Merge pull request adeyosemanputra#256 from meprajwal/master

Added dockerized lab for sensitive data exposure

Author: RupakBiswas-2304

dockerized_labs/sensitive_data_exposure/Dockerfile

@@ -0,0 +1,19 @@
+FROM python:3.9-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+# Add script to make sure migrations run properly
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 8000
+
+# Use the entrypoint script
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]

dockerized_labs/sensitive_data_exposure/README.md

@@ -0,0 +1,75 @@
+# Sensitive Data Exposure Lab
+
+Hey there! 👋 This is a standalone lab I built for "Sensitive Data Exposure" - one of the OWASP Top 10 security vulnerabilities. It's a hands-on way to learn about how data leaks happen and how to prevent them.
+
+## What's This All About?
+
+This lab demonstrates how sensitive information (like credit cards, SSNs, and API keys) can accidentally get exposed in web apps. I've deliberately built in several security flaws so you can practice finding them - it's like a security treasure hunt.
+
+## Getting Started
+
+### What You'll Need
+
+- Docker and Docker Compose (that's it!)
+
+### How to Run It
+
+Just follow these steps:
+
+1. Clone this repo
+2. CD into the project folder
+3. Fire up Docker:
+
+```bash
+docker-compose up -d
+```
+
+4. Open your browser and head to http://localhost:8000
+
+### Quick Testing
+
+Don't want to create an account? No worries! Use the demo login:
+- Username: `demo`
+- Password: `demopass`
+
+### Ugh, It's Not Working!
+
+If you hit database errors, try this:
+
+```bash
+# The nuclear option - rebuild everything
+docker-compose down
+docker-compose up --build
+
+# Or just run the migrations
+docker-compose exec web python manage.py makemigrations dataexposure
+docker-compose exec web python manage.py migrate
+```
+
+## What You'll Learn
+
+This lab will help you:
+1. Spot different ways sensitive data gets leaked
+2. Understand why proper data protection matters
+3. Learn how hackers find and exploit these issues
+4. Discover best practices for keeping sensitive data safe
+
+## The Security Flaws
+
+I've hidden several security problems for you to find (don't peek at this list until you've tried!):
+
+1. Comments in HTML with sensitive data (check the page source!)
+2. JavaScript that exposes API keys
+3. Unprotected API endpoints anyone can access
+4. Data stored in localStorage (check your browser)
+5. Partial data masking that's easy to bypass
+6. A public API that leaks EVERYONE'S data (yikes!)
+7. Missing access controls that let you see other people's info
+
+## Fair Warning ⚠️
+
+This app is INTENTIONALLY INSECURE. Don't put any real personal info in it! And definitely don't deploy it to a public server unless you want to give hackers a practice playground.
+
+---
+
+Happy hacking (ethically, of course)

dockerized_labs/sensitive_data_exposure/dataexposure/__init__.py

@@ -0,0 +1 @@
+# This file is intentionally left empty

dockerized_labs/sensitive_data_exposure/dataexposure/forms.py

@@ -0,0 +1,10 @@
+from django import forms
+from django.contrib.auth.forms import UserCreationForm
+
+class UserLoginForm(forms.Form):
+    username = forms.CharField(max_length=150)
+    password = forms.CharField(widget=forms.PasswordInput)
+
+class UserRegisterForm(UserCreationForm):
+    class Meta(UserCreationForm.Meta):
+        fields = ['username', 'password1', 'password2']

dockerized_labs/sensitive_data_exposure/dataexposure/migrations/0001_initial.py

@@ -0,0 +1,27 @@
+# Generated by Django 3.2.18 on 2025-03-27 18:10
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='UserData',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('credit_card', models.CharField(max_length=16)),
+                ('ssn', models.CharField(max_length=9)),
+                ('api_key', models.CharField(max_length=32)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

dockerized_labs/sensitive_data_exposure/dataexposure/migrations/__init__.py

@@ -0,0 +1,19 @@
+from django.db import models
+from django.contrib.auth.models import User
+
+class UserData(models.Model):
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    credit_card = models.CharField(max_length=16)  # probly should encrypt this lol
+    ssn = models.CharField(max_length=9)  # this 2, security risk!
+    api_key = models.CharField(max_length=32)  # generated on registration
+    
+    def __str__(self):
+        return f"Data for {self.user.username}"
+    
+    # TODO: add method to mask card number except last 4 digits
+    # Will do it later when have more time
+    
+    # IMPORTANT: If u see OperationalError about missing tables,
+    # run these commands manually:
+    #   python manage.py makemigrations dataexposure
+    #   python manage.py migrate

dockerized_labs/sensitive_data_exposure/dataexposure/models.py

@@ -0,0 +1,29 @@
+from django.urls import path
+from . import views
+
+urlpatterns = [
+    path('', views.index, name='index'),
+    path('about/', views.about, name='about'),
+    path('login/', views.login_view, name='login'),
+    path('register/', views.register_view, name='register'),
+    path('profile/', views.profile_view, name='profile'),
+    
+    # API endpoints demonstrating insecure data exposure (for educational purposes)
+    path('api/user-data/', views.api_data_view, name='api_data'),
+    path('api/all-users/', views.all_users_data_view, name='all_users_data'),
+    
+    path('logout/', views.logout_view, name='logout'),
+    path('lesson/', views.sensitive_data_exposure_lesson, name='lesson'),
+    
+    # TODO - additional URLs to implement:
+    # path('api/v2/user-data/', views.api_data_view_v2, name='api_data_v2'), # secure version
+    # path('settings/', views.user_settings, name='settings'),
+    # path('admin-dashboard/', views.admin_dashboard, name='admin_dashboard'),
+]
+
+# This lab intentionally contains insecure endpoints to demonstrate 
+# sensitive data exposure vulnerabilities. In a real application,
+# these endpoints would require proper authorization checks.
+
+# Note: we should probably organize these better and use routers
+# but this is fine for now

dockerized_labs/sensitive_data_exposure/dataexposure/urls.py

@@ -0,0 +1,142 @@
+from django.shortcuts import render, redirect
+from django.contrib.auth.models import User
+from django.contrib.auth.decorators import login_required
+from django.contrib.auth import authenticate, login, logout
+from django.http import JsonResponse
+from django.contrib import messages
+from .models import UserData
+from .forms import UserLoginForm, UserRegisterForm
+import random
+import string
+
+def index(request):
+    # main landing pg
+    return render(request, 'index.html')
+
+def about(request):
+    # about pg nothing special
+    return render(request, 'about.html')
+
+def login_view(request):
+    if request.method == 'POST':
+        form = UserLoginForm(request.POST)
+        if form.is_valid():
+            username = form.cleaned_data.get('username')
+            password = form.cleaned_data.get('password')
+            user = authenticate(username=username, password=password)
+            if user is not None:
+                login(request, user)
+                messages.success(request, f'Welcome back, {username}! You are now logged in.')
+                return redirect('profile')
+            else:
+                messages.error(request, 'Invalid username or password. Please try again.')
+    else:
+        form = UserLoginForm()
+    
+    return render(request, 'login.html', {'form': form})
+
+def generate_api_key():
+    # generate a random api key
+    # I should probably use a better method but this works for now
+    chars = string.ascii_lowercase + string.digits
+    return ''.join(random.choices(chars, k=16))  # 16 chars should be enough right?
+
+def register_view(request):
+    if request.method == 'POST':
+        form = UserRegisterForm(request.POST)
+        if form.is_valid():
+            username = form.cleaned_data.get('username')
+            password = form.cleaned_data.get('password1')
+            user = User.objects.create_user(username=username, password=password)
+            
+            # Creating sensitive data for the user
+            # Yeah i know this is dummy data but works for demo
+            UserData.objects.create(
+                user=user,
+                credit_card='4111111111111111',  # test visa card number lol
+                ssn='123456789',  # not a real SSN obvs
+                api_key=generate_api_key()  # not very secure api key but whatever
+            )
+            
+            messages.success(request, f'Account created for {username}! You can now log in.')
+            return redirect('login')
+    else:
+        form = UserRegisterForm()
+    
+    return render(request, 'register.html', {'form': form})
+
+@login_required
+def profile_view(request):
+    # show user profile with some data masked
+    try:
+        user_data = UserData.objects.get(user=request.user)
+        # TODO: add audit logging here someday
+    except UserData.DoesNotExist:
+        # If no user data exists, create some dummy data for demo
+        # This should never happen but just in case
+        print(f"Creating missing user data for {request.user.username}")  # debugging stuff
+        user_data = UserData.objects.create(
+            user=request.user,
+            credit_card='4111111111111111',  # test visa card number lol
+            ssn='123456789',  # not a real SSN obvs
+            api_key=generate_api_key()  # not very secure api key but whatever
+        )
+    return render(request, 'profile.html', {'user_data': user_data})
+
+@login_required
+def api_data_view(request):
+    # FIXME: this is insecure AF - just for demo purposes!!
+    # sends all user data as json - bad practice!!
+    try:
+        user_data = UserData.objects.get(user=request.user)
+    except UserData.DoesNotExist:
+        # If no user data exists, create some dummy data for demo
+        user_data = UserData.objects.create(
+            user=request.user,
+            credit_card='4111111111111111',  # test card number
+            ssn='123456789',  # demo SSN
+            api_key=generate_api_key()  # simple api key
+        )
+    
+    data = {
+        'username': request.user.username,
+        'credit_card': user_data.credit_card,
+        'ssn': user_data.ssn,
+        'api_key': user_data.api_key
+    }
+    # Intentionally exposing sensitive data through API
+    # cuz we're teaching about data exposure, duh!
+    return JsonResponse(data)
+
+# Intentionally insecure - for teaching purposes!
+def all_users_data_view(request):
+    # MAJOR SECURITY FLAW: This endpoint allows ANY user (even unauthenticated ones!)
+    # to see ALL users' sensitive data!
+    # This demonstrates why proper authentication/authorization is essential.
+    
+    # Note for students: Notice how there are no checks for who's requesting the data!
+
+    all_users_data = []
+    for user_data in UserData.objects.all():
+        all_users_data.append({
+            'username': user_data.user.username,
+            'credit_card': user_data.credit_card,  # Completely exposed! No masking!
+            'ssn': user_data.ssn,  # Sending full SSN - terrible practice!
+            'api_key': user_data.api_key  # API keys should never be exposed like this
+        })
+    
+    # In a secure application, we would add:
+    # if not request.user.is_authenticated or not request.user.is_staff:
+    #     return JsonResponse({'error': 'Unauthorized'}, status=401)
+    
+    return JsonResponse({'users': all_users_data})
+
+def logout_view(request):
+    # simple logout nothing fancy
+    logout(request)
+    messages.info(request, 'You have been logged out successfully.')
+    return redirect('index')
+
+def sensitive_data_exposure_lesson(request):
+    # lessons page
+    return render(request, 'lesson.html')

dockerized_labs/sensitive_data_exposure/dataexposure/views.py

@@ -0,0 +1,21 @@
+version: '3'
+
+services:
+  web:
+    build: .
+    ports:
+      - "8000:8000"
+    volumes:
+      - .:/app
+    command: >
+      sh -c "python manage.py makemigrations dataexposure &&
+             python manage.py migrate &&
+             python manage.py runserver 0.0.0.0:8000"
+    # hey dont forget to rebuild if u change requirements!!
+    # fixed db issues - make sure migrations run before server starts!!
+    # if still broken try: docker-compose down && docker-compose up --build
+    
+    # NOTE TO SELF: try on different port if 8000 is taken
+    # also need to implement persistant volume for db
+    # ports:
+    #   - "8001:8000"  # alternate port