Skip to content

ffleming/camelflage

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
2 branches 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
app
 
 
bin
 
 
config
 
 
db
 
 
lib/tasks
 
 
log
 
 
public
 
 
tmp
 
 
.env.sample
 
 
.gitignore
 
 
Gemfile
 
 
Gemfile.lock
 
 
README.md
 
 
Rakefile
 
 
config.ru
 
 
Camelflage Usage Timing Vulnerabilities Conditional Hashing Insecure string comparison Login Basic Auth Injection Vulnerabilities SQL Injection Vulnerabilities Raw SQL Query Injection Raw where SQL Injection Template Injection Vulnerability XSS Vulnerabilities XSS Parameter Vulnerability

README.md

Camelflage

I created this application to test timing-attack exploit tools. It's easier to develop an exploitation toolchain when you have an application that is both vulnerable and configurable in its vulnerability.

Route Required parameters Optional Parameters
/timing/conditional_hashing login delta
/timing/string_comparison password delta
/timing/login login, password delta
/timing/basic_auth password delta
/injections/sql/raw_sql name
/injections/sql/raw_where name
/injections/template/interpolation name
/xss/parameter name

Usage

% cp .env.sample .env

Edit .env to contain appropriate values, then

% bundle exec rails s

Timing Vulnerabilities

Conditional Hashing

The login parameter is the email address to test for inclusion in the "database," and is required.

The delta URL parameter can be provided to tell the application the timing differential between an account that exists in the database (and so a password would be hashed for comparison) and one that is not, in seconds. Bcrypt generally targets 100ms of compute time. While you can set delta as high as 0.2, values under 0.1 are probably what you're after.

Insecure string comparison

The password parameter is required.

The delta URL parameter can be provided to tell the application the length of time to spend "processing" a single character in seconds. You can set it as high as 0.05. The longer the comparison takes, the longery you wait before the early return. Use 0 to test the actual timing difference of an insecure comparison (that is, no additional delay is introduced).

Login

login and password parameters are required.

This endpoint simply combines conditional hashing and insecure string comparison for a full vulnerable login experience. A provided delta parameter will be used for both operations (maximums for each are set separately).

Basic Auth

password is required.

This endpoint applies insecure string comparison to the password field of HTTP basic authentication. Use whatever you like for the username (or nothing at all).

Injection Vulnerabilities

SQL Injection Vulnerabilities

Raw SQL Query Injection

This endpoint executes a raw SQL string that is vulnerable to injection. name is the injected parameter, and it is required.

Raw where SQL Injection

This endpoint executes a .where with an argument of an interpolated string. name is the injected parameter, and it is required.

Template Injection Vulnerability

This endpoint interpolates the contents of the name parameter into an ERB template.

XSS Vulnerabilities

XSS Parameter Vulnerability

This endpoint interpolates the contents of the name parameter into an HTML template.

About

Vulnerable rails application that is configurable in its vulnerability

Resources

Readme
Activity

Stars

19 stars

Watchers

5 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages