Added 2017 vulnerabilities to index

Author: subashsn

config/vulns.js

@@ -1,12 +1,14 @@
 module.exports = {
 	'a1_injection': 'A1: Injection',
-	'a2_broken_auth': 'A2: Broken Authentication and Session Management',
-	'a3_xss': 'A3: Cross-site Scripting',
-	'a4_idor': 'A4: Insecure Direct Object Reference',
-	'a5_sec_misconf': 'A5: Security Misconfiguration',
-	'a6_sensitive_data': 'A6: Sensitive Data Exposure',
-	'a7_missing_access_control': 'A7: Missing Function Level Access Control',
-	'a8_csrf': 'A8: Cross-site Request Forgery',
-	'a9_vuln_component': 'A9: Using Components with Known Vulnerability',
-	'a10_redirect': 'A10: Unvalidated Redirects and Forwards'
+	'a2_broken_auth': 'A2: Broken Authentication',
+	'a3_sensitive_data': 'A3: Sensitive Data Exposure',
+	'a4_xxe': 'A4: XML External Entities',
+	'a5_broken_access_control': 'A5: Broken Access Control',
+	'a6_sec_misconf': 'A6: Security Misconfiguration',
+	'a7_xss': 'A7: Cross-site Scripting',
+	'a8_ides': 'A8: Insecure Deserialization',
+	'a9_vuln_component': 'A9: Using Components with Known Vulnerabilities',
+	'a10_logging': 'A10: Insufficient Logging and Monitoring',
+	'ax_csrf': 'A8:2013  Cross-site Request Forgery',
+	'ax_redirect': 'A10:2013 Unvalidated Redirects and Forwards'
 }

core/appHandler.js

@@ -212,9 +212,9 @@ module.exports.listUsersAPI = function (req, res) {
 	})
 }
 
-module.exports.bulkProducts =  function(req, res) {
+module.exports.bulkProductsLegacy = function (req,res){
 	// TODO: Deprecate this soon
-	if (req.query.legacy && req.files.products){
+	if(req.files.products){
 		var products = serialize.unserialize(req.files.products.data.toString('utf8'))
 		console.log(products)
 		products.forEach( function (product) {
@@ -223,12 +223,16 @@ module.exports.bulkProducts =  function(req, res) {
 			newProduct.code = product.code
 			newProduct.tags = product.tags
 			newProduct.description = product.description
-
 			newProduct.save()
 		})
 		res.redirect('/app/products')
+	}else{
+		res.render('app/bulkproducts',{messages:{danger:'Invalid file'},legacy:true})
 	}
-	else if (req.files.products && req.files.products.mimetype=='text/xml'){
+}
+
+module.exports.bulkProducts =  function(req, res) {
+	if (req.files.products && req.files.products.mimetype=='text/xml'){
 		var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true,noblanks:true})
 		products.root().childNodes().forEach( product => {
 			var newProduct = new db.Product()
@@ -240,6 +244,6 @@ module.exports.bulkProducts =  function(req, res) {
 		})
 		res.redirect('/app/products')
 	}else{
-		res.render('app/bulkproducts',{messages:{danger:'Invalid file'}})
+		res.render('app/bulkproducts',{messages:{danger:'Invalid file'},legacy:false})
 	}
 }

routes/app.js

@@ -20,7 +20,7 @@ module.exports = function () {
     })
 
     router.get('/bulkproducts', authHandler.isAuthenticated, function (req, res) {
-        res.render('app/bulkproducts')
+        res.render('app/bulkproducts',{legacy:req.query.legacy})
     })
 
     router.get('/products', authHandler.isAuthenticated, appHandler.listProducts)
@@ -61,5 +61,7 @@ module.exports = function () {
 
     router.post('/bulkproducts',authHandler.isAuthenticated, appHandler.bulkProducts);
 
+    router.post('/bulkproductslegacy',authHandler.isAuthenticated, appHandler.bulkProductsLegacy);
+
     return router
 }

routes/main.js

@@ -17,9 +17,11 @@ module.exports = function (passport) {
 			vuln_title: vulnDict[req.params.vuln],
 			vuln_scenario: req.params.vuln + '/scenario',
 			vuln_description: req.params.vuln + '/description',
-			vuln_reference: req.params.vuln + '/reference'
+			vuln_reference: req.params.vuln + '/reference',
+			vulnerabilities:vulnDict
 		}, function (err, html) {
 			if (err) {
+				console.log(err)
 				res.status(404).send('404')
 			} else {
 				res.send(html)
@@ -28,7 +30,7 @@ module.exports = function (passport) {
 	})
 
 	router.get('/learn', authHandler.isAuthenticated, function (req, res) {
-		res.render('learn')
+		res.render('learn',{vulnerabilities:vulnDict})
 	})
 
 	router.get('/register', authHandler.isNotAuthenticated, function (req, res) {

views/app/bulkproducts.ejs

@@ -23,10 +23,10 @@
 
         <div>
             <h3>Upload products</h3>
-            <form encType="multipart/form-data" method="post" action="/app/bulkproducts">
+            <form encType="multipart/form-data" method="post" action="/app/bulkproducts<% if(legacy){%>legacy<%}%>">
                 <div class="input-group mb-3">
                     <div class="products-file">
-                        <input type="file" name="products" class="file-input" id="inputfile" accept=".xml">
+                        <input type="file" name="products" class="file-input" id="inputfile" <% if(!legacy){ %> accept=".xml" <% } %>>
                         <br>
                         <input class="button" type="submit" name="submit" value="Upload">
                     </div>
@@ -35,44 +35,29 @@
         </div>
 
         <div><br>
+            <!-- Handle legacy endpoit /app/bulkproducts?legacy=true -->
+            <% if (!legacy) { %>
             <h3>Sample XML</h3>
-            <xmp>
-                <products>
-                    <product>
-                        <name>Xbox One</name>
-                        <code>23</code>
-                        <tags>gaming console</tags>
-                        <description>Gaming console by Microsoft</description>
-                    </product>
-                    <product>
-                        <name>Playstation 4</name>
-                        <code>26</code>
-                        <tags>gaming console</tags>
-                        <description>Gaming console by Sony</description>
-                    </product>
-                </products>
-            </xmp>
-            <xmp>
-                <products>
-                    <product>
-                        <name>Xbox One</name>
-                        <code>23</code>
-                        <tags>gaming console</tags>
-                        <description>Gaming console by Microsoft</description>
-                    </product>
-                    <product>
-                        <name>Playstation 4</name>
-                        <code>26</code>
-                        <tags>gaming console</tags>
-                        <description>Gaming console by Sony</description>
-                    </product>
-                </products>
-            </xmp>
-            <!-- For legacy endpoit /app/bulkproducts?legacy=true <xmp>[{"name":"Xbox 360","code":"15","tags":"gaming console","description":"Microsoft's flagship gaming console"},{"name":"Playstation 3","code":"17","tags":"gaming console","description":"Sony's flagshipgaming console"}]</xmp> -->
+<pre><xmp>
+<products>
+    <product>
+        <name>Xbox One</name>
+        <code>23</code>
+        <tags>gaming console</tags>
+        <description>Gaming console by Microsoft</description>
+    </product>
+    <product>
+        <name>Playstation 4</name>
+        <code>26</code>
+        <tags>gaming console</tags>
+        <description>Gaming console by Sony</description>
+    </product>
+</products>
+</xmp></pre>
+            <% } else { %>
+                <pre style="white-space: pre-wrap;">[{"name":"Xbox 360","code":"15","tags":"gaming console","description":"Microsoft's flagship gaming console"},{"name":"Playstation 3","code":"17","tags":"gaming console","description":"Sony's flagshipgaming console"}]</pre>
+            <%} %>
         </div>
-
-
-
         </div></div></div>
     <% include ../common/footer %>
 </body>

views/common/menu.ejs

@@ -9,7 +9,13 @@
 
         <div class='row'>
             <div class='col-md-3'>
-                <% include common/menu %>
+                <div class='list-group'>
+                    <% for (var vulnKey in vulnerabilities) { %>
+                        <a href="/learn/vulnerability/<%=vulnKey%>" class='list-group-item'>
+                            <i class='fa fa-angle-double-right'></i> <%=vulnerabilities[vulnKey]%>
+                        </a>
+                    <% } %>
+                </div>
             </div>
             <div class='col-md-9'>
                 <% if (messages.success) { %>
@@ -26,16 +32,9 @@
                 Start by selecting one of the vulnerability class from the left menu or select one of the link below: </p>
 
                 <ul>
-                    <li><a href='/learn/vulnerability/a1_injection'>A1: Injection</a></li>
-                    <li><a href='/learn/vulnerability/a2_broken_auth'>A2: Broken Authentication and Session Management</a></li>
-                    <li><a href='/learn/vulnerability/a3_xss'>A3: Cross-site Scripting</a></li>
-                    <li><a href='/learn/vulnerability/a4_idor'>A4: Insecure Direct Object Reference</a></li>
-                    <li><a href='/learn/vulnerability/a5_sec_misconf'>A5: Security Misconfiguration</a></li>
-                    <li><a href='/learn/vulnerability/a6_sensitive_data'>A6: Sensitive Data Exposure</a></li>
-                    <li><a href='/learn/vulnerability/a7_missing_access_control'>A7: Missing Function Level Access Control</a></li>
-                    <li><a href='/learn/vulnerability/a8_csrf'>A8: Cross-site Request Forgery</a></li>
-                    <li><a href='/learn/vulnerability/a9_vuln_component'>A9: Using Components with Known Vulnerability</a></li>
-                    <li><a href='/learn/vulnerability/a10_redirect'>A10: Unvalidated Redirects and Forwards</a></li>
+                    <% for (var vulnKey in vulnerabilities) { %>
+                    <li><a href='/learn/vulnerability/<%=vulnKey%>'> <%=vulnerabilities[vulnKey]%> </a></li>
+                    <% } %>
                 </ul>
             </div>
         </div>

views/learn.ejs

@@ -0,0 +1,3 @@
+<div class="markdown">
+Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. 
+</div>

views/vulnerabilities/a10_logging/description.ejs

@@ -0,0 +1,3 @@
+<div class="markdown">
+* [https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring](https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring)
+</div>

views/vulnerabilities/a10_logging/reference.ejs

@@ -0,0 +1,4 @@
+<div class='markdown'>
+* No Scenario for this vulnerability
+</div>
+

views/vulnerabilities/a10_logging/scenario.ejs

@@ -0,0 +1,3 @@
+<div class="markdown">
+Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
+</div>

views/vulnerabilities/a6_sensitive_data/description.ejs views/vulnerabilities/a3_sensitive_data/description.ejs

@@ -0,0 +1,3 @@
+<div class="markdown">
+* [https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)](https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE))
+</div>

views/vulnerabilities/a6_sensitive_data/reference.ejs views/vulnerabilities/a3_sensitive_data/reference.ejs

@@ -0,0 +1,3 @@
+<div class='markdown'>
+* [XXE: Import Products](/app/bulkproducts)
+</div>

views/vulnerabilities/a6_sensitive_data/scenario.ejs views/vulnerabilities/a3_sensitive_data/scenario.ejs

@@ -1,5 +1,5 @@
 <div class='markdown'>
 * [Admin API Dashbaord](/app/admin)
-
+* [Edit User](/app/useredit)
 </div>
 

views/vulnerabilities/a4_idor/description.ejs

@@ -0,0 +1,3 @@
+<div class="markdown">
+Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
+</div>

views/vulnerabilities/a4_idor/reference.ejs

@@ -0,0 +1,3 @@
+<div class="markdown">
+* [https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization](https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization)
+</div>

views/vulnerabilities/a4_idor/scenario.ejs

@@ -0,0 +1,4 @@
+<div class='markdown'>
+* [Insecure Deserialization: Legacy Import Products](/app/bulkproductslegacy)
+</div>
+

views/vulnerabilities/a4_xxe/description.ejs

@@ -9,7 +9,13 @@
 
     <div class='row'>
         <div class='col-md-3'>
-            <% include ../common/menu %>
+            <div class='list-group'>
+                <% for (var vulnKey in vulnerabilities) { %>
+                    <a href="/learn/vulnerability/<%=vulnKey%>" class='list-group-item'>
+                        <i class='fa fa-angle-double-right'></i> <%=vulnerabilities[vulnKey]%>
+                    </a>
+                <% } %>
+            </div>
         </div>
         <div class='col-md-9'>
             <h3><%=vuln_title%></h3>