exploit hacks

_notebooks/2023-12-08-JavaExploitsStudent.ipynb

@@ -88,9 +88,9 @@
     "\n",
     "#### Process\n",
     "\n",
-    "1. SYN (____) - initiates connection\n",
-    "    - sends ISN (initial sequence number) that is used as an ____, organizing the data sent/received correctly\n",
-    "2. SYN-ACK (synchronize-____) - acknowledgement of connection\n",
+    "1. SYN (__synchronize __) - initiates connection\n",
+    "    - sends ISN (initial sequence number) that is used as an __identifier __, organizing the data sent/received correctly\n",
+    "2. SYN-ACK (synchronize-__acknowledge __) - acknowledgement of connection\n",
     "    - sends it's own ISN and the client's ISN, confirming a connection\n",
     "3. ACK (acknowledge) - completing the connection\n",
     "    - indicates that it knows the server's ISN\n",
@@ -621,20 +621,20 @@
    "source": [
     "`.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-Credentials\", \"true\"))`:\n",
     "\n",
-    "- This header indicates whether the ____ should include credentials (like cookies, HTTP authentication, and client-side SSL certificates) in the request\n",
+    "- This header indicates whether the __browser __ should include credentials (like cookies, HTTP authentication, and client-side SSL certificates) in the request\n",
     "- This is typically used when the server needs to send and receive cookies on the requested domain.\n",
     "\n",
     "`.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-ExposedHeaders\", \"*\", \"Authorization\"))`:\n",
     "\n",
-    "- This header, enables you to specify ____ headers (\"*\") and grants the browser to expose headers like \"Authorization\" to the client.\n",
+    "- This header, enables you to specify __exposed __ headers (\"*\") and grants the browser to expose headers like \"Authorization\" to the client.\n",
     "\n",
     "`.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-Headers\", \"Content-Type\", \"Authorization\", \"x-csrf-token\"))`:\n",
     "\n",
     "- This line is listing the headers that the client is allowed to use in the actual request\n",
     "\n",
     "`.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-MaxAge\", \"600\"))`:\n",
     "\n",
-    "- This line specifies that the results of a ___ request can be cached for in this case, 600 seconds\n",
+    "- This line specifies that the results of a __preflight_ request can be cached for in this case, 600 seconds\n",
     "- What this does in other words is before the actual request is received, a small request is typically sent and this request is saved for 600 seconds allowing for it so when similar calls are made, the result of the initial call is reused, this improves the performance and latency.\n",
     "\n",
     "`.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-Methods\", \"POST\", \"GET\", \"OPTIONS\", \"HEAD\"))`:\n",
@@ -793,14 +793,152 @@
     "## Hacks\n",
     "\n",
     "- Create a PicoCTF account: [Link](https://play.picoctf.org/practice?category=1&page=1) -> go to Practice -> go to Web Exploit -> Complete any 5 challenges and blog about them.\n",
-    "- Implement DotEnv in one of your projects and document the process.\n",
     "- Capture the TCP and TLS protocols of your own springboot server project and document the steps in a blog. (Hint: Use Wireshark to capture the data.)\n",
     "- Show and explain how CORS has been used in your previous projects.\n",
     "\n",
     "### Extra +0.1\n",
     "\n",
     "- Find a modern example of SQL Injection, XXS, or another exploit, describe how it has been done, how it has been fixed, and how it could have been prevented."
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# CTF CHALLENGES \n",
+    "\n",
+    "PicoCTF challenge 1: cookie challenge\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/CTF1.png)\n",
+    "\n",
+    "I solved this one by editing the value for the only cookie, incrementing it by 1 and starting from 0 until I got this flag. I figured there was something to do with cookies but I had to google some info on finding out where the cookies were located in the developer tools\n",
+    "\n",
+    "PICO CTF challenge 2: GET aHEAD\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/CTF2.png)\n",
+    "\n",
+    "with this one, I had to change the request to HEAD from POST, which gave me the flag when I changed the request and analyzed the header in burpsuite.\n",
+    "\n",
+    "PICO CTF challenge 3: Insp3ct0r\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/CTF3.png)\n",
+    "\n",
+    "this one was easy. I just had to open developer tools and looked at the html, js, and css files, and the flag was just commented in each of those files.\n",
+    "\n",
+    "PICO CTF challenge 4: scavenger hunt\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/CTF4.png)\n",
+    "\n",
+    "the first 2 parts of the flag were in indexed in html and css files, but the 3rd file needed me to append robots.txt to the end of the url to see the 3rd, part, before directing me to look at apache server. I had to look that up and found out I needed to go to .htaccess next as that file is used in apache servers, which gave me part 4. part 5 was a hint to mac stores which led me to search for ds store as the file to check for the final part of the flag.\n",
+    "\n",
+    "PICO CTF challenge 5: Some Assembly Required 1\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/CTF5.png)\n",
+    "\n",
+    "for this one, I just had to look at source again and dig for answers. I checked here and found the flag right there, and surprisingly it was the answer.\n",
+    "\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Capture the TCP and TLS protocols of your own springboot server project and document the steps in a blog. (Hint: Use Wireshark to capture the data.)\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/tcp.png)\n",
+    "\n",
+    "Here, I'm capturing the instance where I use get with my personal spring boot project running locally. \n",
+    "\n",
+    "First, I installed Wireshark and captured the adapter for loopback traffic capture. \n",
+    "\n",
+    "Next, I ran the springboot project locally\n",
+    "\n",
+    "then, I looked in wireshark for any handshakes occuring for my springboot project when I went to /api/persons as a test.\n",
+    "\n",
+    "I was able to see the TCP handshake on wireshark and the TLS handshake doing this."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Show and explain how cors has been used in your previous projects.\n",
+    "\n",
+    "Heres the code from my tri 1 backend I want to talk about:\n",
+    "\n",
+    "\n",
+    "`@Bean\n",
+    "\tpublic CorsConfigurationSource corsConfigurationSource() {\n",
+    "\t\tCorsConfiguration configuration = new CorsConfiguration();\n",
+    "\t\tconfiguration.setAllowedOrigins(Arrays.asList(\"https://y2kcoders.github.io\",\"http://127.0.0.1:4100\",\"https://y2kcoders.github.io/skatepark.co/devbools\")); // Add other allowed origins if\n",
+    "\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// needed\n",
+    "\t\tconfiguration.setAllowedMethods(Arrays.asList( \"DELETE\", \"GET\", \"POST\", \"PUT\"));\n",
+    "\t\tconfiguration.setAllowedHeaders(Arrays.asList(\"Content-Type\", \"Authorization\", \"x-csrf-token\"));\n",
+    "\t\tconfiguration.setAllowCredentials(true); // Allow credentials\n",
+    "\t\tUrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();\n",
+    "\t\tsource.registerCorsConfiguration(\"/**\", configuration);\n",
+    "\t\treturn source;\n",
+    "\t}`\n",
+    "\n",
+    "\t`@Override\n",
+    "\tprotected void configure(HttpSecurity httpSecurity) throws Exception {\n",
+    "\t\thttpSecurity\n",
+    "\t\t\t\t// no CSRF\n",
+    "\t\t\t\t.csrf().disable()\n",
+    "\t\t\t\t// list the requests/endpoints need to be authenticated\n",
+    "\t\t\t\t.authorizeRequests()\n",
+    "\t\t\t\t// Change \"permitAll\" to \"authenticated\" to enable authentication\n",
+    "\t\t\t\t.antMatchers(\"/mvc/person/update/**\").permitAll()\n",
+    "\t\t\t\t.antMatchers(\"/api/person/**\").permitAll()\n",
+    "\t\t\t\t.antMatchers(\"/api/skatepark/delete/**\").permitAll()\n",
+    "\t\t\t\t.antMatchers(\"/api/network/**\").permitAll()\n",
+    "\t\t\t\t.and()\n",
+    "\t\t\t\t// support cors\n",
+    "\t\t\t\t.cors().and()\n",
+    "\t\t\t\t.headers()\n",
+    "\t\t\t\t.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-Credentials\", \"true\"))\n",
+    "\t\t\t\t.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-ExposedHeaders\", \"*\", \"Authorization\"))\n",
+    "\t\t\t\t.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-Headers\", \"Content-Type\",\n",
+    "\t\t\t\t\t\t\"Authorization\", \"x-csrf-token\"))\n",
+    "\t\t\t\t.addHeaderWriter\t(new StaticHeadersWriter(\"Access-Control-Allow-MaxAge\", \"600\"))\n",
+    "\t\t\t\t.addHeaderWriter(\n",
+    "\t\t\t\t\t\tnew StaticHeadersWriter(\"Access-Control-Allow-Methods\", \"POST\", \"GET\", \"OPTIONS\", \"DELETE\", \"HEAD\"))\n",
+    "\t\t\t\t\t.addHeaderWriter(new StaticHeadersWriter(\"Access-Control-Allow-Origin\", //\"https://theoh32.github.io\",\n",
+    "\t\t\t\t\"https://y2kcoders.github.io\"))\n",
+    "\t\t\t\t.and()\n",
+    "\t\t\t\t.formLogin()\n",
+    "\t\t\t\t.loginPage(\"/login\")\n",
+    "\t\t\t\t.and()\n",
+    "\t\t\t\t.logout()\n",
+    "\t\t\t\t.logoutRequestMatcher(new AntPathRequestMatcher(\"/logout\"))\n",
+    "\t\t\t\t.logoutSuccessUrl(\"/\")`\n",
+    "\n",
+    "\n",
+    "Basically, cors was used in our tri 1 project first for permitting the front end to access our backend, specifically our frontend only as seen in the addheaderwriter line including \n",
+    "y2kcoders, which was our frontend for our tri 1 project. I also set similar allowed origins in the top in the @bean, specifically allowing our localhost frontend to connect to actual backend for testing during development."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# Extra +0.1\n",
+    "\n",
+    "- Find a modern example of SQL Injection, XXS, or another exploit, describe how it has been done, how it has been fixed, and how it could have been prevented.\n",
+    "\n",
+    "This isn't really an exploit and really just me doing research. idk if I will actually get anything for this but its kind of cool regardless.\n",
+    "\n",
+    "using trufflehog [link to github project](https://github.com/trufflesecurity/trufflehog) you can potentially scrape access keys off of github repos and use them. \n",
+    "\n",
+    "You can scrape both the repo itself as well as commits and other things as well.\n",
+    "\n",
+    "Heres an example of me using it to scrape the example repo for keys, though the real usage of this tool is for scraping your own repos to ensure that you have everything locked down, not scraping other repos.\n",
+    "\n",
+    "![image]({{site.baseurl}}/images/hog.png)\n",
+    "\n",
+    "\n",
+    "Though one could probably code an automated trufflehog bot for stealing keys for malicious purposes, it probably wouldn't be very effective as most people are smart enough not to commit their access keys to repos nowadays.\n"
+   ]
   }
  ],
  "metadata": {

_notebooks/2023-12-19-JWTLesson.ipynb

@@ -702,6 +702,15 @@
     "\n",
     "        ANS: Any of the above depending on app."
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "# HACK: Implement a simple authentication system using JWT with Java. Show how JWT works with postman. Get the request to be authorized\n",
+    "\n",
+    "\n"
+   ]
   }
  ],
  "metadata": {