# 🚀 VulnerableECommerceMVC Lab 🚀

Author: Paul Volosen, CISSP
GitHub: paul007ex/vulnEcommMVC
LinkedIn: paulvolosen


📋 Table of Contents

  1. Lab Overview
  2. Learning Outcomes
  3. Prerequisites & Setup
  4. Project Structure
  5. Phase Walkthrough
  6. Use-Case Deep Dives
  7. Threat Modeling & Compliance
  8. Attack & Test Matrix
  9. Extension Ideas
  10. Resources & Further Reading
  11. Feedback & Contributing

πŸ” Lab Overview

This hands-on lab simulates legacy auth mistakes and modern remediations in a .NET MVC app.
You will clone, compile, attack, fix, and map everything to real-world frameworks:

• STRIDE threat model
• NIST SSDF
• OWASP SAMM
• PCI-DSS v4.0
• ISO 27001:2022
• GDPR/CCPA


🎓 Learning Outcomes

By completing this lab, you will be able to:

  • 🔓 Identify and exploit common auth flaws
  • 🔄 Validate and secure redirect endpoints
  • 🔑 Migrate from Basic-Auth → SHA-256 → HMAC
  • 🛡️ Map fixes to security standards & compliance
  • 📊 Build a repeatable attack/test matrix
  • 🔧 Extend to modern SSO (SAML/OIDC) demos

βš™οΈ Prerequisites & Setup

  1. Install the .NET SDK (required for the dotnet restore / dotnet run commands below)

  2. Clone & Run

    git clone https://github.com/paul007ex/vulnEcommMVC.git
    cd vulnEcommMVC
    dotnet restore
    dotnet run
  3. Verify

    • App: http://localhost:5000
    • Swagger UI (if enabled): http://localhost:5000/swagger

📂 Project Structure

📦 vulnEcommMVC
 ┣ 📜 Program.cs
 ┣ 📜 DataStore.cs       ← In-memory "SQL" tables
 ┣ 📜 User.cs            ← Model + roles
 ┣ 📂 Controllers/
 ┃   ┣ 📜 HomeController.cs        ← Insecure Basic-Auth over HTTP
 ┃   ┣ 📜 SecureLoginController.cs ← HTTPS + SHA-256
 ┃   ┣ 📜 LoginController.cs       ← MVC Form login (no CSRF!)
 ┃   ┣ 📜 RedirectController.cs    ← Blind-redirect demo
 ┃   ┗ 📜 HmacController.cs        ← HMAC signature demo
 ┣ 📜 tests.sh           ← curl attack & validation scripts
 ┣ 📜 INSTRUCTIONS.md    ← This master README source
 ┗ 📜 Explanation-*.md   ← Per-feature deep dives

πŸ— Phase Walkthrough

1) Hello World Console      → helloworld.cs
2) Minimal HTTP Server      → Program.cs
3) In-Memory Data Store     → DataStore.cs + User.cs
4) Use-Case #1: Open Redirect
5) Use-Case #2: Basic-Auth Leak
6) Use-Case #3: Base64 Misuse → HMAC

📌 Use-Case Deep Dives

Use-Case 1: Open Redirect

Vulnerability: Unvalidated returnUrl parameter allows phishing & credential capture.

curl -v "http://localhost:5000/redirect?to=https://evil.com"

ASCII Flow – Before

┌─────────┐    GET /redirect?to=https://evil.com    ┌────────────────────┐
│ Browser │ ──────────────────────────────────────► │ RedirectController │
└─────────┘                                         │ no validation      │
                                                    └────────────────────┘
                                                             │
                                                             ▼
                                                      302 Location=https://evil.com

Remediation Fix:

if (!IsAllowedDomain(returnUrl)) 
    return BadRequest("Invalid redirect");
return Redirect(returnUrl);
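The fix above calls IsAllowedDomain but the README never defines it. The following C# is an added example (not code from the vulnEcommMVC repository) of what that check should do: the RedirectGuard class name, the allowlist contents and the controller wiring are assumptions. Beyond the single evil.com case shown, it rejects the common bypasses of a naive host check: protocol-relative and backslash-prefixed URLs, embedded credentials (user@host), non-http schemes and whitespace that browsers silently strip.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;

// Added example, not part of the lab. Allowlist-based validation of the
// returnUrl / "to" parameter used by RedirectController.
public static class RedirectGuard
{
    // Hypothetical allowlist of external hosts the shop may redirect to.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "localhost",          // the lab itself
            "shop.example.com",   // constructed sample value
        };

    public static bool IsAllowedDomain(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        // Browsers strip tabs/newlines before parsing ("/\tevil.com"),
        // so any control or whitespace character is grounds for rejection.
        foreach (char c in returnUrl)
            if (char.IsControl(c) || char.IsWhiteSpace(c))
                return false;

        // "//evil.com" (protocol-relative) and "/\evil.com" (backslash is
        // normalised to "/" by browsers) both leave the site despite
        // starting with a single "/".
        if (returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\"))
            return false;

        // A plain site-relative path stays on this host.
        if (returnUrl.StartsWith("/"))
            return true;

        // Anything else must be an absolute http(s) URL whose parsed host is
        // on the allowlist. Uri parsing handles "user@host", "host:port" and
        // fragment tricks, so the comparison is against the real host only.
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out Uri uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;   // javascript:, data:, file: ... are all rejected here
        return AllowedHosts.Contains(uri.Host);
    }
}

// How the lab's endpoint would use it (assumed route; the controller in the
// repository may be wired differently).
public class RedirectController : Controller
{
    [HttpGet("/redirect")]
    public IActionResult Go(string to)
    {
        if (!RedirectGuard.IsAllowedDomain(to))
            return BadRequest("Invalid redirect");
        return Redirect(to);
    }
}
```

When the application only ever needs to return users to one of its own pages, ASP.NET Core's built-in Url.IsLocalUrl() and LocalRedirect() cover the site-relative case without any allowlist; the explicit allowlist above is for the lab's scenario where a small set of external destinations is legitimate.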

Use-Case 2: Basic Auth Leak

Vulnerability: HTTP Basic Auth over plaintext reveals Base64-encoded creds.

curl -v -u admin:password http://localhost:5000/secure/basic

ASCII Flow

Browser ──▶ "Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l"
   ↓ decode
HomeController ──► Compare plaintext vs. DataStore

Remediation Fixes:

  • Enforce HTTPS only
  • Migrate credentials to SHA-256 hashing
  • Implement rate limiting & account lockouts
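The three remediations above, written out as an added C# example (not code from the vulnEcommMVC repository): the credential is refused unless it arrived over TLS, the password is compared against a salted SHA-256 digest rather than the plaintext row in DataStore, and repeated failures lock the account. StoredCredential, BasicAuthGuard, the 16-byte salt and the lockout threshold are assumptions; the header value in the demo is the RFC 7617 example the ASCII flow shows.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the lab. A credential row as DataStore would
// hold it after the migration away from plaintext.
public sealed class StoredCredential
{
    public string Username { get; }
    public byte[] Salt { get; }
    public byte[] Digest { get; }   // SHA-256(salt || password)

    private StoredCredential(string username, byte[] salt, byte[] digest)
    {
        Username = username; Salt = salt; Digest = digest;
    }

    public static StoredCredential Create(string username, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                       // per-user random salt
        return new StoredCredential(username, salt, Hash(salt, password));
    }

    public static byte[] Hash(byte[] salt, string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using (var sha = SHA256.Create())
            return sha.ComputeHash(input);
    }
}

public static class BasicAuthGuard
{
    public const int MaxFailures = 5;   // assumed lockout threshold
    // Per-username failure counter, in memory like the lab's DataStore.
    private static readonly Dictionary<string, int> Failures = new Dictionary<string, int>();

    // Parse "Authorization: Basic <base64(user:pass)>" as defined by RFC 7617.
    public static bool TryParse(string header, out string user, out string pass)
    {
        user = pass = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException) { return false; }   // malformed Base64
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        pass = decoded.Substring(colon + 1);        // the password itself may contain ':'
        return true;
    }

    // isHttps would be HttpContext.Request.IsHttps inside the controller.
    public static bool Authenticate(bool isHttps, string header, StoredCredential stored)
    {
        if (!isHttps)
            return false;   // a Basic credential seen over plaintext HTTP is already exposed

        if (!TryParse(header, out string user, out string pass))
            return false;

        Failures.TryGetValue(user, out int failed);
        if (failed >= MaxFailures)
            return false;   // locked out: the password is not even evaluated

        // Non-short-circuit '&' so the hash is always computed; otherwise the
        // response time would reveal whether the username exists.
        bool userOk = string.Equals(user, stored.Username, StringComparison.Ordinal);
        bool passOk = CryptographicOperations.FixedTimeEquals(
                          StoredCredential.Hash(stored.Salt, pass), stored.Digest);
        bool ok = userOk & passOk;

        Failures[user] = ok ? 0 : failed + 1;
        return ok;
    }
}

public static class BasicAuthDemo
{
    public static void Main()
    {
        var admin = StoredCredential.Create("admin", "password");   // the lab's demo account
        string rfcExample = "Basic QWxhZGRpbjpPcGVuU2VzYW1l";       // decodes to Aladdin:OpenSesame
        string adminHeader = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("admin:password"));

        Console.WriteLine("over HTTP:   " + BasicAuthGuard.Authenticate(false, adminHeader, admin));
        Console.WriteLine("wrong user:  " + BasicAuthGuard.Authenticate(true, rfcExample, admin));
        Console.WriteLine("over HTTPS:  " + BasicAuthGuard.Authenticate(true, adminHeader, admin));
    }
}
```

SHA-256 is the step the README's migration path names. For a production credential store the stronger choice is a deliberately slow, purpose-built password hash (PBKDF2 via Rfc2898DeriveBytes, bcrypt or Argon2), because a salted fast hash still lets anyone who obtains the table test guesses at hardware speed.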

Use-Case 3: Base64 Misuse → HMAC

Vulnerability: Base64 "signature" is trivially forgeable → payload tampering.

Before

GET /cart/add?item=123&sig=MTIzCg==

Attack Example

# Change item β†’ 999, recalc Base64
curl "http://localhost:5000/cart/add?item=999&sig=$(echo -n '999' | base64)"

After: HMAC Signature

GET /auth/hmac?item=123&ts=1610000000&sig=<HMAC_SHA256(item|ts)>
// HMAC Validation Snippet
string payload = $"{item}|{ts}";
byte[] computed = CryptoUtils.ComputeHMAC(secretKey, payload);
if (!CryptoUtils.FixedTimeEquals(sigBytes, computed))
    return Unauthorized();
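The snippet above relies on CryptoUtils helpers and a secretKey that the README does not show. The following C# is an added example (not code from the vulnEcommMVC repository) that fills them in and adds the one check the snippet leaves implicit: a freshness window on ts, without which a captured (item, ts, sig) triple stays valid forever. The hex encoding of sig, the demo secret, the 300-second window and the SignedRequest class name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the lab: the helpers called by the README's
// validation snippet.
public static class CryptoUtils
{
    public static byte[] ComputeHMAC(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Constant-time comparison. A plain byte loop stops at the first mismatch,
    // so its timing leaks how many leading bytes of a forged sig were right;
    // CryptographicOperations.FixedTimeEquals (.NET Core 2.1+) does not.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
        => a != null && b != null && a.Length == b.Length
           && CryptographicOperations.FixedTimeEquals(a, b);
}

public static class SignedRequest
{
    // Assumed server-side secret; the real app would load it from
    // configuration. It is never sent to the client.
    private static readonly byte[] SecretKey = Encoding.UTF8.GetBytes("constructed-demo-secret-key");

    // Assumed replay window: how far ts may differ from the server clock.
    public const long MaxSkewSeconds = 300;

    // Client side: sig = hex(HMAC_SHA256(secret, "item|ts")).
    public static string Sign(string item, long ts)
        => ToHex(CryptoUtils.ComputeHMAC(SecretKey, $"{item}|{ts}"));

    // Server side: the README's snippet with decoding and freshness made explicit.
    public static bool Verify(string item, long ts, string sigHex, long nowUnixSeconds)
    {
        // Stale or far-future timestamps are rejected before any crypto runs.
        if (Math.Abs(nowUnixSeconds - ts) > MaxSkewSeconds)
            return false;

        byte[] sigBytes;
        try { sigBytes = FromHex(sigHex); }
        catch (FormatException) { return false; }   // e.g. sig=invalid from tests.sh

        string payload = $"{item}|{ts}";             // same framing as the client
        byte[] computed = CryptoUtils.ComputeHMAC(SecretKey, payload);
        return CryptoUtils.FixedTimeEquals(sigBytes, computed);
    }

    private static string ToHex(byte[] data)
    {
        var sb = new StringBuilder(data.Length * 2);
        foreach (byte b in data) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }

    private static byte[] FromHex(string hex)
    {
        if (hex == null || hex.Length % 2 != 0)
            throw new FormatException("hex string must have even length");
        var result = new byte[hex.Length / 2];
        for (int i = 0; i < result.Length; i++)
            result[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        return result;
    }
}

// Exercises the same four cases as the curl lines in the Attack & Test Matrix.
public static class HmacDemo
{
    public static void Main()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string sig = SignedRequest.Sign("123", now);

        Console.WriteLine("untouched:     " + SignedRequest.Verify("123", now, sig, now));
        Console.WriteLine("item tampered: " + SignedRequest.Verify("999", now, sig, now));
        Console.WriteLine("ts=0 replay:   " + SignedRequest.Verify("123", 0, sig, now));
        Console.WriteLine("sig=invalid:   " + SignedRequest.Verify("123", now, "invalid", now));
    }
}
```

The "|" separator matters: signing the bare concatenation "item" + "ts" would let two different (item, ts) pairs produce the same signed string (for example 12 with ts 31610000000 and 123 with ts 1610000000), so the delimiter, or a length prefix, is part of what makes the MAC bind both fields.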

πŸ›‘οΈ Threat Modeling & Compliance

| Threat | STRIDE | NIST SSDF | OWASP SAMM | Compliance Example |
|---|---|---|---|---|
| Open Redirect | Tampering | RV.1, RV.2 | Design | ISO 27001 A.14: Secure System Dev |
| Basic Auth Leak | Information Disclosure | PW.3 | Implementation | PCI-DSS 8.3.1–6: Strong Auth |
| HMAC Bypass | Spoofing | PW.4, RV.4 | Verification | GDPR Art 32: Integrity & Confidentiality |
| CSRF (Form-Login) | Elevation of Privilege | RV.3 | Operations | NIST 800-53 AC-4: Session Integrity |

Legend:
• PW – Password & Auth
• RV – Runtime Validation


🧪 Attack & Test Matrix

Execute bash tests.sh to run all scenarios:

# 1) Open Redirect Attack
curl -i "http://localhost:5000/redirect?to=https://evil.com"

# 2) Insecure Basic-Auth Attempt
curl -v -u admin:password http://localhost:5000/secure/basic

# 3) Base64 Tampering
curl "http://localhost:5000/cart/add?item=999&sig=$(echo -n '999' | base64)"

# 4) HMAC Tampering
curl "http://localhost:5000/auth/hmac?item=123&ts=0&sig=invalid"

✨ Extension Ideas

  • ▢️ SAML/OIDC Integration: Simulate SSO broker & validate SAML assertions
  • ▢️ POST Form Support: HMAC auth via form POST payloads
  • ▢️ CI/CD Security Gates: Integrate checks in GitHub Actions or Azure Pipelines
  • ▢️ Automated Threat Diagrams: Export STRIDE via OWASP Threat Dragon

📚 Resources & Further Reading



About

A vulnerable dotNet MVC application
