add feature

.student_resources/SQL_Injection/README.md

@@ -8,9 +8,9 @@ A SQL injection attack consists of inserting or "injecting" SQL code via the inp
 
 1. In any form, try known SQL injections.
 
-    - `105 OR 1=1`
-    - `" OR ""="`
-    - `105; DROP TABLE users`
+   - `105 OR 1=1`
+   - `" OR ""="`
+   - `105; DROP TABLE users`
 
 ```SQL
 --You need to force:
@@ -25,7 +25,7 @@ SELECT * FROM users WHERE username = '105' OR 1=1 AND password = '105' OR 1=1;
 ## How to countermeasure this vulnerability
 
 - Regular [code reviews](../security_testing_approaches/README.md#Code_review)
-- Avoid languages like PHP
+- Update backend languages (most versions of PHP are vulnerable)
 - Implement an [API](..\flask_safe_API\README.md) with built-in security as the interface to the SQL database
 - Implement [Defensive data handling](../defensive_data_handling/README.md).
 - Require authentication before accepting any form of input

.student_resources/invalid_forward_and_redirect/README.md

@@ -0,0 +1,25 @@
+# Invalid Forward and Redirect
+
+Invalid (or unvalidated) forwards and redirects are a form of user controlled input where a web application accepts untrusted input that could cause the web application to redirect. Because the domain name in the modified link is identical to the trusted domain name, phishing attempts may have a more trustworthy appearance.
+
+This vulnerability is often combined with a CSRF, man in the middle or a website spoofing as a more complex threat vector.
+
+```http
+https://www.trustedwebsite.com/examples/example.php?url=http://malicious.com
+```
+
+| Protocol | subdomain | domain             | path     | endpoint     | parameters               |
+| -------- | --------- | ------------------ | -------- | ------------ | ------------------------ |
+| https    | www       | trustedwebsite.com | examples | example.html | url=http://malicious.com |
+
+## How to penetrate test for this vulnerability
+
+1. Look for forms collecting URL's that are rendered on the front end, enter a malicious URL and see if validates and renders.
+2. Look for frontend URL, path or endpoint parameter passing and construct a URL to an untrusted domain and test if the site will redirect.
+
+## How to countermeasure this vulnerability
+
+1. Code review
+2. Explicitly declare URL in the backend code and do not allow URLS to be manipulated by input.
+3. Validate inputs, if a form requires URL's use regular expressions to explicitly define the URL specifications (HTTPS, subdomains, domains, paths and endpoints were possible) and exclusions ( >, <, ?, etc). This is particularly important if the input will be rendered on the front end or processed in the backend.
+4. Update backend languages (early versions of asp.net are vulnerable)

main.py

@@ -1,6 +1,7 @@
 from flask import Flask
 from flask import render_template
 from flask import request
+from flask import redirect
 import user_management as dbHandler
 
 # Code snippet for logging a message
@@ -36,6 +37,9 @@ def signup():
 @app.route("/index.html", methods=["POST", "GET", "PUT", "PATCH", "DELETE"])
 @app.route("/", methods=["POST", "GET"])
 def home():
+    if request.args.get("url"):
+        url = request.args.get("url", "")
+        return redirect(url, code=302)
     if request.method == "POST":
         username = request.form["username"]
         password = request.form["password"]

templates/layout.html

@@ -15,11 +15,11 @@
             <img src="static\images\logo.svg" alt="The unsecure website logo." />
             <h1>The Unsecure PWA</h1>
             <ul class="topnav">
-                <li><a href="index.html">Home</a></li>
-                <li><a href="signup.html">Signup</a></li>
+                <li><a href="/">Home</a></li>
+                <li><a href="?url=/signup.html">Signup</a></li>
                 {% if state %}
-                    <li><a href="success.html">Success</a></li>
-                    <li><a href="index.html">Logout</a></li>
+                    <li><a href="?url=/success.html">Success</a></li>
+                    <li><a href="/">Logout</a></li>
                 {% endif %}
             </ul>
         </nav>