marc-mueller · marc-mueller · Sep 15, 2024 · Sep 16, 2024 · Sep 19, 2024 · Dec 1, 2024
@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+
+namespace backend.Controllers;
+
+[Route("api-secure/[controller]")]
+[ApiController]
+public class AuthorizedAccessControllerA1 : ControllerBase
+{
+    [HttpGet("GetSecretInfo")]
+    public IActionResult GetSecret()
+    {
+        return Ok("Something secret");
+    }
+
+}
+
@@ -0,0 +1,19 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+
+namespace backend.Controllers;
+
+[Route("api-secure/[controller]")]
+[ApiController]
+[Authorize]
+public class AuthorizedAccessControllerA2 : ControllerBase
+{
+    [HttpGet("GetSecretInfo")]
+    public IActionResult GetSecret()
+    {
+        return Ok("Something secret");
+    }
+
+}
+
@@ -0,0 +1,53 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace backend.Controllers;
+
+[ApiController]
+[Route("api/[controller]")]
+public class EncryptionController : Controller
+{
+    private readonly ILogger<HighScoreController> _logger;
+
+    public EncryptionController(ILogger<HighScoreController> logger)
+    {
+        _logger = logger;
+    }
+
+    [HttpGet("Encryption/EncryptString/{input}")]
+    public IActionResult EncryptString(string input)
+    {
+        var badEncryptionService = new BadEncryptionService();
+        return Ok(badEncryptionService.Encrypt(input));
+    }
+}
+
+public class BadEncryptionService
+    {
+        public byte[] Encrypt(string plainText)
+        {
+            var symmetricProvider = new DESCryptoServiceProvider();
@@ -31,6 +31,6 @@
        {
-            var symmetricProvider = new DESCryptoServiceProvider();
-            byte[] key = { 14, 48, 157, 156, 42, 1, 240, 65 };
-            symmetricProvider.Key = key;
-            var encryptor = symmetricProvider.CreateEncryptor();
+            var symmetricProvider = new AesCryptoServiceProvider();
+            symmetricProvider.GenerateKey();
+            symmetricProvider.GenerateIV();
+            var encryptor = symmetricProvider.CreateEncryptor(symmetricProvider.Key, symmetricProvider.IV);
@@ -31,6 +31,6 @@
        {
-            var symmetricProvider = new DESCryptoServiceProvider();
-            byte[] key = { 14, 48, 157, 156, 42, 1, 240, 65 };
-            symmetricProvider.Key = key;
-            var encryptor = symmetricProvider.CreateEncryptor();
+            var symmetricProvider = new AesCryptoServiceProvider();
+            symmetricProvider.GenerateKey();
+            symmetricProvider.GenerateIV();
+            var encryptor = symmetricProvider.CreateEncryptor(symmetricProvider.Key, symmetricProvider.IV);

+            byte[] key = { 14, 48, 157, 156, 42, 1, 240, 65 };
+            symmetricProvider.Key = key;
+            var encryptor = symmetricProvider.CreateEncryptor();
+
+            var plainBytes = Encoding.UTF8.GetBytes(plainText);
+
+            var encryptedBytes = encryptor.TransformFinalBlock(plainBytes, 0, plainBytes.Length);
+
+            return encryptedBytes;
+        }
+
+        public string CreateMD5(string input)
+        {
+            using (var md5 = MD5.Create())
+            {
+                var hashBytes = md5.ComputeHash(Encoding.UTF8.GetBytes(input));
+                return Convert.ToHexString(hashBytes);
+            }
+        }
+    }
+
@@ -0,0 +1,41 @@
+using backend.Entities;
+using backend.Storage;
+using Dapper;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+
+namespace backend.Controllers;
+
+[ApiController]
+[Route("api/[controller]")]
+public class SqlInjectionController : ControllerBase
+{
+    private readonly ILogger<HighScoreController> _logger;
+    private readonly HighScoreDbContext _context;
+
+    public SqlInjectionController(ILogger<HighScoreController> logger, HighScoreDbContext context)
+    {
+        _logger = logger;
+        _context = context;
+    }
+
+    [HttpGet("SqlInjection/SearchPersonalHighScoreInsecure/{name}")]
+    public async Task<IActionResult> SearchPersonalHighScoreInsecure(string name)
+    {
+        var conn = _context.Database.GetDbConnection();
+        var query = "SELECT Id, PlayerName, Score FROM HighScoreEntry WHERE PlayerName Like '%" + name + "%'";
+        IEnumerable<HighScoreEntry> personalHighScore;
+
+        try
+        {
+            await conn.OpenAsync();
+            personalHighScore = await conn.QueryAsync<HighScoreEntry>(query);
@@ -25,3 +25,3 @@
        var conn = _context.Database.GetDbConnection();
-        var query = "SELECT Id, PlayerName, Score FROM HighScoreEntry WHERE PlayerName Like '%" + name + "%'";
+        var query = "SELECT Id, PlayerName, Score FROM HighScoreEntry WHERE PlayerName Like @name";
        IEnumerable<HighScoreEntry> personalHighScore;
@@ -31,3 +31,3 @@
            await conn.OpenAsync();
-            personalHighScore = await conn.QueryAsync<HighScoreEntry>(query);
+            personalHighScore = await conn.QueryAsync<HighScoreEntry>(query, new { name = "%" + name + "%" });
        }
@@ -25,3 +25,3 @@
        var conn = _context.Database.GetDbConnection();
-        var query = "SELECT Id, PlayerName, Score FROM HighScoreEntry WHERE PlayerName Like '%" + name + "%'";
+        var query = "SELECT Id, PlayerName, Score FROM HighScoreEntry WHERE PlayerName Like @name";
        IEnumerable<HighScoreEntry> personalHighScore;
@@ -31,3 +31,3 @@
            await conn.OpenAsync();
-            personalHighScore = await conn.QueryAsync<HighScoreEntry>(query);
+            personalHighScore = await conn.QueryAsync<HighScoreEntry>(query, new { name = "%" + name + "%" });
        }
+        }
+
+        finally
+        {
+            conn.Close();
+        }
+        return Ok(personalHighScore);
+    }
+}
diff --git a/backend/backend.csproj b/backend/backend.csproj
@@ -9,9 +9,13 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="8.0.8" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="8.0.8" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.8" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
     <PackageReference Include="Swashbuckle.AspNetCore" Version="6.7.3" />
+    <PackageReference Include="Dapper" Version="2.1.24" />
+    <PackageReference Include="Newtonsoft.Json" Version="10.0.1" />
   </ItemGroup>
 
    <!-- Pre-build event to run npm build and copy-to-backend in frontend folder -->

diff --git a/frontend/package.json b/frontend/package.json
@@ -8,6 +8,9 @@
     "start": "http-server ./dist -p 5500",
     "copy-to-backend": "cpy \"dist/**/*\" ../backend/wwwroot/"
   },
+  "dependencies": {
+    "lodash": "4.17.20"
+  },
   "devDependencies": {
     "cpy-cli": "^5.0.0",
     "http-server": "^14.1.1",

@@ -240,7 +240,7 @@ function updatePowerUps() {
 function activatePowerUp(type: string) {
     powerUpActive = true;
     powerUpEndTime = Date.now() + powerUpDuration;
-    (powerUpEffects as Record<string, () => void>)[type]();
+    eval(`(${(powerUpEffects as Record<string, () => void>)[type]})()`);
 }
 
 // Reset power-up effects
@@ -261,7 +261,7 @@ function autoShoot() {
 // Display power-up messages
 function displayMessage(message: string) {
     const msgDiv = document.createElement('div');
-    msgDiv.textContent = message;
+    msgDiv.innerHTML = message; // Potential XSS if `message` contains malicious code
     msgDiv.style.position = 'absolute';
     msgDiv.style.top = '10px';
     msgDiv.style.left = '50%';