From b00c2081138ecbc2fbc38210a168563e0299b29b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Jun 2025 18:33:06 +0000 Subject: [PATCH 1/4] Initial plan From 419c6b00a05fd60e177ec2c9840b9f70878d5384 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Jun 2025 18:35:53 +0000 Subject: [PATCH 2/4] Fix build issues: Update to .NET 8.0 and fix Program.cs Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com> --- src/webapp01/Program.cs | 5 ++--- src/webapp01/webapp01.csproj | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/webapp01/Program.cs b/src/webapp01/Program.cs index a04832b..3177bcf 100644 --- a/src/webapp01/Program.cs +++ b/src/webapp01/Program.cs @@ -19,8 +19,7 @@ app.UseAuthorization(); -app.MapStaticAssets(); -app.MapRazorPages() - .WithStaticAssets(); +app.UseStaticFiles(); +app.MapRazorPages(); app.Run(); diff --git a/src/webapp01/webapp01.csproj b/src/webapp01/webapp01.csproj index 9b11105..97303be 100644 --- a/src/webapp01/webapp01.csproj +++ b/src/webapp01/webapp01.csproj @@ -1,7 +1,7 @@ - net9.0 + net8.0 enable enable 7f0355f0-e3cb-4a1e-bf2d-0431db9b93f8 @@ -13,7 +13,7 @@ - + From 8e8e8d5b09684b2a3e205586d72f009432115104 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Jun 2025 18:38:52 +0000 Subject: [PATCH 3/4] Create DevSecOps3 page with GHAS features and security demos Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com> --- src/webapp01/Pages/DevSecOps3.cshtml | 223 ++++++++++++++++++++++ src/webapp01/Pages/DevSecOps3.cshtml.cs | 244 ++++++++++++++++++++++++ src/webapp01/Pages/Index.cshtml | 4 + 3 files changed, 471 insertions(+) create mode 100644 src/webapp01/Pages/DevSecOps3.cshtml create mode 100644 src/webapp01/Pages/DevSecOps3.cshtml.cs diff --git a/src/webapp01/Pages/DevSecOps3.cshtml b/src/webapp01/Pages/DevSecOps3.cshtml new file mode 100644 index 0000000..b611b36 --- /dev/null +++ b/src/webapp01/Pages/DevSecOps3.cshtml @@ -0,0 +1,223 @@ +@page +@model DevSecOps3Model +@{ + ViewData["Title"] = "DevSecOps3 - Advanced GitHub Security Demo"; +} + +
+
+
+

@ViewData["Title"]

+

Explore the cutting-edge features and capabilities of GitHub Advanced Security (GHAS)

+
+
+
+ + + @if (TempData["SecurityDemoResult"] != null) + { + + } + + @if (TempData["SecurityDemoError"] != null) + { + + } + +
+ +
+
+
+

+ Latest GitHub Advanced Security Updates 2024 +

+
+
+ @if (Model.LatestGHASNews.Any()) + { +
+ @foreach (var newsItem in Model.LatestGHASNews) + { +
+ LATEST +
+

@newsItem

+ Updated with latest GHAS capabilities +
+
+ } +
+ } + else + { +

No news available at this time.

+ } +
+
+ + +
+
+

Enhanced GHAS Features Portfolio

+
+
+
+
+
AI-Powered Code Scanning
+

Next-generation CodeQL with machine learning enhanced vulnerability detection and fix suggestions.

+ +
Advanced Secret Scanning
+

Comprehensive secret detection with custom patterns and push protection across all repositories.

+ +
Dependency Insights
+

Deep dependency analysis with supply chain attack detection and automated security updates.

+
+
+
Security Policies
+

Organization-wide security policy enforcement with compliance tracking and reporting.

+ +
Real-time Monitoring
+

Continuous security monitoring with instant alerts and automated incident response.

+ +
Team Collaboration
+

Enhanced security workflows with developer-friendly remediation guidance and training.

+
+
+
+
+
+ + +
+ +
+
+

+ Advanced Security Demo +

+
+
+

+ This demonstration includes intentionally vulnerable code patterns for GHAS testing. + These vulnerabilities showcase advanced scanning capabilities. +

+ + +
+
+ + +
Test patterns that may cause ReDoS vulnerabilities
+
+
+ + +
+ +
+ + +
+
+ + +
Demonstrates SQL injection vulnerabilities
+
+ +
+
+
+ + +
+
+

+ GHAS Resources +

+
+
+
+ + Security Features Guide + + + CodeQL Repository + + + Code Scanning Docs + + + Secret Scanning Guide + + + Dependabot Security + +
+
+
+
+
+ + +
+
+
+
+

+ Advanced GHAS Capabilities & Future Roadmap +

+
+
+
+
+
AI-Enhanced Security
+
    +
  • Machine learning vulnerability detection
    • +
  • Automated fix suggestions
    • +
  • Smart false positive reduction
    • +
  • Contextual security insights
    • +
+
+
+
Supply Chain Security
+
    +
  • Comprehensive dependency scanning
    • +
  • Software bill of materials (SBOM)
    • +
  • Provenance tracking
    • +
  • Malicious package detection
    • +
+
+
+
Enterprise Integration
+
    +
  • SIEM/SOAR integration
    • +
  • Compliance reporting
    • +
  • Custom security policies
    • +
  • Advanced metrics & dashboards
    • +
+
+
+
+
+
+
+
\ No newline at end of file diff --git a/src/webapp01/Pages/DevSecOps3.cshtml.cs b/src/webapp01/Pages/DevSecOps3.cshtml.cs new file mode 100644 index 0000000..fa15ffc --- /dev/null +++ b/src/webapp01/Pages/DevSecOps3.cshtml.cs @@ -0,0 +1,244 @@ +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; +using System.Text.RegularExpressions; +using Microsoft.Data.SqlClient; +using Newtonsoft.Json; +using System.Text.Json; + +namespace webapp01.Pages +{ + public class DevSecOps3Model : PageModel + { + private readonly ILogger _logger; + + // Hardcoded database credentials for demo purposes - SECURITY VULNERABILITY + private const string DB_CONNECTION_STRING = "Data Source=localhost;Initial Catalog=SecurityDemo;User ID=sa;Password=SuperSecret123!;"; + + // Hardcoded API keys for demo purposes - SECURITY VULNERABILITY + private const string API_KEY = "sk-1234567890abcdef"; + private const string SECRET_TOKEN = "ghp_xxxxxxxxxxxxxxxxxxxx"; + + // Vulnerable regex patterns - ReDoS vulnerability + private static readonly Regex ComplexVulnerableRegex = new Regex(@"^(([a-z])+.)+[A-Z]([a-z])+$", RegexOptions.Compiled); + private static readonly Regex NestedQuantifierRegex = new Regex(@"^(a+)+$", RegexOptions.Compiled); + + public DevSecOps3Model(ILogger logger) + { + _logger = logger; + } + + public List LatestGHASNews { get; set; } = new(); + + public void OnGet() + { + // Log forging vulnerability - unsanitized user input in logs + string userAgent = Request.Headers.ContainsKey("User-Agent") + ? Request.Headers["User-Agent"].ToString() + : "Unknown"; + string clientIp = Request.Headers.ContainsKey("X-Forwarded-For") + ? Request.Headers["X-Forwarded-For"].ToString() + : "Unknown"; + + _logger.LogInformation($"DevSecOps3 page accessed by: {userAgent} from IP: {clientIp}"); + + // Path traversal vulnerability demonstration + string file = Request.Query.ContainsKey("file") ? Request.Query["file"].ToString() ?? "" : ""; + if (!string.IsNullOrEmpty(file)) + { + _logger.LogWarning($"File access attempt: {file}"); + } + + // Load latest GHAS news with potential deserialization vulnerabilities + LoadLatestGHASNews(); + + // Demonstrate weak cryptography + DemonstrateWeakCrypto(); + + // Test vulnerable regex with user input + TestVulnerableRegexPatterns(); + } + + private void LoadLatestGHASNews() + { + LatestGHASNews = new List + { + "GitHub Advanced Security introduces AI-powered vulnerability detection with 40% improved accuracy", + "New CodeQL queries added for detecting supply chain attacks and malicious dependencies", + "Secret scanning now supports 300+ service providers with custom pattern matching", + "Dependency review enhanced with exploitability scoring and remediation prioritization", + "Security overview dashboard now includes compliance frameworks (SOC2, ISO27001, NIST)", + "GitHub Copilot for Security provides real-time security assistance during development", + "Advanced threat modeling integration with Microsoft Threat Modeling Tool", + "Enhanced SARIF support enables seamless integration with 50+ security scanning tools", + "New security advisories database provides enriched vulnerability intelligence", + "Custom CodeQL rule sharing across organizations with centralized security policies" + }; + + try + { + // Potential JSON deserialization vulnerability - unsafe deserialization + string jsonData = JsonConvert.SerializeObject(LatestGHASNews); + + // Unsafe deserialization without type checking + var settings = new JsonSerializerSettings + { + TypeNameHandling = TypeNameHandling.All // VULNERABILITY: Enables type confusion attacks + }; + var deserializedData = JsonConvert.DeserializeObject>(jsonData, settings); + + _logger.LogInformation($"Successfully loaded {LatestGHASNews.Count} GHAS news items via JSON deserialization"); + } + catch (Exception ex) + { + // Information disclosure through detailed error messages + _logger.LogError($"JSON processing failed: {ex.Message} | Stack: {ex.StackTrace}"); + } + } + + private void DemonstrateWeakCrypto() + { + try + { + // Weak encryption demonstration - MD5 hash (deprecated) + using (var md5 = System.Security.Cryptography.MD5.Create()) + { + string sensitiveData = "user_password_123"; + byte[] hashBytes = md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(sensitiveData)); + string hash = Convert.ToBase64String(hashBytes); + + _logger.LogDebug($"Generated weak MD5 hash for security demo: {hash}"); + } + } + catch (Exception ex) + { + _logger.LogError($"Cryptography demo failed: {ex.Message}"); + } + } + + private void TestVulnerableRegexPatterns() + { + string testInput = Request.Query.ContainsKey("regex_test") + ? Request.Query["regex_test"].ToString() ?? "aaaaaa" + : "aaaaaa"; + + try + { + // ReDoS vulnerability demonstration + bool match1 = ComplexVulnerableRegex.IsMatch(testInput); + bool match2 = NestedQuantifierRegex.IsMatch(testInput); + + _logger.LogInformation($"Regex evaluation completed for input: {testInput} | Results: {match1}, {match2}"); + } + catch (RegexMatchTimeoutException ex) + { + _logger.LogError($"Regex timeout occurred - potential ReDoS: {ex.Message}"); + } + catch (Exception ex) + { + _logger.LogError($"Regex evaluation failed: {ex.Message}"); + } + } + + public IActionResult OnPostTestAdvancedRegex(string pattern, string input) + { + try + { + if (string.IsNullOrEmpty(pattern) || string.IsNullOrEmpty(input)) + { + TempData["SecurityDemoError"] = "Both pattern and input are required for regex testing."; + return Page(); + } + + // Log forging vulnerability - direct user input in logs + _logger.LogInformation($"Advanced regex test initiated by user with pattern: {pattern} and input: {input}"); + + // Create potentially vulnerable regex without timeout + var regex = new Regex(pattern, RegexOptions.Compiled); + + var startTime = DateTime.UtcNow; + bool isMatch = regex.IsMatch(input); + var duration = DateTime.UtcNow - startTime; + + string result = $"Pattern '{pattern}' against input '{input}': {(isMatch ? "MATCH" : "NO MATCH")} (took {duration.TotalMilliseconds:F2}ms)"; + + // Potential information disclosure + _logger.LogInformation($"Regex test result: {result}"); + TempData["SecurityDemoResult"] = result; + + if (duration.TotalMilliseconds > 1000) + { + TempData["SecurityDemoError"] = "WARNING: Regex took longer than 1 second - potential ReDoS vulnerability detected!"; + } + } + catch (ArgumentException ex) + { + string errorMsg = $"Invalid regex pattern: {ex.Message}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + catch (RegexMatchTimeoutException ex) + { + string errorMsg = $"Regex timeout - ReDoS vulnerability confirmed: {ex.Message}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + catch (Exception ex) + { + // Information disclosure through error messages + string errorMsg = $"Regex test failed: {ex.Message} | Type: {ex.GetType().Name}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + + return Page(); + } + + public IActionResult OnPostTestSqlDemo(string userId) + { + try + { + if (string.IsNullOrEmpty(userId)) + { + TempData["SecurityDemoError"] = "User ID is required for SQL demonstration."; + return Page(); + } + + // Log forging vulnerability - unsanitized user input + _logger.LogInformation($"SQL demo test for user ID: {userId}"); + + // SQL Injection vulnerability - string concatenation instead of parameterized queries + string vulnerableQuery = $"SELECT * FROM Users WHERE UserID = {userId}"; + + _logger.LogDebug($"Executing vulnerable SQL query: {vulnerableQuery}"); + + // Simulate database connection (don't actually execute for safety) + using var connection = new SqlConnection(DB_CONNECTION_STRING); + + // Log the connection string (credential exposure) + _logger.LogDebug($"Connecting to database with connection string: {DB_CONNECTION_STRING}"); + + string result = $"SQL Query executed: {vulnerableQuery}"; + TempData["SecurityDemoResult"] = result; + + // Additional vulnerability - exposing internal system information + _logger.LogInformation($"Database operation completed. Connection string: {DB_CONNECTION_STRING.Substring(0, 20)}..."); + } + catch (SqlException ex) + { + // Information disclosure through detailed SQL error messages + string errorMsg = $"SQL Error: {ex.Message} | Number: {ex.Number} | Severity: {ex.Class}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + catch (Exception ex) + { + // Generic error disclosure + string errorMsg = $"Database demo failed: {ex.Message} | Stack: {ex.StackTrace?.Substring(0, Math.Min(200, ex.StackTrace?.Length ?? 0))}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + + return Page(); + } + } +} \ No newline at end of file diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml index e0db7f6..9444a55 100644 --- a/src/webapp01/Pages/Index.cshtml +++ b/src/webapp01/Pages/Index.cshtml @@ -13,5 +13,9 @@ New! Check out our DevSecOps Demo page to see the latest GHAS features and security demonstrations.

+

+ Latest! Explore our advanced DevSecOps3 Demo + featuring cutting-edge security features and enhanced vulnerability demonstrations. +

From cec74e6ab84d781a2ebf65630042ed50573ae15c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 26 Jun 2025 18:47:04 +0000 Subject: [PATCH 4/4] Implement DevSecOps6 page with container and supply chain security demos Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com> --- src/webapp01/Pages/DevSecOps6.cshtml | 223 ++++++++++++++++++++ src/webapp01/Pages/DevSecOps6.cshtml.cs | 259 ++++++++++++++++++++++++ src/webapp01/Pages/Index.cshtml | 4 + 3 files changed, 486 insertions(+) create mode 100644 src/webapp01/Pages/DevSecOps6.cshtml create mode 100644 src/webapp01/Pages/DevSecOps6.cshtml.cs diff --git a/src/webapp01/Pages/DevSecOps6.cshtml b/src/webapp01/Pages/DevSecOps6.cshtml new file mode 100644 index 0000000..b2ce0e4 --- /dev/null +++ b/src/webapp01/Pages/DevSecOps6.cshtml @@ -0,0 +1,223 @@ +@page +@model DevSecOps6Model +@{ + ViewData["Title"] = "DevSecOps6 - Container & Supply Chain Security"; +} + +
+
+
+

@ViewData["Title"]

+

Advanced container security, supply chain protection, and cloud-native DevSecOps practices

+
+
+
+ + + @if (TempData["SecurityDemoResult"] != null) + { + + } + + @if (TempData["SecurityDemoError"] != null) + { + + } + +
+ +
+
+
+

+ Container Security & Supply Chain Updates 2024 +

+
+
+ @if (Model.ContainerSecurityFeatures.Any()) + { +
+ @foreach (var feature in Model.ContainerSecurityFeatures) + { +
+ NEW +
+

@feature

+ Enhanced container and cloud security capabilities +
+
+ } +
+ } + else + { +

No container security updates available.

+ } +
+
+ + +
+
+

Supply Chain Security Portfolio

+
+
+
+
+
SBOM Generation
+

Automated Software Bill of Materials generation with vulnerability mapping and license compliance tracking.

+ +
Artifact Signing
+

Cryptographic signing of container images and artifacts with Sigstore and Cosign integration.

+ +
Provenance Tracking
+

Complete build provenance documentation with SLSA framework compliance and attestation.

+
+
+
Cloud Security
+

Multi-cloud security posture management with infrastructure-as-code scanning and compliance.

+ +
Runtime Protection
+

Container runtime security monitoring with behavioral analysis and threat detection.

+ +
Mesh Security
+

Service mesh security policies with zero-trust networking and encrypted communication.

+
+
+
+
+
+ + +
+ +
+
+

+ Container Security Demo +

+
+
+

+ This demonstration includes container and cloud security vulnerabilities for advanced GHAS testing. + These patterns showcase supply chain and runtime security scanning. +

+ + +
+
+ + +
Test environment variable exposure vulnerabilities
+
+
+ + +
+ +
+ + +
+
+ + +
Demonstrates container escape vulnerabilities
+
+ +
+
+
+ + +
+
+

+ Cloud Security Resources +

+
+
+
+ + Supply Chain Security + + + Deployment Security + + + Security Updates + + + Enterprise Security + + + Organization Security + +
+
+
+
+
+ + +
+
+
+
+

+ Cloud-Native Security & DevSecOps Automation +

+
+
+
+
+
Infrastructure Security
+
    +
  • Infrastructure-as-Code scanning
    • +
  • Cloud misconfigurations detection
    • +
  • Kubernetes security policies
    • +
  • Multi-cloud compliance monitoring
    • +
+
+
+
Container Security
+
    +
  • Image vulnerability scanning
    • +
  • Runtime threat detection
    • +
  • Container escape prevention
    • +
  • Secrets management integration
    • +
+
+
+
DevSecOps Automation
+
    +
  • Security-as-Code practices
    • +
  • Automated compliance reporting
    • +
  • CI/CD security gates
    • +
  • Security workflow orchestration
    • +
+
+
+
+
+
+
+
\ No newline at end of file diff --git a/src/webapp01/Pages/DevSecOps6.cshtml.cs b/src/webapp01/Pages/DevSecOps6.cshtml.cs new file mode 100644 index 0000000..c2aa44d --- /dev/null +++ b/src/webapp01/Pages/DevSecOps6.cshtml.cs @@ -0,0 +1,259 @@ +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; +using System.Diagnostics; +using System.Text.Json; +using Newtonsoft.Json; + +namespace webapp01.Pages +{ + public class DevSecOps6Model : PageModel + { + private readonly ILogger _logger; + + // Hardcoded container registry credentials - SECURITY VULNERABILITY + private const string CONTAINER_REGISTRY_URL = "registry.acme.com"; + private const string REGISTRY_USERNAME = "admin"; + private const string REGISTRY_PASSWORD = "DockerPass123!"; + + // Hardcoded cloud provider credentials - SECURITY VULNERABILITY + private const string AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"; + private const string AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"; + private const string AZURE_TENANT_ID = "12345678-1234-1234-1234-123456789012"; + + // Insecure container configuration - SECURITY VULNERABILITY + private const string DOCKER_SOCKET_PATH = "/var/run/docker.sock"; + private const bool PRIVILEGED_CONTAINER = true; + private const string CONTAINER_USER = "root"; + + public DevSecOps6Model(ILogger logger) + { + _logger = logger; + } + + public List ContainerSecurityFeatures { get; set; } = new(); + + public void OnGet() + { + // Log forging vulnerability - unsanitized user input in logs + string userAgent = Request.Headers.ContainsKey("User-Agent") + ? Request.Headers["User-Agent"].ToString() + : "Unknown"; + string requestPath = Request.Path.ToString(); + + _logger.LogInformation($"DevSecOps6 page accessed by: {userAgent} at path: {requestPath}"); + + // Environment variable exposure demonstration + DemonstrateEnvironmentVariableExposure(); + + // Load container security features with potential vulnerabilities + LoadContainerSecurityFeatures(); + + // Demonstrate insecure container operations + DemonstrateContainerVulnerabilities(); + + // Test cloud provider credential exposure + DemonstrateCloudCredentialExposure(); + } + + private void DemonstrateEnvironmentVariableExposure() + { + try + { + // Environment variable exposure - logging sensitive information + string dbPassword = Environment.GetEnvironmentVariable("DATABASE_PASSWORD") ?? "defaultpass123"; + string apiKey = Environment.GetEnvironmentVariable("API_KEY") ?? "sk-default-key"; + string jwtSecret = Environment.GetEnvironmentVariable("JWT_SECRET") ?? "super-secret-jwt-key"; + + // VULNERABILITY: Logging sensitive environment variables + _logger.LogDebug($"Environment check - DB Password: {dbPassword}, API Key: {apiKey}, JWT Secret: {jwtSecret}"); + + // VULNERABILITY: Exposing all environment variables + foreach (var envVar in Environment.GetEnvironmentVariables().Cast()) + { + _logger.LogTrace($"Environment variable found: {envVar.Key} = {envVar.Value}"); + } + } + catch (Exception ex) + { + _logger.LogError($"Environment variable demo failed: {ex.Message}"); + } + } + + private void LoadContainerSecurityFeatures() + { + ContainerSecurityFeatures = new List + { + "Container image scanning with SBOM generation and vulnerability correlation analysis", + "Runtime container behavior monitoring with ML-based anomaly detection", + "Kubernetes security policies with admission controller integration and RBAC enforcement", + "Container registry security with image signing, verification, and notary service integration", + "Supply chain security with provenance tracking, attestation, and SLSA compliance verification", + "Infrastructure-as-Code security scanning for Terraform, ARM templates, and CloudFormation", + "Cloud workload protection with runtime threat detection and automated incident response", + "Container network security with service mesh integration and zero-trust networking", + "Secrets management integration with HashiCorp Vault, Azure Key Vault, and AWS Secrets Manager", + "Compliance automation with SOC2, PCI-DSS, HIPAA, and custom framework support" + }; + + try + { + // Unsafe deserialization vulnerability + string jsonData = JsonConvert.SerializeObject(ContainerSecurityFeatures); + + // VULNERABILITY: Unsafe JSON deserialization settings + var settings = new JsonSerializerSettings + { + TypeNameHandling = TypeNameHandling.Auto, // Enables type confusion attacks + DefaultValueHandling = DefaultValueHandling.Include + }; + + var deserializedFeatures = JsonConvert.DeserializeObject>(jsonData, settings); + + _logger.LogInformation($"Loaded {ContainerSecurityFeatures.Count} container security features via unsafe deserialization"); + } + catch (Exception ex) + { + // Information disclosure through detailed error messages + _logger.LogError($"Container features loading failed: {ex.Message} | Stack: {ex.StackTrace}"); + } + } + + private void DemonstrateContainerVulnerabilities() + { + try + { + // VULNERABILITY: Container privilege escalation + _logger.LogWarning($"Container running with privileged mode: {PRIVILEGED_CONTAINER}"); + _logger.LogWarning($"Container user: {CONTAINER_USER}"); + _logger.LogWarning($"Docker socket access: {DOCKER_SOCKET_PATH}"); + + // VULNERABILITY: Hardcoded container registry credentials + _logger.LogDebug($"Container registry: {CONTAINER_REGISTRY_URL} with user: {REGISTRY_USERNAME} and password: {REGISTRY_PASSWORD}"); + + // Simulate container command execution vulnerability + string containerCommand = Request.Query.ContainsKey("cmd") + ? Request.Query["cmd"].ToString() ?? "" + : ""; + + if (!string.IsNullOrEmpty(containerCommand)) + { + // VULNERABILITY: Command injection through user input + _logger.LogWarning($"Attempting to execute container command: {containerCommand}"); + } + } + catch (Exception ex) + { + _logger.LogError($"Container vulnerability demo failed: {ex.Message}"); + } + } + + private void DemonstrateCloudCredentialExposure() + { + try + { + // VULNERABILITY: Cloud provider credential exposure + _logger.LogDebug($"AWS Access Key: {AWS_ACCESS_KEY}"); + _logger.LogDebug($"AWS Secret Key: {AWS_SECRET_KEY.Substring(0, 10)}..."); + _logger.LogDebug($"Azure Tenant ID: {AZURE_TENANT_ID}"); + + // VULNERABILITY: Insecure cloud resource access patterns + string cloudResource = $"https://storage.blob.core.windows.net/container?key={AWS_SECRET_KEY}"; + _logger.LogInformation($"Cloud resource URL generated: {cloudResource}"); + + // VULNERABILITY: Insecure temporary file creation + string tempFile = Path.Combine(Path.GetTempPath(), "cloud-credentials.txt"); + System.IO.File.WriteAllText(tempFile, $"AWS_KEY={AWS_ACCESS_KEY}\nAWS_SECRET={AWS_SECRET_KEY}"); + _logger.LogDebug($"Temporary credentials file created: {tempFile}"); + } + catch (Exception ex) + { + _logger.LogError($"Cloud credential demo failed: {ex.Message}"); + } + } + + public IActionResult OnPostTestEnvironmentVariables(string envVar, string envValue) + { + try + { + if (string.IsNullOrEmpty(envVar) || string.IsNullOrEmpty(envValue)) + { + TempData["SecurityDemoError"] = "Both environment variable name and value are required."; + return Page(); + } + + // Log forging vulnerability - direct user input in logs + _logger.LogInformation($"Environment variable test initiated: {envVar} = {envValue}"); + + // VULNERABILITY: Environment variable injection + Environment.SetEnvironmentVariable(envVar, envValue); + + // VULNERABILITY: Unsafe environment variable access + string retrievedValue = Environment.GetEnvironmentVariable(envVar); + + string result = $"Environment variable '{envVar}' set to '{envValue}' and retrieved as '{retrievedValue}'"; + + // Information disclosure vulnerability + _logger.LogInformation($"Environment test result: {result}"); + TempData["SecurityDemoResult"] = result; + + // Additional vulnerability - exposing system environment + var systemEnvVars = Environment.GetEnvironmentVariables(); + _logger.LogDebug($"Total system environment variables: {systemEnvVars.Count}"); + } + catch (Exception ex) + { + // Information disclosure through error messages + string errorMsg = $"Environment variable test failed: {ex.Message} | Type: {ex.GetType().Name}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + + return Page(); + } + + public IActionResult OnPostTestContainerCommand(string command) + { + try + { + if (string.IsNullOrEmpty(command)) + { + TempData["SecurityDemoError"] = "Container command is required for demonstration."; + return Page(); + } + + // Log forging vulnerability - unsanitized user input + _logger.LogInformation($"Container command test initiated: {command}"); + + // VULNERABILITY: Command injection - executing user input without sanitization + var processInfo = new ProcessStartInfo + { + FileName = "/bin/bash", + Arguments = $"-c \"{command}\"", // Direct command injection vulnerability + RedirectStandardOutput = true, + RedirectStandardError = true, + UseShellExecute = false, + CreateNoWindow = true + }; + + // VULNERABILITY: Unsafe process execution + _logger.LogDebug($"Executing container command via process: {processInfo.FileName} {processInfo.Arguments}"); + + string result = $"Container command '{command}' scheduled for execution"; + TempData["SecurityDemoResult"] = result; + + // Additional vulnerability - exposing container runtime information + _logger.LogInformation($"Container runtime: {Environment.OSVersion} | User: {Environment.UserName}"); + _logger.LogWarning($"Container privileges: Running as {(Environment.UserName == "root" ? "ROOT" : "NON-ROOT")}"); + } + catch (Exception ex) + { + // Information disclosure through detailed error messages + string errorMsg = $"Container command test failed: {ex.Message} | Stack: {ex.StackTrace?.Substring(0, Math.Min(200, ex.StackTrace?.Length ?? 0))}"; + _logger.LogError(errorMsg); + TempData["SecurityDemoError"] = errorMsg; + } + + return Page(); + } + } +} \ No newline at end of file diff --git a/src/webapp01/Pages/Index.cshtml b/src/webapp01/Pages/Index.cshtml index 9444a55..5cb70f0 100644 --- a/src/webapp01/Pages/Index.cshtml +++ b/src/webapp01/Pages/Index.cshtml @@ -17,5 +17,9 @@ Latest! Explore our advanced DevSecOps3 Demo featuring cutting-edge security features and enhanced vulnerability demonstrations.

+

+ New! Check out our comprehensive DevSecOps6 Demo + showcasing container security, supply chain protection, and cloud-native DevSecOps practices. +