cerberauth · emmanuelgautier · Oct 20, 2024 · Oct 4, 2024
diff --git a/challenges/http-cookies/Dockerfile b/challenges/http-cookies/Dockerfile
diff --git a/challenges/http-cookies/serve/server.go b/challenges/http-cookies/serve/server.go
diff --git a/challenges/http-cookies/.gitignore → challenges/http-misconfigurations/.gitignore b/challenges/http-cookies/.gitignore → challenges/http-misconfigurations/.gitignore
@@ -11,4 +11,4 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
-jwt-alg-none-bypass
+http-misconfigurations
diff --git a/challenges/http-misconfigurations/Dockerfile b/challenges/http-misconfigurations/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.23 AS builder
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . ./
+
+RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -o /http-misconfigurations .
+
+FROM gcr.io/distroless/static-debian11:nonroot AS runner
+
+WORKDIR /
+
+COPY --from=builder --chown=nonroot:nonroot /http-misconfigurations /usr/bin/http-misconfigurations
+
+EXPOSE 8080
+
+USER nonroot:nonroot
+
+ENTRYPOINT ["http-misconfigurations"]
+CMD ["serve"]
diff --git a/challenges/http-cookies/cmd/root.go → ...lenges/http-misconfigurations/cmd/root.go b/challenges/http-cookies/cmd/root.go → ...lenges/http-misconfigurations/cmd/root.go
@@ -3,7 +3,7 @@ package cmd
 import (
 	"os"
 
-	"github.com/cerberauth/api-vulns-challenges/challenges/http-cookies/cmd/serve"
+	"github.com/cerberauth/api-vulns-challenges/challenges/http-misconfigurations/cmd/serve"
 
 	"github.com/spf13/cobra"
 )

diff --git a/challenges/http-cookies/cmd/serve/root.go → .../http-misconfigurations/cmd/serve/root.go b/challenges/http-cookies/cmd/serve/root.go → .../http-misconfigurations/cmd/serve/root.go
@@ -3,7 +3,7 @@ package serve
 import (
 	"github.com/spf13/cobra"
 
-	"github.com/cerberauth/api-vulns-challenges/challenges/http-cookies/serve"
+	"github.com/cerberauth/api-vulns-challenges/challenges/http-misconfigurations/serve"
 )
 
 var (

diff --git a/challenges/http-cookies/go.mod → challenges/http-misconfigurations/go.mod b/challenges/http-cookies/go.mod → challenges/http-misconfigurations/go.mod
@@ -1,4 +1,4 @@
-module github.com/cerberauth/api-vulns-challenges/challenges/http-cookies
+module github.com/cerberauth/api-vulns-challenges/challenges/http-misconfigurations
 
 go 1.20
 

diff --git a/challenges/http-cookies/go.sum → challenges/http-misconfigurations/go.sum b/challenges/http-cookies/go.sum → challenges/http-misconfigurations/go.sum
diff --git a/challenges/http-cookies/main.go → challenges/http-misconfigurations/main.go b/challenges/http-cookies/main.go → challenges/http-misconfigurations/main.go
@@ -1,6 +1,6 @@
 package main
 
-import "github.com/cerberauth/api-vulns-challenges/challenges/http-cookies/cmd"
+import "github.com/cerberauth/api-vulns-challenges/challenges/http-misconfigurations/cmd"
 
 func main() {
 	cmd.Execute()

diff --git a/challenges/http-misconfigurations/serve/server.go b/challenges/http-misconfigurations/serve/server.go
@@ -0,0 +1,81 @@
+package serve
+
+import (
+	"log"
+	"net/http"
+	"time"
+)
+
+func RunServer(port string) {
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	http.HandleFunc("/headers/cors-wildcard", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	http.HandleFunc("/headers/csp-frame-ancestors", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.Header().Set("Content-Security-Policy", "frame-ancestors 'http://example.com'")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	http.HandleFunc("/cookies/unsecure", func(w http.ResponseWriter, r *http.Request) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     "unsecure",
+			Value:    "unsecure",
+			SameSite: http.SameSiteStrictMode,
+			Secure:   false,
+			HttpOnly: true,
+			Expires:  time.Now().Add(24 * time.Hour),
+		})
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	http.HandleFunc("/cookies/not-httponly", func(w http.ResponseWriter, r *http.Request) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     "unsecure",
+			Value:    "unsecure",
+			SameSite: http.SameSiteStrictMode,
+			HttpOnly: false,
+			Secure:   true,
+			Expires:  time.Now().Add(24 * time.Hour),
+		})
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	http.HandleFunc("/cookies/samesite-none", func(w http.ResponseWriter, r *http.Request) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     "unsecure",
+			Value:    "unsecure",
+			SameSite: http.SameSiteNoneMode,
+			HttpOnly: true,
+			Secure:   true,
+			Expires:  time.Now().Add(24 * time.Hour),
+		})
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	http.HandleFunc("/cookies/no-expiration", func(w http.ResponseWriter, r *http.Request) {
+		// set unsecure cookie
+		http.SetCookie(w, &http.Cookie{
+			Name:     "unsecure",
+			Value:    "unsecure",
+			SameSite: http.SameSiteStrictMode,
+			HttpOnly: true,
+			Secure:   true,
+		})
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	log.Println("Server started at port", port)
+	log.Fatal(http.ListenAndServe(":"+port, nil))
+}