachname: "
+						+ deserializedObject.getLastName() + "<br /> Alter: " + deserializedObject.getAge());
+			}
+
+		} catch (Exception e) {
+			mav.addObject("parsedOutput", e.fillInStackTrace());
+		}
+
+		mav.addObject("base64TextareaContent", base64Object);
+		return mav;
+	}
+}
diff --git a/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/FileDemoController.java b/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/FileDemoController.java
@@ -0,0 +1,52 @@
+package de.micromata.demo;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+@Controller
+public class FileDemoController {
+
+	Logger logger = LoggerFactory.getLogger(FileDemoController.class);
+
+	@RequestMapping("/file-demo")
+	public ModelAndView fileDemo(String wikifile) throws IOException {
+		ModelAndView mav = new ModelAndView("file-demo");
+
+		if (StringUtils.isEmpty(wikifile)) {
+			return mav;
+		}
+		URL wikifilePath = this.getClass().getResource("/file-demo/");
+		String classpathDir = wikifilePath.getFile();
+		classpathDir = StringUtils.substringBefore(classpathDir, ".jar");
+		classpathDir = StringUtils.substringBeforeLast(classpathDir, "/");
+		classpathDir = StringUtils.removeStart(classpathDir, "file:");
+
+		File readFile = new File(classpathDir + "/" + wikifile);
+
+		logger.info("test dir: "+classpathDir + "/" + wikifile);
+
+		if (readFile.exists()) {
+			String fileContent = FileUtils.readFileToString(readFile, StandardCharsets.UTF_8.toString());
+			mav.addObject("fileContent", fileContent);
+			return mav;
+		}
+
+		URL wikifileFileLocation = this.getClass().getResource("/file-demo/" + wikifile);
+
+		InputStream wikifileStream = wikifileFileLocation.openStream();
+		mav.addObject("fileContent", IOUtils.toString(wikifileStream,StandardCharsets.UTF_8.toString()));
+		return mav;
+	}
+}
diff --git a/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/Person.java b/2019_11_07_workshop/vuln-app-demo/src/main/java/de/micromata/demo/Person.java
@@ -0,0 +1,43 @@
+package de.micromata.demo;
+
+import java.io.Serializable;
+
+public class Person implements Serializable {
+
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+
+	private String firstName;
+
+	private String lastName;
+
+	private Integer age;
+
+	public String getFirstName() {
+		return firstName;
+	}
+
+	public void setFirstName(String firstName) {
+		this.firstName = firstName;
+	}
+
+	public String getLastName() {
+		return lastName;
+	}
+
+	public void setLastName(String lastName) {
+		this.lastName = lastName;
+	}
+
+	public Integer getAge() {
+		return age;
+	}
+
+	public void setAge(Integer age) {
+		this.age = age;
+	}
+
+
+}