Initial commit

security-test-helper.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+##
+# Security Testing Helper Script
+# For manual testing from references/MANUAL_SECURITY_TESTING_CHECKLIST.md
+##
+
+set -e
+
+echo "=== Security Testing Helper ==="
+echo ""
+
+# Function to show current sessions
+show_sessions() {
+    echo "Current active sessions:"
+    mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 <<EOF
+SELECT
+    id,
+    user_id,
+    ip_address,
+    last_activity,
+    FROM_UNIXTIME(last_activity) as last_active_time
+FROM sessions
+WHERE last_activity > UNIX_TIMESTAMP(DATE_SUB(NOW(), INTERVAL 2 HOUR))
+ORDER BY last_activity DESC
+LIMIT 10;
+EOF
+}
+
+# Function to show session data
+show_session_data() {
+    local session_id=$1
+    echo "Session data for: $session_id"
+    mysql -u timebank_cc_dev -p'zea2A8sd{QA,9^pS*2^@Xcltuk.vgV' timebank_cc_2 <<EOF
+SELECT
+    id,
+    user_id,
+    payload
+FROM sessions
+WHERE id = '$session_id';
+EOF
+}
+
+# Function to manipulate session
+manipulate_session() {
+    local session_id=$1
+    local new_profile_id=$2
+    local new_profile_type=$3
+
+    echo "Manipulating session: $session_id"
+    echo "  Setting activeProfileId to: $new_profile_id"
+    echo "  Setting activeProfileType to: $new_profile_type"
+
+    php artisan tinker --execute="
+        \$session = DB::table('sessions')->where('id', '$session_id')->first();
+        if (!\$session) {
+            echo 'Session not found';
+            exit(1);
+        }
+
+        // Decode payload
+        \$payload = unserialize(base64_decode(\$session->payload));
+
+        echo 'Current session data:' . PHP_EOL;
+        echo '  activeProfileId: ' . (\$payload['activeProfileId'] ?? 'NOT SET') . PHP_EOL;
+        echo '  activeProfileType: ' . (\$payload['activeProfileType'] ?? 'NOT SET') . PHP_EOL;
+
+        // Modify
+        \$payload['activeProfileId'] = $new_profile_id;
+        \$payload['activeProfileType'] = '$new_profile_type';
+
+        // Encode and save
+        \$newPayload = base64_encode(serialize(\$payload));
+        DB::table('sessions')->where('id', '$session_id')->update(['payload' => \$newPayload]);
+
+        echo PHP_EOL . 'Session updated!' . PHP_EOL;
+        echo '  NEW activeProfileId: $new_profile_id' . PHP_EOL;
+        echo '  NEW activeProfileType: $new_profile_type' . PHP_EOL;
+    "
+}
+
+# Main menu
+echo "What would you like to do?"
+echo "1) Show current sessions"
+echo "2) Show session data"
+echo "3) Manipulate session (change activeProfileId/Type)"
+echo ""
+read -p "Enter choice (1-3): " choice
+
+case $choice in
+    1)
+        show_sessions
+        ;;
+    2)
+        read -p "Enter session ID: " session_id
+        show_session_data "$session_id"
+        ;;
+    3)
+        read -p "Enter session ID: " session_id
+        read -p "Enter new profile ID: " profile_id
+        echo "Profile types:"
+        echo "  1) App\\Models\\User"
+        echo "  2) App\\Models\\Organization"
+        echo "  3) App\\Models\\Bank"
+        echo "  4) App\\Models\\Admin"
+        read -p "Enter profile type (1-4): " type_choice
+
+        case $type_choice in
+            1) profile_type="App\\\\Models\\\\User" ;;
+            2) profile_type="App\\\\Models\\\\Organization" ;;
+            3) profile_type="App\\\\Models\\\\Bank" ;;
+            4) profile_type="App\\\\Models\\\\Admin" ;;
+            *) echo "Invalid choice"; exit 1 ;;
+        esac
+
+        manipulate_session "$session_id" "$profile_id" "$profile_type"
+        echo ""
+        echo "Now refresh your browser to see the changes!"
+        ;;
+    *)
+        echo "Invalid choice"
+        exit 1
+        ;;
+esac