Thanks to visit codestin.com
Credit goes to github.com

Added a vulnerable API module #670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

digininja merged 31 commits into master from api

Jan 29, 2025

Owner

digininja commented Jan 29, 2025

No description provided.

digininja added 30 commits

October 2, 2024 12:27


          starting API build

1fe14d3


          first files

18c38b5


          Basics are working

0f76d3b


          All working and documented

254c11b

I need to make the user system persistent and then add some
vulnerabilities. There are already some in there, but we need some good
ones.


          missing include

e895a43


          low working

979265e


          added api versioning

9097c0f


          medium and low working

97cc416


          RCE and generic options response

6e41e1d


          better description

d0cd7f4


          starting orders

4c3b2ac


          low finished

d7f2316


          improved help page

b53c636


          medium working

a34389f


          tidy space

6e2d8bb


          orders working

42ea586


          login controller written and added to orders

0f758ac


          checking content type

36ab59e


          login is now OAUTH2

7f15de1


          refresh token working but no auth

cb4793b


          login tokens are encrypted and will expire

5f92df7


          All login stuff working

133ce09


          check if decrypt worked ok

677d859


          tidying up the levels

9c193cc


          echo function added

b4d82b1


          more links

0d0a7e1


          typo

0577e1d


          impossible level


          updated composer stuff

eb475ab


          calling openapi openapi, not swagger


          how to generate dynamic docs

9cb5f20

digininja merged commit a96943d into master

2 checks passed

github-advanced-security bot found potential problems

View reviewed changes

vulnerabilities/api/src/LoginController.php

+              			$client_secret = $_SERVER['PHP_AUTH_PW'];
+              			# App auth check
+              			if ($client_id == "1471.dvwa.digi.ninja" && $client_secret == "ABigLongSecret") {

Check failure

Code scanning / Secrets Audit

Cleartext Storage of Sensitive Information. Error

Credential in plaintext? Rule: Env Var
Line: if ($client_id == "1471.dvwa.digi.ninja" && $client_secret == "ABigLongSecret") { Commit: .

github-advanced-security bot found potential problems

View reviewed changes

vulnerabilities/api/public/index.php

+              		}
+              		// pass the request method and order ID to the OrderController and process the HTTP request:
+              		$controller = new OrderController($requestMethod, $version, $orderId);

Check warning

Code scanning / PHP Security Audit

Class Src \ OrderController has no __construct, but arguments were passed. Warning

Class Src \ OrderController has no __construct, but arguments were passed.

vulnerabilities/api/public/index.php

+              		}
+              		// pass the request method and user ID to the UserController and process the HTTP request:
+              		$controller = new UserController($requestMethod, $version, $userId);

Check warning

Code scanning / PHP Security Audit

Class Src \ OrderController has no __construct, but arguments were passed. Warning

Class Src \ UserController has no __construct, but arguments were passed.

vulnerabilities/api/public/index.php

+              		}
+              		$command = $local_uri[2];
+              		$controller = new HealthController($requestMethod, $version, $command);

Check warning

Code scanning / PHP Security Audit

Class Src \ OrderController has no __construct, but arguments were passed. Warning

Class Src \ HealthController has no __construct, but arguments were passed.

vulnerabilities/api/public/index.php

+              		}
+              		$command = $local_uri[2];
+              		$controller = new LoginController($requestMethod, $version, $command);

Check warning

Code scanning / PHP Security Audit

Class Src \ OrderController has no __construct, but arguments were passed. Warning

Class Src \ LoginController has no __construct, but arguments were passed.

vulnerabilities/api/src/HealthController.php

+              	}
+                  #[OAT\Post(
+              		tags: ["health"],

Check warning

Code scanning / PHP Security Audit

Syntax error, unexpected T_STRING on line 22. Warning

Syntax error, unexpected T_STRING on line 22.

vulnerabilities/api/src/UserController.php

+              	}
+                  #[OAT\Get(
+              		tags: ["user"],

Check warning

Code scanning / PHP Security Audit

Syntax error, unexpected T_STRING on line 22. Warning

Syntax error, unexpected T_STRING on line 63.

vulnerabilities/api/src/UserController.php

+              	}
+                  #[OAT\Get(
+              		tags: ["user"],

Check warning

Code scanning / PHP Security Audit

Syntax error, unexpected T_STRING on line 22. Warning

Syntax error, unexpected T_STRING on line 98.

vulnerabilities/api/src/UserController.php

+              	}
+                  #[OAT\Post(
+              		tags: ["user"],

Check warning

Code scanning / PHP Security Audit

Syntax error, unexpected T_STRING on line 22. Warning

Syntax error, unexpected T_STRING on line 126.

vulnerabilities/api/src/UserController.php

+              	}
+                  #[OAT\Put(
+              		tags: ["user"],

Check warning

Code scanning / PHP Security Audit

Syntax error, unexpected T_STRING on line 22. Warning

Syntax error, unexpected T_STRING on line 175.

vulnerabilities/api/src/UserController.php

+              	}
+                  #[OAT\Delete(
+              		tags: ["user"],

Check warning

Code scanning / PHP Security Audit

Syntax error, unexpected T_STRING on line 22. Warning

Syntax error, unexpected T_STRING on line 233.

digininja deleted the api branch

February 26, 2025 09:53

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

2193a88

Added a vulnerable API module

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

a98be29

Added a vulnerable API module

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

4065b67

Added a vulnerable API module

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

16191f7

Added a vulnerable API module

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

e2d3ecc

Added a vulnerable API module

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

db68a06

Added a vulnerable API module

noe-orga-NTT pushed a commit to noe-orga-NTT/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

aa182e3

Added a vulnerable API module

BrunoCascante pushed a commit to BrunoCascante/DVWA that referenced this pull request


          Merge pull request digininja#670 from digininja/api

f8fd3f1

Added a vulnerable API module

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet