init

Buffer Copy Without Checking Size of Input/code files/mitigated.cpp

@@ -0,0 +1,20 @@
+#include <iostream>
+ 
+using namespace std;
+ 
+int main() {
+  
+
+   
+char UserType[11]; // need one more than 10 for the end marker
+
+	std::cout << "Please enter your name (less than 10 characters): " << '\n';
+
+	std::cin.getline(UserType, 11); // limit input to 10
+
+	std::cout << UserType << '\n';
+   
+
+  
+ 
+}

Buffer Copy Without Checking Size of Input/code files/vulnerable.cpp

@@ -0,0 +1,16 @@
+#include <iostream>
+ 
+using namespace std;
+ 
+int main() {
+   char name[10];
+ 
+   cout << "Please enter your name: ";
+   cin >> name;
+   
+   
+   
+   cout << "Your name is: " << name << endl;
+   
+ 
+}

Improper restriction of excessive authentication attemps/Mitigated/LogIn.java

@@ -0,0 +1,44 @@
+import java.util.Scanner; 
+
+
+public class LogIn {
+
+
+public static void main(String[] args) {
+
+//declare variables
+String username, password;
+int n = 0;
+
+Scanner scanner = new Scanner (System.in);
+
+ while (n<3) {
+     
+    //prompt user for their username
+    System.out.print("Enter your username: ");  
+    username = scanner.nextLine();
+
+    //prompt user for their password
+    System.out.print("Enter your password: ");  
+    password = scanner.nextLine(); 
+     
+    
+        if ("Justinfromcharleston@gmail.com".equals(username) && "secret17".equals(password)) 
+        {  System.out.println("Welcome " + username + "!!!");
+                break;
+        }
+        else if(!"secret17".equals(password) || !"Justinfromcharleston@gmail.com".equals(username)) {
+           System.out.println("Incorrect login. Please try again.");
+                n++;  
+                
+                  if (n==3){
+                
+                        System.out.print("Maximum login attemps exceeded.");  
+                        break;
+           }
+        }
+      
+ 
+        }
+ }
+}

Improper restriction of excessive authentication attemps/Vulnerable/LogIn.java

@@ -0,0 +1,41 @@
+package homework.pkg5;
+
+import java.util.Scanner; 
+
+
+public class LogIn{
+
+
+public static void main(String[] args) {
+
+//declare variables
+String username, password;
+int n = 0;
+
+Scanner scanner = new Scanner (System.in);
+
+ while (n<3) {
+     
+    //prompt user for their username
+    System.out.print("Enter your username: ");  
+    username = scanner.nextLine();
+
+    //prompt user for their password
+    System.out.print("Enter your password: ");  
+    password = scanner.nextLine(); 
+     
+    
+        if ("Justinfromcharleston@gmail.com".equals(username) && "secret17".equals(password)) 
+        {  System.out.println("Welcome " + username + "!!!");
+                break;
+        }
+        else if(!"secret17".equals(password) || !"Justinfromcharleston@gmail.com".equals(username)) {
+           System.out.println("Incorrect login. Please try again.");
+                
+                   
+        }
+      
+ 
+        }
+ }
+}

Integer Overflow/code files/mitigated.java

@@ -0,0 +1,26 @@
+
+package integer.overflow;
+
+/**
+ *
+ * @author justi
+ */
+public class IntegerOverflow_Mitigated {
+
+    /**
+     * @param args the command line arguments
+     */
+    public static void main(String[] args) {
+  
+
+     //int a is equal to the largest int available
+     int a = Integer.MAX_VALUE;
+     int b = 1;
+     
+     //calculation will result in integer overflow
+     int c = a + b;
+     System.out.println("Before: " + a + " + " + b + " = " + c);
+     System.out.println("After: " +  Math.addExact( a, b ));
+    }
+    
+}

Integer Overflow/code files/vulnerable.java

@@ -0,0 +1,26 @@
+
+package integer.overflow;
+
+/**
+ *
+ * @author justi
+ */
+public class IntegerOverflow {
+
+    /**
+     * @param args the command line arguments
+     */
+    public static void main(String[] args) {
+  
+
+     //int a is equal to the largest int available
+     int a = Integer.MAX_VALUE;
+     int b = 1;
+     
+     //calculation will result in integer overflow
+     int c = a + b;
+     System.out.println(a + " + " + b + " = " + c);
+
+    }
+    
+}

Missing Encryption of Sensitive Data/code files/Mitigated/Password.java

@@ -0,0 +1,29 @@
+
+package homework.pkg4;
+
+import java.security.MessageDigest;
+import java.util.Scanner;
+import javax.xml.bind.DatatypeConverter;
+
+public class Password {
+	public static void main( String[] args ) throws Exception {
+		Scanner keyboard = new Scanner(System.in);
+		String un, pw, encrypt_psswrd;
+
+		MessageDigest digest = MessageDigest.getInstance("SHA-256");
+                
+                System.out.print("Please create a username: ");
+		un = keyboard.nextLine();
+
+		System.out.print("Please create a password: ");
+		pw = keyboard.nextLine();
+
+		digest.update( pw.getBytes("UTF-8") );
+		encrypt_psswrd = DatatypeConverter.printHexBinary( digest.digest() );
+		
+		//overwrites user's original input so it is not visible to hackers. 
+		pw = "empty";
+
+		System.out.println( "Your username is: " + un + ". Your password has been encryped for security purposes: " + encrypt_psswrd );
+	}
+}

Missing Encryption of Sensitive Data/code files/Vulnerable/Password.java

@@ -0,0 +1,22 @@
+package homework.pkg4;
+
+import java.security.MessageDigest;
+import java.util.Scanner;
+
+
+public class Password {
+	public static void main( String[] args ) throws Exception {
+		Scanner keyboard = new Scanner(System.in);
+		String un, pw, encrypt_psswrd;
+
+		MessageDigest digest = MessageDigest.getInstance("SHA-256");
+                
+                System.out.print("Please create a username: ");
+		un = keyboard.nextLine();
+
+		System.out.print("Please create a password: ");
+		pw = keyboard.nextLine();
+
+		System.out.println( "Your username is: " + un + ". Your password is: " + pw);
+	}
+}

README.md

@@ -0,0 +1,2 @@
+# Software-Vulnerability-Demonstrations
+Software Vulnerability Demonstrations Unique and complete demonstrations of software vulnerabilities found in the CWE/SANS Top 25  vulnerabilities list. Each example contains executable code with both a vulnerable version  showing the weakness and a mitigated version showing how eliminate it. Each is well-documented  and includes screenshots showing the application executing step by step. These are part of what would be a much larger application. 

SQL Injection/code files/Mitigated/SQL_Injection.php

@@ -0,0 +1,71 @@
+<?php
+	// 1. Create a database connection
+	$dbhost = "localhost";
+	$dbuser = "root";
+	$dbpass = "dakota02";
+	$dbname = "UMUC";
+	$connection = mysqli_connect($dbhost, $dbuser, $dbpass,
+			$dbname);
+//you could just place the variables directly into the arugments also, but
+//it's easier to understand this way.
+
+//Once we call the mysqli_connect function, the value that it returns is what we
+//have assigned to the variable $connection. It is what is referred to as a handle for the connection.
+
+//will see if connected, if not will quit and display error messages with error.
+	//test if connection occured.
+	if(mysqli_connect_errno()){
+	die("Database connection failed: " .
+		mysqli_connect_error() .
+		"(" . mysqli_connect_errno() . ")"
+	);
+	}
+
+?>
+<?php
+
+if (isset($_POST['submit'])){
+//assign post data to variables
+$first_name = $_POST["first_name"];
+$last_name = $_POST ["last_name"];
+$student_id = $_POST["student_id"];
+}
+
+	$stmt = $connection->prepare("INSERT INTO students (first_name, last_name, student_id) VALUES (?, ?, ?)");
+        $stmt->bind_param('sss', $_POST['first_name'], $_POST['last_name'], $_POST['student_id']);
+        $stmt->execute();
+        $stmt->close();
+
+        
+        
+	//test if there was a query error
+	if($stmt){
+			//success
+			echo "Success! Student added to database!";
+			}else{		
+			//failure	
+			die("Database query failed. " . mysqli_error($connection));
+			}
+?>
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>SQL Injection</title>
+</head>
+
+<body>
+
+
+
+
+</body>
+</html>
+
+<?php
+	//5.close database connection
+mysqli_close($connection);
+?>

SQL Injection/code files/Mitigated/index.php

@@ -0,0 +1,27 @@
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>Form</title>
+</head>
+
+
+
+
+
+<br />
+<form action="SQL_Injection.php" method="post">
+	First name: <input type="text" name="first_name" value ="" /> <br />
+	Last name: <input type="text" name="last_name" value ="" /> <br />
+        Student ID: <input type="text" name="student_id" value ="" /> <br />
+	<br />
+	<input type="submit" name="submit" value ="Submit" /> <br />
+</form>
+
+
+
+
+</html>

SQL Injection/code files/Vulnerable/SQL_Injection.php

@@ -0,0 +1,77 @@
+<?php
+	// 1. Create a database connection
+	$dbhost = "localhost";
+	$dbuser = "root";
+	$dbpass = "dakota02";
+	$dbname = "UMUC";
+	$connection = mysqli_connect($dbhost, $dbuser, $dbpass,
+			$dbname);
+//you could just place the variables directly into the arugments also, but
+//it's easier to understand this way.
+
+//Once we call the mysqli_connect function, the value that it returns is what we
+//have assigned to the variable $connection. It is what is referred to as a handle for the connection.
+
+//will see if connected, if not will quit and display error messages with error.
+	//test if connection occured.
+	if(mysqli_connect_errno()){
+	die("Database connection failed: " .
+		mysqli_connect_error() .
+		"(" . mysqli_connect_errno() . ")"
+	);
+	}
+
+?>
+<?php
+
+if (isset($_POST['submit'])){
+//assign post data to variables
+$first_name = $_POST["first_name"];
+$last_name = $_POST["last_name"];
+$student_id = $_POST["student_id"];
+}
+
+	//2. perform database query
+	//This way is called assembling a query. Easier to read and work with.
+	//could also wrap parts in if statements. ex. if something is true,
+	//append the WHERE clause.
+	$query = "INSERT INTO students (";
+	$query .= " first_name, last_name, student_id"; 
+	$query .= ") VALUES (";
+	$query .= " '{$first_name}', '{$last_name}', '{$student_id}' ";
+	$query .= ")";
+
+	$result = mysqli_query($connection, $query);
+	//test if there was a query error
+	if($result){
+			//success
+			//could do a redirect. ex redirect to("somepage.php");
+			echo "Success! Student added to database!";
+			}else{		
+			//failure	
+			//$message = "Student creation failed";
+			die("Database query failed. " . mysqli_error($connection));
+			}
+?>
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>SQL Injection</title>
+</head>
+
+<body>
+
+
+
+
+</body>
+</html>
+
+<?php
+	//5.close database connection
+mysqli_close($connection);
+?>

SQL Injection/code files/Vulnerable/index.php

@@ -0,0 +1,27 @@
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>Form</title>
+</head>
+
+
+
+
+
+<br />
+<form action="SQL_Injection.php" method="post">
+	First name: <input type="text" name="first_name" value ="" /> <br />
+	Last name: <input type="text" name="last_name" value ="" /> <br />
+        Student ID: <input type="text" name="student_id" value ="" /> <br />
+	<br />
+	<input type="submit" name="submit" value ="Submit" /> <br />
+</form>
+
+
+
+
+</html>

Unrestricted Upload/code files/example files to be uploaded/malicious_code.php

@@ -0,0 +1,5 @@
+<?php
+
+//malicious script goes here.
+
+?>

Unrestricted Upload/code files/example files to be uploaded/sdev325notes.txt

@@ -0,0 +1 @@
+blah blah blah

Unrestricted Upload/code files/mitigated/upload_picture.php

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<!--
+To change this license header, choose License Headers in Project Properties.
+To change this template file, choose Tools | Templates
+and open the template in the editor.
+-->
+<html>
+    <head>
+        <meta charset="UTF-8">
+        <title>Upload</title>
+    </head>
+    <body>
+        
+  
+        
+<?php
+
+
+if (isset($_FILES["file"]["name"])) {
+
+    $name = $_FILES["file"]["name"];
+    $temp_file = $_FILES['file']['tmp_name'];
+    $error = $_FILES['file']['error'];
+
+    
+    
+    
+    
+    $imginfo_array = getimagesize($temp_file);   // returns a false if not a valid image file
+ 
+    if ($imginfo_array !== false) {
+    $mime_type = $imginfo_array['mime'];
+    switch($mime_type) { 
+        case "image/jpeg" ||"image/gif" || "image/png":
+                $location = 'pictures/';
+		move_uploaded_file($temp_file, $location.$name);
+                echo 'Uploaded successfully.';
+                        }
+                                  }
+            else {
+                 echo "This is not a valid image file";
+                 }
+
+}
+
+ 
+?>
+
+        <form action="upload_picture.php" method="POST" enctype="multipart/form-data">
+    <input type="file" name="file"><br><br>
+    <input type="submit" value="Submit">
+</form>
+    </body>
+</html>

Unrestricted Upload/code files/vulnerable/upload_picture.php

@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<!--
+To change this license header, choose License Headers in Project Properties.
+To change this template file, choose Tools | Templates
+and open the template in the editor.
+-->
+<html>
+    <head>
+        <meta charset="UTF-8">
+        <title>Upload</title>
+    </head>
+    <body>
+        
+<?php
+
+if (isset($_FILES["file"]["name"])) {
+
+    $name = $_FILES["file"]["name"];
+    $tmp_name = $_FILES['file']['tmp_name'];
+    $error = $_FILES['file']['error'];
+
+    if (!empty($name)) {
+        $location = 'pictures/';
+
+        if  (move_uploaded_file($tmp_name, $location.$name)){
+            echo 'Uploaded';
+        }
+
+    } else {
+        echo 'please choose a file';
+    }
+}
+?>
+
+        <form action="upload_picture.php" method="POST" enctype="multipart/form-data">
+    <input type="file" name="file"><br><br>
+    <input type="submit" value="Submit">
+</form>
+    </body>
+</html>

Use of Hard-Coded Credentials/code files/Mitigated/SQL_Injection.php

@@ -0,0 +1,63 @@
+<?php
+	
+require 'db.php';
+
+
+
+//will see if connected, if not will quit and display error messages with error.
+	//test if connection occured.
+	if(mysqli_connect_errno()){
+	die("Database connection failed: " .
+		mysqli_connect_error() .
+		"(" . mysqli_connect_errno() . ")"
+	);
+	}
+
+?>
+<?php
+
+if (isset($_POST['submit'])){
+//assign post data to variables
+$first_name = $_POST["first_name"];
+$last_name = $_POST ["last_name"];
+$student_id = $_POST["student_id"];
+}
+
+	$stmt = $connection->prepare("INSERT INTO students (first_name, last_name, student_id) VALUES (?, ?, ?)");
+        $stmt->bind_param('sss', $_POST['first_name'], $_POST['last_name'], $_POST['student_id']);
+        $stmt->execute();
+        $stmt->close();
+
+        
+        
+	//test if there was a query error
+	if($stmt){
+			//success
+			echo "Success! Student added to database!";
+			}else{		
+			//failure	
+			die("Database query failed. " . mysqli_error($connection));
+			}
+?>
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>SQL Injection</title>
+</head>
+
+<body>
+
+
+
+
+</body>
+</html>
+
+<?php
+	//5.close database connection
+mysqli_close($connection);
+?>

Use of Hard-Coded Credentials/code files/Mitigated/db.php

@@ -0,0 +1,6 @@
+<?php
+
+	// 1. Create a database connection
+	$connection = mysqli_connect('localhost', 'root', 'dakota02', 'UMUC');
+
+?>

Use of Hard-Coded Credentials/code files/Mitigated/index.php

@@ -0,0 +1,27 @@
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>Form</title>
+</head>
+
+
+
+
+
+<br />
+<form action="SQL_Injection.php" method="post">
+	First name: <input type="text" name="first_name" value ="" /> <br />
+	Last name: <input type="text" name="last_name" value ="" /> <br />
+        Student ID: <input type="text" name="student_id" value ="" /> <br />
+	<br />
+	<input type="submit" name="submit" value ="Submit" /> <br />
+</form>
+
+
+
+
+</html>

Use of Hard-Coded Credentials/code files/Vulnerable/SQL_Injection.php

@@ -0,0 +1,66 @@
+<?php
+	// 1. Create a database connection
+		// 1. Create a database connection
+	$connection = mysqli_connect('localhost', 'root', 'dakota02', 'UMUC');
+
+
+//Once we call the mysqli_connect function, the value that it returns is what we
+//have assigned to the variable $connection. It is what is referred to as a handle for the connection.
+
+//will see if connected, if not will quit and display error messages with error.
+	//test if connection occured.
+	if(mysqli_connect_errno()){
+	die("Database connection failed: " .
+		mysqli_connect_error() .
+		"(" . mysqli_connect_errno() . ")"
+	);
+	}
+
+?>
+<?php
+
+if (isset($_POST['submit'])){
+//assign post data to variables
+$first_name = $_POST["first_name"];
+$last_name = $_POST ["last_name"];
+$student_id = $_POST["student_id"];
+}
+
+	$stmt = $connection->prepare("INSERT INTO students (first_name, last_name, student_id) VALUES (?, ?, ?)");
+        $stmt->bind_param('sss', $_POST['first_name'], $_POST['last_name'], $_POST['student_id']);
+        $stmt->execute();
+        $stmt->close();
+
+        
+        
+	//test if there was a query error
+	if($stmt){
+			//success
+			echo "Success! Student added to database!";
+			}else{		
+			//failure	
+			die("Database query failed. " . mysqli_error($connection));
+			}
+?>
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>SQL Injection</title>
+</head>
+
+<body>
+
+
+
+
+</body>
+</html>
+
+<?php
+	//5.close database connection
+mysqli_close($connection);
+?>

Use of Hard-Coded Credentials/code files/Vulnerable/index.php

@@ -0,0 +1,27 @@
+
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+	"http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+
+<head>
+<title>Form</title>
+</head>
+
+
+
+
+
+<br />
+<form action="SQL_Injection.php" method="post">
+	First name: <input type="text" name="first_name" value ="" /> <br />
+	Last name: <input type="text" name="last_name" value ="" /> <br />
+        Student ID: <input type="text" name="student_id" value ="" /> <br />
+	<br />
+	<input type="submit" name="submit" value ="Submit" /> <br />
+</form>
+
+
+
+
+</html>

Use of a broken or risky Cryptographic algorithm/Mitigated/AES.java

@@ -0,0 +1,66 @@
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.xml.bind.DatatypeConverter;
+
+
+public class AES {
+
+
+    public static void main(String[] args) throws Exception {
+
+        String plainText = "Secret Message";
+        SecretKey secKey = getSecretEncryptionKey();
+        byte[] cipherText = encryptText(plainText, secKey);
+        String decryptedText = decryptText(cipherText, secKey);
+
+         
+
+        System.out.println("Original Text:" + plainText);
+        System.out.println("AES Key (Hex Form):"+bytesToHex(secKey.getEncoded()));
+        System.out.println("Encrypted Text (Hex Form):"+bytesToHex(cipherText));
+        System.out.println("Descrypted Text:"+decryptedText);
+    } 
+    //End of main class
+     
+    
+    //Gets encryption key. Would normally be stored differently in a real world situation. 
+    public static SecretKey getSecretEncryptionKey() throws Exception{
+
+        KeyGenerator generator = KeyGenerator.getInstance("AES");
+        generator.init(128); // AES key size. More secure than the 56 bit DES
+        SecretKey secKey = generator.generateKey();
+        return secKey;
+    }
+
+     
+    //ENCRYPT our text using the secret key to byte array
+    public static byte[] encryptText(String plainText,SecretKey secKey) throws Exception{
+
+        Cipher aesCipher = Cipher.getInstance("AES");
+        aesCipher.init(Cipher.ENCRYPT_MODE, secKey);
+        byte[] byteCipherText = aesCipher.doFinal(plainText.getBytes());
+        return byteCipherText;
+    }
+
+     
+    //DECRYPTS the byte array using the key
+    public static String decryptText(byte[] byteCipherText, SecretKey secKey) throws Exception {
+
+        Cipher aesCipher = Cipher.getInstance("AES");
+        aesCipher.init(Cipher.DECRYPT_MODE, secKey);
+        byte[] bytePlainText = aesCipher.doFinal(byteCipherText);
+        return new String(bytePlainText);
+
+    }
+
+     
+
+    //Converts binary byte array into readable hex
+    private static String  bytesToHex(byte[] hash) {
+
+        return DatatypeConverter.printHexBinary(hash);
+
+    }
+
+}

Use of a broken or risky Cryptographic algorithm/Vulnerable/DES.java

@@ -0,0 +1,44 @@
+import java.io.*;
+import javax.crypto.*;
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+      
+   
+public class DES {
+
+   
+    public static void main(String[] args) {
+       
+        try{
+            
+            String st = "Hello";
+            System.out.println("Real String: " + st);
+                     
+            byte str[]= st.getBytes();
+            Cipher c= Cipher.getInstance("DES");
+            KeyGenerator kg =KeyGenerator.getInstance("DES");
+            SecretKey sk= kg.generateKey();
+            
+            //encrypt mode
+            c.init(Cipher.ENCRYPT_MODE, sk);
+            byte ct[]= c.doFinal(str);
+            System.out.println("ENCRYPT_MODE DATA : " + new String(ct));
+            
+            //decrypt mode
+            c.init(Cipher.DECRYPT_MODE, sk);
+            byte ct1[]= c.doFinal(ct);
+            System.out.println("DECRYPT_MODE DATA : "  + new String(ct1));
+            
+            
+            
+        }
+        catch(Exception e)
+        {
+            System.out.println(e);
+        }
+        
+        
+    }
+    
+}