first commit

Author: Gregor Spagnolo

.gitignore

@@ -0,0 +1,12 @@
+################################################################################
+# This .gitignore file was automatically created by Microsoft(R) Visual Studio.
+################################################################################
+
+/BankWebPortal/.vs/BankWebPortal/v16
+/BankWebPortal/BankWebPortal/bin/Debug/netcoreapp2.2
+/BankWebPortal/BankWebPortal/obj
+*.user
+/BankWebPortal/.vs
+.vs/
+bin/
+obj/

README.md

@@ -1 +1,33 @@
-# SecureBank
+# SecureBank
+
+SecureBank is a FinTech application which contains all OWASP TOP 10 security vulnerabilities along with some other security flaws found in real-world applications.
+
+![alt text](preview.gif "SecureBankPreview")
+
+# Setup
+> You can setup SecureBank application from source code or just pull from docker hub
+
+## From source
+> Make sure that you have Microsoft SQL Server DB available you can install it or run inside docker
+
+1. Install [.NET Core 3.1 SDK](https://dotnet.microsoft.com/download/dotnet-core/3.1)
+2. Install [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) or just run with  [Visual Studio Code](https://code.visualstudio.com/download)
+3. Clone from GitHub
+4. Navigate to directory SecureBank -> src
+5. `dotnet run` or open solution in IDE and run there 
+
+## From Docker
+1. Install [Docker](https://docs.docker.com/get-docker/)
+2. Run `docker run -p 80:80 -p 5000:5000 -p 1080:1080 ssrd/securebank`
+3. Browse to [http://localhost:80](http://localhost:80)
+
+## Docker with multiply containers
+1. Install [Docker](https://docs.docker.com/get-docker/)
+2. Install [Docker Compose](https://docs.docker.com/compose/install/)
+3. Run `docker-compose up`
+
+
+## CTF-Mode
+If you want to run SecureBank in CTF mode we have also prepared this option. It will crate CTFd compatible export file.
+
+Run  `docker run -p 80:80 -p 5000:5000 -e 'AppSettings:Ctf:Enabled=true' -e 'AppSettings:Ctf:Seed=example' ssrd/securebank`

docker-compose.yml

@@ -0,0 +1,64 @@
+version: '3'
+
+services:
+  securebank:
+    build: ./src/securebank
+    container_name: securebank
+    environment: 
+      - AppSettings:StoreEndpoint:ApiUrl=storeapi/api/Store/
+      - AppSettings:StoreEndpoint:ApiToken=-
+      - AppSettings:SmtpCredentialsIp=maildev
+      - AppSettings:SmtpCredentials:Port=1025
+      - AppSettings:SmtpCredentials:Username=-
+      - AppSettings:SmtpCredentials:Password=-
+      - AppSettings:Ctf:Enabled=false
+      - AppSettings:Ctf:Seed=example
+      - DatabaseConnections:SecureBankMSSQL:UserId=sa
+      - DatabaseConnections:SecureBankMSSQL:UserPass=Your_Password123
+      - DatabaseConnections:SecureBankMSSQL:Server=mssql
+      - DatabaseConnections:SecureBankMSSQL:1433
+      - DatabaseConnections:SecureBankMSSQL:securebank
+    volumes:
+      -  ./logs/storeapi:/var/log/storeapi
+    ports: 
+      - 7000:80
+  
+  storeapi:
+    build: ./src/storeapi
+    container_name: storeapi
+    environment: 
+      - DatabaseConnections:StoreMSSQL:UserId=sa
+      - DatabaseConnections:StoreMSSQL:UserPass=Your_Password123
+      - DatabaseConnections:StoreMSSQL:Server=mssql
+      - DatabaseConnections:StoreMSSQL:ServerPort=1433
+      - DatabaseConnections:StoreMSSQL:Database=store
+    volumes:
+      - ./logs/storeapi:/var/log/storeapi
+    ports:
+      - 7010:80
+  
+  mssql:
+    image: mcr.microsoft.com/mssql/server:2019-CU3-ubuntu-16.04
+    container_name: mssql
+    environment: 
+      - ACCEPT_EULA=y
+      - SA_PASSWORD=Your_Password123
+#    ports: 
+#      - 1433:1433
+    volumes: 
+      - .data:/var/opt/mssql/data
+
+  maildev:
+    image: maildev/maildev:1.1.0
+    container_name: maildev
+    ports: 
+      - 1080:1080
+  
+  ftp:
+    image: inanimate/vsftpd-anon
+    container_name: ftp
+    ports:
+      - 20-21:20-21
+      - 65500-65515:65500-65515
+    volumes: :
+      - ./ftp-files:/var/ftp:ro

exampledata/xxe_linux.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo 
+	[
+		<!ELEMENT foo ANY >
+		<!ENTITY xxe SYSTEM "file:///etc/passwd" >
+]>
+<foo>&xxe;</foo>

exampledata/xxe_win.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo 
+	[
+		<!ELEMENT foo ANY >
+		<!ENTITY xxe SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts" >
+]>
+<foo>&xxe;</foo>

preview.gif

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.28922.388
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SecureBank", "SecureBank\SecureBank.csproj", "{AB331573-5EB0-4277-9D70-B986EC5C09CD}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "StoreAPI", "StoreAPI\StoreAPI.csproj", "{1FD26B43-39A2-4FF4-A1A1-3291DF83C422}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{AB331573-5EB0-4277-9D70-B986EC5C09CD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{AB331573-5EB0-4277-9D70-B986EC5C09CD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{AB331573-5EB0-4277-9D70-B986EC5C09CD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{AB331573-5EB0-4277-9D70-B986EC5C09CD}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1FD26B43-39A2-4FF4-A1A1-3291DF83C422}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1FD26B43-39A2-4FF4-A1A1-3291DF83C422}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1FD26B43-39A2-4FF4-A1A1-3291DF83C422}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1FD26B43-39A2-4FF4-A1A1-3291DF83C422}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {17EDF5D4-93D4-47AE-B98F-EF2B30CE3ABD}
+	EndGlobalSection
+EndGlobal

src/SecureBank.sln

@@ -0,0 +1,2 @@
+bin\
+obj\

src/SecureBank/.dockerignore

@@ -0,0 +1,22 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc.Filters;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace SecureBank.Helpers.Authorization.Attributes
+{
+    /// <summary>
+    /// Only checks if user has Autheticatio cookie and sets claims.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public sealed class AuthenticateAttribute : AuthorizeAttribute, IAuthorizationFilter
+    {
+        public void OnAuthorization(AuthorizationFilterContext context)
+        {
+            IAuthorizeService authorizeService = (IAuthorizeService)context.HttpContext.RequestServices.GetService(typeof(IAuthorizeService));
+            authorizeService.AuthorizeNormal(context);
+        }
+    }
+}

src/SecureBank/Authorization/Attributes/AuthenticateAttribute.cs

@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+using System;
+
+namespace SecureBank.Helpers.Authorization.Attributes
+{
+
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public sealed class AuthorizeAdminAttribute : AuthorizeAttribute, IAuthorizationFilter
+    {
+        private readonly AuthorizeAttributeTypes _authorizeAttributeType;
+
+        public AuthorizeAdminAttribute(AuthorizeAttributeTypes authorizeAttributeType)
+        {
+            _authorizeAttributeType = authorizeAttributeType;
+        }
+
+        public void OnAuthorization(AuthorizationFilterContext context)
+        {
+            IAuthorizeService authorizeService = (IAuthorizeService)context.HttpContext.RequestServices.GetService(typeof(IAuthorizeService));
+            bool result = authorizeService.AuthorizeAdmin(context);
+            if (!result)
+            {
+                switch (_authorizeAttributeType)
+                {
+                    case AuthorizeAttributeTypes.Mvc:
+                        {
+                            context.Result = new RedirectToActionResult("Login", "Auth", null);
+                            return;
+                        }
+                    case AuthorizeAttributeTypes.Api:
+                        {
+
+                            context.Result = new UnauthorizedResult();
+                            return;
+                        }
+                    default:
+                        {
+                            throw new Exception($"Unsupported AuthorizeAttributeType");
+                        }
+                }
+            }
+        }
+    }
+}

src/SecureBank/Authorization/Attributes/AuthorizeAdminAttribute.cs

@@ -0,0 +1,13 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace SecureBank.Helpers.Authorization.Attributes
+{
+    public enum AuthorizeAttributeTypes
+    {
+        Mvc = 1,
+        Api = 2,
+    }
+}

src/SecureBank/Authorization/Attributes/AuthorizeAttributeTypes.cs

@@ -0,0 +1,19 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc.Filters;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace SecureBank.Helpers.Authorization.Attributes
+{
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public sealed class AuthorizeMissing : AuthorizeAttribute, IAuthorizationFilter
+    {
+        public void OnAuthorization(AuthorizationFilterContext context)
+        {
+            IAuthorizeService authorizeService = (IAuthorizeService)context.HttpContext.RequestServices.GetService(typeof(IAuthorizeService));
+            bool result = authorizeService.AuthorizeMissing(context);
+        }
+    }
+}

src/SecureBank/Authorization/Attributes/AuthorizeMissingAttribute.cs

@@ -0,0 +1,46 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+using System;
+
+namespace SecureBank.Helpers.Authorization.Attributes
+{
+
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public sealed class AuthorizeNormalAttribute : AuthorizeAttribute, IAuthorizationFilter
+    {
+        private readonly AuthorizeAttributeTypes _authorizeAttributeType;
+
+        public AuthorizeNormalAttribute(AuthorizeAttributeTypes authorizeAttributeType)
+        {
+            _authorizeAttributeType = authorizeAttributeType;
+        }
+
+        public void OnAuthorization(AuthorizationFilterContext context)
+        {
+            IAuthorizeService authorizeService = (IAuthorizeService)context.HttpContext.RequestServices.GetService(typeof(IAuthorizeService));
+            bool result = authorizeService.AuthorizeNormal(context);
+            if (!result)
+            {
+                switch (_authorizeAttributeType)
+                {
+                    case AuthorizeAttributeTypes.Mvc:
+                        {
+                            context.Result = new RedirectToActionResult("Login", "Auth", null);
+                            return;
+                        }
+                    case AuthorizeAttributeTypes.Api:
+                        {
+
+                            context.Result = new UnauthorizedResult();
+                            return;
+                        }
+                    default:
+                        {
+                            throw new Exception($"Unsupported AuthorizeAttributeType");
+                        }
+                }
+            }
+        }
+    }
+}