Merge branch 'feature/add-auth-to-ws-20241111' into development
webpwnized committed Nov 18, 2024
2 parents 6e1ba05 + f80dabc commit d2207fc
Showing 6 changed files with 292 additions and 26 deletions.
10 changes: 10 additions & 0 deletions src/includes/main-menu.php
@@ -716,6 +716,11 @@
Documentation
</a>
</li>
<li>
<a href="./webservices/rest/ws-login.php">
Login
</a>
</li>
<li>
<a href="./webservices/rest/ws-test-connectivity.php">
Test Connectivity
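Review bot: the new REST menu entry is labelled only "Login" while the service it points to is documented as the "WS Login Service" elsewhere in this change; a label such as "Login (ws-login)" would keep users from confusing it with the application's own login page. The `<li>` is closed correctly and the href follows the same relative-path pattern as the neighbouring entries.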
@@ -749,6 +754,11 @@
Documentation
</a>
</li>
<li>
<a href="./webservices/soap/ws-login.php">
Login
</a>
</li>
<li>
<a href="">Test Pages</a>
<ul>
1 change: 1 addition & 0 deletions src/set-up-database.php
@@ -229,6 +229,7 @@ function format($pMessage, $pLevel) {
("CHook", "JollyRoger", "Gator-hater", false, "Captain", "Hook", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
("james", "i<3devs", "Occupation: Researcher", false, "James", "Jardine", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
("ed", "pentest", "Commandline KungFu anyone?", false, "Ed", "Skoudis", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
("joe", "holly", "Off by one error", false, "Joe", "Holly", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
("peter", "initech123", "I dont like my job", false, "Peter", "Gibbons", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
("milton", "stapler", "Wheres my stapler?", false, "Milton", "Waddams", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
("bill", "tpsreports", "Did you get the memo?", true, "Bill", "Lumbergh", "' . bin2hex(random_bytes(16)) . '", "' . bin2hex(random_bytes(32)) . '"),
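Review bot: the new "joe"/"holly" row follows the surrounding pattern of generating client_id and client_secret at set-up time with bin2hex(random_bytes(16)) and bin2hex(random_bytes(32)), so these credentials are different on every install; the documentation added in this same change quotes fixed example values, so the docs should tell readers to look up the seeded values rather than copy the examples. The lowercase username and password match the updated deleteUser examples in ws-user-account.html.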
114 changes: 106 additions & 8 deletions src/webservices/soap/docs/soap-services.html
@@ -29,12 +29,22 @@
a:hover {
text-decoration: underline;
}
.note {
.note, .auth-note {
background-color: #e7f3fe;
border-left: 6px solid #2196F3;
margin: 1rem 0;
padding: 1rem;
}
code {
background-color: #f4f4f4;
padding: 0.2rem 0.4rem;
font-size: 0.9rem;
}
pre {
background-color: #f4f4f4;
padding: 1rem;
overflow-x: auto;
}
</style>
</head>
<body>
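Review bot: the new `code` rule sets a background and padding but, unlike the `code` rule in ws-login.html added in this same change, no monospace font-family, so inline code will render differently on the two documentation pages; consider sharing one stylesheet between them.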
@@ -52,17 +62,105 @@ <h2>Available SOAP Services</h2>
<li><a href="ws-echo.html">WS Echo Service</a> - A simple echo service to test message transmission.</li>
<li><a href="ws-test-connectivity.html">WS Test Connectivity Service</a> - Verifies connectivity with the API.</li>
<li><a href="ws-user-account.html">WS User Account Service</a> - Manages user accounts (CRUD operations).</li>
<li><a href="ws-login.html">WS Login Service</a> - Authenticates clients and returns a JWT for further requests.</li>
</ul>

<h2>Understanding Security Levels and Authentication</h2>
<p>This system has multiple security levels that affect access to the web services:</p>
<ul>
<li><strong>Security Level 0</strong> - No authentication required. You can send requests without any additional headers or tokens.</li>
<li><strong>Security Level 1 or Higher</strong> - Authentication with a JWT token is required for all services except <code>ws-login</code>. You must obtain a JWT token by logging in through the <code>ws-login</code> endpoint using your <code>client_id</code> and <code>client_secret</code>.</li>
</ul>

<div class="auth-note">
<strong>Important:</strong> At security level 1 or higher, you must include a JWT token in the <code>Authorization</code> header for each request. Without a valid token, you will receive a <code>401 Unauthorized</code> error.
</div>

<h2>Step-by-Step Guide to Using JWT Authentication</h2>
<ol>
<li>
<strong>Log In to Obtain a JWT Token:</strong>
Send a POST request to the <a href="ws-login.html">WS Login Service</a> using your <code>client_id</code> and <code>client_secret</code> to authenticate. If successful, the response will include a JWT token.
<p><strong>Example (curl):</strong></p>
<pre><code>curl -X POST http://mutillidae.localhost/webservices/soap/ws-login.php \
-H "Content-Type: text/xml" \
--data "&lt;soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' \
xmlns:urn='urn:ws-login'&gt;
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:login&gt;
&lt;client_id&gt;your-client-id&lt;/client_id&gt;
&lt;client_secret&gt;your-client-secret&lt;/client_secret&gt;
&lt;audience&gt;target-audience-url&lt;/audience&gt;
&lt;/urn:login&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;"</code></pre>
<p>The response will include a token in the format:</p>
<pre><code>{
"access_token": "your-jwt-token-here",
"token_type": "bearer",
"expires_in": 3600,
"timestamp": "2024-11-17T19:30:00Z"
}</code></pre>
</li>

<li>
<strong>Save the Token:</strong> Copy the JWT token from the response and store it securely. You will need to include it in the Authorization header of each authenticated request.
</li>

<li>
<strong>Include the Token in Requests:</strong> When calling any authenticated endpoint, include the token in the Authorization header using the format <code>Bearer &lt;your-token&gt;</code>.
</li>

<h3>Examples of Making Authenticated Requests</h3>
<h4>Using curl</h4>
<p>Below is an example of an authenticated request using <code>curl</code>:</p>
<pre><code>curl -X POST http://mutillidae.localhost/webservices/soap/ws-user-account.php \
-H "Content-Type: text/xml" \
-H "Authorization: Bearer &lt;your-token&gt;" \
--data "&lt;soapenv:Envelope xmlns:soapenv='http://schemas.xmlsoap.org/soap/envelope/' \
xmlns:urn='urn:ws-user-account'&gt;
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:getUser&gt;
&lt;username&gt;john&lt;/username&gt;
&lt;/urn:getUser&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;"</code></pre>

<h4>Using Burp Suite</h4>
<p>To send an authenticated request in Burp Suite:</p>
<ol>
<li>Open <strong>Burp Suite</strong> and navigate to the <strong>Repeater</strong> tab.</li>
<li>Enter the URL in the Request line, such as:
<pre><code>POST /webservices/soap/ws-user-account.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: text/xml
Authorization: Bearer your-jwt-token-here</code></pre>
</li>
<li>In the <strong>Headers</strong> section, ensure the Authorization header is included:
<pre><code>Authorization: Bearer your-jwt-token-here</code></pre>
</li>
<li>Click <strong>Send</strong> to submit the request. If the token is valid, you will receive a successful response from the server.</li>
</ol>
</ol>

<h2>How to Use the Services</h2>
<p>Each service page provides:</p>
<ul>
<li>An overview of the service functionality.</li>
<li>Examples of requests using Burp Repeater and <code>curl</code>.</li>
<li>Details about the expected response from the service.</li>
<li>Troubleshooting tips in case of issues.</li>
</ul>

<h2>How to Use This Documentation</h2>
<p>Each service documentation page provides:</p>
<h2>Troubleshooting Common Issues</h2>
<ul>
<li>A description of the service and its purpose.</li>
<li>Supported SOAP methods with example requests and responses.</li>
<li>Step-by-step guides for interacting with the service using Burp Repeater and <code>curl</code>.</li>
<li>Troubleshooting tips for common issues.</li>
<li><strong>401 Unauthorized:</strong> Make sure your request includes a valid JWT token in the <code>Authorization</code> header. If you haven't obtained a token yet, refer to the "Log In to Obtain a JWT Token" section.</li>
<li><strong>400 Bad Request:</strong> Verify that your request follows the correct SOAP structure and all required parameters are included. Missing or incorrectly formatted parameters can cause this error.</li>
<li><strong>500 Internal Server Error:</strong> This usually indicates a server-side issue. Check the SOAP response for detailed error messages and ensure the server is functioning correctly.</li>
</ul>

<p>If you encounter any issues or have questions, feel free to reach out to your instructor or refer to the troubleshooting sections in the individual documentation pages.</p>
<p>If you encounter other issues, please consult the documentation or contact support for assistance.</p>
</body>
</html>
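Review bot: the "Troubleshooting Common Issues" heading is inserted between the existing `<p>Each service documentation page provides:</p>` and its `<ul>`, so the old bullets ("A description of the service and its purpose.", "Supported SOAP methods with example requests and responses.", ...) now appear under the troubleshooting heading and "How to Use This Documentation" is left with a dangling paragraph; either drop that old section, which duplicates "How to Use the Services" just above, or move the new heading below the closing `</ul>`. Two further points: from "Examples of Making Authenticated Requests" onward the `<h3>`, `<h4>`, `<p>` and `<pre>` elements are direct children of the step `<ol>` opened at the start of the guide (headings are not valid `<ol>` children), so the list should be closed after step 3; and the login response is shown here as JSON (`"access_token": "your-jwt-token-here"`) while ws-login.html in the same change documents an XML `<response>` document, so one of the two is wrong. The two closing paragraphs at the end of the body also say the same thing and could be merged.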
154 changes: 154 additions & 0 deletions src/webservices/soap/docs/ws-login.html
@@ -0,0 +1,154 @@


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>SOAP WS Login Service Documentation</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #f5f5f5;
padding: 2rem;
}
h1, h2 {
color: #2c3e50;
}
pre {
background-color: #ecf0f1;
padding: 1rem;
border-radius: 5px;
overflow-x: auto;
}
code {
font-family: Consolas, "Courier New", monospace;
}
ul {
line-height: 1.8;
}
.note {
background-color: #e7f3fe;
border-left: 6px solid #2196F3;
margin: 1rem 0;
padding: 1rem;
}
</style>
</head>
<body>
<h1>SOAP WS Login Service Documentation</h1>
<p>The <strong>SOAP WS Login Service</strong> allows clients to authenticate using their <code>client_id</code> and <code>client_secret</code>, receiving a JSON Web Token (JWT) for further interaction with secured services.</p>

<h2>Endpoint</h2>
<pre><code>POST /webservices/soap/ws-login.php</code></pre>

<h2>Request Parameters</h2>
<ul>
<li><b>client_id</b> (string, required): A 32-character unique identifier for the client.</li>
<li><b>client_secret</b> (string, required): A 64-character secret associated with the client ID.</li>
<li><b>audience</b> (string, required): The intended audience for the token, typically the endpoint you want to access.</li>
</ul>

<h2>Example Request Using Burp Repeater</h2>
<p>Here’s how to send a SOAP request to the login service using Burp Repeater:</p>
<pre><code>POST /webservices/soap/ws-login.php HTTP/1.1
Host: mutillidae.localhost
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:ws-login#login"
Content-Length: [length]
Connection: close

&lt;soapenv:Envelope xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot;
xmlns:urn=&quot;urn:ws-login&quot;&gt;
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:login&gt;
&lt;client_id&gt;fb975a0e0248994221b3a6e87ba92fe9&lt;/client_id&gt;
&lt;client_secret&gt;f1d10934f1525ebfdf0b08a2413a3a3f683eaae3913489c786e496e403ab7bff&lt;/client_secret&gt;
&lt;audience&gt;http://mutillidae.localhost/webservices/soap/ws-user-account.php&lt;/audience&gt;
&lt;/urn:login&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;</code></pre>

<p><strong>Instructions:</strong></p>
<ol>
<li>Open Burp Suite and navigate to the Repeater tab.</li>
<li>Copy the above request and paste it into the Repeater window.</li>
<li>Update the <code>Content-Length</code> header to match the byte size of the body.</li>
<li>Click <strong>Send</strong> to see the response.</li>
</ol>

<h2>Example Request Using <code>curl</code></h2>
<p>If you prefer using the command line, here’s how to send the same request with <code>curl</code>:</p>
<pre><code>
curl -X POST "http://mutillidae.localhost/webservices/soap/ws-login.php" \
-H "Content-Type: text/xml; charset=utf-8" \
-H "SOAPAction: "urn:ws-login#login"" \
--data '&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;soapenv:Envelope xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:urn=&quot;urn:ws-login&quot;&gt;
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:login&gt;
&lt;client_id&gt;fb975a0e0248994221b3a6e87ba92fe9&lt;/client_id&gt;
&lt;client_secret&gt;f1d10934f1525ebfdf0b08a2413a3a3f683eaae3913489c786e496e403ab7bff&lt;/client_secret&gt;
&lt;audience&gt;http://mutillidae.localhost/webservices/soap/ws-user-account.php&lt;/audience&gt;
&lt;/urn:login&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;'</code></pre>

<p><strong>Instructions:</strong></p>
<ol>
<li>Open a terminal or command prompt.</li>
<li>Copy and paste the above <code>curl</code> command.</li>
<li>Replace <code>fb975a0e0248994221b3a6e87ba92fe9</code> and <code>f1d10934f1525ebfdf0b08a2413a3a3f683eaae3913489c786e496e403ab7bff</code> with valid values.</li>
<li>Press <strong>Enter</strong> to send the request and view the response.</li>
</ol>

<h2>Expected Response</h2>
<p>Upon successful authentication, the server will respond with a JWT token:</p>
<pre><code>&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;response&gt;
&lt;access_token&gt;your-jwt-token&lt;/access_token&gt;
&lt;token_type&gt;bearer&lt;/token_type&gt;
&lt;expires_in&gt;3600&lt;/expires_in&gt;
&lt;timestamp&gt;2024-11-18T12:00:00Z&lt;/timestamp&gt;
&lt;/response&gt;</code></pre>

<h2>Using the JWT Token in Subsequent Requests</h2>
<p>After obtaining the token, include it in the <code>Authorization</code> header for future SOAP or REST requests. For example:</p>

<h3>Example Using curl</h3>
<p>To call an authenticated endpoint, such as <code>ws-user-account</code>:</p>
<pre><code>
curl -X POST "http://mutillidae.localhost/webservices/soap/ws-user-account.php" \
-H "Content-Type: text/xml; charset=utf-8" \
-H "SOAPAction: "urn:ws-user-account#getUser"" \
-H "Authorization: Bearer your-jwt-token" \
--data '&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;soapenv:Envelope xmlns:soapenv=&quot;http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:urn=&quot;urn:ws-user-account&quot;&gt;
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:getUser&gt;
&lt;username&gt;some-user&lt;/username&gt;
&lt;/urn:getUser&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;'</code></pre>

<h3>Example Using Burp Repeater</h3>
<p>To include the token in Burp Suite:</p>
<ol>
<li>Paste the token in the <code>Authorization</code> header of your request:</li>
<pre><code>Authorization: Bearer your-jwt-token</code></pre>
<li>Send the request to a secured endpoint.</li>
</ol>

<div class="note">
<strong>Troubleshooting Tips:</strong>
<ul>
<li>Ensure the <code>SOAPAction</code> header matches the registered action for the service.</li>
<li>Check for proper XML formatting and valid <code>client_id</code> and <code>client_secret</code> values.</li>
<li>If authentication fails, verify the <code>audience</code> matches a valid endpoint.</li>
</ul>
</div>
</body>
</html>
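Review bot: both curl examples pass the SOAPAction header as `-H "SOAPAction: "urn:ws-login#login""` (and `"urn:ws-user-account#getUser"`), which the shell parses as three concatenated strings and sends as `SOAPAction: urn:ws-login#login` without the surrounding quotes that the Burp Repeater request shows; use single quotes outside, `-H 'SOAPAction: "urn:ws-login#login"'`, so both examples send the same header. Also: the Burp instructions never say to replace the fixed client_id/client_secret values, which cannot match the randomly generated secrets seeded by set-up-database.php (the curl instructions do say so); the expected response is XML here but JSON in soap-services.html; in "Example Using Burp Repeater" the `<pre>` block is a direct child of the `<ol>` rather than inside an `<li>`; and the two `<pre><code>` blocks for curl open with a newline, which renders as an empty first line.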
8 changes: 4 additions & 4 deletions src/webservices/soap/docs/ws-user-account.html
@@ -181,8 +181,8 @@ <h4>Burp Repeater Request:</h4>
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:deleteUser&gt;
&lt;username&gt;Joe&lt;/username&gt;
&lt;password&gt;Holly&lt;/password&gt;
&lt;username&gt;joe&lt;/username&gt;
&lt;password&gt;holly&lt;/password&gt;
&lt;/urn:deleteUser&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;
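Review bot: the example now uses the lowercase joe/holly credentials that set-up-database.php seeds in this same change, which fixes the mismatch; since deleteUser removes that seeded account, it would help to tell readers that the example only works once per database set-up.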
@@ -197,8 +197,8 @@ <h4>curl Command:</h4>
&lt;soapenv:Header/&gt;
&lt;soapenv:Body&gt;
&lt;urn:deleteUser&gt;
&lt;username&gt;Joe&lt;/username&gt;
&lt;password&gt;Holly&lt;/password&gt;
&lt;username&gt;joe&lt;/username&gt;
&lt;password&gt;holly&lt;/password&gt;
&lt;/urn:deleteUser&gt;
&lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;"