SasanLabs / VulnerableApp

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.
https://sasanlabs.github.io/VulnerableApp/
Apache License 2.0

Add Local File Inclusion Vulnerability #286

Open preetkaran20 opened 3 years ago

preetkaran20 commented 3 years ago

Is your feature request related to a problem? Please describe.

Currently, we have 2 levels for the LFI vulnerability, but because it is a very common vulnerability and has a lot of variants, it needs to be revisited.

Describe the solution you'd like

Add levels to the LFI vulnerability and create a good use case for it by looking at other vulnerable applications like Juice Shop, DVWA, etc.

preetkaran20 commented 3 years ago

Acceptance criteria:

  1. Use-case finding
  2. Backend API creation for Vulnerability.
  3. UserInterface/Template creation for the Vulnerability.
  4. Compatible with https://github.com/SasanLabs/VulnerableApp-facade schema design.

Ivan12273 commented 3 years ago

@preetkaran20 Hi, can I give it a try? I was reading the code and I saw how I can add a new vulnerability, but I'm not sure where those 2 levels of vulnerability are. I imagine that they are in "UnrestrictedFileUpload", but I don't know which ones.

preetkaran20 commented 3 years ago

Hi @Ivan12273,

Sorry for the confusion. Actually, RFI has 2 levels implemented, but for LFI we don't have any vulnerability level implemented. The implemented vulnerabilities are: https://github.com/SasanLabs/VulnerableApp/tree/master/src/main/java/org/sasanlabs/service/vulnerability

thanks, Karan

Ivan12273 commented 3 years ago

@preetkaran20 Oh I see, thanks. By the way, I was testing the RFI vulnerabilities using the url param like this:

http://localhost:9090/VulnerableApp/?url=example-param

But I don't get any kind of response, am I doing something wrong?

preetkaran20 commented 3 years ago

Hi @Ivan12273,

Actually, RFI is not fully implemented; however, you can go to the following URL: http://localhost:9090/VulnerableApp/RemoteFileInclusion/LEVEL_1?url=https://www.google.com

The URL logic is: http://localhost:9090/VulnerableApp/<VulnerabilityName>/<Level>

thanks, Karan

preetkaran20 commented 3 years ago

Please do look at https://security.stackexchange.com/questions/11868/difference-between-directory-traversal-and-file-inclusion, as Path traversal/Directory traversal is already there and we are looking for LFI. I think it is tough to implement LFI for spring-boot as file execution is not very straightforward, which is the case with server-side languages like JSP or PHP, and if that is the case, please go ahead to VulnerableApp-JSP to implement it.

thanks, Karan