Exemplo n.º 1
0
        private void ValidateBrokenAuthSensitivedataExposure(string userName)
        {
            string sessionId   = _httpContextAccessor.HttpContext.Request.Cookies["SessionId"];
            string logedInUser = null;

            CtfChallangeModel missingAuthChallange = _ctfOptions.CtfChallanges
                                                     .Where(x => x.Type == CtfChallengeTypes.MissingAuthentication)
                                                     .Single();

            if (string.IsNullOrEmpty(sessionId))
            {
                _httpContextAccessor.HttpContext.Response.Headers.Add(missingAuthChallange.FlagKey, missingAuthChallange.Flag);
            }
            else
            {
                if (!_userDAO.ValidateSession(sessionId.Split("-")[1]))
                {
                    _httpContextAccessor.HttpContext.Response.Headers.Add(missingAuthChallange.FlagKey, missingAuthChallange.Flag);
                }

                logedInUser = EncoderUtils.Base64Decode(sessionId.Split("-")[0]);
            }

            if (logedInUser != userName)
            {
                CtfChallangeModel sensitiveDataExposureChallenge = _ctfOptions.CtfChallanges
                                                                   .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure)
                                                                   .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposureChallenge.FlagKey, sensitiveDataExposureChallenge.Flag);
            }
        }
Exemplo n.º 2
0
        public override byte[] GetProfileImage(string userName)
        {
            ValidateBrokenAuthSensitivedataExposure(userName);

            byte[] profileImage;

            try
            {
                profileImage = base.GetProfileImage(userName);
            }
            catch (Exception ex)
            {
                CtfChallangeModel exceptionHandlingChallange = _ctfOptions.CtfChallanges
                                                               .Where(x => x.Type == CtfChallengeTypes.ExcaptionHandling)
                                                               .Single();

                throw new Exception(exceptionHandlingChallange.Flag, ex);
            }

            if (userName != null && CTF_FILES.Contains(userName))
            {
                CtfChallangeModel pathTraversal = _ctfOptions.CtfChallanges
                                                  .Where(x => x.Type == CtfChallengeTypes.PathTraversal)
                                                  .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(pathTraversal.FlagKey, pathTraversal.Flag);
            }

            return(profileImage);
        }
Exemplo n.º 3
0
        public override TransactionDBModel Details(int?id)
        {
            TransactionDBModel transaction = base.Details(id);

            if (transaction == null)
            {
                return(null);
            }

            string userName = _httpContextAccessor.HttpContext.GetUserName();
            string role     = _httpContextAccessor.HttpContext.GetRole();

            if (transaction.SenderId != userName && transaction.ReceiverId != userName && role != CookieConstants.ADMIN_ROLE_STRING)
            {
                if (_ctfOptions.CtfChallengeOptions.Enumeration)
                {
                    CtfChallangeModel enumerationChallange = _ctfOptions.CtfChallanges
                                                             .Where(x => x.Type == CtfChallengeTypes.Enumeration)
                                                             .Single();

                    _httpContextAccessor.HttpContext.Response.Headers.Add(enumerationChallange.FlagKey, enumerationChallange.Flag);
                }
                else
                {
                    return(null);
                }
            }

            return(transaction);
        }
Exemplo n.º 4
0
        public override bool AuthorizeAdmin(AuthorizationFilterContext context)
        {
            bool result = base.AuthorizeAdmin(context);

            if (!result)
            {
                return(false);
            }

            string sessionId = context.HttpContext.Request.Cookies["SessionId"];
            string userName  = EncoderUtils.Base64Decode(sessionId.Split("-")[USER_NAME_INDEX]);

            IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();

            UserDBModel user = userDAO.GetUser(userName);

            if (user.Role < ADMIN_ROLE)
            {
                CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

                CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
                                                 .Single();

                context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
            }

            return(true);
        }
Exemplo n.º 5
0
        public async override Task <bool> BuyProduct(BuyProductReq buyProductReq, string userName)
        {
            List <StoreItem> storeItems = await _storeAPICalls.GetStoreItemsAsync();

            if (storeItems == null)
            {
                return(await base.BuyProduct(buyProductReq, userName));
            }

            CtfChallangeModel invalidModelChallange = _ctfOptions.CtfChallanges
                                                      .Where(x => x.Type == CtfChallengeTypes.InvalidModel)
                                                      .Single();

            StoreItem storeItem = storeItems
                                  .Where(x => x.Id == buyProductReq.Id)
                                  .SingleOrDefault();

            if (storeItem == null)
            {
                _httpContextAccessor.HttpContext.Response.Headers.Add(invalidModelChallange.FlagKey, invalidModelChallange.Flag);
            }
            else
            {
                if (storeItem.Price != buyProductReq.Price)
                {
                    _httpContextAccessor.HttpContext.Response.Headers.Add(invalidModelChallange.FlagKey, invalidModelChallange.Flag);
                }
            }

            return(await base.BuyProduct(buyProductReq, userName));
        }
Exemplo n.º 6
0
        protected override string ParseXml(string xml)
        {
            string parsedXml;

            try
            {
                parsedXml = base.ParseXml(xml);
            }
            catch (Exception ex)
            {
                CtfChallangeModel exceptionHandlingChallange = _ctfOptions.CtfChallanges
                                                               .Where(x => x.Type == CtfChallengeTypes.ExcaptionHandling)
                                                               .Single();

                throw new Exception(exceptionHandlingChallange.Flag, ex);
            }

            try
            {
                string validParse = ValidXmlParse(xml);
            }
            catch (Exception)
            {
                CtfChallangeModel xxeChallange = _ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.XxeInjection)
                                                 .Single();

                if (CTF_XEE_FILES.Any(x => xml.Contains(x)))
                {
                    _httpContextAccessor.HttpContext.Response.Headers.Add(xxeChallange.FlagKey, xxeChallange.Flag);
                }
            }

            return(parsedXml);
        }
Exemplo n.º 7
0
        protected override bool ValidateRegistrationModel(UserModel userModel)
        {
            if (userModel == null || string.IsNullOrEmpty(userModel.UserName) || string.IsNullOrEmpty(userModel.Password))
            {
                return(false);
            }

            try
            {
                bool isEmailValid = Regex.IsMatch(userModel.UserName, EMAIL_REGEX_PATTERN, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(5));
                if (!isEmailValid)
                {
                    return(false);
                }
            }
            catch (Exception)
            {
                if (_ctfOptions.CtfChallengeOptions.reDOS)
                {
                    CtfChallangeModel reDOS = _ctfOptions.CtfChallanges
                                              .Where(x => x.Type == CtfChallengeTypes.reDOS)
                                              .Single();

                    _httpContextAccessor.HttpContext.Response.Headers.Add(reDOS.FlagKey, reDOS.Flag);
                }

                return(false);
            }

            return(true);
        }
Exemplo n.º 8
0
        public override string RegisterAdmin(UserModel userModel)
        {
            CtfChallangeModel hiddenPageChallange = _ctfOptions.CtfChallanges
                                                    .Where(x => x.Type == CtfChallengeTypes.HiddenPage)
                                                    .Single();

            return(hiddenPageChallange.Flag);
        }
Exemplo n.º 9
0
        public override void Delete()
        {
            CtfChallangeModel unkonwChallange = _ctfOptions.CtfChallanges
                                                .Where(x => x.Type == CtfChallengeTypes.UnknownGeneration)
                                                .Single();

            _httpContextAccessor.HttpContext.Response.Cookies.Append(unkonwChallange.FlagKey, unkonwChallange.Flag);

            base.Delete();
        }
Exemplo n.º 10
0
        public override DataTableResp <TransactionResp> GetTransactions(string userName, string search, int start, int lenght)
        {
            CtfChallangeModel sqlInjectionChallange = _ctfOptions.CtfChallanges
                                                      .Where(x => x.Type == CtfChallengeTypes.SqlInjection)
                                                      .Single();

            DataTableResp <TransactionResp> paginatedTransactions = base.GetTransactions(userName, search, start, lenght);

            if (paginatedTransactions == null)
            {
                paginatedTransactions = new DataTableResp <TransactionResp>();
            }

            string validSearch = search;

            if (search == null || search.All(x => "%".Contains(x)))
            {
                validSearch = null;
            }

            List <TransactionResp> validTransactions = _transactionDAO.GetTransactionsCtfCheck(userName, validSearch);

            if (validTransactions.Count != paginatedTransactions.RecordsTotal)
            {
                _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag);
            }
            else
            {
                foreach (TransactionResp transaction in paginatedTransactions.Data)
                {
                    if (!validTransactions.Any(x => x.IsEqual(transaction)))
                    {
                        _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag);
                        break;
                    }
                }
            }

            bool xss = paginatedTransactions.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c =>
                                                                                         (x.SenderId?.Contains(c) ?? false) || (x.ReceiverId?.Contains(c) ?? false) || (x.Reason?.Contains(c) ?? false) || (x.Reference?.Contains(c) ?? false)));

            if (xss)
            {
                CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.Xss)
                                                 .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag);
            }

            return(base.GetTransactions(userName, search, start, lenght));
        }
Exemplo n.º 11
0
        public override IActionResult LoginAdmin()
        {
            if (!_ctfOptions.CtfChallengeOptions.HiddenPageLoginAdmin)
            {
                return(base.LoginAdmin());
            }


            CtfChallangeModel hiddenPageModel = _ctfOptions.CtfChallanges
                                                .Where(x => x.Type == CtfChallengeTypes.HiddenPage)
                                                .SingleOrDefault();

            return(new OkObjectResult(new { Flag = hiddenPageModel.Flag }));
        }
Exemplo n.º 12
0
        public override Task Logout(string returnUrl)
        {
            IUrlHelper urlHelper = _urlHelperFactory.GetUrlHelper(_actionContextAccessor.ActionContext);

            if (!urlHelper.IsLocalUrl(returnUrl))
            {
                CtfChallangeModel invalidRedirect = _ctfOptions.CtfChallanges
                                                    .Where(x => x.Type == CtfChallengeTypes.InvalidRedirect)
                                                    .Single();

                _httpContextAccessor.HttpContext.Response.Cookies.Append(invalidRedirect.FlagKey, invalidRedirect.Flag);
            }

            return(base.Logout(returnUrl));
        }
Exemplo n.º 13
0
        public override bool Create(TransactionDBModel transactionTable)
        {
            string userName = _httpContextAccessor.HttpContext.GetUserName();

            if (transactionTable.SenderId != userName)
            {
                CtfChallangeModel invalidModelChallenge = _ctfOptions.CtfChallanges
                                                          .Where(x => x.Type == CtfChallengeTypes.InvalidModel)
                                                          .Single();

                _httpContextAccessor.HttpContext.Response.Cookies.Append(invalidModelChallenge.FlagKey, invalidModelChallenge.Flag);
            }

            return(base.Create(transactionTable));
        }
Exemplo n.º 14
0
        public override async Task <List <PurcahseHistoryItemResp> > GetAllPurchases()
        {
            List <PurcahseHistoryItemResp> purchases = await base.GetAllPurchases();

            bool xss = purchases.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.Name?.Contains(c) ?? false) || (x.Description?.Contains(c) ?? false)));

            if (xss)
            {
                CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.Xss)
                                                 .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag);
            }

            return(purchases);
        }
Exemplo n.º 15
0
        public override async Task <DataTableResp <StoreItem> > GetStoreItems()
        {
            DataTableResp <StoreItem> storeItems = await base.GetStoreItems();

            bool xss = storeItems.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c => (x.Name?.Contains(c) ?? false) || (x.Description?.Contains(c) ?? false)));

            if (xss)
            {
                CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.Xss)
                                                 .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag);
            }

            return(storeItems);
        }
Exemplo n.º 16
0
        public void OnActionExecuting(ActionExecutingContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            if (ctfOptions.CtfChallengeOptions.UnknownGeneration)
            {
                CtfChallangeModel unkonwChallange = ctfOptions.CtfChallanges
                                                    .Where(x => x.Type == CtfChallengeTypes.UnknownGeneration)
                                                    .Single();

                context.HttpContext.Response.Headers.Add(unkonwChallange.FlagKey, unkonwChallange.Flag);
            }
            else if (ctfOptions.IsCtfEnabled)
            {
                context.Result = new NotFoundResult();
            }
        }
Exemplo n.º 17
0
        public override List <TransactionsByDayResp> GetTransactionsByDay(string userName)
        {
            CtfChallangeModel sqlInjectionChallange = _ctfOptions.CtfChallanges
                                                      .Where(x => x.Type == CtfChallengeTypes.SqlInjection)
                                                      .Single();

            List <TransactionsByDayResp> transactions;

            if (_ctfOptions.CtfChallengeOptions.SqlInjection)
            {
                try
                {
                    transactions = _transactionDAO.GetTransactionsByDay(userName);
                }
                catch (Exception)
                {
                    _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag);
                    return(null);
                }

                List <TransactionsByDayResp> validTransactions = _transactionDAO.GetTransactionsByDayCtfCheck(userName);

                if (validTransactions.Count != transactions.Count)
                {
                    _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag);
                }
                else
                {
                    foreach (var transaction in transactions)
                    {
                        if (!validTransactions.Any(x => x.IsEqual(transaction)))
                        {
                            _httpContextAccessor.HttpContext.Response.Headers.Add(sqlInjectionChallange.FlagKey, sqlInjectionChallange.Flag);
                            break;
                        }
                    }
                }
            }
            else
            {
                transactions = _transactionDAO.GetTransactionsByDayCtfCheck(userName);
            }

            return(transactions);
        }
Exemplo n.º 18
0
        protected override bool CheckTransaction(TransactionDBModel transaction)
        {
            if (_ctfOptions.CtfChallengeOptions.FreeCredit)
            {
                if (transaction.ReceiverId == SecureBankConstants.CREDIT_USERNAME)
                {
                    CtfChallangeModel freeCredit = _ctfOptions.CtfChallanges
                                                   .Where(x => x.Type == CtfChallengeTypes.FreeCredit)
                                                   .SingleOrDefault();

                    _httpContextAccessor.HttpContext.Response.Cookies.Append(freeCredit.FlagKey, freeCredit.Flag);

                    return(true);
                }
            }

            return(base.CheckTransaction(transaction));
        }
Exemplo n.º 19
0
        public override DataTableResp <AdminUserInfoResp> GetUsers()
        {
            DataTableResp <AdminUserInfoResp> users = base.GetUsers();

            bool xss = users.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c =>
                                                                         (x.Name?.Contains(c) ?? false) || (x.Surname?.Contains(c) ?? false) || (x.Username?.Contains(c) ?? false)));

            if (xss)
            {
                CtfChallangeModel xxsChallange = _ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.Xss)
                                                 .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(xxsChallange.FlagKey, xxsChallange.Flag);
            }

            return(users);
        }
Exemplo n.º 20
0
        public override bool AuthorizeAdmin(AuthorizationFilterContext context)
        {
            bool result = base.AuthorizeAdmin(context);

            if (!result)
            {
                return(false);
            }

            IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext);

            string userName = claims
                              .Where(x => x.Type == CookieConstants.USERNAME_CALIM_TYPE)
                              .Select(x => x.Value)
                              .SingleOrDefault();

            IUserDAO userDAO = context.HttpContext.RequestServices.GetRequiredService <IUserDAO>();

            UserDBModel user = userDAO.GetUser(userName);

            if (_ctfOptions.CtfChallengeOptions.ChangeRoleInCookie)
            {
                if (user.Role < 50)
                {
                    CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

                    CtfChallangeModel ctfChallange = ctfOptions.CtfChallanges
                                                     .Where(x => x.Type == CtfChallengeTypes.ChangeRoleInCookie)
                                                     .Single();

                    context.HttpContext.Response.Headers.Add(ctfChallange.FlagKey, ctfChallange.Flag);
                }
            }
            else
            {
                if (user.Role < 50)
                {
                    return(false);
                }
            }

            return(true);
        }
Exemplo n.º 21
0
        public async override Task <bool> BuyProduct(BuyProductReq buyProductReq, string userName)
        {
            string cacheKey = string.Format(SIMULTANEOUS_REQUESTS_KEY, userName, buyProductReq.Id);

            if (_memoryCache.TryGetValue(cacheKey, out string value))
            {
                if (!_ctfOptions.CtfChallengeOptions.SimultaneousRequest)
                {
                    return(false);
                }
            }

            _memoryCache.Set(cacheKey, string.Empty, LOCK_BUY_REQUEST_FOR);

            bool result = await base.BuyProduct(buyProductReq, userName);

            if (_ctfOptions.CtfChallengeOptions.InvalidModelStore)
            {
                List <StoreItem> storeItems = await _storeAPICalls.GetStoreItemsAsync();

                if (storeItems != null)
                {
                    CtfChallangeModel invalidModelChallange = _ctfOptions.CtfChallanges
                                                              .Where(x => x.Type == CtfChallengeTypes.InvalidStoreModel)
                                                              .Single();

                    StoreItem storeItem = storeItems
                                          .Where(x => x.Id == buyProductReq.Id)
                                          .SingleOrDefault();
                    if (storeItem != null)
                    {
                        if (storeItem.Price != buyProductReq.Price)
                        {
                            _httpContextAccessor.HttpContext.Response.Headers.Add(invalidModelChallange.FlagKey, invalidModelChallange.Flag);
                        }
                    }
                }
            }

            _memoryCache.Remove(cacheKey);

            return(result);
        }
Exemplo n.º 22
0
        public override Task <List <PurcahseHistoryItemResp> > GetPurcahseHistory(string userName)
        {
            if (userName != _httpContextAccessor.HttpContext.GetUserName())
            {
                if (_ctfOptions.CtfChallengeOptions.SensitiveDataExposureStore)
                {
                    CtfChallangeModel sensitiveDataExpusure = _ctfOptions.CtfChallanges
                                                              .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure)
                                                              .Single();

                    _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExpusure.FlagKey, sensitiveDataExpusure.Flag);
                }
                else
                {
                    userName = _httpContextAccessor.HttpContext.GetUserName();
                }
            }

            return(base.GetPurcahseHistory(userName));
        }
Exemplo n.º 23
0
        public override PortalSearchModel Search(string search)
        {
            if (!string.IsNullOrEmpty(search))
            {
                if (_ctfOptions.CtfChallengeOptions.PortalSearchXss)
                {
                    bool hasXss = CtfConstants.XXS_KEYVORDS.Any(x => search.ToUpper().Contains(x.ToUpper()));
                    if (hasXss)
                    {
                        CtfChallangeModel xssChallenge = _ctfOptions.CtfChallanges
                                                         .Where(x => x.Type == CtfChallengeTypes.Xss)
                                                         .Single();

                        _httpContextAccessor.HttpContext.Response.Headers.Add(xssChallenge.FlagKey, xssChallenge.Flag);
                    }
                }
            }

            return(base.Search(search));
        }
Exemplo n.º 24
0
        public override DataTableResp <TransactionResp> GetTransactions()
        {
            DataTableResp <TransactionResp> transactions = base.GetTransactions();

            bool xss = transactions.Data.Any(x => CtfConstants.XXS_KEYVORDS.Any(c =>
                                                                                (x.SenderId?.Contains(c) ?? false) || (x.ReceiverId?.Contains(c) ?? false) || (x.Reason?.Contains(c) ?? false) || (x.Reference?.Contains(c) ?? false) ||
                                                                                (x.SenderName?.Contains(c) ?? false) || (x.SenderSurname?.Contains(c) ?? false) || (x.ReceiverName?.Contains(c) ?? false) ||
                                                                                (x.ReceiverSurname?.Contains(c) ?? false)));

            if (xss)
            {
                CtfChallangeModel xssChallange = _ctfOptions.CtfChallanges
                                                 .Where(x => x.Type == CtfChallengeTypes.Xss)
                                                 .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(xssChallange.FlagKey, xssChallange.Flag);
            }

            return(transactions);
        }
Exemplo n.º 25
0
        public override byte[] GetProfileImage(string userName)
        {
            string loggedInUserName = _httpContextAccessor.HttpContext.GetUserName();

            if (_ctfOptions.CtfChallengeOptions.PathTraversal)
            {
                if (userName != null && CTF_FILES.Contains(userName))
                {
                    CtfChallangeModel pathTraversal = _ctfOptions.CtfChallanges
                                                      .Where(x => x.Type == CtfChallengeTypes.PathTraversal)
                                                      .Single();

                    _httpContextAccessor.HttpContext.Response.Headers.Add(pathTraversal.FlagKey, pathTraversal.Flag);
                }
            }
            else
            {
                foreach (char invalidCharacter in Path.GetInvalidFileNameChars())
                {
                    userName = userName.Replace(invalidCharacter, '_');
                }
            }

            if (_ctfOptions.CtfChallengeOptions.SensitiveDataExposureProfileImage)
            {
                if (userName != loggedInUserName)
                {
                    CtfChallangeModel sensitiveDataExposure = _ctfOptions.CtfChallanges
                                                              .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure)
                                                              .Single();

                    _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposure.FlagKey, sensitiveDataExposure.Flag);
                }
            }
            else
            {
                userName = loggedInUserName;
            }

            return(base.GetProfileImage(userName));
        }
Exemplo n.º 26
0
        public void OnActionExecuting(ActionExecutingContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            if (!ctfOptions.IsCtfEnabled)
            {
                context.Result = new OkObjectResult("Admin Registration");
            }
            else if (ctfOptions.CtfChallengeOptions.HiddenPageRegisterAdmin)
            {
                CtfChallangeModel hiddenPageChallange = ctfOptions.CtfChallanges
                                                        .Where(x => x.Type == CtfChallengeTypes.HiddenPage)
                                                        .Single();

                context.Result = new OkObjectResult(hiddenPageChallange.Flag);
            }
            else
            {
                context.Result = new NotFoundResult();
            }
        }
Exemplo n.º 27
0
        public override AccountBalanceResp GetAmount(string userName)
        {
            string loggedInUserName = _httpContextAccessor.HttpContext.GetUserName();

            if (_ctfOptions.CtfChallengeOptions.SensitiveDataExposureBalance)
            {
                if (userName != loggedInUserName)
                {
                    CtfChallangeModel sensitiveDataExposure = _ctfOptions.CtfChallanges
                                                              .Where(x => x.Type == CtfChallengeTypes.SensitiveDataExposure)
                                                              .Single();

                    _httpContextAccessor.HttpContext.Response.Headers.Add(sensitiveDataExposure.FlagKey, sensitiveDataExposure.Flag);
                }
            }
            else
            {
                userName = loggedInUserName;
            }

            return(base.GetAmount(userName));
        }
Exemplo n.º 28
0
        public override string GetIndexViewName()
        {
            ActionContext actionContext = _actionContextAccessor.ActionContext;

            string user = actionContext.HttpContext.GetUserName();

            UserDBModel userDBModel = _userDAO.GetUser(user);

            if (!userDBModel.Confirmed)
            {
                if (_ctfOptions.CtfChallengeOptions.UnconfirmedLogin)
                {
                    CtfChallangeModel ctfChallangeModel = _ctfOptions.CtfChallanges
                                                          .Where(x => x.Type == CtfChallengeTypes.UnconfirmedLogin)
                                                          .SingleOrDefault();

                    actionContext.ModelState.AddModelError(string.Empty, ctfChallangeModel.Flag);
                }
            }

            return(base.GetIndexViewName());
        }
Exemplo n.º 29
0
        public override Task <bool> Register(UserModel registrationModel)
        {
            if (registrationModel.Password.Length <= 3)
            {
                CtfChallangeModel weakPasswordChallenge = _ctfOptions.CtfChallanges
                                                          .Where(x => x.Type == CtfChallengeTypes.WeakPassword)
                                                          .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(weakPasswordChallenge.FlagKey, weakPasswordChallenge.Flag);
            }

            if (registrationModel.UserRight != 0)
            {
                CtfChallangeModel registrationRoleSetChallange = _ctfOptions.CtfChallanges
                                                                 .Where(x => x.Type == CtfChallengeTypes.RegistrationRoleSet)
                                                                 .Single();

                _httpContextAccessor.HttpContext.Response.Headers.Add(registrationRoleSetChallange.FlagKey, registrationRoleSetChallange.Flag);
            }

            return(base.Register(registrationModel));
        }
Exemplo n.º 30
0
        public override bool AuthorizeMissing(AuthorizationFilterContext context)
        {
            CtfOptions ctfOptions = context.HttpContext.RequestServices.GetRequiredService <IOptions <CtfOptions> >().Value;

            ICookieService cookieService = context.HttpContext.RequestServices.GetRequiredService <ICookieService>();
            bool           isCookieValid = cookieService.ValidateCookie(context.HttpContext);

            if (ctfOptions.CtfChallengeOptions.MissingAuthentication)
            {
                CtfChallangeModel missingAuth = ctfOptions.CtfChallanges
                                                .Where(x => x.Type == CtfChallengeTypes.MissingAuthentication)
                                                .Single();

                context.HttpContext.Response.Headers.Add(missingAuth.FlagKey, missingAuth.Flag);
            }
            else
            {
                if (!isCookieValid)
                {
                    return(false);
                }
                else
                {
                    IEnumerable <Claim> claims = _cookieService.GetClaims(context.HttpContext);
                    if (claims == null)
                    {
                        return(false);
                    }

                    GenericPrincipal tmpUser = new GenericPrincipal(new ClaimsIdentity(claims), Array.Empty <string>());

                    context.HttpContext.User = tmpUser;
                }
            }

            return(true);
        }