
damnvulnerablecryptoapp / damnvulnerablecryptoapp


An app with really insecure crypto. To be used to see/test/exploit weak cryptographic implementations as well as to learn a little bit more about crypto, without the need to dive deep into the math behind it

Home Page: https://damnvulnerablecryptoapp.github.io/DamnVulnerableCryptoApp/

License: MIT License

Dockerfile 0.24% TypeScript 98.61% HTML 0.72% CSS 0.27% JavaScript 0.18%
crypto md5 sha1 aes rsa cbc ecb block reordering iv

damnvulnerablecryptoapp's Issues

every time same issue

Describe clearly what is your issue, and what you expect from an answer of this issue.
Provide as much information as possible.
npm

Github action for new Release

Create a github action for new releases (tagged in git) to create the docker image, push it to docker hub, and create the release package to add in the release section

maybe also publish to npm??

Not able to access the App page on 'http://0.0.0.0:8081/'

Describe the bug
A clear and concise description of what the bug is and what should be expected. If you want to propose a way of fixing it go ahead

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'I pulled the docker using docker pull damnvulnerablecryptoapp1/damnvulnerablecryptoapp
    and then run it using docker run -p 4000:4000 -t dvca '
  2. I am not able to access the web page on http://0.0.0.0:8081/

Screenshots
If applicable, add screenshots to help explain your problem.


Add Readme

Add a read me file with at least the following info:

  • Manifesto
    • Explain why this project exists, and how it differs from others
    • No need to code
    • Practical cases with real world scenarios
    • Math is banned! Good old English to explain the problem
    • No need to dominate crypto to understand/exploit the vulnerability nor to learn to fix it
  • How to build from dev code
  • How to run the app
  • Link to documentation
  • Interesting crypto links
  • Contributors
  • How to contribute
    • github integration, link commit to issue, close it, etc

Tests fail on windows

Tests are failing in windows due to file checksums (new lines are different) so the expected hash is different.

Change line endings in backend/src/config/publickey.pem

Also should have a mechanism to make sure line endings are always the same (linux) for all files

Add Snyk

Add snyk to project for SCA analysis

Generate flags per installation

Instead of having the flags hardcoded in the code, get them to a config file, and generate the file in the first time the app starts.

Fix docker, and add docs to Readme

Existing docker which is in backend folder, was generated with the project template.

But, since the backend serves the frontend from another app, the docker will never work.

Also, when implementing #30 this will fail even more.

Extract the docker file to the root folder of the project, and adapt it to work there, after implementing #30

Add relevant documentation to the readme file

Create a proper build

Right now the build version of the app is using the /dist folder of the backend + /build folder of frontend with relative paths... this is not good....

Create instead dist folder in the root dir, and add the frontend code to the public folder of the server.

for dev we can serve the build folder from the react app, although it should not be needed

Improve Docs structure

There are currently two docs folders, one in the root of the project, and another at backend/src/documentation

the first one is being used for generic app documentation and the second for the crypto and challenges (which is needed by the backend to serve to the app)

This is a bad structure, and should be replaced. We should only use the docs folder in the root, and the necessary files should be copied to the backend folder on the build process.

Since we do not need all the doc files in the backend we can come up with a prefix to identify which files need to be copied

add hints

What/Why
Add a hint option to display challenge hints, so the user will be able to get some help on how to solve the challenge without disclosing the whole solution

Solution
Have a series of hidden text that can be displayed to the user if he requests it

Add strong typing to requests

When returning data from BE, force a type to the response. If it is the method that returns the flag, try to standardize the response (when applicable) {success: xxx, flag: xxxx}

In the frontend the same. Create the types for the responses expected by the BE

[CHALLENGE] - Hashing without a salt

Use something like sha256 to encrypt passwords without a salt.
Find a nice dictionary with pre computed hashes for help documentation

The scenario could be an sql file with dump of a DB with some credentials (but it looks like weak hash)
Other idea could be the hashed version of the password used in a cookie to manage authentication.

In documentation show the differences between bruteforcing a hash with and without the salt. The difference in time.

Always use passwords from the TOP 500, just to make it fast

Can't change backend port

frontend code is completely dependent on port 4000 for dev server.
If the port is changed features will break.

Need to make this dynamic

Separate text messages to a specific file

Right now we mixed UI text content with the code, which can be hard, especially for spell check, text improvements, translations, etc.
We should start separating all of this text to a specific file

Documentation for Padding oracle

What's the crypto algorithm/mode/ related to this?
Ex. AES-CBC[...]

Describe the problem with the documentation
A clear and concise description of what you want is wrong/missing in the documentation.

Link to the actual documentation page
If this is related to existing documentation please leave here the link to the page

CHALLENGE IDEAS

This issue serves only to document themes to use when developing new challenges

  • Crypto protocol to encrypt http traffic, like a self made HTTPS. Use a browser frame, and show a self contained custom webpage in the challenge

  • Encrypted upload service like mega

  • Online Password manager like Lastpass

  • KeyVault service to store app passwords

  • Simulate a Proxy app like burp or fiddler, where the user sees a few requests made in the past. One of these requests has encrypted content. These requests can be inspected, and one of them has some encrypted content. To send the flag, the proxy app should be able to send raw http requests, the flag should be sent there somehow

Build on windows doesn't work

Since package.json scripts use unix commands like cp and mkdir, build on windows does not work (unless using WSL).

Need to change these scripts to work anywhere

Fix Logo

Logo is not quite symmetric. The middle, where the colors change (from the left side to the right) the color on the left goes a little bit after the middle, to the right

Improve block reordering docs

This was one of the first docs created, and does not follow the same structure as the others.

Separate the docs into the 3 sections defined for challenge docs
