コード例 #1
0
        private void ValidateBrokenAuthSensitivedataExposure(string userName)
        {
            string sessionId   = _httpContextAccessor.HttpContext.Request.Cookies["SessionId"];
            string logedInUser = null;

            CtfChallangeModel missingAuthChallange = _ctfOptions.CtfChallanges
                                                     .Where(x => x.Type == CtfChallengeTypes.MissingAuthentication)
                                                     .Single();

            if (string.IsNullOrEmpty(sessionId))
            {
                _httpContextAccessor.HttpContext.Response.Headers.Add(missingAuthChallange.FlagKey, missingAuthChallange.Flag);
            }
            else
            {
                if (!_userDAO.ValidateSession(sessionId.Split("-")[1]))
                {
                    _httpContextAccessor.HttpContext.Response.Headers.Add(missingAuthChallange.FlagKey, missingAuthChallange.Flag);
                }

                logedInUser = EncoderUtils.Base64Decode(sessionId.Split("-")[0]);
            }

            if (logedInUser != userName)
            {
                CtfChallangeModel sensitiveDataExposureChallenge = _ctfOptions.CtfChallanges
                                                                   .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure)
                                                                   .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposureChallenge.FlagKey, sensitiveDataExposureChallenge.Flag);
            }
        }
コード例 #2
0
        public override bool AuthorizeAdmin(AuthorizationFilterContext context)
        {
            bool result = base.AuthorizeAdmin(context);

            if (!result)
            {
                return(false);
            }

            string sessionId = context.HttpContext.Request.Cookies["SessionId"];
            string userName  = EncoderUtils.Base64Decode(sessionId.Split("-")[USER_NAME_INDEX]);

            IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();

            UserDBModel user = userDAO.GetUser(userName);

            if (user.Role < ADMIN_ROLE)
            {
                CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

                CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
                                                 .Single();

                context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
            }

            return(true);
        }
コード例 #3
0
        protected virtual IEnumerable <Claim> GetClaims(string cookie)
        {
            Claim[] claims = new[]
            {
                new Claim(CookieConstants.AUTHENTICATED_CALIM_TYPE, "True"),
                new Claim(CookieConstants.USERNAME_CALIM_TYPE, EncoderUtils.Base64Decode(GetUserName(cookie))),
                new Claim(CookieConstants.ROLE_CALIM_TYPE, GetRole(cookie)),
            };

            return(claims);
        }
コード例 #4
0
        public virtual bool AuthorizeNormal(AuthorizationFilterContext context)
        {
            string sessionId = context.HttpContext.Request.Cookies["SessionId"];

            if (string.IsNullOrEmpty(sessionId))
            {
                return(false);
            }

            string[] sessionParts = sessionId.Split('-');
            if (sessionParts.Length != COOKIE_PARTS)
            {
                return(false);
            }

            bool parseRoleResult = int.TryParse(sessionParts[ROLDE_INDEX], out int role);

            if (!parseRoleResult)
            {
                return(false);
            }

            IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();

            if (userDAO.ValidateSession(sessionParts[TOKEN_INDEX]) == false)
            {
                return(false);
            }

            string roleString = NORMAL_ROLE_STRING;

            if (role >= ADMIN_ROLE)
            {
                roleString = ADMIN_ROLE_STRING;
            }

            Claim[] claims = new[]
            {
                new Claim("authenticated", "true"),
                new Claim("userName", EncoderUtils.Base64Decode(sessionParts[USER_NAME_INDEX])),
                new Claim("role", roleString),
            };

            GenericPrincipal tmpUser = new GenericPrincipal(new ClaimsIdentity(claims), Array.Empty <string>());

            context.HttpContext.User = tmpUser;

            return(true);
        }
コード例 #5
0
        public virtual Task <bool> RecoverPasswordValid(string token)
        {
            if (string.IsNullOrEmpty(token))
            {
                return(Task.FromResult(false));
            }

            string userName = EncoderUtils.Base64Decode(token);

            if (!_userDAO.PasswordTokenExists(userName))
            {
                return(Task.FromResult(false));
            }

            return(Task.FromResult(true));
        }
コード例 #6
0
        public virtual Task <bool> ConfirmRegistration(string token)
        {
            if (string.IsNullOrEmpty(token))
            {
                return(Task.FromResult(false));
            }

            string userName = EncoderUtils.Base64Decode(token);

            bool result = _userDAO.ConfirmToken(userName);

            if (!result)
            {
                return(Task.FromResult(false));
            }

            //_transactionDAO.MakeRandomTransactions(userName);
            return(Task.FromResult(true));
        }
コード例 #7
0
        public virtual Task <bool> RecoverPassword(UserModel passwordRecoveryModel)
        {
            if (passwordRecoveryModel == null || string.IsNullOrEmpty(passwordRecoveryModel.Token) || string.IsNullOrEmpty(passwordRecoveryModel.Password))
            {
                return(Task.FromResult(false));
            }

            string userName = EncoderUtils.Base64Decode(passwordRecoveryModel.Token);

            if (!_userDAO.PasswordTokenExists(userName))
            {
                return(Task.FromResult(false));
            }

            if (!_userDAO.UpdatePassword(userName, passwordRecoveryModel.Password))
            {
                return(Task.FromResult(false));
            }

            return(Task.FromResult(true));
        }