init

2 years ago · 83c6e7627d
--- a/Input/Buffer
+++ b/Input/Buffer
--- a/files/mitigated.cpp
+++ b/files/mitigated.cpp
@@ -0,0 +1,20 @@
 #include <iostream>
 using namespace std;
 int main() {
 char UserType[11]; // need one more than 10 for the end marker
 	std::cout << "Please enter your name (less than 10 characters): " << '\n';
 	std::cin.getline(UserType, 11); // limit input to 10
 	std::cout << UserType << '\n';
 }
--- a/files/vulnerable.cpp
+++ b/files/vulnerable.cpp
@@ -0,0 +1,16 @@
 #include <iostream>
 using namespace std;
 int main() {
   char name[10];
   cout << "Please enter your name: ";
   cin >> name;
   cout << "Your name is: " << name << endl;
 }
--- a/attemps/Improper
+++ b/attemps/Improper
--- a/attemps/Mitigated/LogIn.java
+++ b/attemps/Mitigated/LogIn.java
@@ -0,0 +1,44 @@
 import java.util.Scanner; 
 public class LogIn {
 public static void main(String[] args) {
 //declare variables
 String username, password;
 int n = 0;
 Scanner scanner = new Scanner (System.in);
 while (n<3) {
    //prompt user for their username
    System.out.print("Enter your username: ");  
    username = scanner.nextLine();
    //prompt user for their password
    System.out.print("Enter your password: ");  
    password = scanner.nextLine(); 
        if ("Justinfromcharleston@gmail.com".equals(username) && "secret17".equals(password)) 
        {  System.out.println("Welcome " + username + "!!!");
                break;
        }
        else if(!"secret17".equals(password) || !"Justinfromcharleston@gmail.com".equals(username)) {
           System.out.println("Incorrect login. Please try again.");
                n++;  
                  if (n==3){
                        System.out.print("Maximum login attemps exceeded.");  
                        break;
           }
        }
        }
 }
 }
--- a/attemps/Vulnerable/LogIn.java
+++ b/attemps/Vulnerable/LogIn.java
@@ -0,0 +1,41 @@
 package homework.pkg5;
 import java.util.Scanner; 
 public class LogIn{
 public static void main(String[] args) {
 //declare variables
 String username, password;
 int n = 0;
 Scanner scanner = new Scanner (System.in);
 while (n<3) {
    //prompt user for their username
    System.out.print("Enter your username: ");  
    username = scanner.nextLine();
    //prompt user for their password
    System.out.print("Enter your password: ");  
    password = scanner.nextLine(); 
        if ("Justinfromcharleston@gmail.com".equals(username) && "secret17".equals(password)) 
        {  System.out.println("Welcome " + username + "!!!");
                break;
        }
        else if(!"secret17".equals(password) || !"Justinfromcharleston@gmail.com".equals(username)) {
           System.out.println("Incorrect login. Please try again.");
        }
        }
 }
 }
--- a/Overflow/Integer
+++ b/Overflow/Integer
--- a/files/mitigated.java
+++ b/files/mitigated.java
@@ -0,0 +1,26 @@
 package integer.overflow;
 /**
 *
 * @author justi
 */
 public class IntegerOverflow_Mitigated {
    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
     //int a is equal to the largest int available
     int a = Integer.MAX_VALUE;
     int b = 1;
     //calculation will result in integer overflow
     int c = a + b;
     System.out.println("Before: " + a + " + " + b + " = " + c);
     System.out.println("After: " +  Math.addExact( a, b ));
    }
 }
--- a/files/vulnerable.java
+++ b/files/vulnerable.java
@@ -0,0 +1,26 @@
 package integer.overflow;
 /**
 *
 * @author justi
 */
 public class IntegerOverflow {
    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {
     //int a is equal to the largest int available
     int a = Integer.MAX_VALUE;
     int b = 1;
     //calculation will result in integer overflow
     int c = a + b;
     System.out.println(a + " + " + b + " = " + c);
    }
 }
--- a/Data/Missing
+++ b/Data/Missing
--- a/files/Mitigated/Password.java
+++ b/files/Mitigated/Password.java
@@ -0,0 +1,29 @@
 package homework.pkg4;
 import java.security.MessageDigest;
 import java.util.Scanner;
 import javax.xml.bind.DatatypeConverter;
 public class Password {
 	public static void main( String[] args ) throws Exception {
 		Scanner keyboard = new Scanner(System.in);
 		String un, pw, encrypt_psswrd;
 		MessageDigest digest = MessageDigest.getInstance("SHA-256");
                System.out.print("Please create a username: ");
 		un = keyboard.nextLine();
 		System.out.print("Please create a password: ");
 		pw = keyboard.nextLine();
 		digest.update( pw.getBytes("UTF-8") );
 		encrypt_psswrd = DatatypeConverter.printHexBinary( digest.digest() );
 		//overwrites user's original input so it is not visible to hackers. 
 		pw = "empty";
 		System.out.println( "Your username is: " + un + ". Your password has been encryped for security purposes: " + encrypt_psswrd );
 	}
 }
--- a/files/Vulnerable/Password.java
+++ b/files/Vulnerable/Password.java
@@ -0,0 +1,22 @@
 package homework.pkg4;
 import java.security.MessageDigest;
 import java.util.Scanner;
 public class Password {
 	public static void main( String[] args ) throws Exception {
 		Scanner keyboard = new Scanner(System.in);
 		String un, pw, encrypt_psswrd;
 		MessageDigest digest = MessageDigest.getInstance("SHA-256");
                System.out.print("Please create a username: ");
 		un = keyboard.nextLine();
 		System.out.print("Please create a password: ");
 		pw = keyboard.nextLine();
 		System.out.println( "Your username is: " + un + ". Your password is: " + pw);
 	}
 }
--- a/README.md
+++ b/README.md
@@ -0,0 +1,2 @@
 # Software-Vulnerability-Demonstrations
 Software Vulnerability Demonstrations Unique and complete demonstrations of software vulnerabilities found in the CWE/SANS Top 25  vulnerabilities list. Each example contains executable code with both a vulnerable version  showing the weakness and a mitigated version showing how eliminate it. Each is well-documented  and includes screenshots showing the application executing step by step. These are part of what would be a much larger application. 
--- a/Injection.docx
+++ b/Injection.docx
--- a/files/Mitigated/SQL_Injection.php
+++ b/files/Mitigated/SQL_Injection.php
@@ -0,0 +1,71 @@
 <?php
 	// 1. Create a database connection
 	$dbhost = "localhost";
 	$dbuser = "root";
 	$dbpass = "dakota02";
 	$dbname = "UMUC";
 	$connection = mysqli_connect($dbhost, $dbuser, $dbpass,
 			$dbname);
 //you could just place the variables directly into the arugments also, but
 //it's easier to understand this way.
 //Once we call the mysqli_connect function, the value that it returns is what we
 //have assigned to the variable $connection. It is what is referred to as a handle for the connection.
 //will see if connected, if not will quit and display error messages with error.
 	//test if connection occured.
 	if(mysqli_connect_errno()){
 	die("Database connection failed: " .
 		mysqli_connect_error() .
 		"(" . mysqli_connect_errno() . ")"
 	);
 	}
 ?>
 <?php
 if (isset($_POST['submit'])){
 //assign post data to variables
 $first_name = $_POST["first_name"];
 $last_name = $_POST ["last_name"];
 $student_id = $_POST["student_id"];
 }
 	$stmt = $connection->prepare("INSERT INTO students (first_name, last_name, student_id) VALUES (?, ?, ?)");
        $stmt->bind_param('sss', $_POST['first_name'], $_POST['last_name'], $_POST['student_id']);
        $stmt->execute();
        $stmt->close();
 	//test if there was a query error
 	if($stmt){
 			//success
 			echo "Success! Student added to database!";
 			}else{		
 			//failure	
 			die("Database query failed. " . mysqli_error($connection));
 			}
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>SQL Injection</title>
 </head>
 <body>
 </body>
 </html>
 <?php
 	//5.close database connection
 mysqli_close($connection);
 ?>
--- a/files/Mitigated/index.php
+++ b/files/Mitigated/index.php
@@ -0,0 +1,27 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>Form</title>
 </head>
 <br />
 <form action="SQL_Injection.php" method="post">
 	First name: <input type="text" name="first_name" value ="" /> <br />
 	Last name: <input type="text" name="last_name" value ="" /> <br />
        Student ID: <input type="text" name="student_id" value ="" /> <br />
 	<br />
 	<input type="submit" name="submit" value ="Submit" /> <br />
 </form>
 </html>
--- a/files/Vulnerable/SQL_Injection.php
+++ b/files/Vulnerable/SQL_Injection.php
@@ -0,0 +1,77 @@
 <?php
 	// 1. Create a database connection
 	$dbhost = "localhost";
 	$dbuser = "root";
 	$dbpass = "dakota02";
 	$dbname = "UMUC";
 	$connection = mysqli_connect($dbhost, $dbuser, $dbpass,
 			$dbname);
 //you could just place the variables directly into the arugments also, but
 //it's easier to understand this way.
 //Once we call the mysqli_connect function, the value that it returns is what we
 //have assigned to the variable $connection. It is what is referred to as a handle for the connection.
 //will see if connected, if not will quit and display error messages with error.
 	//test if connection occured.
 	if(mysqli_connect_errno()){
 	die("Database connection failed: " .
 		mysqli_connect_error() .
 		"(" . mysqli_connect_errno() . ")"
 	);
 	}
 ?>
 <?php
 if (isset($_POST['submit'])){
 //assign post data to variables
 $first_name = $_POST["first_name"];
 $last_name = $_POST["last_name"];
 $student_id = $_POST["student_id"];
 }
 	//2. perform database query
 	//This way is called assembling a query. Easier to read and work with.
 	//could also wrap parts in if statements. ex. if something is true,
 	//append the WHERE clause.
 	$query = "INSERT INTO students (";
 	$query .= " first_name, last_name, student_id"; 
 	$query .= ") VALUES (";
 	$query .= " '{$first_name}', '{$last_name}', '{$student_id}' ";
 	$query .= ")";
 	$result = mysqli_query($connection, $query);
 	//test if there was a query error
 	if($result){
 			//success
 			//could do a redirect. ex redirect to("somepage.php");
 			echo "Success! Student added to database!";
 			}else{		
 			//failure	
 			//$message = "Student creation failed";
 			die("Database query failed. " . mysqli_error($connection));
 			}
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>SQL Injection</title>
 </head>
 <body>
 </body>
 </html>
 <?php
 	//5.close database connection
 mysqli_close($connection);
 ?>
--- a/files/Vulnerable/index.php
+++ b/files/Vulnerable/index.php
@@ -0,0 +1,27 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>Form</title>
 </head>
 <br />
 <form action="SQL_Injection.php" method="post">
 	First name: <input type="text" name="first_name" value ="" /> <br />
 	Last name: <input type="text" name="last_name" value ="" /> <br />
        Student ID: <input type="text" name="student_id" value ="" /> <br />
 	<br />
 	<input type="submit" name="submit" value ="Submit" /> <br />
 </form>
 </html>
--- a/Upload/Unrestriced
+++ b/Upload/Unrestriced
--- a/uploaded/malicious_code.php
+++ b/uploaded/malicious_code.php
@@ -0,0 +1,5 @@
 <?php
 //malicious script goes here.
 ?>
--- a/uploaded/sdev325notes.txt
+++ b/uploaded/sdev325notes.txt
@@ -0,0 +1 @@
 blah blah blah
--- a/files/mitigated/upload_picture.php
+++ b/files/mitigated/upload_picture.php
@@ -0,0 +1,54 @@
 <!DOCTYPE html>
 <!--
 To change this license header, choose License Headers in Project Properties.
 To change this template file, choose Tools | Templates
 and open the template in the editor.
 -->
 <html>
    <head>
        <meta charset="UTF-8">
        <title>Upload</title>
    </head>
    <body>
 <?php
 if (isset($_FILES["file"]["name"])) {
    $name = $_FILES["file"]["name"];
    $temp_file = $_FILES['file']['tmp_name'];
    $error = $_FILES['file']['error'];
    $imginfo_array = getimagesize($temp_file);   // returns a false if not a valid image file
    if ($imginfo_array !== false) {
    $mime_type = $imginfo_array['mime'];
    switch($mime_type) { 
        case "image/jpeg" ||"image/gif" || "image/png":
                $location = 'pictures/';
 		move_uploaded_file($temp_file, $location.$name);
                echo 'Uploaded successfully.';
                        }
                                  }
            else {
                 echo "This is not a valid image file";
                 }
 }
 ?>
        <form action="upload_picture.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="file"><br><br>
    <input type="submit" value="Submit">
 </form>
    </body>
 </html>
--- a/files/vulnerable/upload_picture.php
+++ b/files/vulnerable/upload_picture.php
@@ -0,0 +1,40 @@
 <!DOCTYPE html>
 <!--
 To change this license header, choose License Headers in Project Properties.
 To change this template file, choose Tools | Templates
 and open the template in the editor.
 -->
 <html>
    <head>
        <meta charset="UTF-8">
        <title>Upload</title>
    </head>
    <body>
 <?php
 if (isset($_FILES["file"]["name"])) {
    $name = $_FILES["file"]["name"];
    $tmp_name = $_FILES['file']['tmp_name'];
    $error = $_FILES['file']['error'];
    if (!empty($name)) {
        $location = 'pictures/';
        if  (move_uploaded_file($tmp_name, $location.$name)){
            echo 'Uploaded';
        }
    } else {
        echo 'please choose a file';
    }
 }
 ?>
        <form action="upload_picture.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="file"><br><br>
    <input type="submit" value="Submit">
 </form>
    </body>
 </html>
--- a/Credentials.docx
+++ b/Credentials.docx
--- a/files/Mitigated/SQL_Injection.php
+++ b/files/Mitigated/SQL_Injection.php
@@ -0,0 +1,63 @@
 <?php
 require 'db.php';
 //will see if connected, if not will quit and display error messages with error.
 	//test if connection occured.
 	if(mysqli_connect_errno()){
 	die("Database connection failed: " .
 		mysqli_connect_error() .
 		"(" . mysqli_connect_errno() . ")"
 	);
 	}
 ?>
 <?php
 if (isset($_POST['submit'])){
 //assign post data to variables
 $first_name = $_POST["first_name"];
 $last_name = $_POST ["last_name"];
 $student_id = $_POST["student_id"];
 }
 	$stmt = $connection->prepare("INSERT INTO students (first_name, last_name, student_id) VALUES (?, ?, ?)");
        $stmt->bind_param('sss', $_POST['first_name'], $_POST['last_name'], $_POST['student_id']);
        $stmt->execute();
        $stmt->close();
 	//test if there was a query error
 	if($stmt){
 			//success
 			echo "Success! Student added to database!";
 			}else{		
 			//failure	
 			die("Database query failed. " . mysqli_error($connection));
 			}
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>SQL Injection</title>
 </head>
 <body>
 </body>
 </html>
 <?php
 	//5.close database connection
 mysqli_close($connection);
 ?>
--- a/files/Mitigated/db.php
+++ b/files/Mitigated/db.php
@@ -0,0 +1,6 @@
 <?php
 	// 1. Create a database connection
 	$connection = mysqli_connect('localhost', 'root', 'dakota02', 'UMUC');
 ?>
--- a/files/Mitigated/index.php
+++ b/files/Mitigated/index.php
@@ -0,0 +1,27 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>Form</title>
 </head>
 <br />
 <form action="SQL_Injection.php" method="post">
 	First name: <input type="text" name="first_name" value ="" /> <br />
 	Last name: <input type="text" name="last_name" value ="" /> <br />
        Student ID: <input type="text" name="student_id" value ="" /> <br />
 	<br />
 	<input type="submit" name="submit" value ="Submit" /> <br />
 </form>
 </html>
--- a/files/Vulnerable/SQL_Injection.php
+++ b/files/Vulnerable/SQL_Injection.php
@@ -0,0 +1,66 @@
 <?php
 	// 1. Create a database connection
 		// 1. Create a database connection
 	$connection = mysqli_connect('localhost', 'root', 'dakota02', 'UMUC');
 //Once we call the mysqli_connect function, the value that it returns is what we
 //have assigned to the variable $connection. It is what is referred to as a handle for the connection.
 //will see if connected, if not will quit and display error messages with error.
 	//test if connection occured.
 	if(mysqli_connect_errno()){
 	die("Database connection failed: " .
 		mysqli_connect_error() .
 		"(" . mysqli_connect_errno() . ")"
 	);
 	}
 ?>
 <?php
 if (isset($_POST['submit'])){
 //assign post data to variables
 $first_name = $_POST["first_name"];
 $last_name = $_POST ["last_name"];
 $student_id = $_POST["student_id"];
 }
 	$stmt = $connection->prepare("INSERT INTO students (first_name, last_name, student_id) VALUES (?, ?, ?)");
        $stmt->bind_param('sss', $_POST['first_name'], $_POST['last_name'], $_POST['student_id']);
        $stmt->execute();
        $stmt->close();
 	//test if there was a query error
 	if($stmt){
 			//success
 			echo "Success! Student added to database!";
 			}else{		
 			//failure	
 			die("Database query failed. " . mysqli_error($connection));
 			}
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>SQL Injection</title>
 </head>
 <body>
 </body>
 </html>
 <?php
 	//5.close database connection
 mysqli_close($connection);
 ?>
--- a/files/Vulnerable/index.php
+++ b/files/Vulnerable/index.php
@@ -0,0 +1,27 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 	"http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
 <head>
 <title>Form</title>
 </head>
 <br />
 <form action="SQL_Injection.php" method="post">
 	First name: <input type="text" name="first_name" value ="" /> <br />
 	Last name: <input type="text" name="last_name" value ="" /> <br />
        Student ID: <input type="text" name="student_id" value ="" /> <br />
 	<br />
 	<input type="submit" name="submit" value ="Submit" /> <br />
 </form>
 </html>
--- a/algorithm/Mitigated/AES.java
+++ b/algorithm/Mitigated/AES.java
@@ -0,0 +1,66 @@
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.xml.bind.DatatypeConverter;
 public class AES {
    public static void main(String[] args) throws Exception {
        String plainText = "Secret Message";
        SecretKey secKey = getSecretEncryptionKey();
        byte[] cipherText = encryptText(plainText, secKey);
        String decryptedText = decryptText(cipherText, secKey);
        System.out.println("Original Text:" + plainText);
        System.out.println("AES Key (Hex Form):"+bytesToHex(secKey.getEncoded()));
        System.out.println("Encrypted Text (Hex Form):"+bytesToHex(cipherText));
        System.out.println("Descrypted Text:"+decryptedText);
    } 
    //End of main class
    //Gets encryption key. Would normally be stored differently in a real world situation. 
    public static SecretKey getSecretEncryptionKey() throws Exception{
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128); // AES key size. More secure than the 56 bit DES
        SecretKey secKey = generator.generateKey();
        return secKey;
    }
    //ENCRYPT our text using the secret key to byte array
    public static byte[] encryptText(String plainText,SecretKey secKey) throws Exception{
        Cipher aesCipher = Cipher.getInstance("AES");
        aesCipher.init(Cipher.ENCRYPT_MODE, secKey);
        byte[] byteCipherText = aesCipher.doFinal(plainText.getBytes());
        return byteCipherText;
    }
    //DECRYPTS the byte array using the key
    public static String decryptText(byte[] byteCipherText, SecretKey secKey) throws Exception {
        Cipher aesCipher = Cipher.getInstance("AES");
        aesCipher.init(Cipher.DECRYPT_MODE, secKey);
        byte[] bytePlainText = aesCipher.doFinal(byteCipherText);
        return new String(bytePlainText);
    }
    //Converts binary byte array into readable hex
    private static String  bytesToHex(byte[] hash) {
        return DatatypeConverter.printHexBinary(hash);
    }
 }
--- a/algorithm.docx
+++ b/algorithm.docx
--- a/algorithm/Vulnerable/DES.java
+++ b/algorithm/Vulnerable/DES.java
@@ -0,0 +1,44 @@
 import java.io.*;
 import javax.crypto.*;
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 public class DES {
    public static void main(String[] args) {
        try{
            String st = "Hello";
            System.out.println("Real String: " + st);
            byte str[]= st.getBytes();
            Cipher c= Cipher.getInstance("DES");
            KeyGenerator kg =KeyGenerator.getInstance("DES");
            SecretKey sk= kg.generateKey();
            //encrypt mode
            c.init(Cipher.ENCRYPT_MODE, sk);
            byte ct[]= c.doFinal(str);
            System.out.println("ENCRYPT_MODE DATA : " + new String(ct));
            //decrypt mode
            c.init(Cipher.DECRYPT_MODE, sk);
            byte ct1[]= c.doFinal(ct);
            System.out.println("DECRYPT_MODE DATA : "  + new String(ct1));
        }
        catch(Exception e)
        {
            System.out.println(e);
        }
    }
 }