| 1 | #!/bin/bash |
| 2 | # 16 - Business Logic & Race Conditions |
| 3 | # Race conditions use `hey` (tight concurrency) with curl fallback (higher jitter) |
| 4 | # HTTP/1.1, HTTP/2, and HTTP/3 protocol variants included |
| 5 | |
| 6 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" |
| 7 | source "$SCRIPT_DIR/../config.sh" |
| 8 | OUT_FILE="$OUT/16_business_logic.txt" |
| 9 | echo "=== 16. Business Logic ===" | tee "$OUT_FILE" |
| 10 | echo "" | tee -a "$OUT_FILE" |
| 11 | |
| 12 | W() { printf '%s' "$1" | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))"; } |
| 13 | |
| 14 | # โโ 1. Race Condition โ Parallel Key Generation โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ |
| 15 | echo "--- Race Condition: Parallel Key Generation ---" | tee -a "$OUT_FILE" |
| 16 | RACE_URL="$API_TARGET/generate-keys" |
| 17 | RACE_BODY='{"algorithm":"classical"}' |
| 18 | |
| 19 | if command -v hey >/dev/null 2>&1; then |
| 20 | echo " Using hey for tight concurrency (50 requests, 50 concurrent)..." | tee -a "$OUT_FILE" |
| 21 | HEY_OUT=$(hey -n 50 -c 50 -m POST \ |
| 22 | -H 'Content-Type: application/json' \ |
| 23 | -d "$RACE_BODY" \ |
| 24 | -t 15 "$RACE_URL" 2>&1) |
| 25 | echo "$HEY_OUT" | grep -E '(Status|Responses|Requests/sec|200|429|500)' | sed 's/^/ /' | tee -a "$OUT_FILE" |
| 26 | # Check for duplicate keys (all 200 with same response = race vuln) |
| 27 | UNIQUE=$(echo "$HEY_OUT" | grep -c '"key"' || true) |
| 28 | echo " hey summary complete" | tee -a "$OUT_FILE" |
| 29 | else |
| 30 | echo " hey not found โ using curl & (higher jitter, less reliable for race detection)" | tee -a "$OUT_FILE" |
| 31 | TMPDIR_RACE=$(mktemp -d) |
| 32 | for i in $(seq 1 20); do |
| 33 | curl -sk -o "$TMPDIR_RACE/r$i.txt" -w '%{http_code}' --max-time 10 \ |
| 34 | --http2 -X POST -H 'Content-Type: application/json' \ |
| 35 | -d "$RACE_BODY" "$RACE_URL" > "$TMPDIR_RACE/c$i.txt" 2>/dev/null & |
| 36 | done |
| 37 | wait |
| 38 | declare -A RCODES |
| 39 | for i in $(seq 1 20); do |
| 40 | CODE=$(cat "$TMPDIR_RACE/c$i.txt" 2>/dev/null || echo "?") |
| 41 | RCODES[$CODE]=$((${RCODES[$CODE]:-0}+1)) |
| 42 | done |
| 43 | for CODE in "${!RCODES[@]}"; do |
| 44 | echo " HTTP $CODE: ${RCODES[$CODE]}x" | tee -a "$OUT_FILE" |
| 45 | done |
| 46 | rm -rf "$TMPDIR_RACE" |
| 47 | fi |
| 48 | echo "" | tee -a "$OUT_FILE" |
| 49 | |
| 50 | # โโ 2. Race Condition โ Parallel Encrypt (quota/credit abuse) โโโโโโโโโโโโโโโโโ |
| 51 | echo "--- Race Condition: Simultaneous Encrypt (quota bypass) ---" | tee -a "$OUT_FILE" |
| 52 | ENC_URL="$API_TARGET/encrypt" |
| 53 | ENC_BODY='{"data":"race_test","algorithm":"classical"}' |
| 54 | if command -v hey >/dev/null 2>&1; then |
| 55 | HEY_ENC=$(hey -n 100 -c 100 -m POST \ |
| 56 | -H 'Content-Type: application/json' \ |
| 57 | -d "$ENC_BODY" -t 15 "$ENC_URL" 2>&1) |
| 58 | echo "$HEY_ENC" | grep -E '(Status|200|429|500|Requests/sec)' | sed 's/^/ /' | tee -a "$OUT_FILE" |
| 59 | else |
| 60 | declare -A ECODES |
| 61 | for i in $(seq 1 20); do |
| 62 | CODE=$(curl -sk -o /dev/null -w '%{http_code}' --http2 --max-time 10 \ |
| 63 | -X POST -H 'Content-Type: application/json' \ |
| 64 | -d "$ENC_BODY" "$ENC_URL" 2>/dev/null) & |
| 65 | ECODES[$CODE]=$((${ECODES[$CODE]:-0}+1)) |
| 66 | done |
| 67 | wait |
| 68 | for CODE in "${!ECODES[@]}"; do echo " HTTP $CODE: ${ECODES[$CODE]}x" | tee -a "$OUT_FILE"; done |
| 69 | fi |
| 70 | echo "" | tee -a "$OUT_FILE" |
| 71 | |
| 72 | # โโ 3. Negative / Boundary Values โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ |
| 73 | echo "--- Negative / Boundary Values ---" | tee -a "$OUT_FILE" |
| 74 | for VAL in '-1' '0' '2147483648' '-2147483649' '9999999999999999999' 'null' '"Infinity"' '"NaN"' '1e308' '-1e308'; do |
| 75 | CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 8 \ |
| 76 | -X POST -H 'Content-Type: application/json' \ |
| 77 | -d "{\"data\":\"test\",\"algorithm\":\"classical\",\"size\":$VAL}" \ |
| 78 | "$API_TARGET/encrypt") |
| 79 | echo " [$CODE] size=$VAL" | tee -a "$OUT_FILE" |
| 80 | done |
| 81 | echo "" | tee -a "$OUT_FILE" |
| 82 | |
| 83 | # โโ 4. State Machine Bypass โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ |
| 84 | echo "--- State Machine Bypass ---" | tee -a "$OUT_FILE" |
| 85 | # Decrypt without encrypt (should fail cleanly) |
| 86 | CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 10 \ |
| 87 | -X POST -H 'Content-Type: application/json' \ |
| 88 | -d '{"data":"dGVzdA==","algorithm":"classical","step":"decrypt"}' \ |
| 89 | "$API_TARGET/decrypt") |
| 90 | echo " [$CODE] Decrypt-without-encrypt (expect 400/401/422)" | tee -a "$OUT_FILE" |
| 91 | |
| 92 | # Skip steps โ batch decrypt with no prior session |
| 93 | CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 10 \ |
| 94 | -X POST -H 'Content-Type: application/json' \ |
| 95 | -d '{"data":"dGVzdA==","algorithm":"classical","skip_validation":"true"}' \ |
| 96 | "$API_TARGET/decrypt") |
| 97 | echo " [$CODE] skip_validation flag (expect 400/401/403)" | tee -a "$OUT_FILE" |
| 98 | echo "" | tee -a "$OUT_FILE" |
| 99 | |
| 100 | # โโ 5. Integer / Type Confusion โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ |
| 101 | echo "--- Type Confusion ---" | tee -a "$OUT_FILE" |
| 102 | TYPE_PAYLOADS=( |
| 103 | '{"data":12345,"algorithm":"classical"}' |
| 104 | '{"data":true,"algorithm":"classical"}' |
| 105 | '{"data":[],"algorithm":"classical"}' |
| 106 | '{"data":{},"algorithm":"classical"}' |
| 107 | '{"data":"test","algorithm":9999}' |
| 108 | '{"data":"test","algorithm":null}' |
| 109 | '{"data":"test","algorithm":["classical","post-quantum"]}' |
| 110 | ) |
| 111 | for P in "${TYPE_PAYLOADS[@]}"; do |
| 112 | CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 8 \ |
| 113 | -X POST -H 'Content-Type: application/json' -d "$P" "$API_TARGET/encrypt") |
| 114 | echo " [$CODE] $P" | tee -a "$OUT_FILE" |
| 115 | done |
| 116 | echo "" | tee -a "$OUT_FILE" |
| 117 | |
| 118 | # โโ 6. HTTP Protocol Variant โ Business Logic Consistency โโโโโโโโโโโโโโโโโโโโโ |
| 119 | echo "--- Protocol Consistency (same logic over HTTP/1.1, HTTP/2) ---" | tee -a "$OUT_FILE" |
| 120 | for PROTO_FLAG in "--http1.1" "--http2"; do |
| 121 | CODE=$(curl -sk $PROTO_FLAG -o /dev/null -w '%{http_code}' --max-time 10 \ |
| 122 | -X POST -H 'Content-Type: application/json' \ |
| 123 | -d '{"data":"test","algorithm":"INVALID_ALGO_XYZ"}' \ |
| 124 | "$API_TARGET/encrypt") |
| 125 | echo " [$CODE] Invalid algo via $PROTO_FLAG (should be 400 on both)" | tee -a "$OUT_FILE" |
| 126 | done |
| 127 | echo "" | tee -a "$OUT_FILE" |
| 128 | |
| 129 | echo "=== 16. Business Logic COMPLETE ===" | tee -a "$OUT_FILE" |
| 130 |
Script Viewer
Red Team Suite › 16_business_logic.sh