Lab 9 submission

.github/workflows/github-actions-demo.yml

@@ -0,0 +1,47 @@
+name: GitHub Actions Demo
+run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
+on: 
+    push:
+    workflow_dispatch:
+jobs:
+  on-push-job:
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+      - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by GitHub!"
+      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
+      - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+      - name: List files in the repository
+        run: |
+          ls ${{ github.workspace }}
+      - name: Gather System Information
+        run: |
+          echo "### System Information ###"
+          echo "Runner OS: $(uname -a)"
+          echo "CPU Info: $(lscpu | grep 'Model name')"
+          echo "Memory: $(free -h)"
+          echo "Disk Space: $(df -h)"
+          echo "GitHub Runner Version: $(./run.sh --version 2>&1 || echo 'Not available')"
+          echo "Environment Variables:"
+          printenv | sort
+      - run: echo "🍏 This job's status is ${{ job.status }}."
+  on-manual-job:
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Manual job was triggered successfully"
+      - name: Gather System Information  
+        run: |
+          echo "### System Information ###"
+          echo "Runner OS: $(uname -a)"
+          echo "CPU Info: $(lscpu | grep 'Model name')"
+          echo "Memory: $(free -h)"
+          echo "Disk Space: $(df -h)"
+          echo "GitHub Runner Version: $(./run.sh --version 2>&1 || echo 'Not available')"
+          echo "Environment Variables:"
+          printenv | sort
+      - run: echo "🍏 This job's status is ${{ job.status }}."

gen.conf

@@ -0,0 +1,69 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10003	WARN	(Vulnerable JS Library (Powered by Retire.js))
+10009	WARN	(In Page Banner Information Leak)
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Re-examine Cache-control Directives)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(Anti-clickjacking Header)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10028	WARN	(Off-site Redirect)
+10029	WARN	(Cookie Poisoning)
+10030	WARN	(User Controllable Charset)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
+10032	WARN	(Viewstate)
+10033	WARN	(Directory Browsing)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	WARN	(Strict-Transport-Security Header)
+10036	WARN	(HTTP Server Response Header)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+10039	WARN	(X-Backend-Server Header Information Leak)
+10040	WARN	(Secure Pages Include Mixed Content)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
+10043	WARN	(User Controllable JavaScript Event (XSS))
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
+10049	WARN	(Content Cacheability)
+10050	WARN	(Retrieved from Cache)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10054	WARN	(Cookie without SameSite Attribute)
+10055	WARN	(CSP)
+10056	WARN	(X-Debug-Token Information Leak)
+10057	WARN	(Username Hash Found)
+10061	WARN	(X-AspNet-Version Response Header)
+10062	WARN	(PII Disclosure)
+10063	WARN	(Permissions Policy Header Not Set)
+10096	WARN	(Timestamp Disclosure)
+10097	WARN	(Hash Disclosure)
+10098	WARN	(Cross-Domain Misconfiguration)
+10099	WARN	(Source Code Disclosure)
+10105	WARN	(Weak Authentication Method)
+10108	WARN	(Reverse Tabnabbing)
+10109	WARN	(Modern Web Application)
+10110	WARN	(Dangerous JS Functions)
+10111	WARN	(Authentication Request Identified)
+10112	WARN	(Session Management Response Identified)
+10113	WARN	(Verification Request Identified)
+10115	WARN	(Script Served From Malicious Domain (polyfill))
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90002	WARN	(Java Serialization Object)
+90003	WARN	(Sub Resource Integrity Attribute Missing)
+90004	WARN	(Insufficient Site Isolation Against Spectre Vulnerability)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Detection)
+90033	WARN	(Loosely Scoped Cookie)

submission9.md

@@ -0,0 +1,34 @@
+## Task 1 Results
+- Juice Shop vulnerabilities found (Medium): 2 (`Content Security Policy (CSP) Header Not Set`, `Cross-Domain Misconfiguration`)
+- Most interesting vulnerability found: `Dangerous JS Functions` - 	
+A dangerous JS function seems to be in use that would leave the site vulnerable. (Didn't know they exist)
+- Security headers present: No, since `Content Security Policy (CSP) Header Not Set`
+
+In order to run check on Windows I had to change command a bit
+```
+docker run --rm -u zap -v ${pwd}:/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://host.docker.internal:3000 -g gen.conf -r zap-report.html
+```
+![alt text](voulnerabilities.png)
+
+## Task 2 Results
+- Critical vulnerabilities in Juice Shop image: 8
+- Vulnerable packages: 
+    1. base64url 
+    2. braces
+    3. crypto-js (crit)
+    4. express-jwt
+    5. http-cache-semantics
+    6. ip
+    7. jsonwebtoken (crit)
+    8. jws
+    9. lodash (crit)
+    10. lodash.set
+    11. marsdb (crit)
+    12. moment
+    13. sanitize-html
+    14. vm2 (crit)
+    15. ws
+- Dominant vulnerability type: Verification Bypass
+
+![alt text](trivy.png)
+Check `trivy_out.txt`