Update main.go

main.go

@@ -3,21 +3,21 @@ package main
 import (
 	"database/sql"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
+	"strings"
 
 	_ "github.com/lib/pq"
 )
 
-// User represents the database structure we are querying
 type User struct {
 	ID       int
 	Username string
 	Flag     string
 }
 
-// connectDB handles the connection to Supabase/Postgres
 func connectDB() (*sql.DB, error) {
 	connStr := os.Getenv("DATABASE_URL")
 	if connStr == "" {
@@ -27,31 +27,47 @@ func connectDB() (*sql.DB, error) {
 }
 
 func main() {
-	// 1. Serve static HTML for the login page
+	// 1. Endpoint to View Source Code (Crucial for the CTF)
+	http.HandleFunc("/source", func(w http.ResponseWriter, r *http.Request) {
+		content, err := ioutil.ReadFile("main.go")
+		if err != nil {
+			http.Error(w, "Could not read source code.", http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "text/plain")
+		w.Write(content)
+	})
+
+	// 2. Login Page
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		html := `
 		<!DOCTYPE html>
 		<html>
 		<head>
-			<title>CTF Login Challenge</title>
+			<title>Secure Login System v2.0</title>
 			<link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
 		</head>
-		<body class="bg-gray-900 text-white flex items-center justify-center h-screen">
-			<div class="bg-gray-800 p-8 rounded shadow-lg w-96">
-				<h1 class="text-2xl mb-4 text-center font-bold text-red-500">RESTRICTED AREA</h1>
-				<p class="text-gray-400 mb-6 text-center text-sm">Enter admin credentials to retrieve the flag.</p>
+		<body class="bg-gray-900 text-white flex flex-col items-center justify-center h-screen">
+			<div class="bg-gray-800 p-8 rounded shadow-lg w-96 border-t-4 border-blue-500">
+				<h1 class="text-2xl mb-2 text-center font-bold text-blue-400">SECURE GATEWAY</h1>
+				<p class="text-gray-400 mb-6 text-center text-xs">Protected by GoWAF™ technology</p>
+				
 				<form action="/login" method="POST" class="space-y-4">
 					<div>
-						<label class="block text-sm font-medium">Username</label>
-						<input type="text" name="username" class="w-full p-2 bg-gray-700 rounded border border-gray-600 focus:border-red-500 outline-none" placeholder="admin">
+						<label class="block text-sm font-medium text-gray-300">Username</label>
+						<input type="text" name="username" class="w-full p-2 bg-gray-700 rounded border border-gray-600 focus:border-blue-500 outline-none" placeholder="Enter username">
 					</div>
 					<div>
-						<label class="block text-sm font-medium">Password</label>
-						<input type="password" name="password" class="w-full p-2 bg-gray-700 rounded border border-gray-600 focus:border-red-500 outline-none" placeholder="••••••">
+						<label class="block text-sm font-medium text-gray-300">Password</label>
+						<input type="password" name="password" class="w-full p-2 bg-gray-700 rounded border border-gray-600 focus:border-blue-500 outline-none" placeholder="••••••">
 					</div>
-					<button type="submit" class="w-full bg-red-600 hover:bg-red-700 text-white font-bold py-2 px-4 rounded transition">ACCESS SYSTEM</button>
+					<button type="submit" class="w-full bg-blue-600 hover:bg-blue-700 text-white font-bold py-2 px-4 rounded transition">AUTHENTICATE</button>
 				</form>
-				<div class="mt-4 text-xs text-gray-600 text-center">System Version: 1.0.0-VULN</div>
+				
+				<div class="mt-6 border-t border-gray-700 pt-4 text-center">
+					<p class="text-xs text-gray-500">Developers only:</p>
+					<a href="/source" class="text-sm text-blue-400 hover:underline">View Source Code</a>
+				</div>
 			</div>
 		</body>
 		</html>
@@ -60,7 +76,7 @@ func main() {
 		w.Write([]byte(html))
 	})
 
-	// 2. The Vulnerable Login Endpoint
+	// 3. The Hardened (but still vulnerable) Login Endpoint
 	http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodPost {
 			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
@@ -70,6 +86,29 @@ func main() {
 		username := r.FormValue("username")
 		password := r.FormValue("password")
 
+		// --- CHALLENGE PART 1: HEADER CHECK ---
+		// The student must read the code to realize they need to change their User-Agent.
+		ua := r.Header.Get("User-Agent")
+		if ua != "Secure-CTF-Browser/1.0" {
+			http.Error(w, "Security Alert: Browser not authorized. Please use 'Secure-CTF-Browser/1.0'", http.StatusForbidden)
+			return
+		}
+
+		// --- CHALLENGE PART 2: THE TRAP ---
+		// We explicitly block "admin" to prevent simple brute forcing. 
+		// They must use SQL injection to select the admin row *without* sending "admin" as the username string.
+		if username == "admin" {
+			http.Error(w, "Direct login as 'admin' is disabled for security reasons.", http.StatusForbidden)
+			return
+		}
+
+		// --- CHALLENGE PART 3: THE WAF (Input Filtering) ---
+		// We block spaces. The student must use SQL comments (/**/) or tabs to bypass this.
+		if strings.Contains(username, " ") || strings.Contains(password, " ") {
+			http.Error(w, "WAF Detection: Spaces are not allowed in input fields.", http.StatusBadRequest)
+			return
+		}
+
 		db, err := connectDB()
 		if err != nil {
 			http.Error(w, "Database connection failed", http.StatusInternalServerError)
@@ -78,51 +117,42 @@ func main() {
 		}
 		defer db.Close()
 
-		// --- THE VULNERABILITY IS HERE ---
-		// We are directly formatting the string with user input.
-		// A user can input "' OR '1'='1" to bypass the check.
+		// --- THE VULNERABILITY ---
+		// Still using fmt.Sprintf, but now the input is heavily restricted by the checks above.
 		query := fmt.Sprintf("SELECT id, username, flag FROM users WHERE username = '%s' AND password = '%s'", username, password)
 		
-		// Log the query to the console (useful for debugging the CTF/seeing the injection)
 		log.Printf("Executing Query: %s\n", query)
 
 		var user User
-		// We use QueryRow because we expect one result for a login, but the injection might return the first row (admin)
+		// QueryRow returns the first matching row. If they inject ' OR '1'='1, it will return the first user in the DB (Admin).
 		err = db.QueryRow(query).Scan(&user.ID, &user.Username, &user.Flag)
 
 		if err != nil {
 			if err == sql.ErrNoRows {
 				w.WriteHeader(http.StatusUnauthorized)
-				w.Write([]byte(`
-					<div style="color: red; text-align: center; margin-top: 50px; font-family: monospace;">
-						<h1>ACCESS DENIED</h1>
-						<p>Invalid credentials.</p>
-						<a href="/" style="color: white;">Try Again</a>
-					</div>
-				`))
+				w.Write([]byte("Invalid credentials."))
 			} else {
 				http.Error(w, "Query error: "+err.Error(), http.StatusInternalServerError)
 			}
 			return
 		}
 
-		// If successful (or injected successfully)
+		// Success
 		w.WriteHeader(http.StatusOK)
 		fmt.Fprintf(w, `
-			<div style="color: #4ade80; text-align: center; margin-top: 50px; font-family: monospace; background: #111; padding: 20px;">
-				<h1>ACCESS GRANTED</h1>
-				<p>Welcome, %s</p>
+			<div style="font-family: monospace; background: #111; color: #4ade80; padding: 20px; text-align: center;">
+				<h1>SYSTEM BREACHED</h1>
+				<p>User: %s</p>
 				<p style="font-size: 24px; border: 1px dashed #4ade80; display: inline-block; padding: 10px;">FLAG: %s</p>
 			</div>
 		`, user.Username, user.Flag)
 	})
 
-	// Hugging Face Spaces usually serves on port 7860
 	port := os.Getenv("PORT")
 	if port == "" {
 		port = "7860"
 	}
 
-	log.Printf("CTF Challenge listening on port %s", port)
+	log.Printf("CTF Hard Mode listening on port %s", port)
 	log.Fatal(http.ListenAndServe(":"+port, nil))
 }