⚰️ refactor: Remove commented-out code, unneeded files
eliasgierlinger committed Nov 20, 2023
1 parent 083c90e commit fb332cc
Showing 41 changed files with 189 additions and 364 deletions.
7 changes: 7 additions & 0 deletions .idea/gradle.xml


22 changes: 0 additions & 22 deletions .idea/php.xml

This file was deleted.

1 change: 0 additions & 1 deletion .idea/unguard.iml


2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Unguard is composed of eight microservices written in different languages that t
| [proxy-service](./src/proxy-service) | Java Spring | unguard-proxy | Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL). |
| [profile-service](./src/profile-service) | Java Spring | default | Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks |
| [membership-service](./src/membership-service) | .NET 7 | default | Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks |
| [like-service](./src/like-service) | PHP | default | Serves REST API for liking and unliking posts using MariaDB; vulnerable to an SQL injection attack for removing other users' likes |
| [like-service](./src/like-service) | PHP | default | Serves REST API for adding likes to posts using MariaDB; vulnerable to SQL injection attacks |
| [user-auth-service](./src/user-auth-service) | Node.js Express | default | Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion). |
| [status-service](./src/status-service) | Go | unguard-status | Serves REST API for Kubernetes deployments health, as well as a user and user role list (vulnerable to SQL injection) |
| jaeger | | default | The [Jaeger](https://www.jaegertracing.io/) stack for distributed tracing. |
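Review bot: the rewritten like-service row loses the detail that the injection lets one user remove another user's like, while the exploit README and the `sql_inject_unlike_post` function in exploit.py in this same commit still describe exactly that, and the service still serves the unlike path. Suggest keeping "liking and unliking posts" and "vulnerable to an SQL injection attack for removing other users' likes" so the service table matches the rest of the docs.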
Expand Down
7 changes: 0 additions & 7 deletions chart/templates/ingress.yaml
Expand Up @@ -51,11 +51,4 @@ spec:
name: unguard-envoy-proxy
port:
number: 8080
- path: /
pathType: Prefix
backend:
service:
name: unguard-envoy-proxy
port:
number: 8000
{{end}}
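Review bot: dropping the `/` Prefix rule to `unguard-envoy-proxy` port 8000 leaves the ingress with only the port 8080 backend above it, so anything that previously reached Envoy on 8000 now has no ingress route. The Envoy config in this commit also removes the `/like-service` route, so the removal looks intentional, but the commit message only says "unneeded files"; a sentence stating that the 8000 listener is no longer exposed would make the change reviewable without cross-referencing the other hunks.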
3 changes: 1 addition & 2 deletions chart/values.yaml
Expand Up @@ -404,7 +404,7 @@ likeService:
ports:
containerPort: 8000
env:
JAEGER_COLLECTOR_HOST: collector # PHP OpenTelemetry sends data to jaeger-collector instead of jaeger-agent
JAEGER_COLLECTOR_HOST: collector # PHP OpenTelemetry sends data to jaeger-collector instead of jaeger-agent
JAEGER_DISABLED: true
JAEGER_PORT: 4318
SERVICE_NAME: unguard-like-service
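Review bot: the only change in this hunk is the whitespace before the `# PHP OpenTelemetry ...` comment. While touching this block, note that `JAEGER_DISABLED: true` and `JAEGER_PORT: 4318` are unquoted, so YAML parses them as a boolean and an integer, and a Kubernetes container `env` `value` must be a string; unless the chart template pipes these through `quote`, the API server rejects the rendered Deployment. Quoting them here (`"true"`, `"4318"`) avoids relying on the template to stringify.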
Expand Down Expand Up @@ -455,4 +455,3 @@ frontend:
LIKE_SERVICE_BASE_PATH: /like-service
MEMBERSHIP_SERVICE_BASE_PATH: /membership-service
STATUS_SERVICE_BASE_PATH: /status-service

4 changes: 2 additions & 2 deletions docs/TRACING.md
Expand Up @@ -30,13 +30,13 @@ This document explains how to install Jaeger tracing using Helm to the cluster.
1. For local development
1. Install Jaeger (takes a couple of minutes)
```sh
helm install jaeger jaegertracing/jaeger --version 0.71.14 --wait --namespace unguard --create-namespace --values ./chart/jaeger-otlp-values.yaml
helm install jaeger jaegertracing/jaeger --version 0.71.14 --wait --namespace unguard --create-namespace --values ./docs/jaeger/jaeger-otlp-values.yaml
```
2. Install the Jaeger-Operator
```sh
helm install jaeger-operator jaegertracing/jaeger-operator --version 2.22.0 --wait --namespace unguard --create-namespace
```
2. Deploy the AllInOne image for local development
3. Deploy the AllInOne image for local development
```sh
kubectl apply -f ./k8s-manifests/jaeger/jaeger.yaml
```
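Review bot: the values path moves from `./chart/jaeger-otlp-values.yaml` to `./docs/jaeger/jaeger-otlp-values.yaml`, which presumably corresponds to the "File renamed without changes." entry in this commit, and the AllInOne step is correctly renumbered from 2 to 3 now that the operator install sits between them. The manifest path `./k8s-manifests/jaeger/jaeger.yaml` in step 3 is untouched; confirm it was not part of the same move, otherwise step 3 breaks the way step 1 just did.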
Expand Down
Binary file modified docs/images/unguard-timeline.png
Binary file modified docs/images/unguard-user-profile.png
File renamed without changes.
2 changes: 1 addition & 1 deletion exploit-toolkit/exploit.py
Expand Up @@ -378,7 +378,7 @@ def sql_inject_unlike_post(post, user, target):
click.echo("Not logged in. Run login command first.")
return

r = session.get(f'http://{target + frontend_base_path}/post', params={'postId': [post, user], 'like_delete': ''}, allow_redirects=False)
r = session.get(f'http://{target + frontend_base_path}/unlike', params={'postId': [post, user]}, allow_redirects=False)

# should always be status code 404
click.echo('Request returned status code %s.' % str(r.status_code))
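Review bot: the only outcome reported is the echoed status code, and the comment says it "should always be status code 404". After switching the path from `/post` (with `like_delete`) to `/unlike`, a 404 also matches a deployment that simply lacks the `/unlike` route, so the comment should say why 404 is the expected result of this request (the SQLI-LIKE-SERVICE-REMOVE-LIKE.md hunk in this commit states the same expectation) so a reader does not read it as the toolkit failing.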
Expand Down
2 changes: 1 addition & 1 deletion exploit-toolkit/exploits/sql-injection/README.md
Expand Up @@ -3,4 +3,4 @@
Unguard has three SQL injection vulnerabilities:
* [One in the Java `profile-service`](./SQLI-PROFILE-SERVICE-H2.md), which is exploitable through the user biography and allows you to access the h2 database.
* [One in the Golang `status-service`](./SQLI-STATUS-SERVICE-MARIADB.md), which is exploitable through the search bar on the Users page and allows you to access the MariaDB database.
* [One in the PHP `like-service`](./SQLI-LIKE-SERVICE-REMOVE-LIKE.md), which allows you to remove another user's like on a given post if you send the right parameters.
* [One in the PHP `like-service`](./SQLI-LIKE-SERVICE-REMOVE-LIKE.md), which allows you to remove another user's like on a given post.
Expand Up @@ -2,7 +2,6 @@

Utilizing [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) can lead to sensitive data being read
and/or databases to be modified (Insert/Update/Delete).
In addition, administrative operations such as shutting down the DBMS can also be completed.

Unguard has a PHP microservice for handling likes that uses an unsafe version of Laravel, allowing you to remove another user's like on a post. When liking/unliking, normally, the PHP service would receive a post ID and a user ID, but with the right parameters, you can send two post IDs, leading to the latter one being misinterpreted as the user ID by Laravel ([see more details](https://security.snyk.io/vuln/SNYK-PHP-LARAVELFRAMEWORK-1060045)).

Expand All @@ -20,9 +19,9 @@ This ID is exposed indirectly through the Users page. The admanager user always
The user shown below the admanager has the ID 2, the one below that has the ID 3 etc.

### w/o Toolkit CLI
Once you have the ID of the user whose like on a particular post you want to remove, head over to the frontend page for that post, e.g. http://unguard.kube/ui/post?postId=1.
You can get to that page by liking the post yourself. Then, in the search bar, modify the parameters thusly:
`http://unguard.kube/ui/post?postId=[POST_ID]&postId=[USER_ID]&like_delete`.
Once you have the ID of the user whose like on a particular post you want to remove, head over to the frontend page for that post, e.g. http://unguard.kube/ui/post/1.
You can get to that page by liking the post yourself. From the address bar, you can now see the post id (1 in the example). Then open the following in your browser:
`http://unguard.kube/ui/unlike?postId=[POST_ID]&postId=[USER_ID]`.
The second `postId` parameter is misinterpreted by Laravel as the user ID, and the like for that user will be deleted. After you load the site with these parameters,
you should see a 404 error.

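Review bot: the example post URL changes to the path form `http://unguard.kube/ui/post/1`, while the unlike endpoint keeps query parameters, `http://unguard.kube/ui/unlike?postId=[POST_ID]&postId=[USER_ID]`. That matches the `{frontend_base_path}/unlike` call with `params={'postId': [post, user]}` in the exploit.py hunk of this commit, so the two are consistent, but a short sentence noting that the post page and the unlike endpoint use different URL shapes would help readers who would otherwise try `/ui/unlike/1`. The "you should see a 404 error" expectation also agrees with the `# should always be status code 404` comment in exploit.py.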
Expand Down
16 changes: 0 additions & 16 deletions src/envoy-proxy/config/envoy-config.yaml
Expand Up @@ -62,10 +62,6 @@ static_resources:
prefix: /ad-service
route:
cluster: ad_service_cluster
- match:
prefix: /like-service
route:
cluster: like_service_cluster
clusters:
- name: frontend_cluster
dns_lookup_family: V4_ONLY
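Review bot: removing the `/like-service` prefix route means Envoy no longer forwards that path anywhere, yet the values.yaml hunk in this commit still passes `LIKE_SERVICE_BASE_PATH: /like-service` to the frontend. If the frontend uses that base path only for server-side calls to `unguard-like-service`, this is fine; if it is used to build browser-facing URLs, those requests now fall through to whatever the default route is. Either way, the cluster removal in the hunk below is the right companion change, since an unreferenced STRICT_DNS cluster would otherwise keep resolving `unguard-like-service` for nothing.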
Expand All @@ -91,15 +87,3 @@ static_resources:
socket_address:
address: unguard-ad-service
port_value: 80
- name: like_service_cluster
dns_lookup_family: V4_ONLY
type: STRICT_DNS
load_assignment:
cluster_name: like_service_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: unguard-like-service
port_value: 80

0 comments on commit fb332cc