adding another path traversal level, changing some names, and startin…

…g in on simplifying refactors

dojo.yml

@@ -342,77 +342,3 @@ modules:
     slides: 1OER4qdFD4JjxaAhMr9axcIUk4-oNskl7LwRC7LXtqnU
 
 - id: web-security
-  name: Web Security
-  description: Exploit various web security vulnerabilities.
-  challenges:
-  - id: level-1
-    name: level1
-    description: Exploit a path traversal vulnerability
-  - id: level-2
-    name: level2
-    description: Exploit a command injection vulnerability
-  - id: level-3
-    name: level3
-    description: Exploit an authentication bypass vulnerability 
-  - id: level-4
-    name: level4
-    description: Exploit a structured query language injection vulnerability to login
-  - id: level-5
-    name: level5
-    description: Exploit a structured query language injection vulnerability to leak data
-  - id: level-6
-    name: level6
-    description: Exploit a structured query language injection vulnerability with an unknown database structure
-  - id: level-7
-    name: level7
-    description: Exploit a structured query language injection vulnerability to blindly leak data
-  - id: level-8
-    name: level8
-    description: Exploit a cross site scripting vulnerability
-  - id: level-9
-    name: level9
-    description: Exploit a cross site scripting vulnerability with more complicated context
-  - id: level-10
-    name: level10
-    description: Exploit a cross site scripting vulnerability to cause a user action
-  - id: level-11
-    name: level11
-    description: Exploit a cross site request forgery vulnerability
-  - id: level-12
-    name: level12
-    description: Exploit a cross site request forgery vulnerability where the request must POST
-  - id: level-13
-    name: level13
-    description: Exploit a cross site scripting vulnerability to exfiltrate user session data
-  - id: level-14
-    name: level14
-    description: Exploit a cross site scripting vulnerability to exfiltrate user data
-  - id: level-15
-    name: level15
-    description: Exploit a (memory corruption) stack injection vulnerability
-  resources:
-  - name: "Web Security: Introduction"
-    type: lecture
-    video: AKTYVWCi6ss
-    playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
-    slides: 1ATO_U0aUlk2LRhlnIwdqTkDfu-lWRb5xoLDv0NQLPs8
-  - name: "Web Security: Structured Query Language"
-    type: lecture
-    video: 433mRGcpHeA
-    playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
-    slides: 1KpvjoFnlC9HcUJbkg-_VASf2JETMwEZjpzO0uGSoCo4
-  - name: "Web Security: Injection"
-    type: lecture
-    video: sdStLx3_Q0M
-    playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
-    slides: 1rP8IIc_6B8Z7KpqBGxkneIzAjURRQ-YlkJV-_4dF-SM
-  - name: "Web Security: Same-Origin Policy"
-    type: lecture
-    video: b1NOCHm4t_s
-    playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
-    slides: 1KkiR8B_9xQilW_yq6W9FZ6xBN78V0S1aH1XvQfufYIk
-  - name: "Tooling Documentation"
-    type: markdown
-    content: |
-      - [python -m http.server](https://docs.python.org/library/http.server.html)
-      - [JavaScript Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch)

web-security/DESCRIPTION.md

@@ -0,0 +1,8 @@
+You have learned Linux and HTTP.
+Now, let's put these together!
+
+Web content is served up via the internet by _web servers_, and like everything else, these web servers, and the pages that they serve up, contain vulnerabilities!
+In this module, you will wrap yourself in the mysteries of the web, exploring various types of vulnerabilities that can occur.
+As you work through this module, keep in mind, these aren't theoretical curiosities: these are common, critical vulnerabilities that occur _all the time_.
+
+Now, dive in, and hack!

web-security/level-1/DESCRIPTION.md

@@ -0,0 +1,7 @@
+This level will explore the intersection of Linux path resolution, when done naively, and unexpected web requests from an attacker.
+We've implemented a simple web server for you --- it will serve up files from /challenge/files over HTTP.
+Can you trick it into giving you the flag?
+
+The webserver program is `/challenge/server`.
+You can run it just like any other challenge, then talk to it over HTTP (using a different terminal or a web browser).
+We recommend reading through its code to understand what it is doing and to find the weakness!

web-security/level-1/files/index.html

@@ -0,0 +1 @@
+Welcome to Web Security!

web-security/level-1/server

@@ -0,0 +1,24 @@
+#!/opt/pwn.college/python
+
+import flask
+import os
+
+app = flask.Flask(__name__)
+
+@app.route("/", methods=["GET", "POST"])
+@app.route("/<path:path>", methods=["GET", "POST"])
+def challenge(path="index.html"):
+    requested_path = app.root_path + "/files/" + path
+    real_path = os.path.realpath(requested_path)
+
+    try:
+        return open(requested_path).read()
+    except PermissionError:
+        flask.abort(403, real_path)
+    except FileNotFoundError:
+        flask.abort(404, real_path)
+    except Exception as e:
+        flask.abort(500, real_path + ":" + str(e))
+
+app.secret_key = open("/flag").read().strip()
+app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))

web-security/module.yml

@@ -0,0 +1,74 @@
+name: Web Security
+challenges:
+- id: level-1
+  name: Path Traversal 1
+- id: path-traversal-2
+  name: Path Traversal 2
+- id: level-2
+  name: CMDi
+  description: Exploit a command injection vulnerability
+- id: level-3
+  name: Authentication Bypass
+  description: Exploit an authentication bypass vulnerability 
+- id: level-4
+  name: SQLi 1
+  description: Exploit a structured query language injection vulnerability to login
+- id: level-5
+  name: SQLi 2
+  description: Exploit a structured query language injection vulnerability to leak data
+- id: level-6
+  name: SQLi 3
+  description: Exploit a structured query language injection vulnerability with an unknown database structure
+- id: level-7
+  name: SQLi 4
+  description: Exploit a structured query language injection vulnerability to blindly leak data
+- id: level-8
+  name: XSS 1
+  description: Exploit a cross site scripting vulnerability
+- id: level-9
+  name: XSS 2
+  description: Exploit a cross site scripting vulnerability with more complicated context
+- id: level-10
+  name: XSS 3
+  description: Exploit a cross site scripting vulnerability to cause a user action
+- id: level-11
+  name: SSRF 1
+  description: Exploit a cross site request forgery vulnerability
+- id: level-12
+  name: SSRF 2
+  description: Exploit a cross site request forgery vulnerability where the request must POST
+- id: level-13
+  name: SSRF 3
+  description: Exploit a cross site scripting vulnerability to exfiltrate user session data
+- id: level-14
+  name: SSRF 4
+  description: Exploit a cross site scripting vulnerability to exfiltrate user data
+- id: level-15
+  name: Web Pwn
+  description: Exploit a (memory corruption) stack injection vulnerability
+resources:
+- name: "Web Security: Introduction"
+  type: lecture
+  video: AKTYVWCi6ss
+  playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
+  slides: 1ATO_U0aUlk2LRhlnIwdqTkDfu-lWRb5xoLDv0NQLPs8
+- name: "Web Security: Structured Query Language"
+  type: lecture
+  video: 433mRGcpHeA
+  playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
+  slides: 1KpvjoFnlC9HcUJbkg-_VASf2JETMwEZjpzO0uGSoCo4
+- name: "Web Security: Injection"
+  type: lecture
+  video: sdStLx3_Q0M
+  playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
+  slides: 1rP8IIc_6B8Z7KpqBGxkneIzAjURRQ-YlkJV-_4dF-SM
+- name: "Web Security: Same-Origin Policy"
+  type: lecture
+  video: b1NOCHm4t_s
+  playlist: PL-ymxv0nOtqrvXLSALV5SQ5v3oyKY4DWg
+  slides: 1KkiR8B_9xQilW_yq6W9FZ6xBN78V0S1aH1XvQfufYIk
+- name: "Tooling Documentation"
+  type: markdown
+  content: |
+    - [python -m http.server](https://docs.python.org/library/http.server.html)
+    - [JavaScript Fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch)

web-security/path-traversal-2/.config

@@ -0,0 +1 @@
+1

web-security/path-traversal-2/DESCRIPTION.md

@@ -0,0 +1,3 @@
+Great job on the last level!
+This level tries to stop you from traversing the path.
+Can you still traverse it?

web-security/path-traversal-2/files/fortunes/fortune-1.txt

@@ -0,0 +1,2 @@
+You can observe a lot just by watching.
+		-- Yogi Berra

web-security/path-traversal-2/files/fortunes/fortune-2.txt

@@ -0,0 +1,2 @@
+Haste makes waste.
+		-- John Heywood

web-security/path-traversal-2/files/fortunes/fortune-3.txt

@@ -0,0 +1,2 @@
+TV is chewing gum for the eyes.
+		-- Frank Lloyd Wright

web-security/path-traversal-2/files/index.html

@@ -0,0 +1,4 @@
+You rascal! We've secured this server. You'll have to content yourself with
+<a href="fortunes/fortune-1.txt">a</a>
+<a href="fortunes/fortune-2.txt">few</a>
+<a href="fortunes/fortune-3.txt">fortunes</a>.

web-security/path-traversal-2/server

@@ -0,0 +1,24 @@
+#!/opt/pwn.college/python
+
+import flask
+import os
+
+app = flask.Flask(__name__)
+
+@app.route("/", methods=["GET", "POST"])
+@app.route("/<path:path>", methods=["GET", "POST"])
+def challenge(path="index.html"):
+    requested_path = app.root_path + "/files/" + path.strip("/.")
+    real_path = os.path.realpath(requested_path)
+
+    try:
+        return open(requested_path).read()
+    except PermissionError:
+        flask.abort(403, real_path)
+    except FileNotFoundError:
+        flask.abort(404, real_path)
+    except Exception as e:
+        flask.abort(500, real_path + ":" + str(e))
+
+app.secret_key = open("/flag").read().strip()
+app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))