add client side authentication vulnerability

codelion · Nov 8, 2017 · 7b263c8 · 7b263c8
1 parent 0c146c2
commit 7b263c8
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 2 deletions.
diff --git a/templates/template.csa.html b/templates/template.csa.html
@@ -0,0 +1,52 @@
+{{define "template.csa"}} {{template "template.header" .}} {{template "template.sidebar" .}}
+<div class="col-md-9">
+    <div class="panel panel-primary">
+        <div class="panel-heading">Client Side Authentication</div>
+        <div class="panel-body">
+            <div class="pnl">
+                <!-- <span class="subheader">SQL Injection Vulnerability</span> -->
+                <p>Hello json</p>
+                <p>Verify your account to view full profile:</p>
+                <div id="alert" style="display: none"></div> 
+                <div class="well">
+                    <form class="form-inline" id="otpform">
+                    <div class="form-group">
+                        <label for="otp" style="color:#428bca;font-family:Open Sans; font-weight:500">Input Your Verfication Code:</label>
+                        <input type="text" class="form-control" name="otp" id="otp">
+                        <button type="button" id="vrf" class="btn btn-small btn-primary">Verify</button>
+                    </div>
+                   </form>
+                </div>
+                <div class="more-info">
+                        <span>More Info :</span>
+                        <a target="_blank" href="https://api.jquery.com/jquery.post/">https://api.jquery.com/jquery.post/</a>
+                        <a target="_blank" href="https://portswigger.net/burp/help/proxy_gettingstarted">https://portswigger.net/burp/help/proxy_gettingstarted</a>
+                </div>    
+            </div>
+        </div>
+    </div>
+</div>
+{{.js}}
+<script>
+    $("#vrf").on('click', function(){
+        var data = $("#otpform").serialize()
+        url = "{{.url}}verify"
+        $.post(url,data)
+        .done(function(res){
+            if(res[0].code != 1){
+                $("#alert").removeClass("alert alert-success")
+                $("#alert").addClass("alert alert-danger")
+                $("#alert").html("<p>Wrong OTP</p>")
+                $("#alert").show()
+                $("#alert").delay(2000).fadeOut();
+            }else{
+                $("#alert").removeClass("alert alert-danger")
+                $("#alert").addClass("alert alert-success")
+                $("#alert").html("<p>Account Verified</p>")
+                $("#alert").show()
+                //$("#alert").delay(2000).fadeOut();
+            }
+        })
+    });
+</script>
+{{template "template.footer"}} {{ end }}
diff --git a/templates/template.sidebar.html b/templates/template.sidebar.html
@@ -45,13 +45,18 @@
                             <li><a href="{{.weburl}}idor2">IDOR 2</a></li>
                         </ul>
 
-                    <li data-toggle="collapse" data-target="#csrf" class="collapsed">
+                    <li data-toggle="collapse" data-target="#xxe" class="collapsed">
                         <a href="#"><i class="fa fa-bug fa-lg"></i> XXE <span class="arrow"></span></a>
                     </li>
-                    <ul class="sub-menu collapse" id="csrf">
+                    <ul class="sub-menu collapse" id="xxe">
                         <li><a href="#">XXE 1</a></li>
                         <li><a href="#">XXE 2</a></li>
                     </ul>
+                    <li>
+                            <a href="{{.weburl}}csa">
+                                <i class="fa fa-bug fa-lg"></i> Client Side Auth
+                            </a>
+                        </li>
                     <li style="height:35px">
                     </li>
                     <li>

diff --git a/vulnerability/csa/csa.go b/vulnerability/csa/csa.go
@@ -0,0 +1,65 @@
+package csa
+
+import (
+
+	"fmt"
+	"net/http"
+	"crypto/md5"
+	"encoding/hex"
+
+	"github.com/julienschmidt/httprouter"
+
+	"govwa/util"
+	"govwa/user/session"
+	"govwa/util/middleware"
+)
+
+type XSS struct{
+	Name string
+}
+func New()XSS{
+	return XSS{}
+}
+func (self XSS)SetRouter(r *httprouter.Router){
+	mw := middleware.New()
+	r.GET("/csa", mw.LoggingMiddleware(mw.CapturePanic(mw.AuthCheck(csaHandler))))
+	r.POST("/verify", mw.LoggingMiddleware(mw.CapturePanic(mw.AuthCheck(verifyHandler))))
+}
+
+type JsonRes struct{
+	Code int `json:"code"`
+}
+
+func csaHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params){
+	s := session.New()
+	uid := s.GetSession(r, "id")
+
+	data := make(map[string]interface{})
+	data["title"] = "Client Side Authentication"
+
+	id := fmt.Sprintf("<script> var uid=%s </script>", uid)
+
+	data["js"] = util.ToHTML(id)
+
+	util.SafeRender(w,r, "template.csa", data)
+}
+
+func verifyHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params){
+	if r.Method == "POST"{
+		sotp := "a587cd6bf1e49d2c3928d1f8b86f248b" 
+		otp := r.FormValue("otp")
+		res := JsonRes{}
+		if sotp != Md5Sum(otp){
+			res.Code = 0
+		}else{
+			res.Code = 1
+		}
+		util.RenderAsJson(w, res)
+	}
+}
+
+func Md5Sum(text string) string {
+	hasher := md5.New()
+	hasher.Write([]byte(text))
+	return hex.EncodeToString(hasher.Sum(nil))
+}