updates to fix out of box execution of scripts

README.md

@@ -19,7 +19,7 @@ The code samples here hserve several purposes:
 
 # Code Authors
 
-Unless otherwise sited in the code, the scripts herein are generated by ChatGPT and Github Copilot with my own promts and subsequent edits.  There's no way to properly attribute the original source(s) of source code used to train the LLM.
+Unless otherwise sited in the code, the scripts herein are generated by a combination of Tim Kelly (human) and AI coding assistants (ChatGPT, Github Copilot).  
 
 # Installation Guide
 
@@ -38,15 +38,14 @@ Follow these steps to install the necessary dependencies for the project:
 `pip3 install -r requirements.txt`
 
 4. Navigate to the directory for the demo you want to run and run the python file there (e.g. `python3 idor.py`):
-
-* [broken-auth](./broken-auth/) - Demonstrates a session management vulnerabity if an attacker get ahold of an authentication session token. See also [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html).
 
     * This source code example also demonstrates sensitive data exposure where passwords are stored in code. See [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html).
 
 # Demo Listing & References
 
+* [broken-auth](./broken-auth/) - Demonstrates a session management vulnerability if an attacker get ahold of an authentication session token. See also [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html).
 * [idor](./idor/) - Demonstrates broken access control for easily guessable IDs and no authentication. See also [OWASP IDOR](https://owasp.org/www-chapter-ghana/assets/slides/IDOR.pdf).
-* [sqli](./sqli/) - Dmonstrates standard SQL Injection being able to dump a database from a form field. See also [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).
-* [ssrf](./ssrf/) - Demonstrate a server side request forgery tricking the app to making a call to an not allowed 3rd party domain. See also [OWASP Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery).
-* [xss](./xss/) - Demonstrates executing arbitraty javascript inside the applicaiton. See also [OWASP Cross Site Scripting](https://owasp.org/www-community/attacks/xss/)
+* [sqli](./sqli/) - Demonstrates standard SQL Injection being able to dump a database from a form field. See also [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).
+* [ssrf](./ssrf/) - Demonstrate a server-side request forgery tricking the app to making an HTTP request to a not-allowed 3rd party domain. See also [OWASP Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery).
+* [xss](./xss/) - Demonstrates executing arbitrary javascript inside the application. See also [OWASP Cross Site Scripting](https://owasp.org/www-community/attacks/xss/)
 * [secrets](./secrets/) - An example of leaking a secrets file or environment variable configuration. These should all be caught by [Github Secrets Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations).

broken-auth/templates/index.html

@@ -8,8 +8,8 @@
 </head>
 <body>
     <h1>Session Timeout Test</h1>
-
-    <p>This page provides instructions for testing the session timeout functionality in the Flask app.</p>
+    on timeout functionality in the Flask app. The session timeout is set to 5000 days for demonstration purposes. Seesions with long expiration or no expiration times increase the risk that someone else might access the account on the same computer or even steal the session token and compromise the account.</p>
+    <p>This page provides instructions for testing stealing a session token.
 
     <h2>Steps to Test Session Timeout:</h2>
     <ol>
@@ -24,11 +24,45 @@ <h2>Steps to Test Session Timeout:</h2>
                 <input type="submit" value="Login">
             </form>
         </li>
+
+        <p></p>
         <li>After logging in, you will be redirected to the <a href="/dashboard" target="_blank">Dashboard</a>.</li>
+        <p></p>
         <li>Refresh the Dashboard page or navigate to another page within the app.</li>
-        <li>Look at the network call to the /dashboard endpoint. Note that in the Cookie header value there is a session token. Get the curl and run it in a terminal. You full access to this users account now without having to know the password.</li>
+        <p></p>
+        <li>Look at the network call to the /dashboard endpoint (hint, use Chrome debugging tools). Note that in the Cookie header value there is a session token. Copy the GET curl command for /dashboard</li>
+        <p></p>
+        The curl command will look something like this (but won't work if you copy from here):
+        <p></p>
+        <code>
+    curl 'http://127.0.0.1:5000/dashboard' \
+  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
+  -H 'Accept-Language: en-US,en;q=0.9' \
+  -H 'Cache-Control: max-age=0' \
+  -H 'Connection: keep-alive' \
+  -H 'Cookie: session=eyJ1c2VybmFtZSI6InVzZXIxIn0.ZZRmyg.zKOnmV6Z7Nj46QR8hjAbuNZYV90' \
+  -H 'Referer: http://127.0.0.1:5000/' \
+  -H 'Sec-Fetch-Dest: document' \
+  -H 'Sec-Fetch-Mode: navigate' \
+  -H 'Sec-Fetch-Site: same-origin' \
+  -H 'Sec-Fetch-User: ?1' \
+  -H 'Upgrade-Insecure-Requests: 1' \
+  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' \
+  -H 'sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"' \
+  -H 'sec-ch-ua-mobile: ?0' \
+  -H 'sec-ch-ua-platform: "macOS"' \
+  --compressed
+        <p></p>
+        </code>
+        <li>
+            Paste the curl and run it in a terminal. You full access to this users account now without having to know the password. In other words, you can run this command from any computer in the world that can reach the application:
+        </li>
+        <p>
+        </p>
+        <code>
+            Welcome, user1! This is your dashboard.
+        </code>
     </ol>
 
-    <p>Note: The session timeout is set to 5000 days for demonstration purposes. In a real-world scenario, session timeout values will be much shorter.</p>
 </body>
 </html>

requirements.txt

@@ -1,4 +1,5 @@
-Flask==1.1.2
+Flask==3.0.0
 requests==2.25.1
 datetime==4.3
-pysqlite3==0.4.6
+pysqlite3==0.4.6
+Werkzeug==2.2.2

ssrf/ssrf.py

@@ -15,13 +15,12 @@ def follow_url():
 def home():
     return '''<h1>SSRF</h1>
                 <br>
-                Usage:
-                    <br><code>http://127.0.0.1:80/follow?url=https://api.github.com/events</code><br>
-                Running:
+                Usage: When the app is running, put in a desired URL to call from the app:
+                    <br><code>http://127.0.0.1:5000/follow?url=https://api.github.com/events</code><br>
+                <p></p>
+                Running: Navigate to the directory containing ssrf.py and run:
                 <br><code>
-                    sudo apt install -y python3-pip
-                    sudo pip3 install flask requests;
-                    FLASK_APP=ssrf.py flask run --host=0.0.0.0 --port=80
+                    python3 ssrf.py
                 </code></br>
     '''