Added labs

Author: alanta

2.1 Lab - Recon.md

@@ -0,0 +1,16 @@
+Let's see what we can figure out about a company, just by poking around.
+
+Visit [dnsdumpster](https://dnsdumpster.com/) and query the main domain for your company
+
+* What hosts are there? What software are they running?
+* Does any of the detected version have a vulnerability?
+  *You can google for the software and version to find known issues*
+* Can you connect to ports that you shouldn't be able to?
+* Are there any tests sites online? 
+* What cloud or hosting providers are used?
+* Where is the company e-mail hosted?
+
+Browse around the site
+* What technologies does the company use? Good sources are job openings and linkedIn profiles of employees.
+* Are there active parts on the site? What APIs do they call?
+* What CMS does the site use? Is it WordPress?

3.1 Lab - Code review.md

@@ -0,0 +1,26 @@
+# Lab - Code review
+
+Consider the following login method. Find (at least) 3 points to improve in this code
+```csharp
+public static async Task<IResult> Login([FromBody]LoginRequest model, [FromServices]Database db)  
+{  
+    // We don't store plaintext passwords in the database, obviously  
+    var hashedPassword = Users.HashPassword(model.Password);  
+    var command = new SQLiteCommand(  
+        // Use parameterized queries to prevent SQL injection  
+        "SELECT * FROM users WHERE name = @name and hashedpassword = @pw",   
+        db.Db);
+
+    command.Parameters.AddWithValue("@name", model.Name);  
+    command.Parameters.AddWithValue("@pw", hashedPassword);  
+  
+    await using (var reader = command.ExecuteReader())  
+    {        
+        while (reader.Read())  
+        {
+            return Results.Text($"User {reader["name"] as string} logged in.");  
+        }    
+    }  
+    return Results.Unauthorized();  
+}
+```

3.2 Lab - Bad API.md

@@ -0,0 +1,17 @@
+# Lab : Bad API
+
+The [BadAPI github repo](https://github.com/alanta/BadApi) demonstrates a bunch of the common OWASP issues. It also has some tests. We're going to add some more tests to validate that improved version of the code behaves correctly.
+
+The test should be an out-side-in test; simulate calling the API and verify that the response is correct. This demonstrated in the test called []()
+
+Keep in mind that good tests follow a couple of guidelines:
+* Use the Arrange / Assert / Act pattern : test only one thing at a time
+* Don't use branching logic
+* Keep the test short
+* Test names should use human readable language to express what the test is doing
+
+Assignment:
+* Pick one of the scenarios
+* Define what would be considered a _good_ response to various inputs
+* Implement these scenarios as tests
+

5.1 Lab - Caesars cipher.md

@@ -0,0 +1,42 @@
+# Lab: Caesar's cipher
+
+Use [CyberChef](https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,12)) to 'encrypt' a chunk of text, use the `ROT13` operation. (See the end of this lab for an example text)
+
+* Play around with the settings to see what changes
+* Change one or more letters in the input, what does that do to the output?
+
+## Cracking Caesars cipher
+It took 800 years before the vulnerability of this cipher was widely known and described. Let's see if we can do better!
+
+* Can you figure out how to crack it before trying the next step?
+---
+* Add a `Frequency Distribution` operation after the `ROT13` Operation.
+  *The chart show how often each value appears in the encoded text*
+* Now increase and decrease the `Amount` field, observe what happens to the frequency distribution
+
+### Explanation
+Each language has a characteristic pattern letter frequency. It may differ a bit but given enough text, the spikes will always be the same. For Dutch, the letter e is by far the most common letter.
+
+* What would be a way to improve the strength of this 'encryption'
+
+### Sample text
+
+```
+Duurzaamheid in ons dagelijks leven
+
+In de moderne wereld is duurzaamheid een steeds belangrijker onderwerp geworden. De opwarming van de aarde, de afname van biodiversiteit en de uitputting van natuurlijke hulpbronnen dwingen ons om bewuster na te denken over onze keuzes. Duurzaamheid is niet langer alleen een verantwoordelijkheid van overheden en grote bedrijven, maar ook van ons als individuen.
+
+Een van de eenvoudigste manieren om bij te dragen aan duurzaamheid is door bewuster om te gaan met energie. Door bijvoorbeeld LED-lampen te gebruiken, elektrische apparaten uit te schakelen wanneer ze niet in gebruik zijn, en gebruik te maken van hernieuwbare energiebronnen zoals zonnepanelen, kunnen we onze ecologische voetafdruk aanzienlijk verkleinen. Het verminderen van energieverspilling heeft niet alleen een positief effect op het milieu, maar ook op onze portemonnee.
+
+Daarnaast speelt het verminderen van afval een cruciale rol. Plasticvervuiling is wereldwijd een groot probleem geworden. We kunnen onze bijdrage aan dit probleem verkleinen door herbruikbare producten te gebruiken, zoals boodschappentassen, flessen en rietjes. Het scheiden van afval en het recyclen van materialen helpt ook om de afvalberg te verminderen. Bovendien kunnen we composteren om organisch afval om te zetten in nuttige voedingsstoffen voor de tuin.
+
+Een ander belangrijk aspect van duurzaamheid is bewuste consumptie. De keuzes die we maken met betrekking tot voedsel en kleding hebben een grote impact op het milieu. Door lokaal en seizoensgebonden voedsel te kopen, ondersteunen we niet alleen lokale boeren, maar verminderen we ook de CO2-uitstoot die gepaard gaat met transport. Het kiezen voor biologische producten zonder schadelijke pesticiden draagt bij aan het behoud van de biodiversiteit.
+
+Wat kleding betreft, is de zogenaamde "fast fashion"-industrie een grote vervuiler. Door te investeren in kwalitatief hoogwaardige kledingstukken die langer meegaan, tweedehands kleding te kopen, of kapotte kleding te repareren in plaats van weg te gooien, kunnen we de negatieve impact van onze kledingkeuzes verminderen.
+
+Ook mobiliteit speelt een grote rol in duurzaamheid. Door vaker de fiets te pakken, gebruik te maken van het openbaar vervoer, of elektrisch te rijden, kunnen we bijdragen aan schonere lucht en minder verkeersopstoppingen. Daarnaast is het delen van ritten via carpooling een effectieve manier om het aantal voertuigen op de weg te verminderen.
+
+Ten slotte is bewustwording en educatie essentieel. Het informeren van vrienden, familie en de gemeenschap over het belang van duurzaamheid kan leiden tot een groter collectief effect. Kleine acties van velen maken immers een groot verschil.
+
+Duurzaamheid is geen modewoord, maar een noodzaak. Door kleine veranderingen in onze dagelijkse gewoontes te maken, kunnen we een enorme impact hebben op de planeet. Samen kunnen we een meer duurzame en leefbare toekomst creëren voor onszelf en voor de generaties die nog komen.
+```

6.1 Lab - Your own CA.md

@@ -0,0 +1,34 @@
+## 1. Setup your own CA
+* Install [Step CLI](https://smallstep.com/docs/step-cli/installation/)
+> You may need to restart your terminal after installing this tool to update the path variable. If you have Chocolatey installed, you can run `refreshenv` to update the path variable.
+
+* Open a powershell terminal, preferably PowerShell 7
+* Create a new folder for this lab and cd into it.
+* Initialize your CA.
+
+>  👉️ Make sure to keep the password, we'll need it again in the next steps.
+```powershell
+step ca init --deployment-type standalone --name MyLocalDomain --dns mycompany.local --address 127.0.0.1:443 --provisioner MyCompany 
+```
+This generates a root and intermediate certificate under the `.step/certs` folder in your home directory. The corresponding keys are stored in the `.step/secrets` folder.
+
+Use [CyberChef](https://gchq.github.io/CyberChef/) to explore the certificate (_Parse X.509 Certificate_). 
+
+You should be able to see all the parts of the certificate; it's extensions, it's public key and signature.
+
+🔍️ What type of key does the certificate use?
+🔍️ What are the differences between the root and intermediate certificate?
+
+## 2. Generate leaf certificates
+
+```powershell
+step certificate create api1.localhost api1.crt api1.key `
+    --profile leaf --not-after=48h `
+    --ca ~/.step/certs/intermediate_ca.crt `
+    --ca-key ~/.step/secrets/intermediate_ca_key
+```
+
+Use [CyberChef](https://gchq.github.io/CyberChef/) to explore the leaf certificate (_Parse X.509 Certificate_). 
+
+🔍️ What are the differences between the CA certs and the leaf cert?
+

6.2 Lab - TLS.md

@@ -0,0 +1,63 @@
+
+## 1. Create a pfx file
+
+For ASP.NET it's easiest to create a PKCS#12 file from the key and the certificate chain. To build the chain, we need to include both the intermediate and the root ca cert in the file. Make sure you set a password for the output file.
+```powershell
+step certificate p12 api1.pfx api1.crt api1.key `
+  --ca ~/.step/certs/intermediate_ca.crt `
+  --ca ~/.step/certs/root_ca.crt
+```
+
+### 2. Create a server
+
+Create a new dotnet web api:
+```
+dotnet new webapi --name server
+```
+
+Edit the `appsettings.development.json` file to add the following section to instruct the built-in web server, Kestrel, to use our certificate
+```json
+"Kestrel": {
+  "Certificates": {
+    "Default": {
+       "Path": "../api1.pfx"
+     }
+   }
+}
+```
+Since we've set a password on the certificate file, we need to specify that as well.
+We're obviously NOT going to store the certificate password in source code. Instead we'll use [user secrets](https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets)
+
+Change into the folder where the server project is: `cd server`
+
+First, initialize user secrets for the project:
+```powershell
+dotnet user-secrets init
+```
+Then store the password for the certificate:
+```powershell
+dotnet user-secrets set Kestrel:Certificates:Default:Password TopSecret
+```
+Make sure you replace `TopSecret` with the password for your .pfx file.
+
+You should now be able to run the project:
+```powershell
+dotnet run --launch-profile https
+```
+
+The output shows you what port is used for HTTPS, open a browser and navigate to https://api1.localhost:PORT/weatherforecast
+
+`PORT` is different for each project you create, so you'll have to look at the console output to find the https port.
+
+Your browser will show a warning. You should be able to bypass this using the `advanced` button.  
+
+🔍️ Inspect the certificate by clicking on the lock icon.
+
+Alternatively, you can use `curl` to view the certificate:
+
+``` powershell
+curl -v https://api1.localhost:PORT/weatherforecast --insecure
+```
+
+🔍️ Why is the certificate not accepted by the browser or curl? What would be a way to resolve the issue?
+

6.3 Lab - mTLS.md

@@ -0,0 +1,153 @@
+
+Setting up mTLS with a client certificate is a bit more involved than just using a server certificate. In this lab, we'll create a client certificate and use it to authenticate the client to the server, and vice versa.
+
+## 1. Create a pfx file
+
+Go back to the CA you created earlier. Generate another certificate:
+
+```powershell
+step certificate create api1.localhost app.crt app.key `
+    --profile leaf --not-after=48h `
+    --ca ./certs/intermediate_ca.crt `
+    --ca-key ./secrets/intermediate_ca_key
+```
+
+```powershell
+step certificate p12 app.pfx api1.crt app.key `
+  --ca ~/.step/certs/intermediate_ca.crt `
+  --ca ~/.step/certs/root_ca.crt
+```
+
+### 2. Create a client application
+
+Create a new dotnet console application:
+```
+dotnet new console --name client
+```
+
+We'll use user secrets to store the password for the certificate.
+
+Change into the folder where the server project is: `cd server`
+
+First, initialize user secrets for the project:
+```powershell
+dotnet user-secrets init
+```
+Then store the password for the certificate:
+```powershell
+dotnet user-secrets set Certificates:Password TopSecret
+```
+Make sure you replace `TopSecret` with the password for your .pfx file.
+
+### 3. Load the certificate
+
+This is a simple console application so we need to setup the configuration to get the password from user secrets.
+
+Add the following packages to the project:
+```
+Microsoft.Extensions.Configuration
+Microsoft.Extensions.Configuration.Binder
+Microsoft.Extensions.Configuration.EnvironmentVariables
+Microsoft.Extensions.Configuration.Json
+Microsoft.Extensions.Configuration.UserSecrets
+```
+ 
+Then add the following code to the `Program.cs` file:
+
+```csharp
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Configuration;
+
+var configuration = new ConfigurationBuilder()
+    .SetBasePath(Directory.GetCurrentDirectory())
+    .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
+    .AddEnvironmentVariables()
+    .AddUserSecrets<Program>()
+    .Build();
+
+// configure the client to use the certificate in ../api2.pfx
+var certificateCollection = X509CertificateLoader.LoadPkcs12CollectionFromFile("path_to/app.pfx", 
+    configuration.GetValue<string>("Certificates:Password") ?? throw new InvalidOperationException("Setting Certificates:Password not found in configuration"));
+```
+
+👉️ Make sure you update the path to the certificate
+
+Now let's call the server.
+
+```csharp
+// Create an HTTP client with the certificate
+var client = new HttpClient(new HttpClientHandler
+{
+    ClientCertificateOptions = ClientCertificateOption.Manual,
+    ClientCertificates = { clientCertificate },
+})
+{
+    BaseAddress = new Uri("https://api1.localhost:7033")
+};
+
+// Call the server
+var forecast= await client.GetAsync("/weatherforecast");
+
+var content = await forecast.Content.ReadAsStringAsync();
+
+// Print the result
+Console.WriteLine(content);
+```
+
+Now, run the client application and see if you get a response from the server.
+
+🔍️ This fails. The server accepted the client certificate, but the client is not accepting the server certificate. Why is that?
+
+## 4. Accept the server certificate
+
+To accept the server certificate, we could install the root certificate in the trusted root store. However, that is not a workable solution in a production environment where certificates may be rotated frequently.
+Instead, we can use a custom certificate validation callback to accept the server certificate.
+
+Add the following code to the `Program.cs` file to get the root and intermediate certificates:
+
+```csharp
+var intermediateCaCertificate = certificateCollection.FirstOrDefault(c => c.Subject.Contains("Intermediate")) 
+  ?? throw new InvalidOperationException("Intermediate cert not found");
+var rootCaCertificate = certificateCollection.FirstOrDefault(c => c.Subject.Contains("Root")) 
+  ?? throw new InvalidOperationException("Root cert not found");
+```
+
+Then add a `ServerCertificateCustomValidationCallback` to the `HttpClientHandler` to accept the server certificate:
+
+```csharp
+    ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
+    {
+        if (errors == SslPolicyErrors.None)
+        {
+            // Basic validation passed, the server used a valid, trusted certificate
+            return true;
+        };
+
+        bool validateLocalChain = (errors == SslPolicyErrors.RemoteCertificateChainErrors
+                                   && chain!.ChainStatus.Length == 1
+                                   && chain.ChainStatus[0].Status == X509ChainStatusFlags.PartialChain);
+        
+        if (!validateLocalChain)
+        {
+            return false;
+        }
+
+        var customChain = new X509Chain();
+        // Can't do a revocation check, our CA is not online
+        customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+        // Our CA is not in the trusted root store
+        customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
+
+        // Add the intermediate and root CA to the chain policy
+        customChain.ChainPolicy.ExtraStore.Add(intermediateCaCertificate);
+        customChain.ChainPolicy.ExtraStore.Add(rootCaCertificate);
+
+        // Validate the server certificate
+        bool isValid = customChain.Build(cert!);
+
+        return isValid;
+    }
+```
+
+🔍️ Take a moment to understand what this code does.

7.1 Lab - Threat modeling.md

@@ -0,0 +1,28 @@
+How would you break into your own application?
+What’s the worst thing that can happen? 
+Is there anything you are secretly worried about? 
+How would you try to abuse your system? 
+Are there undocumented workarounds? 
+If you were an evil version of yourself, what’s the worst you could do? 
+
+## What are we working on?
+Pick a service or asset to model. 
+
+For example:
+* An API recently built
+* An older system that you worry about
+* Something more personal, like your mailbox or bank account
+## What can go wrong?
+Assess risks and potential impact
+
+* What if the service becomes unresponsive?
+* Is there sensitive data? What happens if that data is deleted or exfiltrated?
+* What can a bad actor do if he gets in?
+ 
+## What are we going to do about it?
+- Accept: decide that the business impact is acceptable, and document who has chosen to accept the risk
+- Eliminate: remove components that make the vulnerability possible
+- Mitigate: add checks or controls that reduce the risk impact, or the chances of its occurrence
+- Transfer: Transfer risk to an insurer or customer.
+
+## Did we do a good job?