Example of insecure Blazor code and how to fix it.

TPS Report Uploader

A demonstration of how to exploit and fix vulnerabilities in a .NET 8 Blazor application that I originally presented at Edmonton .NET User Group (EDMUG) in December 2023.

The TPS Report Uploader is a mini capture the flag (CTF). Your goal is to get all the TPS reports for Simar. There is a detailed text walkthrough that is similar to my in-person presentation, and also a video walkthrough.

Setup

To run the application you need the .NET 8 SDK installed. To complete the walkthrough you need the following tools:

  • Burp Suite (with Blazor Traffic Processor extension)
  • GoBuster or Docker (more below)

All the tools above have free versions that are sufficient for this demo.

Application

Since this is a demo about fixing vulnerabilities, it is recommended to run the TPS Report Uploader application from an IDE (e.g. Rider, Visual Studio, or Visual Studio Code). That way you can find each vulnerability and fix it on the fly.

The steps to get the app running in development are:

  1. Install the .NET 8 SDK and the Entity Framework Core 8 command-line tools (dotnet ef).
  2. Clone the repo.
  3. Open SaturdayMP.Examples.TpsReportUploader.sln in your IDE of choice.
  4. If running on Windows, update the SQLite database path in appsettings.json from DataSource=Data/app.db;Cache=Shared to DataSource=Data\\app.db;Cache=Shared.
  5. Create the DB: dotnet ef database update.
  6. Run the application.

The first time you run the application it will create the SQLite database at the path in the connection string (Data/app.db). It will also create the wwwroot/uploads and processed_reports folders and fill them with example TPS reports. You can see the seed logic in Data/SeedData.cs.

To reset the DB and files:

  1. Delete the SQLite DB.
  2. Run dotnet ef database update to recreate the database.
  3. Run the app. The initialization will re-seed the database, then delete and recreate the wwwroot/uploads and processed_reports folders.
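The reset steps above as a small POSIX shell script. This is an added example, not a script from the repo: the file and folder names (Data/app.db, wwwroot/uploads, processed_reports) come from this README, while the project-directory argument, the removal of SQLite's -wal/-shm sidecar files, and the assumption that dotnet ef and dotnet run are invoked from the directory containing the project are mine.

```shell
#!/usr/bin/env sh
# Added example (not part of the TPS Report Uploader repo): wipe the demo's
# SQLite database and seeded report folders, recreate the schema with EF, and
# run the app so Data/SeedData.cs re-seeds everything.
set -eu

# Remove the SQLite DB (and any -wal/-shm sidecar files SQLite may leave next to
# it) plus the folders the app generates at startup. Argument: project directory.
tps_clean_state() {
    dir="$1"
    for f in "$dir/Data/app.db" "$dir/Data/app.db-wal" "$dir/Data/app.db-shm"; do
        if [ -f "$f" ]; then
            rm -f "$f"
            echo "removed $f"
        fi
    done
    # The app deletes and recreates these on its own; removing them here just
    # makes the reset explicit and catches stale files if the app never starts.
    for d in "$dir/wwwroot/uploads" "$dir/processed_reports"; do
        if [ -d "$d" ]; then
            rm -rf "$d"
            echo "removed $d/"
        fi
    done
}

# Full reset: clean, recreate the database with EF Core, then run the app so
# the startup seed logic repopulates the DB and the report folders.
# Assumes the commands run from the directory containing the project (assumption).
tps_reset() {
    dir="$1"
    command -v dotnet >/dev/null 2>&1 || { echo "dotnet SDK not found" >&2; return 1; }
    tps_clean_state "$dir"
    (cd "$dir" && dotnet ef database update && dotnet run)
}

# Usage (from the project directory):  sh reset.sh .
[ "${1-}" = "" ] || tps_reset "$1"
```

On Windows, adjust the Data path to match the backslash form used in appsettings.json, or run the script from a Unix-style shell such as Git Bash.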

Burp Suite

You can download Burp Suite Community Edition here. You don't need to enter an email address, just click the "Go straight to downloads" link.

After you have Burp Suite installed you need to install the Blazor extension. The easiest way from Burp Suite is:

  1. Click Extensions->BApp Store.
  2. Search for Blazor Traffic Processor and install it.

GoBuster

If you have Docker installed then GoBuster can be run using Docker Compose (docker-compose.yml):

docker compose run --rm gobuster

The first time you run the above command it will pull the GoBuster Docker image. Future runs will use the cached image. Note: --rm removes the GoBuster container after each run; if you want the container to persist between runs, omit --rm.

You can also install GoBuster using the various ways outlined in the Easy Install section on their README.

Feedback

If you spot an issue, an improvement, or constructive criticism please open an issue or pull request.

Acknowledgements

Thank you to EDMUG for the opportunity to present. Also thank you to those involved in creating Office Space and TPS reports.