private void ValidateBrokenAuthSensitivedataExposure(string userName) { string sessionId = _httpContextAccessor.HttpContext.Request.Cookies["SessionId"]; string logedInUser = null; CtfChallangeModel missingAuthChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.MissingAuthentication) .Single(); if (string.IsNullOrEmpty(sessionId)) { _httpContextAccessor.HttpContext.Response.Headers.Add(missingAuthChallange.FlagKey, missingAuthChallange.Flag); } else { if (!_userDAO.ValidateSession(sessionId.Split("-")[1])) { _httpContextAccessor.HttpContext.Response.Headers.Add(missingAuthChallange.FlagKey, missingAuthChallange.Flag); } logedInUser = EncoderUtils.Base64Decode(sessionId.Split("-")[0]); } if (logedInUser != userName) { CtfChallangeModel sensitiveDataExposureChallenge = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposureChallenge.FlagKey, sensitiveDataExposureChallenge.Flag); } }
public override byte[] GetProfileImage(string userName) { ValidateBrokenAuthSensitivedataExposure(userName); byte[] profileImage; try { profileImage = base.GetProfileImage(userName); } catch (Exception ex) { CtfChallangeModel exceptionHandlingChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.ExcaptionHandling) .Single(); throw new Exception(exceptionHandlingChallange.Flag, ex); } if (userName != null && CTF_FILES.Contains(userName)) { CtfChallangeModel pathTraversal = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.PathTraversal) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(pathTraversal.FlagKey, pathTraversal.Flag); } return(profileImage); }
public override TransactionDBModel Details(int?id) { TransactionDBModel transaction = base.Details(id); if (transaction == null) { return(null); } string userName = _httpContextAccessor.HttpContext.GetUserName(); string role = _httpContextAccessor.HttpContext.GetRole(); if (transaction.SenderId != userName && transaction.ReceiverId != userName && role != CookieConstants.ADMIN_ROLE_STRING) { if (_ctfOptions.CtfChallengeOptions.Enumeration) { CtfChallangeModel enumerationChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Enumeration) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(enumerationChallange.FlagKey, enumerationChallange.Flag); } else { return(null); } } return(transaction); }
public override bool AuthorizeAdmin(AuthorizationFilterContext context) { bool result = base.AuthorizeAdmin(context); if (!result) { return(false); } string sessionId = context.HttpContext.Request.Cookies["SessionId"]; string userName = EncoderUtils.Base64Decode(sessionId.Split("-")[USER_NAME_INDEX]); IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>(); UserDBModel user = userDAO.GetUser(userName); if (user.Role < ADMIN_ROLE) { CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value; CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie) .Single(); context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag); } return(true); }
public async override Task <bool> BuyProduct(BuyProductReq buyProductReq, string userName) { List <StoreItem> storeItems = await _storeAPICalls.GetStoreItemsAsync(); if (storeItems == null) { return(await base.BuyProduct(buyProductReq, userName)); } CtfChallangeModel invalidModelChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.InvalidModel) .Single(); StoreItem storeItem = storeItems .Where(x => x.Id == buyProductReq.Id) .SingleOrDefault(); if (storeItem == null) { _httpContextAccessor.HttpContext.Response.Headers.Add(invalidModelChallange.FlagKey, invalidModelChallange.Flag); } else { if (storeItem.Price != buyProductReq.Price) { _httpContextAccessor.HttpContext.Response.Headers.Add(invalidModelChallange.FlagKey, invalidModelChallange.Flag); } } return(await base.BuyProduct(buyProductReq, userName)); }
protected override string ParseXml(string xml) { string parsedXml; try { parsedXml = base.ParseXml(xml); } catch (Exception ex) { CtfChallangeModel exceptionHandlingChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.ExcaptionHandling) .Single(); throw new Exception(exceptionHandlingChallange.Flag, ex); } try { string validParse = ValidXmlParse(xml); } catch (Exception) { CtfChallangeModel xxeChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.XxeInjection) .Single(); if (CTF_XEE_FILES.Any(x => xml.Contains(x))) { _httpContextAccessor.HttpContext.Response.Headers.Add(xxeChallange.FlagKey, xxeChallange.Flag); } } return(parsedXml); }
protected override bool ValidateRegistrationModel(UserModel userModel) { if (userModel == null || string.IsNullOrEmpty(userModel.UserName) || string.IsNullOrEmpty(userModel.Password)) { return(false); } try { bool isEmailValid = Regex.IsMatch(userModel.UserName, EMAIL_REGEX_PATTERN, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(5)); if (!isEmailValid) { return(false); } } catch (Exception) { if (_ctfOptions.CtfChallengeOptions.reDOS) { CtfChallangeModel reDOS = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.reDOS) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(reDOS.FlagKey, reDOS.Flag); } return(false); } return(true); }
public override string RegisterAdmin(UserModel userModel) { CtfChallangeModel hiddenPageChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.HiddenPage) .Single(); return(hiddenPageChallange.Flag); }
public override void Delete() { CtfChallangeModel unkonwChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.UnknownGeneration) .Single(); _httpContextAccessor.HttpContext.Response.Cookies.Append(unkonwChallange.FlagKey, unkonwChallange.Flag); base.Delete(); }
public override DataTableResp <TransactionResp> GetTransactions(string userName, string search, int start, int lenght) { CtfChallangeModel sqlInjectionChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.SqlInjection) .Single(); DataTableResp <TransactionResp> paginatedTransactions = base.GetTransactions(userName, search, start, lenght); if (paginatedTransactions == null) { paginatedTransactions = new DataTableResp <TransactionResp>(); } string validSearch = search; if (search == null || search.All(x => "%".Contains(x))) { validSearch = null; } List <TransactionResp> validTransactions = _transactionDAO.GetTransactionsCtfCheck(userName, validSearch); if (validTransactions.Count != paginatedTransactions.RecordsTotal) { _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag); } else { foreach (TransactionResp transaction in paginatedTransactions.Data) { if (!validTransactions.Any(x => x.IsEqual(transaction))) { _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag); break; } } } bool xss = paginatedTransactions.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.SenderId?.Contains(c) ?? false) || (x.ReceiverId?.Contains(c) ?? false) || (x.Reason?.Contains(c) ?? false) || (x.Reference?.Contains(c) ?? false))); if (xss) { CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Xss) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag); } return(base.GetTransactions(userName, search, start, lenght)); }
public override IActionResult LoginAdmin() { if (!_ctfOptions.CtfChallengeOptions.HiddenPageLoginAdmin) { return(base.LoginAdmin()); } CtfChallangeModel hiddenPageModel = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.HiddenPage) .SingleOrDefault(); return(new OkObjectResult(new { Flag = hiddenPageModel.Flag })); }
public override Task Logout(string returnUrl) { IUrlHelper urlHelper = _urlHelperFactory.GetUrlHelper(_actionContextAccessor.ActionContext); if (!urlHelper.IsLocalUrl(returnUrl)) { CtfChallangeModel invalidRedirect = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.InvalidRedirect) .Single(); _httpContextAccessor.HttpContext.Response.Cookies.Append(invalidRedirect.FlagKey, invalidRedirect.Flag); } return(base.Logout(returnUrl)); }
public override bool Create(TransactionDBModel transactionTable) { string userName = _httpContextAccessor.HttpContext.GetUserName(); if (transactionTable.SenderId != userName) { CtfChallangeModel invalidModelChallenge = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.InvalidModel) .Single(); _httpContextAccessor.HttpContext.Response.Cookies.Append(invalidModelChallenge.FlagKey, invalidModelChallenge.Flag); } return(base.Create(transactionTable)); }
public override async Task <List <PurcahseHistoryItemResp> > GetAllPurchases() { List <PurcahseHistoryItemResp> purchases = await base.GetAllPurchases(); bool xss = purchases.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.Name?.Contains(c) ?? false) || (x.Description?.Contains(c) ?? false))); if (xss) { CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Xss) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag); } return(purchases); }
public override async Task <DataTableResp <StoreItem> > GetStoreItems() { DataTableResp <StoreItem> storeItems = await base.GetStoreItems(); bool xss = storeItems.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.Name?.Contains(c) ?? false) || (x.Description?.Contains(c) ?? false))); if (xss) { CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Xss) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag); } return(storeItems); }
public void OnActionExecuting(ActionExecutingContext context) { CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value; if (ctfOptions.CtfChallengeOptions.UnknownGeneration) { CtfChallangeModel unkonwChallange = ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.UnknownGeneration) .Single(); context.HttpContext.Response.Headers.Add(unkonwChallange.FlagKey, unkonwChallange.Flag); } else if (ctfOptions.IsCtfEnabled) { context.Result = new NotFoundResult(); } }
public override List <TransactionsByDayResp> GetTransactionsByDay(string userName) { CtfChallangeModel sqlInjectionChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.SqlInjection) .Single(); List <TransactionsByDayResp> transactions; if (_ctfOptions.CtfChallengeOptions.SqlInjection) { try { transactions = _transactionDAO.GetTransactionsByDay(userName); } catch (Exception) { _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag); return(null); } List <TransactionsByDayResp> validTransactions = _transactionDAO.GetTransactionsByDayCtfCheck(userName); if (validTransactions.Count != transactions.Count) { _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag); } else { foreach (var transaction in transactions) { if (!validTransactions.Any(x => x.IsEqual(transaction))) { _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag); break; } } } } else { transactions = _transactionDAO.GetTransactionsByDayCtfCheck(userName); } return(transactions); }
protected override bool CheckTransaction(TransactionDBModel transaction) { if (_ctfOptions.CtfChallengeOptions.FreeCredit) { if (transaction.ReceiverId == SecureBankConstants.CREDIT_USERNAME) { CtfChallangeModel freeCredit = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.FreeCredit) .SingleOrDefault(); _httpContextAccessor.HttpContext.Response.Cookies.Append(freeCredit.FlagKey, freeCredit.Flag); return(true); } } return(base.CheckTransaction(transaction)); }
public override DataTableResp <AdminUserInfoResp> GetUsers() { DataTableResp <AdminUserInfoResp> users = base.GetUsers(); bool xss = users.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.Name?.Contains(c) ?? false) || (x.Surname?.Contains(c) ?? false) || (x.Username?.Contains(c) ?? false))); if (xss) { CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Xss) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag); } return(users); }
public override bool AuthorizeAdmin(AuthorizationFilterContext context) { bool result = base.AuthorizeAdmin(context); if (!result) { return(false); } IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext); string userName = claims .Where(x => x.Type == CookieConstants.USERNAME_CALIM_TYPE) .Select(x => x.Value) .SingleOrDefault(); IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>(); UserDBModel user = userDAO.GetUser(userName); if (_ctfOptions.CtfChallengeOptions.ChangeRoleInCookie) { if (user.Role < 50) { CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value; CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie) .Single(); context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag); } } else { if (user.Role < 50) { return(false); } } return(true); }
public async override Task <bool> BuyProduct(BuyProductReq buyProductReq, string userName) { string cacheKey = string.Format(SIMULTANEOUS_REQUESTS_KEY, userName, buyProductReq.Id); if (_memoryCache.TryGetValue(cacheKey, out string value)) { if (!_ctfOptions.CtfChallengeOptions.SimultaneousRequest) { return(false); } } _memoryCache.Set(cacheKey, string.Empty, LOCK_BUY_REQUEST_FOR); bool result = await base.BuyProduct(buyProductReq, userName); if (_ctfOptions.CtfChallengeOptions.InvalidModelStore) { List <StoreItem> storeItems = await _storeAPICalls.GetStoreItemsAsync(); if (storeItems != null) { CtfChallangeModel invalidModelChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.InvalidStoreModel) .Single(); StoreItem storeItem = storeItems .Where(x => x.Id == buyProductReq.Id) .SingleOrDefault(); if (storeItem != null) { if (storeItem.Price != buyProductReq.Price) { _httpContextAccessor.HttpContext.Response.Headers.Add(invalidModelChallange.FlagKey, invalidModelChallange.Flag); } } } } _memoryCache.Remove(cacheKey); return(result); }
public override Task <List <PurcahseHistoryItemResp> > GetPurcahseHistory(string userName) { if (userName != _httpContextAccessor.HttpContext.GetUserName()) { if (_ctfOptions.CtfChallengeOptions.SensitiveDataExposureStore) { CtfChallangeModel sensitiveDataExpusure = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExpusure.FlagKey, sensitiveDataExpusure.Flag); } else { userName = _httpContextAccessor.HttpContext.GetUserName(); } } return(base.GetPurcahseHistory(userName)); }
public override PortalSearchModel Search(string search) { if (!string.IsNullOrEmpty(search)) { if (_ctfOptions.CtfChallengeOptions.PortalSearchXss) { bool hasXss = CtfConstants.XXS_KEYVORDS.Any(x => search.ToUpper().Contains(x.ToUpper())); if (hasXss) { CtfChallangeModel xssChallenge = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Xss) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(xssChallenge.FlagKey, xssChallenge.Flag); } } } return(base.Search(search)); }
public override DataTableResp <TransactionResp> GetTransactions() { DataTableResp <TransactionResp> transactions = base.GetTransactions(); bool xss = transactions.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.SenderId?.Contains(c) ?? false) || (x.ReceiverId?.Contains(c) ?? false) || (x.Reason?.Contains(c) ?? false) || (x.Reference?.Contains(c) ?? false) || (x.SenderName?.Contains(c) ?? false) || (x.SenderSurname?.Contains(c) ?? false) || (x.ReceiverName?.Contains(c) ?? false) || (x.ReceiverSurname?.Contains(c) ?? false))); if (xss) { CtfChallangeModel xssChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.Xss) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(xssChallange.FlagKey, xssChallange.Flag); } return(transactions); }
public override byte[] GetProfileImage(string userName) { string loggedInUserName = _httpContextAccessor.HttpContext.GetUserName(); if (_ctfOptions.CtfChallengeOptions.PathTraversal) { if (userName != null && CTF_FILES.Contains(userName)) { CtfChallangeModel pathTraversal = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.PathTraversal) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(pathTraversal.FlagKey, pathTraversal.Flag); } } else { foreach (char invalidCharacter in Path.GetInvalidFileNameChars()) { userName = userName.Replace(invalidCharacter, '_'); } } if (_ctfOptions.CtfChallengeOptions.SensitiveDataExposureProfileImage) { if (userName != loggedInUserName) { CtfChallangeModel sensitiveDataExposure = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposure.FlagKey, sensitiveDataExposure.Flag); } } else { userName = loggedInUserName; } return(base.GetProfileImage(userName)); }
public void OnActionExecuting(ActionExecutingContext context) { CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value; if (!ctfOptions.IsCtfEnabled) { context.Result = new OkObjectResult("Admin Registration"); } else if (ctfOptions.CtfChallengeOptions.HiddenPageRegisterAdmin) { CtfChallangeModel hiddenPageChallange = ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.HiddenPage) .Single(); context.Result = new OkObjectResult(hiddenPageChallange.Flag); } else { context.Result = new NotFoundResult(); } }
public override AccountBalanceResp GetAmount(string userName) { string loggedInUserName = _httpContextAccessor.HttpContext.GetUserName(); if (_ctfOptions.CtfChallengeOptions.SensitiveDataExposureBalance) { if (userName != loggedInUserName) { CtfChallangeModel sensitiveDataExposure = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposure.FlagKey, sensitiveDataExposure.Flag); } } else { userName = loggedInUserName; } return(base.GetAmount(userName)); }
public override string GetIndexViewName() { ActionContext actionContext = _actionContextAccessor.ActionContext; string user = actionContext.HttpContext.GetUserName(); UserDBModel userDBModel = _userDAO.GetUser(user); if (!userDBModel.Confirmed) { if (_ctfOptions.CtfChallengeOptions.UnconfirmedLogin) { CtfChallangeModel ctfChallangeModel = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.UnconfirmedLogin) .SingleOrDefault(); actionContext.ModelState.AddModelError(string.Empty, ctfChallangeModel.Flag); } } return(base.GetIndexViewName()); }
public override Task <bool> Register(UserModel registrationModel) { if (registrationModel.Password.Length <= 3) { CtfChallangeModel weakPasswordChallenge = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.WeakPassword) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(weakPasswordChallenge.FlagKey, weakPasswordChallenge.Flag); } if (registrationModel.UserRight != 0) { CtfChallangeModel registrationRoleSetChallange = _ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.RegistrationRoleSet) .Single(); _httpContextAccessor.HttpContext.Response.Headers.Add(registrationRoleSetChallange.FlagKey, registrationRoleSetChallange.Flag); } return(base.Register(registrationModel)); }
public override bool AuthorizeMissing(AuthorizationFilterContext context) { CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value; ICookieService cookieService = context.HttpContext.RequestServices.GetRequiredService <ICookieService>(); bool isCookieValid = cookieService.ValidateCookie(context.HttpContext); if (ctfOptions.CtfChallengeOptions.MissingAuthentication) { CtfChallangeModel missingAuth = ctfOptions.CtfChallanges .Where(x => x.Type == CtfChallengeTypes.MissingAuthentication) .Single(); context.HttpContext.Response.Headers.Add(missingAuth.FlagKey, missingAuth.Flag); } else { if (!isCookieValid) { return(false); } else { IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext); if (claims == null) { return(false); } GenericPrincipal tmpUser = new GenericPrincipal(new ClaimsIdentity(claims), Array.Empty <string>()); context.HttpContext.User = tmpUser; } } return(true); }