Broken Access Control demo

Author: AndriiPiatakha

Diff for: online-store.core/src/main/java/com/itbulls/learnit/onlinestore/core/facades/ProductFacade.java

@@ -21,4 +21,6 @@ List<Product> getProductsLikeNameForPageWithLimit(String searchQuery, Integer pa
 
 	Product getProductById(Integer parameter);
 
+	Product getProductByGuid(String guid);
+
 }

Diff for: online-store.core/src/main/java/com/itbulls/learnit/onlinestore/core/facades/impl/DefaultProductFacade.java

@@ -74,4 +74,9 @@ public Product getProductById(Integer productId) {
 		return productConverter.convertProductDtoToProduct(productDao.getProductById(productId));
 	}
 
+	@Override
+	public Product getProductByGuid(String guid) {
+		return productConverter.convertProductDtoToProduct(productDao.getProductByGuid(guid));
+	}
+
 }

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/dao/ProductDao.java

@@ -22,5 +22,7 @@ public interface ProductDao {
 	Integer getProductCountForSearch(String searchQuery);
 
 	List<ProductDto> getProductsLikeNameForPageWithLimit(String searchQuery, Integer page, Integer paginationLimit);
+
+	ProductDto getProductByGuid(String guid);
 
 }

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/dao/impl/MySqlJdbcProductDao.java

@@ -62,6 +62,7 @@ private ProductDto populateProductDto(ResultSet rs) throws SQLException {
 		product.setCategoryDto(categoryDao.getCategoryByCategoryId(rs.getInt("category_id")));
 		product.setImgName(rs.getString("img_name"));
 		product.setDescription(rs.getString("description"));
+		product.setGuid(rs.getString("guid"));
 		return product;
 	}
 
@@ -217,5 +218,25 @@ public List<ProductDto> getProductsLikeNameForPageWithLimit(String searchQuery,
 		}
 		return null;
 	}
+
+
+	@Override
+	public ProductDto getProductByGuid(String guid) {
+		try (var conn = DBUtils.getConnection();
+				var ps = conn.prepareStatement("SELECT * FROM product WHERE guid = ?")) {
+			
+			ps.setString(1, guid);
+			try (var rs = ps.executeQuery()) {
+				
+				if (rs.next()) {
+					ProductDto product = populateProductDto(rs);
+					return product;
+				}
+			}
+		} catch (SQLException e) {
+			e.printStackTrace();
+		}
+		return null;
+	}
 
 }

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/dto/ProductDto.java

@@ -10,6 +10,7 @@ public class ProductDto {
 	private CategoryDto categoryDto;
 	private String imgName;
 	private String description;
+	private String guid;
 
 	public int getId() {
 		return id;
@@ -47,5 +48,11 @@ public String getDescription() {
 	public void setDescription(String description) {
 		this.description = description;
 	}
+	public void setGuid(String guid) {
+		this.guid = guid;
+	}
+	public String getGuid() {
+		return this.guid;
+	}
 
 }

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/dto/converters/ProductDtoToProductConverter.java

@@ -38,6 +38,7 @@ public Product convertProductDtoToProduct(ProductDto productDto) {
 				product.setCategoryName(productDto.getCategoryDto().getCategoryName());
 			product.setImgName(productDto.getImgName());
 			product.setDescription(productDto.getDescription());
+			product.setGuid(productDto.getGuid());
 		}
 		return product;
 	}
@@ -60,6 +61,7 @@ private ProductDto convertProductToProductDto(Product product) {
 		productDto.setProductName(product.getProductName());
 		productDto.setImgName(product.getImgName());
 		productDto.setDescription(product.getDescription());
+		productDto.setGuid(product.getGuid());
 		return productDto;
 	}
 

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/enteties/Product.java

@@ -27,4 +27,8 @@ public interface Product extends Serializable {
 	void setDescription(String description);
 
 	String getDescription();
+
+	void setGuid(String guid);
+
+	String getGuid();
 }

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/enteties/impl/ComparableProduct.java

@@ -10,6 +10,7 @@ public class ComparableProduct implements Product, Comparable<Product> {
 	private double price;
 	private String imgName;
 	private String description;
+	private String guid;
 
 	public ComparableProduct() {
 	}
@@ -92,4 +93,14 @@ public String getDescription() {
 		return this.description;
 	}
 
+	@Override
+	public void setGuid(String guid) {
+		this.guid = guid;
+	}
+
+	@Override
+	public String getGuid() {
+		return this.guid;
+	}
+
 }

Diff for: online-store.persistence/src/main/java/com/itbulls/learnit/onlinestore/persistence/enteties/impl/DefaultProduct.java

@@ -10,6 +10,7 @@ public class DefaultProduct implements Product {
 	private double price;
 	private String imgName;
 	private String description;
+	private String guid;
 
 	public DefaultProduct() {
 	}
@@ -82,4 +83,14 @@ public String getDescription() {
 	public void setDescription(String description) {
 		this.description = description;
 	}
+
+	@Override
+	public void setGuid(String guid) {
+		this.guid = guid;
+	}
+
+	@Override
+	public String getGuid() {
+		return this.guid;
+	}
 }

Diff for: online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/controllers/EditProfileServlet.java

@@ -0,0 +1,95 @@
+package com.itbulls.learnit.onlinestore.web.controllers;
+
+import java.io.IOException;
+import java.util.ResourceBundle;
+
+import com.itbulls.learnit.onlinestore.core.facades.UserFacade;
+import com.itbulls.learnit.onlinestore.core.facades.impl.DefaultUserFacade;
+import com.itbulls.learnit.onlinestore.core.services.Validator;
+import com.itbulls.learnit.onlinestore.core.services.impl.PasswordValidator;
+import com.itbulls.learnit.onlinestore.persistence.enteties.User;
+import com.itbulls.learnit.onlinestore.web.Configurations;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/edit-profile")
+public class EditProfileServlet extends HttpServlet {
+	private UserFacade userFacade = DefaultUserFacade.getInstance();
+	private Validator passValidator = PasswordValidator.getInstance();
+	private ResourceBundle rb = ResourceBundle.getBundle(Configurations.RESOURCE_BUNDLE_BASE_NAME);
+	
+	
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// TODO - if not logged in - then redirect to the sign in
+		User loggedInUser = (User)request.getSession().getAttribute(SignInServlet.LOGGED_IN_USER_ATTR);
+		
+		if (loggedInUser == null) {
+			String baseUrl = request.getScheme()
+				      + "://"
+				      + request.getServerName()
+				      + ":"
+				      + request.getServerPort()
+				      + request.getServletContext().getContextPath();
+			response.sendRedirect(baseUrl + "/signin");
+			
+		} else {
+			request.getRequestDispatcher(Configurations.VIEWS_PATH_RESOLVER + "editProfile.jsp").forward(request, response);
+		}
+		
+		
+	}
+
+	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		String baseUrl = request.getScheme()
+			      + "://"
+			      + request.getServerName()
+			      + ":"
+			      + request.getServerPort()
+			      + request.getServletContext().getContextPath();
+		
+		User loggedInUser = (User)request.getSession().getAttribute(SignInServlet.LOGGED_IN_USER_ATTR);
+		// need to do this to extract latest state of the user
+		User user = userFacade.getUserById(loggedInUser.getId());
+		user.setFirstName(request.getParameter("firstName"));
+		user.setLastName(request.getParameter("lastName"));
+		String emailParameter = request.getParameter("email");
+		user.setEmail(emailParameter);
+		String newPasswordParameter = request.getParameter("newPassword");
+		if (newPasswordParameter != null && !newPasswordParameter.isEmpty()) {
+			user.setPassword(newPasswordParameter);
+		}
+		
+		
+		User userByEmail = userFacade.getUserByEmail(user.getEmail());
+		
+		if (userByEmail != null && !emailParameter.equals(loggedInUser.getEmail())) {
+			request.getSession().setAttribute("errMsg", rb.getString("signup.err.msg.email.exists"));
+			response.sendRedirect(baseUrl + "/edit-profile");
+			return;
+		}
+		
+		System.out.println(request.getParameter("password").equals(loggedInUser.getPassword()));
+		System.out.println(loggedInUser.getPassword());
+		
+		if (!request.getParameter("password").equals(loggedInUser.getPassword())) {
+			request.getSession().setAttribute("errMsg", rb.getString("signup.err.msg.old.password.wrong"));
+			response.sendRedirect(baseUrl + "/edit-profile");
+			return;
+		}
+		
+		if (newPasswordParameter != null && !newPasswordParameter.isEmpty() && !passValidator.isValid(user.getPassword())) {
+			request.getSession().setAttribute("errMsg", rb.getString("signup.err.msg.special.character"));
+			response.sendRedirect(baseUrl + "/edit-profile");
+			return;
+		}
+	
+		
+		userFacade.updateUser(user);
+		response.sendRedirect(baseUrl + "/my-profile");
+	}
+
+}

Diff for: online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/bac/problem/GetPictureServlet.java

@@ -0,0 +1,26 @@
+package com.itbulls.learnit.onlinestore.web.owasp.bac.problem;
+
+import jakarta.servlet.http.HttpServlet;
+import java.io.IOException;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/get-pic")
+public class GetPictureServlet extends HttpServlet {
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		String picName = request.getParameter("name");
+		if (picName != null && !picName.isBlank()) {
+			request.getRequestDispatcher("images/" + picName).forward(request, response);
+		}
+		
+		/*
+		 * Validations can be bypassed:
+		 * - instead of ../ I can use %2e%2e%2f
+		 * - instead of validation of file extension, I can pass null byte
+		 * 
+		 */
+		
+	}
+}

Diff for: online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/bac/problem/UserProfileServlet.java

@@ -0,0 +1,45 @@
+package com.itbulls.learnit.onlinestore.web.owasp.bac.problem;
+
+import jakarta.servlet.http.HttpServlet;
+import java.io.IOException;
+import java.util.List;
+
+import com.itbulls.learnit.onlinestore.core.facades.UserFacade;
+import com.itbulls.learnit.onlinestore.core.facades.impl.DefaultUserFacade;
+import com.itbulls.learnit.onlinestore.persistence.enteties.User;
+import com.itbulls.learnit.onlinestore.web.Configurations;
+import com.itbulls.learnit.onlinestore.web.controllers.SignInServlet;
+import com.itbulls.learnit.onlinestore.web.filters.PartnerCodeFilter;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/user-profile")
+public class UserProfileServlet extends HttpServlet {
+
+	private UserFacade userFacade = DefaultUserFacade.getInstance();
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+			throws ServletException, IOException {
+		String stringId = request.getParameter("id");
+		if (stringId != null && !stringId.isBlank()) {
+			User user = userFacade.getUserById(Integer.valueOf(stringId));
+			
+			String baseUrl = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort()
+					+ request.getServletContext().getContextPath();
+			String partnerLink = baseUrl + "?" + PartnerCodeFilter.PARTNER_CODE_PARAMETER_NAME + "="
+					+ user.getPartnerCode();
+			List<User> referrals = userFacade.getReferralsForUser(user);
+			request.setAttribute(SignInServlet.LOGGED_IN_USER_ATTR, user);
+			request.setAttribute("referrals", referrals);
+			request.setAttribute("partnerLink", partnerLink);
+			request.getRequestDispatcher(Configurations.VIEWS_PATH_RESOLVER + "/myProfile.jsp").forward(request,
+					response);
+		} else {
+			request.getRequestDispatcher(Configurations.VIEWS_PATH_RESOLVER + "/signin.jsp").forward(request, response);
+		}
+
+	}
+}

Diff for: online-store.web/src/main/java/com/itbulls/learnit/onlinestore/web/owasp/bac/solution/GetPictureServlet.java

@@ -0,0 +1,54 @@
+package com.itbulls.learnit.onlinestore.web.owasp.bac.solution;
+
+import jakarta.servlet.http.HttpServlet;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebServlet("/get-pic-solution")
+public class GetPictureServlet extends HttpServlet {
+	
+	private List<String> imageNames = new ArrayList<>();
+	
+	
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		populateImageNames();
+		
+		String picName = request.getParameter("name");
+		if (picName != null && !picName.isBlank()) {
+			if (imageNames.contains(picName)) {
+				request.getRequestDispatcher("images/" + picName).forward(request, response);
+			} else {
+				response.getWriter().println("No picutre with such name is available.");
+			}
+		}
+	}
+
+
+	private void populateImageNames() throws MalformedURLException {
+		ServletContext context = getServletContext();
+		URL imagesUrl = context.getResource("/images");
+		try {
+			Path imagesPath = Paths.get(imagesUrl.toURI());
+			File f = imagesPath.toFile();
+			Arrays.stream(f.listFiles()).forEach(image -> imageNames.add(image.getName()));
+		} catch (URISyntaxException e) {
+			e.printStackTrace();
+		}
+	}
+}