forked from Soham7-dev/AspGoat
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathProgram.cs
More file actions
110 lines (93 loc) · 3.19 KB
/
Program.cs
File metadata and controls
110 lines (93 loc) · 3.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
using AspGoat.Data;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation;
using AspGoat.Models;
var builder = WebApplication.CreateBuilder(args);
bool csrfLab = builder.Configuration.GetValue<bool>("csrfLab");
// Add services to the container.
builder.Services.AddControllersWithViews().AddRazorRuntimeCompilation();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(options =>
{
options.LoginPath = "/Account/Login";
options.LogoutPath = "/Account/Logout";
if (csrfLab)
{
// CSRF lab → requires HTTPS in browsers
// Vulnerable as SamSiteMode.None allows both auth and anti-csrf cookies to be included in cross site request
options.Cookie.SameSite = SameSiteMode.None;
options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
}
else
{
options.Cookie.SameSite = SameSiteMode.Lax;
options.Cookie.SecurePolicy = CookieSecurePolicy.None;
}
});
builder.Services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));
var app = builder.Build();
// Seeding fresh data into the database
using (var scope = app.Services.CreateScope())
{
var db = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
// Delete app.db if it already exists
db.Database.EnsureDeleted();
// Create app.db and rebuild the entire Schema from scratch
db.Database.EnsureCreated();
// Users
db.Users.AddRange(
new User
{
// Id will be 1 after reset
UserName = "soham",
PasswordHash = "5f4dcc3b5aa765d61d8327deb882cf99", // "password" (MD5)
Email = "soham@example.com",
LastLoginIP = "103.54.120.77",
Role = "user"
},
new User
{
// Id will be 2
UserName = "admin",
PasswordHash = "21232f297a57a5a743894a0e4a801fc3", // "admin" (MD5)
Email = "admin@example.com",
LastLoginIP = "127.0.0.1",
Role = "admin"
},
new User
{
// Id will be 3
UserName = "guest",
PasswordHash = "084e0343a0486ff05530df6c705c8bb4", // "guest" (MD5)
Email = "guest@example.com",
LastLoginIP = "45.67.88.99",
Role = "user"
}
);
db.SaveChanges();
// EmailIds
db.EmailIds.Add(new EmailId
{
// Id will be 1 after reset
Email = "abc@user.net"
});
db.SaveChanges();
}
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllerRoute(
name: "default",
pattern: "{controller=Account}/{action=Login}/{id?}");
app.Run();