CWE-840

Author: Aif4thah

Controller/Controller.cs

@@ -64,7 +64,7 @@ On enregistre les objets "employé" valides dans un fichier en lecture seule
                 }
             }
 
-            return Results.Ok(Newtonsoft.Json.JsonConvert.SerializeObject(new List<object> { File.GetAttributes(ROFile).ToString(), NewId, HaveToBeEmpty.IsNullOrEmpty() }));
+            return Results.Ok(JsonConvert.SerializeObject(new List<object> { File.GetAttributes(ROFile).ToString(), NewId, HaveToBeEmpty.IsNullOrEmpty() }));
         }
 
         public static string VulnerableXmlParser(string Xml)
@@ -147,7 +147,7 @@ Permets aux employés de consulter leurs données personnelles
             */
             var Employee = Data.GetEmployees()?.Where(x => Id == x.Id)?.FirstOrDefault();
 
-            return Results.Ok(Newtonsoft.Json.JsonConvert.SerializeObject(Employee));
+            return Results.Ok(JsonConvert.SerializeObject(Employee));
         }
 
         public static object VulnerableCmd(string UserStr)
@@ -217,6 +217,26 @@ Permets l'upload de fichier de type SVG
             else return Results.Unauthorized();
         }
 
+        public static async Task<object> VulnerableLogic(int price, int qty, string owner, string client, string activity)
+        {
+            /*
+            Vérifie les champs du formulaire et calcul le prix d'une prestation
+            */
+            int tva = 30;
+            int FinalPrice;
+            if (price > 0 && !owner.IsNullOrEmpty() && !client.IsNullOrEmpty() && !activity.IsNullOrEmpty())
+            {
+                FinalPrice = price * qty;
+                FinalPrice += (FinalPrice * tva) / 100;
+
+                return Results.Ok(new { FinalPrice = $"{FinalPrice}€" });
+
+            }
+            return Results.StatusCode(400);
+
+        }
+
+
 
     }
 }

Model/Model.cs

@@ -24,6 +24,19 @@ Login et mots de passe des employés de l'entreprise
         public string Passwd { get; set; }
     }
 
+    public class Invoice
+    {
+        /*
+        Informations de facturation
+        */
+        public int Price { get; set; }
+        public int Qty { get; set; }
+        public string Owner { get; set; }
+        public string Client { get; set; }
+        public string Activity { get; set; }
+    }
+
+
     public class Data
     {
         public static string GetLogPage()

Program.cs

@@ -67,8 +67,6 @@
 
 app.MapGet("/", async (string? lang) => await Task.FromResult(VLAController.VulnerableHelloWorld(HttpUtility.UrlDecode(lang))));
 
-app.MapPost("/Login", [ProducesResponseType(StatusCodes.Status200OK)] async (HttpRequest request, [FromBody] VulnerableWebApplication.VLAModel.Creds login) => await Task.FromResult(VLAIdentity.VulnerableQuery(login.User, login.Passwd)).Result).WithOpenApi();
-
 app.MapGet("/Contract", async (string i) => await Task.FromResult(VLAController.VulnerableXmlParser(HttpUtility.UrlDecode(i)))).WithOpenApi();
 
 app.MapGet("/LocalWebQuery", async (string? i) => await VLAController.VulnerableWebRequest(i)).WithOpenApi();
@@ -79,6 +77,10 @@
 
 app.MapGet("/LocalDNSResolver", async (string i) => await Task.FromResult(VLAController.VulnerableCmd(HttpUtility.UrlDecode(i)))).WithOpenApi();
 
+app.MapPost("/Login", [ProducesResponseType(StatusCodes.Status200OK)] async (HttpRequest request, [FromBody] Creds login) => await Task.FromResult(VLAIdentity.VulnerableQuery(login.User, login.Passwd)).Result).WithOpenApi();
+
+app.MapPost("/Invoice", async (Invoice request) => await Task.FromResult(VLAController.VulnerableLogic(request.Price, request.Qty, request.Owner, request.Client, request.Activity)).Result).WithOpenApi();
+
 app.MapPatch("/Patch", async ([FromHeader(Name="X-Forwarded-For")] string h, [FromForm] IFormFile file) => await VLAController.VulnerableHandleFileUpload(file, h)).DisableAntiforgery().WithOpenApi();
 
 app.UseGraphQL<ISchema>("/Client");

README.md

@@ -11,10 +11,10 @@
 
 
 
-> ⚠️ **Disclaimer** : This repository, together with its tools, is provided by Taisen-Solutions on an "as is" basis. Be aware that this application is highly vulnerable, including remote command and code execution. Use it at your own risk. Taisen-Solutions makes no representations or warranties of any kind, express or implied, as to the operation of the information, content, materials, tools, services and/or products included on the repository. Taisen-Solution disclaims, to the full extent permissible by applicable law, all warranties, express or implied, including but not limited to, implied warranties of merchantability and fitness for a particular purpose.
+>⚠️ This repository and its tools are provided "as is." The author(s) make no representations or warranties, express or implied, regarding the operation of the information, content, materials, tools, services, or products included. The author(s) disclaim, to the full extent permissible by law, all warranties, express or implied, including implied warranties of merchantability and fitness for a particular purpose.
 
 
-## 🎱 Components
+## 🎱 Components & Attack Surface
 
 ```mermaid
 flowchart TD
@@ -24,13 +24,15 @@ flowchart TD
     A --> D[Host services]
     A --> F[GraphQL]
     A --> G[App Services]
+    A --> H[Memory]
 
     B --> I(*Identities*)
     C --> J(*Logs*)
     C --> K(*Secrets*)
     D --> L(*DNS*)
     F --> M(*Sensitive Data*)
     G --> O(*Serialized Data*)
+    H --> P(*Variables and functions*)
 ```
 
 ## 🐞 Vulnerabilities
@@ -60,6 +62,7 @@ flowchart TD
 | CWE-787 | Out-of-bounds Write | Easy |
 | CWE-798 | Use of Hard-coded Credentials | Easy |
 | CWE-829 | Local File Inclusion | Easy |
+| CWE-840 | Business Logic Error | Easy |
 | CWE-912 | Backdoor | Hard |
 | CWE-918 | Server-Side Request Forgery | Medium |
 | CWE-1270 | Generation of Incorrect Security Tokens | Medium |