sonatype-nexus-community / codetocloud-workshop Goto Github PK
View Code? Open in Web Editor NEWLicense: Other
codetocloud-workshop's People
Contributors
Stargazers
Watchers
codetocloud-workshop's Issues
WebGoatUser.java holds passwords in plain text?
WebGoatUser.java appears to hold passwords in plain text for longer than absolutely necessary. Should take password and immediately hash it for comparison to DB.
Potential ReDoS from vulnerable password evaluation library
Summary
The zxcvbn library uses unsafe regular expressions that can be exploited by specific payloads to consume extreme server resources, leading to a Denial of Service. Steps should be taken to limit the impact if this vulnerability is exploited.
Details
SecurePasswordsAssignment.java imports from zxcvbn leading to the vulnerability. There is no recommendation for an update, other possible remediations could be:
- check the string for dangerous sequences before evaluating the password strength with
zxcvbn - remove use of
zxcvbncompletely and use a different library that is not vulnerable - sandbox the execution of functions from
zxcvbnand limit the resources any execution is allowed to consume.
PoC
None, based on vulnerability report here
Impact
Exploitation could lead to Denial of Service
Suppress CVEs.. forever..
codetocloud-workshop/config/dependency-check/project-suppression.xml
Lines 51 to 68 in 96ba5c7
Lots of vulnerable libraries in eclipse-temurin:19-jre-focal base image
Should check if later image tags resolve these issues.
Otherwise figure out if another base image also works
docker.io/eclipse-temurin:19-jre-focal (ubuntu 20.04)
=====================================================
Total: 107 (UNKNOWN: 0, LOW: 67, MEDIUM: 40, HIGH: 0, CRITICAL: 0)
This Base image is used in ./Dockerfile
potential YAML injection on .github configuration
if no questions answered then you're verified
Unverified Commits
untrusted input?
Runner privilege escalation on workflow
Version mismatch
Github actions uses tumerin 17
Dockerfile uses tumerin 19
Dependency: underscore 1.10.2
Summary
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Details
The underscore package is vulnerable to Code Injection. The template function in underscore.js and template.js does not properly validate the variable property of the settings parameter to ensure it is a bare identifier. An attacker can exploit this by inputting malicious code to the variable property that would then be rendered and executed.
PoC
Primary cause is due to the following files:
underscore-1.10.2.tgzpackage/underscore-min.js[1.3.2, 1.12.1)
underscore-1.10.2.tgzpackage/underscore.js[1.3.2, 1.12.1)
underscore-1.10.2.tgzpackage/modules/index.js[1.10.0, 1.11.0)
Issues will be present when built with the following modules.
Impact
The service will be impacted and the DB's hosted on it will be prone to code injection.
SQL Injection
Summary
Unsanitized input from an HTTP parameter flows into prepareStatement, where it is used in an SQL query. This may result in an SQL Injection vulnerability.
Details
Some of them:
src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.javaOpen this link in a new tab
Details
In an SQL injection attack, the user can submit an SQL query directly to the database, gaining access without providing appropriate credentials. Attackers can then view, export, modify, and delete confidential information; change passwords and other authentication information; and possibly gain access to other systems within the network. This is one of the most commonly exploited categories of vulnerability, but can largely be avoided through good coding practices.
Best practices for prevention
Avoid passing user-entered parameters directly to the SQL server.
Avoid using string concatenation to build SQL queries from user-entered parameters.
When coding, define SQL code first, then pass in parameters. Use prepared statements with parameterized queries. Examples include SqlCommand() in .NET and bindParam() in PHP.
Use strong typing for all parameters so unexpected user data will be rejected.
Where direct user input cannot be avoided for performance reasons, validate input against a very strict allowlist of permitted characters, avoiding special characters such as ? & / < > ; - ' " \ and spaces. Use a vendor-supplied escaping routine if possible.
Develop your application in an environment and/or using libraries that provide protection against SQL injection.
Harden your entire environment around a least-privilege model, ideally with isolated accounts with privileges only for particular tasks.
MAINTAINER should not be used: 'MAINTAINER "WebGoat team"'
codetocloud-workshop/Dockerfile
Line 3 in 96ba5c7
HIGH: MAINTAINER should not be used: 'MAINTAINER "WebGoat team"'
Frontend uses vulnerable JavaScript libraries
Summary
Some of the static JavaScript libs included for the frontend include vulnerabilities including template injection. These dependencies should be kept up to date to prevent attacks.
Details
- jquery 1.5.1 should be upgraded to 3.5 per this recommendation
- underscore 1.10.2 should be upgraded to 1.12.1 per this recommendation
PoC
None, based on CVE reports only
Impact
These are old libraries and represent many known CVEs with various threat levels, but include Template Injection, XSS and Prototype Injection attacks
potential YAML injection on configuration
Session Cookie is set to SameSite=Lax
When a cookie has the SameSite=Lax attribute, it means that the cookie will be sent along with cross-origin GET requests initiated by third-party websites.
Xstream library vulnerable
Summary
Multiple CVEs open for Xstream, including http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285
Upgrading to 1.4.20 will cause breaking changes that will need to be addressed.
Security: Update JVM dependency
Summary
Our Java version is stuck at 17.0.6 which does contain CVE vulnerabilities
Details
https://security.snyk.io/package/linux/oracle:8/java-17-openjdk) in Dockerfile_desktop
PoC
Read Dockerfile_desktop :)
Impact
High
assuming user submitted id is same as logged in user id
com.thoughtworks.xstream : xstream : 1.4.5
Summary
XStream does not provide security checks when creating Java objects. When untrusted data is processed, an attacker can provide crafted data that allows arbitrary code execution resulting in access to the host system that is only limited by the privileges of the running application.
Details
The application is vulnerable by using this component as it is outdated.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
High vulnerability that could potential impact everyone company wide
Multiple vulnerable dependencies - trivy report
pom.xml (pom)
=============
Total: 60 (UNKNOWN: 1, LOW: 0, MEDIUM: 11, HIGH: 34, CRITICAL: 14)
┌─────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind │ CVE-2022-42003 │ HIGH │ 2.13.3 │ 2.12.7.1, 2.13.4.1 │ deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42003 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-42004 │ │ │ 2.12.7.1, 2.13.4 │ use of deeply nested arrays │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-42004 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.guava:guava │ CVE-2023-2976 │ MEDIUM │ 31.1-jre │ 32.0.0 │ Guava vulnerable to insecure use of temporary directory │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-2976 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.thoughtworks.xstream:xstream │ CVE-2013-7285 │ CRITICAL │ 1.4.5 │ 1.4.7 │ XStream: remote code execution due to insecure XML │
│ │ │ │ │ │ deserialization │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-7285 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21342 │ │ │ 1.4.16 │ XStream: SSRF via crafted input stream │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21342 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21344 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ javax.sql.rowset.BaseRowSet │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21344 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21345 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ com.sun.corba.se.impl.activation.ServerTableEntry │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21345 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21346 │ │ │ │ XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21346 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21347 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ com.sun.tools.javac.processing.JavacProcessingEnvironment │
│ │ │ │ │ │ NameProcessIterator │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21347 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21350 │ │ │ │ XStream: Unsafe deserizaliation of │
│ │ │ │ │ │ com.sun.org.apache.bcel.internal.util.ClassLoader │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21350 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21351 │ │ │ │ XStream: allow a remote attacker to load and execute │
│ │ │ │ │ │ arbitrary code from... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21351 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2016-3674 │ HIGH │ │ 1.4.9 │ enabled processing of external entities │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-3674 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-7957 │ │ │ 1.4.10 │ XStream: DoS when unmarshalling void type │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-7957 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-26217 │ │ │ 1.4.14 │ XStream: remote code execution due to insecure XML │
│ │ │ │ │ │ deserialization when relying on... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26217 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-26258 │ │ │ 1.4.15 │ XStream: Server-Side Forgery Request vulnerability can be │
│ │ │ │ │ │ activated when unmarshalling │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26258 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21341 │ │ │ 1.4.16 │ XStream: allow a remote attacker to cause DoS only by │
│ │ │ │ │ │ manipulating the... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21341 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21343 │ │ │ │ XStream: arbitrary file deletion on the local host via │
│ │ │ │ │ │ crafted input stream... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21343 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21348 │ │ │ │ XStream: ReDoS vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21348 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-21349 │ │ │ │ XStream: SSRF can be activated unmarshalling with XStream to │
│ │ │ │ │ │ access data streams... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-21349 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-29505 │ │ │ 1.4.17 │ XStream: remote command execution attack by manipulating the │
│ │ │ │ │ │ processed input stream │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-29505 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39139 │ │ │ 1.4.18 │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of Xalan xsltc.trax.TemplatesImpl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39139 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39141 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.xml.internal.ws.client.sei.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39141 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39144 │ │ │ │ Arbitrary code execution via unsafe deserialization of │
│ │ │ │ │ │ sun.tracing.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39144 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39145 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.ldap.LdapBindingEnumeration │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39145 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39146 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of javax.swing.UIDefaults$ProxyLazyValue │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39146 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39147 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.ldap.LdapSearchEnumeration │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39147 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39148 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.toolkit.dir.ContextEnumerator │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39148 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39149 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.corba.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39149 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39150 │ │ │ │ xstream: Server-side request forgery (SSRF) via unsafe │
│ │ │ │ │ │ deserialization of com.sun.xml.internal.ws.client.sei.* │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39150 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39151 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of com.sun.jndi.ldap.LdapBindingEnumeration │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39151 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39152 │ │ │ │ xstream: Server-side request forgery (SSRF) via unsafe │
│ │ │ │ │ │ deserialization of │
│ │ │ │ │ │ jdk.nashorn.internal.runtime.Source$URLData │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39152 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39153 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of Xalan xsltc.trax.TemplatesImpl │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39153 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39154 │ │ │ │ xstream: Arbitrary code execution via unsafe deserialization │
│ │ │ │ │ │ of javax.swing.UIDefaults$ProxyLazyValue │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39154 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-43859 │ │ │ 1.4.19 │ Injecting highly recursive collections or maps can cause a │
│ │ │ │ │ │ DoS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-43859 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-40151 │ │ │ │ Xstream to serialise XML data was vulnerable to Denial of │
│ │ │ │ │ │ Service attacks... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40151 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-40152 │ │ │ │ woodstox to serialise XML data was vulnerable to Denial of │
│ │ │ │ │ │ Service attacks... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-40152 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41966 │ │ │ 1.4.20 │ Denial of Service by injecting recursive collections or maps │
│ │ │ │ │ │ based on element's... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41966 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2020-26259 │ MEDIUM │ │ 1.4.15 │ XStream: arbitrary file deletion on the local host when │
│ │ │ │ │ │ unmarshalling │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-26259 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39140 │ │ │ 1.4.18 │ xstream: Infinite loop DoS via unsafe deserialization of │
│ │ │ │ │ │ sun.reflect.annotation.AnnotationInvocationHandler │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39140 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ GHSA-3mq5-fq9h-gj7j │ UNKNOWN │ │ │ Denial of Service due to parser crash │
│ │ │ │ │ │ https://github.com/advisories/GHSA-3mq5-fq9h-gj7j │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ io.undertow:undertow-core │ CVE-2022-1259 │ HIGH │ 2.2.18.Final │ │ undertow: potential security issue in flow control over │
│ │ │ │ │ │ HTTP/2 may lead to... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1259 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2053 │ │ │ 2.2.19 │ undertow: Large AJP request may cause DoS │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2053 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-2764 │ MEDIUM │ │ │ Undertow: DoS can be achieved as Undertow server waits for │
│ │ │ │ │ │ the LAST_CHUNK... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2764 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.hsqldb:hsqldb │ CVE-2022-41853 │ CRITICAL │ 2.5.2 │ 2.7.1 │ Untrusted input may lead to RCE attack │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41853 │
├─────────────────────────────────────────────────────────────┼─────────────────────┤ ├───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-actuator-autoconfigure │ CVE-2023-20873 │ │ 2.7.1 │ 2.7.11, 3.0.6 │ Spring Boot Security Bypass with Wildcard Pattern Matching │
│ │ │ │ │ │ on Cloud Foundry │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20873 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-autoconfigure │ CVE-2023-20883 │ HIGH │ │ 2.5.15, 2.6.15, 2.7.12, 3.0.7 │ Spring Boot Welcome Page DoS Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20883 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-core │ CVE-2023-20862 │ CRITICAL │ 5.7.2 │ 5.7.8, 5.8.3, 6.0.3 │ Spring Security logout not clearing security context │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20862 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-31690 │ HIGH │ │ 5.6.9, 5.7.5 │ Privilege Escalation in spring-security-oauth2-client │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31690 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-web │ CVE-2022-31692 │ CRITICAL │ │ │ Authorization rules can be bypassed via forward or include │
│ │ │ │ │ │ dispatcher types in... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-31692 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core │ CVE-2023-20861 │ MEDIUM │ 5.3.21 │ 5.3.26, 6.0.7, 5.2.23.RELEASE │ Spring Expression DoS Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20861 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-20863 │ │ │ 5.3.27, 6.0.8, 5.2.24.RELEASE │ Spring Expression DoS Vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20863 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web │ CVE-2016-1000027 │ CRITICAL │ │ 6.0.0 │ spring: HttpInvokerServiceExporter readRemoteInvocation │
│ │ │ │ │ │ method untrusted java deserialization │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-1000027 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc │ CVE-2023-20860 │ HIGH │ │ 5.3.26, 6.0.7 │ Security Bypass With Un-Prefixed Double Wildcard Pattern │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20860 │
├─────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml │ CVE-2022-1471 │ CRITICAL │ 1.30 │ 2.0 │ Constructor Deserialization Remote Code Execution │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1471 │
│ ├─────────────────────┼──────────┤ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-25857 │ HIGH │ │ 1.31 │ Denial of Service due to missing nested depth limitation for │
│ │ │ │ │ │ collections │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25857 │
│ ├─────────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38749 │ MEDIUM │ │ │ Uncaught exception in │
│ │ │ │ │ │ org.yaml.snakeyaml.composer.Composer.composeSequenceNode │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38749 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38750 │ │ │ │ Uncaught exception in │
│ │ │ │ │ │ org.yaml.snakeyaml.constructor.BaseConstructor.constructObj- │
│ │ │ │ │ │ ect │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38750 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38751 │ │ │ │ Uncaught exception in │
│ │ │ │ │ │ java.base/java.util.regex.Pattern$Ques.match │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38751 │
│ ├─────────────────────┤ │ ├───────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-38752 │ │ │ 1.32 │ Uncaught exception in java.base/java.util.ArrayList.hashCode │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38752 │
│ ├─────────────────────┤ │ │ ├──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-41854 │ │ │ │ DoS via stack overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-41854 │
└─────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────────────────────┴──────────────────────────────────────────────────────────────┘
The session cookie is only hashed with base64 and hex
The value of the user session cookie spoof_auth is hashed as follows
- reverse the username
admin=>nimda - encode the string with hexidecimal
- encode the string with base64
This method can easily be reverse engineered and spoofed allowing bad actors to spoof user sessions. I suggest using bcrypt and a salting the string to resolve this issue.
sensitive personal data stored in employees.xml
Summary
src/main/resources/lessons/employees.xml has hardcoded unencrypted personal data stored in git
Details
PoC
Impact
High
Security: Possible CSRF issue on the login page
Details
PoC
No csrf handling for the form
Impact
cross site request forgery :P
Userform issue
Summary
Password seems to be hard coded and would be visible. Code would need either scramble it or encrypt any password sent out to auth service.
Details
/workspaces/codetocloud-workshop/src/main/java/org/owasp/webgoat/container/users/UserForm.java Code looks to have the password as plain text
PoC
Cookies would have text visible as plain text.
Impact
Any new user and existing user signing in.
master branch not protected
saw it at the speakers screen :P
Unsanitized inputs on Github workflows
On https://github.com/sonatype-nexus-community/codetocloud-workshop/blob/main/.github/workflows/build.yml (and other workflows).
Unsanitized strings could lead to arbitrary code execution on malicious definitions and/or configurations.
Hardcoded Credentials
Summary
Hardcoded username/password in lessons/insecurelogin/InsecureLoginTask.java@ln36
Details
N/A
PoC
N/A
Impact
Insecure login
Default user/pass configuration
AccountVerifyHelper bypass security questions
Summary
The AccountVerifyHelper.java, specifically, the "verifyAccount" method is subject to a bypass.
Details
Provided the user submits the same number of questions in the hashset and the key is different than the keys in the hashset, the method will return true.
Impact
An attacker will be able to bypass authentication.
Remote Code Execution vulnerability - hsqldb
Summary
The use of org.hsqldb : hsqldb : 2.5.2's java.sql.Statement or java.sql.PreparedStatement can allow remote code execution.
Details
org.hsqldb : hsqldb : 2.5.2
Cleartext credentials
/workspaces/codetocloud-workshop/.github/workflows/iq-tests.yml
SolutionConstants.java has plain text pass
Summary
Plain text password in SolutionConstants.java
TODO says to randomly generate
Passwords stored using insecure encoder
Summary
WebSecurityConfig.java uses org.springframework.security.crypto.password.NoOpPasswordEncoder which is considered insecure and only exists for testing purposes where working with plaintext passwords may be useful.
Details
- Should be hashing passwords and is not. Docs recommend BCrypt or DelegatingPasswordEncoder to allow password hash upgrades.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
An attacker could access all user data if passwords are leaked
Google Core Libraries expose vulnerability for temporary files
Summary
The application is not currently vulnerable to this issue because it does not use vulnerable functions from these core libraries, however the libraries should be upgraded for future safety anyway.
The vulnerability exists because Guava creates temporary files in a public location with no restrictions on some file systems, allowing an attacker to access files which may contain private data.
Details
- Application is not currently vulnerable
- Potential for vulnerability in the future if someone adds functionality that uses vulnerable parts of the Google Core Libraries
- Should upgrade to 32.0.1 per this report
PoC
None, based on vulnerability report
Impact
None at the moment
com.thoughtworks.xstream : xstream : 1.4.5 -- multiple issues
Summary
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Details
XStream does not provide security checks when creating Java objects. When untrusted data is processed, an attacker can provide crafted data that allows arbitrary code execution resulting in access to the host system that is only limited by the privileges of the running application.
PoC
The application is vulnerable by using this component. Issue will result when built as is without upgrading the dependency
Impact
Root Cause__
xstream-1.4.5.jarcom/thoughtworks/xstream/XStream.class(, 1.4.7)
xstream-1.4.5.jarcom/thoughtworks/xstream/converters/reflection/ReflectionConverter.class(, 1.4.7)
Will impact the server where code is ran.
Employees.xml
Summary
Employee information potentially put into the resources. Most likely for testing but in case it wasn't.
Details
Location: /workspaces/codetocloud-workshop/src/main/resources/lessons/employees.xml
PoC
Visible file passed to client.
Impact
Any employee of the company who's data is leaked.
password logged
Summary
LogBleedingTask is logging an (admin) password
Details
PoC
Impact
Hardcoded Question Answers
Summary
QuestionAssignment.java contains hardcoded question answers
Details
PoC
Impact
Suppression of CVEs
/workspaces/codetocloud-workshop/config/checkstyle/suppressions.xml
/workspaces/codetocloud-workshop/config/dependency-check/project-suppression.xml
possibly could save a malicious file
Summary
Class FileServer could possibly save a malicious file
Details
PoC
Impact
WebSecurityConfig.java Permits All?
Perhaps I am misreading due to being unfamiliar with Java. But it looks like the security policy for the request config is doing permit all as a default. Probably not a good idea.
No pinned versions for the robot tests
Versions are not pinned for the robot tests in robot/README.md. This may result in unintended upgrades and failing tests or even malware infection of developer machines
check for verified account defaults to true if conditions not met
should default to false and return true if x conditions are met
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.