Merge pull request #531 from digininja/authbypass

Authorisation Bypass module added

.gitignore

@@ -13,3 +13,6 @@ Dockerfile
 
 # Used by pytest
 tests/__pycache__/
+
+# Don't include any uploaded images
+hackable/uploads/*

dvwa/includes/dvwaPage.inc.php

@@ -276,6 +276,9 @@ function dvwaHtmlEcho( $pPage ) {
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'xss_s', 'name' => 'XSS (Stored)', 'url' => 'vulnerabilities/xss_s/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'csp', 'name' => 'CSP Bypass', 'url' => 'vulnerabilities/csp/' );
 		$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'javascript', 'name' => 'JavaScript', 'url' => 'vulnerabilities/javascript/' );
+		if (dvwaCurrentUser() == "admin") {
+			$menuBlocks[ 'vulnerabilities' ][] = array( 'id' => 'authbypass', 'name' => 'Authorisation Bypass', 'url' => 'vulnerabilities/authbypass/' );
+		}
 	}
 
 	$menuBlocks[ 'meta' ] = array();

vulnerabilities/authbypass/authbypass.js

@@ -0,0 +1,53 @@
+function show_save_result (data) {
+	if (data.result == 'ok') {
+		document.getElementById('save_result').innerText = 'Save Successful';
+	} else {
+		document.getElementById('save_result').innerText = 'Save Failed';
+	}
+}
+
+function submit_change(id) {
+	first_name = document.getElementById('first_name_' + id).value
+	surname = document.getElementById('surname_' + id).value
+
+	fetch('change_user_details.php', {
+		method: 'POST',
+		headers: {
+			'Accept': 'application/json',
+			'Content-Type': 'application/json'
+		},
+		body: JSON.stringify({ 'id': id, 'first_name': first_name, 'surname': surname })
+	}
+	)
+	.then((response) => response.json())
+	.then((data) => show_save_result(data));
+}
+
+function populate_form() {
+	var xhr= new XMLHttpRequest();
+	xhr.open('GET', 'get_user_data.php', true);
+	xhr.onreadystatechange= function() {
+		if (this.readyState!==4) {
+			return;
+		}
+		if (this.status!==200) {
+			return;
+		}
+		const users = JSON.parse (this.responseText);
+		table_body = document.getElementById('user_table').getElementsByTagName('tbody')[0];
+		users.forEach(updateTable);
+
+		function updateTable (user) {
+			var row = table_body.insertRow(0);
+			var cell0 = row.insertCell(-1);
+			cell0.innerHTML = user['user_id'] + '<input type="hidden" id="user_id_' + user['user_id'] + '" name="user_id" value="' + user['user_id'] + '" />';
+			var cell1 = row.insertCell(1);
+			cell1.innerHTML = '<input type="text" id="first_name_' + user['user_id'] + '" name="first_name" value="' + user['first_name'] + '" />';
+			var cell2 = row.insertCell(2);
+			cell2.innerHTML = '<input type="text" id="surname_' + user['user_id'] + '" name="surname" value="' + user['surname'] + '" />';
+			var cell3 = row.insertCell(3);
+			cell3.innerHTML = '<input type="button" value="Update" onclick="submit_change(' + user['user_id'] + ')" />';
+		}
+	};
+	xhr.send();
+}

vulnerabilities/authbypass/change_user_details.php

@@ -0,0 +1,51 @@
+<?php
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaDatabaseConnect();
+
+/*
+On impossible only the admin is allowed to retrieve the data.
+*/
+
+if (dvwaSecurityLevelGet() == "impossible" && dvwaCurrentUser() != "admin") {
+	print json_encode (array ("result" => "fail", "error" => "Access denied"));
+}
+
+if ($_SERVER['REQUEST_METHOD'] != "POST") {
+	$result = array (
+						"result" => "fail",
+						"error" => "Only POST requests are accepted"
+					);
+	echo json_encode($result);
+	exit;
+}
+
+try {
+	$json = file_get_contents('php://input');
+	$data = json_decode($json);
+	if (is_null ($data)) {
+		$result = array (
+							"result" => "fail",
+							"error" => 'Invalid format, expecting "{id: {user ID}, first_name: "{first name}", surname: "{surname}"}'
+
+						);
+		echo json_encode($result);
+		exit;
+	}
+} catch (Exception $e) {
+	$result = array (
+						"result" => "fail",
+						"error" => 'Invalid format, expecting \"{id: {user ID}, first_name: "{first name}", surname: "{surname}\"}'
+
+					);
+	echo json_encode($result);
+	exit;
+}
+
+$query = "UPDATE users SET first_name = '" . $data->first_name . "', last_name = '" .  $data->surname . "' where user_id = " . $data->id . "";
+$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
+
+print json_encode (array ("result" => "ok"));
+exit;
+?>

vulnerabilities/authbypass/get_user_data.php

@@ -0,0 +1,41 @@
+<?php
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaDatabaseConnect();
+
+/*
+On high and impossible, only the admin is allowed to retrieve the data.
+*/
+if ((dvwaSecurityLevelGet() == "high" || dvwaSecurityLevelGet() == "impossible") && dvwaCurrentUser() != "admin") {
+	print json_encode (array ("result" => "fail", "error" => "Access denied"));
+}
+
+$query  = "SELECT user_id, first_name, last_name FROM users";
+$result = mysqli_query($GLOBALS["___mysqli_ston"],  $query );
+
+$guestbook = ''; 
+$users = array();
+
+while ($row = mysqli_fetch_row($result) ) { 
+	if( dvwaSecurityLevelGet() == 'impossible' ) { 
+		$user_id = $row[0];
+		$first_name = htmlspecialchars( $row[1] );
+		$surname = htmlspecialchars( $row[2] );
+	} else {
+		$user_id = $row[0];
+		$first_name = $row[1];
+		$surname = $row[2];
+	}   
+
+	$user = array (
+					"user_id" => $user_id,
+					"first_name" => $first_name,
+					"surname" => $surname
+				);
+	$users[] = $user;
+}
+
+print json_encode ($users);
+exit;
+?>

vulnerabilities/authbypass/help/help.php

@@ -0,0 +1,82 @@
+<div class="body_padded">
+	<h1>Help - Authorisation Bypass</h1>
+
+	<div id="code">
+	<table width='100%' bgcolor='white' style="border:2px #C0C0C0 solid">
+	<tr>
+	<td><div id="code">
+		<h3>About</h3>
+		<p>
+			When developers have to build authorisation matrices into complex systems it is easy for them to miss adding the right checks in every place, especially those
+			which are not directly accessible through a browser, for example API calls.
+		</p>
+
+		<p>
+			As a tester, you need to be looking at every call a system makes and then testing it using every level of user to ensure that the checks are being carried out correctly.
+			This can often be a long and boring task, especially with a large matrix with lots of different user types, but it is critical that the testing is carried out as one missed
+			check could lead to an attacker gaining access to confidential data or functions.
+		</p>
+
+		<br /><hr /><br />
+
+		<h3>Objective</h3>
+		<p>Your goal is to test this user management system at all four security levels to identify any areas where authorisation checks have been missed.</p>
+		<p>The system is only designed to be accessed by the admin user, so have a look at all the calls made while logged in as the admin, and then try to reproduce them while logged in as different user.</p>
+		<p>If you need a second user, you can use <i>gordonb / abc123</i>.
+
+		<br /><hr /><br />
+
+		<h3>Low Level</h3>
+		<p>Non-admin users do not have the 'Authorisation Bypass' menu option.</p>
+		<p>Spoiler: <span class="spoiler">Try browsing directly to /vulnerabilities/authbypass/</span>.</p>
+
+
+		<br />
+
+		<h3>Medium Level</h3>
+		<p>The developer has locked down access to the HTML for the page, but have a look how the page is populated when logged in as the admin.</p>
+		<p>Spoiler: <span class="spoiler">Try browsing directly to /vulnerabilities/authbypass/get_user_data.php to access the API which returns the user data for the page.</span></p>
+
+		<br />
+
+		<h3>High Level</h3>
+		<p>Both the HTML page and the API to retrieve data have been locked down, but what about updating data? You have to make sure you test every call to the site.</p>
+		<p>Spoiler: <span class="spoiler">GET calls to retrieve data have been locked down but the POST to update the data has been missed, can you figure out how to call it?</span></p>
+
+		<p>Spoiler: <span class="spoiler">This is one way to do it:</p>
+
+		<pre><span class="spoiler">fetch('change_user_details.php', {
+method: 'POST',
+headers: {
+'Accept': 'application/json',
+'Content-Type': 'application/json'
+},
+body: JSON.stringify({ 'id':1, "first_name": "Harry", "surname": "Hacker" })
+}
+)
+.then((response) => response.json())
+.then((data) => console.log(data));
+</span></pre>
+
+		<br />
+
+		<h3>Impossible Level</h3>
+		<p>
+			Hopefully on this level all the functions correctly check authorisation before allowing access to the data.
+		</p>
+		<p>
+			There may however be some non-authorisation related issues on the page, so do not write it off as fully secure.
+		</p>
+	</div></td>
+	</tr>
+	</table>
+
+	</div>
+
+	<br />
+
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema' ); ?></p>
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/04-Testing_for_Bypassing_Authentication_Schema' ); ?></p>
+	<p>Reference: <?php echo dvwaExternalLinkUrlGet( 'https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication' ); ?></p>
+
+</div>

vulnerabilities/authbypass/index.php

@@ -0,0 +1,77 @@
+<?php
+
+define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
+require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
+
+dvwaPageStartup( array( 'authenticated', 'phpids' ) );
+
+$page = dvwaPageNewGrab();
+$page[ 'title' ]   = 'Vulnerability: Authorisation Bypass' . $page[ 'title_separator' ].$page[ 'title' ];
+$page[ 'page_id' ] = 'authbypass';
+$page[ 'help_button' ]   = 'authbypass';
+$page[ 'source_button' ] = 'authbypass';
+dvwaDatabaseConnect();
+
+$method            = 'GET';
+$vulnerabilityFile = '';
+switch( dvwaSecurityLevelGet() ) {
+	case 'low':
+		$vulnerabilityFile = 'low.php';
+		break;
+	case 'medium':
+		$vulnerabilityFile = 'medium.php';
+		break;
+	case 'high':
+		$vulnerabilityFile = 'high.php';
+		break;
+	default:
+		$vulnerabilityFile = 'impossible.php';
+		$method = 'POST';
+		break;
+}
+
+require_once DVWA_WEB_PAGE_TO_ROOT . "vulnerabilities/authbypass/source/{$vulnerabilityFile}";
+
+$page[ 'body' ] .= '
+<div class="body_padded">
+	<h1>Vulnerability: Authorisation Bypass</h1>
+
+	<p>This page should only be accessible by the admin user. Your challenge is to gain access to the fetures using one of the other users, for example <i>gordonb</i> / <i>abc123</i>.</p>
+
+	<div class="vulnerable_code_area">
+	<div style="font-weight: bold;color: red;font-size: 120%;" id="save_result"></div>
+	<div id="user_form"></div>
+	<p>
+		Welcome to the user manager, please enjoy updating your user\'s details.
+	</p>
+	';
+
+$page[ 'body' ] .= "
+<script src='authbypass.js'></script>
+
+<table id='user_table'>
+	<thead>
+		<th>ID</th>
+		<th>First Name</th>
+		<th>Surname</th>
+		<th>Update</th>
+	</thead>
+	<tbody>
+	</tbody>
+</table>
+
+<script>
+	populate_form();
+</script>
+";
+
+$page[ 'body' ] .= '
+		' . 
+		$html
+		. '
+	</div>
+</div>';
+
+dvwaHtmlEcho( $page );
+
+?>

vulnerabilities/authbypass/source/high.php

@@ -0,0 +1,17 @@
+<?php
+/*
+
+Only the admin user is allowed to access this page.
+
+Have a look at this file for possible vulnerabilities: 
+
+* vulnerabilities/authbypass/change_user_details.php
+
+*/
+
+if (dvwaCurrentUser() != "admin") {
+	print "Unauthorised";
+	http_response_code(403);
+	exit;
+}
+?>

vulnerabilities/authbypass/source/impossible.php

@@ -0,0 +1,13 @@
+<?php
+/*
+
+Only the admin user is allowed to access this page
+
+*/
+
+if (dvwaCurrentUser() != "admin") {
+	print "Unauthorised";
+	http_response_code(403);
+	exit;
+}
+?>

vulnerabilities/authbypass/source/low.php

@@ -0,0 +1,11 @@
+<?php
+/*
+
+Nothing to see here for this vulnerability, have a look
+instead at the dvwaHtmlEcho function in:
+
+* dvwa/includes/dvwaPage.inc.php
+
+*/
+
+?>

vulnerabilities/authbypass/source/medium.php

@@ -0,0 +1,18 @@
+<?php
+/*
+
+Only the admin user is allowed to access this page.
+
+Have a look at these two files for possible vulnerabilities: 
+
+* vulnerabilities/authbypass/get_user_data.php
+* vulnerabilities/authbypass/change_user_details.php
+
+*/
+
+if (dvwaCurrentUser() != "admin") {
+	print "Unauthorised";
+	http_response_code(403);
+	exit;
+}
+?>