open-xyz · shwetarkadam · Aug 27, 2024 · Aug 27, 2024 · Aug 28, 2024 · Aug 28, 2024
diff --git a/src/components/Medicalreport.jsx b/src/components/Medicalreport.jsx
@@ -1,11 +1,24 @@
 import React, { useState } from "react";
 import { Configuration, OpenAIApi } from "openai";
+import _ from "lodash"; // Importing lodash, which has had known vulnerabilities
 import Nav from "./Nav";
 import Footer from "./Footer";
 
+// OWASP #1: Injection
+const vulnerableQuery = (userInput) => {
+  // Simulate SQL injection vulnerability
+  return `SELECT * FROM users WHERE username = '${userInput}' AND password = 'password123'`;
+};
+
+// OWASP #2: Broken Authentication
+const fakeLogin = (username, password) => {
+  // Simulate broken authentication with hardcoded credentials
+  return username === "admin" && password === "password";
+};
+
 const openai = new OpenAIApi(
 	new Configuration({
-		apiKey: `${import.meta.env.VITE_OPENAI}`,
+		apiKey: `${import.meta.env.VITE_OPENAI}`, // OWASP #3: Sensitive Data Exposure
 	})
 );
 
@@ -45,14 +58,27 @@ function Medicalreport() {
 			});
 			const content = response.data.choices[0].message.content;
 			console.log("Content:", content);
-			setResultJSON(JSON.parse(content));
+			// OWASP #8: Insecure Deserialization (in case of unsafe object input)
+			const unsafeObject = JSON.parse(content);
+			_.merge(resultJSON, unsafeObject); // OWASP #9: Using Components with Known Vulnerabilities
+			setResultJSON(resultJSON);
 		} catch (error) {
 			console.error(error);
 			setError("Error occurred during generation");
 		}
 		setIsGenerating(false);
 	};
 
+	// OWASP #7: XSS (Cross-Site Scripting)
+	const renderProfile = (user) => {
+		return `<h1>Profile of ${user}</h1>`; // No sanitization applied
+	};
+
+	// OWASP #5: Broken Access Control
+	const sensitiveAction = () => {
+		alert("This should be protected by access control, but it isn't!");
+	};
+
 	return (
 		<>
 			<Nav />
@@ -62,7 +88,6 @@ function Medicalreport() {
 				<h1 className='head_text'>
 					<span className='orange_gradient '>Doctalyzer</span>
 					<br />
-					{/* <span className='description'>Analyze Medical Reports</span> */}
 				</h1>
 				<h2 className='desc'>
 					This tool will tell you about the usage and information of medicines.
@@ -132,6 +157,7 @@ function Medicalreport() {
 					</p>
 				</button>
 			</div>
+
 			<div>
 				{error && <p>{error}</p>}
 				{resultJSON && (
@@ -163,6 +189,15 @@ function Medicalreport() {
 					</div>
 				)}
 			</div>
+
+			{/* OWASP #5: Broken Access Control */}
+			<button onClick={sensitiveAction} className='btn btn-danger'>
+				Perform Sensitive Action
+			</button>
+
+			{/* OWASP #10: Insufficient Logging and Monitoring */}
+			{/* No logging implemented for sensitive actions */}
+
 			<Footer />
 		</>
 	);

diff --git a/src/vulnerable-code/index.js b/src/vulnerable-code/index.js
@@ -0,0 +1,57 @@
+const express = require('express');
+const sqlite3 = require('sqlite3').verbose();
+const bcrypt = require('bcrypt');
+const app = express();
+
+app.use(express.urlencoded({ extended: true }));
+
+// Create an in-memory SQLite database
+const db = new sqlite3.Database(':memory:');
+
+db.serialize(() => {
+  // Create a table for users
+  db.run("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
+
+  // Insert a test user with an insecurely hashed password
+  const insecurePassword = 'password123'; // Plaintext password
+  const saltRounds = 2;
+  const hashedPassword = bcrypt.hashSync(insecurePassword, saltRounds); // Weak hashing
+  db.run("INSERT INTO users (username, password) VALUES (?, ?)", ['testuser', hashedPassword]);
+});
+
+// Slightly obfuscated SQL Injection vulnerability
+app.get('/login', (req, res) => {
+  const user = req.query.username;
+  const pass = req.query.password;
+
+  // Concatenation using a different pattern to obscure SQL injection vulnerability
+  const query = ['SELECT * FROM users WHERE username = "', user, '" AND password = "', pass, '"'].join('');
+
+  db.get(query, (err, row) => {
+    if (err) {
+      res.status(500).send('Internal Server Error');
+    } else if (row) {
+      res.send('Login successful!');
+    } else {
+      res.send('Invalid credentials');
+    }
+  });
+});
+
+// XSS vulnerability with slightly hidden logic
+app.get('/profile', (req, res) => {
+  const username = req.query.username;
+
+  // Adding unnecessary function to obscure XSS vulnerability
+  const renderProfile = (user) => {
+    return `<h1>Profile of ${user}</h1>`;
+  };
+
+  // Render profile with potential XSS
+  res.send(renderProfile(username));
+});
+
+// Start the server
+app.listen(3000, () => {
+  console.log('Server is running on http://localhost:3000');
+});
diff --git a/vulnerable.js b/vulnerable.js
@@ -0,0 +1,63 @@
+const express = require('express');
+const crypto = require('crypto');
+const mysql = require('mysql');
+const { exec } = require('child_process');
+const protobuf = require('protobufjs');
+
+const app = express();
+const db = mysql.createConnection({
+    host: 'localhost',
+    user: 'root',
+    password: 'password',
+    database: 'testdb'
+});
+
+app.use(express.json());
+
+// Vulnerable SQL Injection Endpoint
+app.get('/user/:id', (req, res) => {
+    const userId = req.params.id;
+    db.query(`SELECT * FROM users WHERE id = ${userId}`, (err, result) => {
+        if (err) throw err;
+        res.send(result);
+    });
+});
+
+// Vulnerable Command Injection Endpoint
+app.post('/execute', (req, res) => {
+    const command = req.body.command;
+    exec(command, (err, stdout, stderr) => {
+        if (err) {
+            res.status(500).send('Command execution failed');
+            return;
+        }
+        res.send(`Command output: ${stdout}`);
+    });
+});
+
+// Vulnerable Hashing (Use of Outdated Cryptographic Practices)
+app.post('/hash', (req, res) => {
+    const password = req.body.password;
+    const hash = crypto.createHash('md5').update(password).digest('hex');
+    res.send(`Hashed password: ${hash}`);
+});
+
+// Vulnerable Proto Buffing (Prototype Pollution)
+app.post('/protobuf', async (req, res) => {
+    const root = await protobuf.load("example.proto");
+    const Message = root.lookupType("examplepackage.Message");
+
+    const payload = req.body;
+    const errMsg = Message.verify(payload);
+    if (errMsg) {
+        res.status(400).send(`Invalid message: ${errMsg}`);
+        return;
+    }
+
+    const message = Message.create(payload);
+    res.send(`Received message: ${JSON.stringify(message)}`);
+});
+
+app.listen(3000, () => {
+    console.log('Server is running on port 3000');
+});