jvlsg · 100HnoMeuNome · Sep 7, 2020 · Sep 7, 2020 · Sep 7, 2020 · Sep 7, 2020
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,11 @@
+version: 2.1
+orbs:
+  snyk: snyk/snyk@1.0.1
+jobs:
+  build:
+    docker:
+      - image: 'caf3ina/vulnerableimage'
+    steps:
+      - checkout
+      - run: pip3 install requirements.txt
+      - snyk/scan
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,6 @@
-FROM python:3.8-slim-buster
+FROM python:3.8
 COPY . /headpage
 WORKDIR /headpage
-RUN pip3 install --upgrade pip && \
-    pip3 install --trusted-host pypi.python.org -r requirements.txt && \
-    ./reset_db.sh
+RUN pip3 install --no-cache-dir --upgrade pip && \
 EXPOSE 8000
 ENTRYPOINT ["python3", "src/manage.py","runserver","0.0.0.0:8000"]
diff --git a/README.md b/README.md
@@ -1,36 +1,48 @@
-# HeadPage
+# What is the HeadPage?
 
-A Simple and porpousely vulnerable django web-application for testing and learning
+A Simple and porpousely vulnerable django web-application for testing and learning how to protect using the Trend Micro Application Security.
+
+# What is the Cloud One Application Security?
+
+Trend Micro Cloud One - Application Security provides runtime protection for containerized applications and serverless functions. When Application Security is properly deployed, threats to your web applications will be detected and protected against, minimizing your risk. Determined attackers are continuously running scanners against your site, creating malicious user accounts, fuzzing various elements, triggering exceptions, and attempting to run exploitation tools.
+
+* More information here: https://cloudone.trendmicro.com/docs/application-security/
+* Create a account in Cloud One https://cloudone.trendmicro.com/
 
 ![index](docs/index.png)
 ![User profile](docs/profile.png)
 
-## Idea
+## Running 
+The recommended way is using docker using the following commands to build and run the container.
 
-* Create a social-media-like (HeadPage != Facebook) web application with a relatively small, and vulnerable, code base. 
-* Users create public profiles, upload files for public (such as photos)or private (such as pdfs) use and browse other users' profiles.
+`$ yum install git -y`
 
-## Running 
-The recommended way is using docker using the following commands to build and run the container
+`$ git clone https://github.com/caf3ina/HeadPage.git`
 
-`docker build --tag=headpage:latest .`
+`$ cd HeadPage/`
 
-`docker run -d --rm -p 8000:8000 --name headpage headpage:latest`
+* Edit the following line on `src/headpage/settings.py` to serve HeadPage on all interfaces. This can be dangerous, if possible run inside a VM on Host-Only interface.
 
-Otherwise, install the dependencies on `requirements.txt` and run the default django webserver and you'll be good to go.
+`ALLOWED_HOSTS = ['*']`
 
-## Allowing connections other than localhost
+Create a file with name `trend_app_protect.ini` and put the information bellow.
 
-Change the following line on `src/headpage/settings.py` to serve HeadPage on all interfaces. This can be dangerous, if possible run inside a VM on Host-Only interface.
+`[trend_app_protect]`
 
-`ALLOWED_HOSTS = ['*']`
+`key = my-key`
 
+`secret = my-secret`
 
-## Why?
-**Yes**
+Get the key and secret from Cloud One Application Security console
+https://cloudone.trendmicro.com/docs/application-security/python/#install-the-agent
+
+`docker build --tag=headpage:latest .`
+
+`docker run -d --rm -p 8000:8000 --name headpage headpage:latest`
 
 ## The site is ugly as sin!
 **Yes** - Also, I'm not a web developer
+* Open the url http://ip-address:8000/social/
 
 ## Main Vulnerabilities
 
@@ -43,9 +55,6 @@ Change the following line on `src/headpage/settings.py` to serve HeadPage on all
 * The user's first/last name or username are not sanitized and are displayed on their profile.
     * E.g. username: `<script>alert("!!")</script>`
 
-### CSRF
-* To be Implemented (?)
-
 ### Open Redirect
 * When clicking the link to the login/register page from a previous page, the previous Page URL is sent as a Parameter for a redirection back to the previous page after loging in/registering. The redirection URL is not validated.
     * E.g. 127.0.0.1:8000/social/login/?redirect=evilsite.url
@@ -64,3 +73,10 @@ Change the following line on `src/headpage/settings.py` to serve HeadPage on all
 * Some static files are returned after GET requests `127.0.0.1:8000/social/static/?file=privacy.txt` The `file` in the GET is not properly validated/sanitized
 
 ![/etc/passwd leak](docs/path_traversal.png)
+
+### Console Events
+
+* Malicious Payload
+
+![Block](https://user-images.githubusercontent.com/46326549/92649532-90319580-f2c1-11ea-9081-27214e5afdeb.jpg)
+![app sec](https://user-images.githubusercontent.com/46326549/92649758-e3a3e380-f2c1-11ea-8e37-d78dcc0c7c10.jpg)
diff --git a/config_dyna b/config_dyna
@@ -0,0 +1,2 @@
+dt0s01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
+
diff --git a/docker b/docker
@@ -0,0 +1 @@
+SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx
diff --git a/dockerfilenew b/dockerfilenew
@@ -0,0 +1,31 @@
+# --- STAGE 1: build all modules ---
+FROM maven:3.9.7-eclipse-temurin-17 AS builder
+WORKDIR /app
+
+# 1) copia todo o código
+COPY . .
+
+# 2) instala o bancocentral-module no repositório local
+RUN mvn -f bancocentral-module/pom.xml clean install -DskipTests
+
+# 3) compila e empacota o pom raiz (que engloba auth, account, transaction, etc)
+RUN mvn clean package -DskipTests
+
+# --- STAGE 2: runtime com JRE Debian-slim multi-arch ---
+FROM eclipse-temurin:17-jre
+WORKDIR /app
+
+# copia os jars prontos
+COPY --from=builder /app/auth-module/target/auth-module-1.0-SNAPSHOT.jar          auth-module.jar
+COPY --from=builder /app/account-module/target/account-module-1.0-SNAPSHOT.jar    account-module.jar
+COPY --from=builder /app/integration-module/target/integration-module-1.0-SNAPSHOT.jar integration-module.jar
+COPY --from=builder /app/notification-module/target/notification-module-1.0-SNAPSHOT.jar notification-module.jar
+COPY --from=builder /app/transaction-module/target/transaction-module-1.0-SNAPSHOT.jar transaction-module.jar
+COPY --from=builder /app/bancocentral-module/target/bancocentral-module-1.0-SNAPSHOT.jar bancocentral-module.jar
+
+# script de startup
+COPY start-all.sh .
+RUN chmod +x start-all.sh
+
+EXPOSE 8081 8082 8083 8084 8085 8088 8089
+CMD ["./start-all.sh"]
diff --git a/requirements.txt b/requirements.txt
@@ -1,2 +1 @@
 Django==2.2.12
-trend-app-protect #Optional
diff --git a/src/headpage/settings.py b/src/headpage/settings.py
@@ -25,7 +25,7 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
 
-ALLOWED_HOSTS = []
+ALLOWED_HOSTS = ['*']
 
 
 # Application definition

diff --git a/src/social/views.py b/src/social/views.py
@@ -152,9 +152,9 @@ def register(request):
             password=get_password_hash(request.POST.get('password'))
             try:
                 # +++ VULNERABLE TO SQL INJECTION +++
-                curs.executescript(
-                    "INSERT INTO social_user ('username','password','first_name','last_name') VALUES ('{}','{}','{}','{}')".format(
-                        username,password,first_name,last_name)
+                curs.execute(
+                    "INSERT INTO social_user (username, password, first_name, last_name) VALUES (%s, %s, %s, %s)",
+                    [username, password, first_name, last_name]
                 )
                 #+++ VULNERABLE TO UNVALIDATED REDIRECTS +++
                 return redirect(url_to_redirect)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		dt0s01.ST2EY72KQINMH574WMNVI7YN.G3DFPBEJYMODIDAEX454M7YWBUVEFOWKPRVMWFASS64NFH52PX6BNDVFFM572RZM
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx