dsad

vuln-lab/web/www/api/auth.php

@@ -0,0 +1,84 @@
+<?php
+// JWT auth with secret "secret" (top-100 brute list) AND alg:none accepted.
+header("Content-Type: application/json");
+
+// CORS wide open
+if (!empty($_SERVER['HTTP_ORIGIN'])) {
+    header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
+    header("Access-Control-Allow-Credentials: true");
+}
+
+$SECRET = getenv('JWT_SECRET') ?: 'secret';
+
+function b64url_encode($s) { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
+function b64url_decode($s) { return base64_decode(strtr($s, '-_', '+/')); }
+
+function sign($header_json, $payload_json, $secret) {
+    $h = b64url_encode($header_json);
+    $p = b64url_encode($payload_json);
+    $sig = hash_hmac('sha256', "$h.$p", $secret, true);
+    return "$h.$p." . b64url_encode($sig);
+}
+
+function verify($jwt, $secret) {
+    $parts = explode('.', $jwt);
+    if (count($parts) < 2) return null;
+    [$h, $p] = $parts;
+    $header = json_decode(b64url_decode($h), true);
+    $payload = json_decode(b64url_decode($p), true);
+    if (!$header || !$payload) return null;
+
+    $alg = strtolower($header['alg'] ?? '');
+
+    // VULN 1 — accept alg:none
+    if ($alg === 'none' || $alg === '') return $payload;
+
+    // VULN 2 — weak HS256 secret
+    if ($alg === 'hs256') {
+        if (count($parts) !== 3) return null;
+        $sig  = b64url_decode($parts[2]);
+        $want = hash_hmac('sha256', "$h.$p", $secret, true);
+        if (hash_equals($want, $sig)) return $payload;
+    }
+    return null;
+}
+
+// POST creds -> issue token
+$method = $_SERVER['REQUEST_METHOD'];
+$body = json_decode(file_get_contents('php://input'), true) ?: [];
+
+if ($method === 'POST' && isset($body['action']) && $body['action'] === 'login') {
+    $u = $body['username'] ?? '';
+    $p = $body['password'] ?? '';
+    // plaintext check — admin / admin123
+    if ($u === 'admin' && $p === 'admin123') {
+        $jwt = sign(
+            json_encode(['alg' => 'HS256', 'typ' => 'JWT']),
+            json_encode(['sub' => 'admin', 'role' => 'admin', 'iat' => time(), 'exp' => time() + 3600]),
+            $SECRET
+        );
+        echo json_encode(['token' => $jwt, 'expires_in' => 3600]);
+        exit;
+    }
+    http_response_code(401);
+    echo json_encode(['error' => 'bad credentials']);
+    exit;
+}
+
+// GET — show current session from Authorization: Bearer ...
+$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+if (preg_match('/Bearer\s+(\S+)/i', $hdr, $m)) {
+    $claims = verify($m[1], $SECRET);
+    if ($claims) {
+        echo json_encode(['authenticated' => true, 'claims' => $claims]);
+        exit;
+    }
+    http_response_code(401);
+    echo json_encode(['error' => 'invalid token']);
+    exit;
+}
+
+echo json_encode([
+    'message' => 'POST {action:"login",username,password} to obtain token',
+    'example' => ['username' => 'admin', 'password' => 'admin123'],
+]);

vuln-lab/web/www/api/me.php

@@ -0,0 +1,7 @@
+<?php
+header("Content-Type: application/json");
+if (!empty($_SERVER['HTTP_ORIGIN'])) {
+    header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
+    header("Access-Control-Allow-Credentials: true");
+}
+echo json_encode(['username' => 'guest', 'role' => 'anonymous']);

vuln-lab/web/www/api/user.php

@@ -0,0 +1,13 @@
+<?php
+header("Content-Type: application/json");
+if (!empty($_SERVER['HTTP_ORIGIN'])) {
+    header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
+    header("Access-Control-Allow-Credentials: true");
+}
+echo json_encode([
+    'id' => 1,
+    'username' => 'admin',
+    'email' => 'admin@insecure.newploit.com',
+    'role' => 'admin',
+    'api_key' => 'sk_live_newploit_AKIAIOSFODNN7EXAMPLE',
+]);