Update Postman collections and add documentation

.gitignore

@@ -75,3 +75,4 @@ _[Ss]cripts
 *.dot[Cc]over
 
 tmp/*.db
+.DS_Store

documentation-dvcsharp-book/.gitignore

@@ -1 +1,2 @@
 _book
+.DS_Store

DVCSharp-API.postman_collection.json → documentation-dvcsharp-book/DVCSharp-API.postman_collection.json

@@ -20,12 +20,11 @@
 					"raw": "{\n\t\"name\": \"Test User\",\n\t\"email\": \"[email protected]\",\n\t\"password\": \"test123\",\n\t\"passwordConfirmation\": \"test123\"\n}"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/registrations",
+					"raw": "http://{{host_and_port}}/api/registrations",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"registrations"
@@ -42,16 +41,15 @@
 				"header": [
 					{
 						"key": "Authorization",
-						"value": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoidGVzdEB0ZXN0LmNvbSIsInJvbGUiOiJVc2VyIiwiZXhwIjoxNTYzNjAzMjg0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0LmxvY2FsLyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QubG9jYWwvIn0.gwmVBsF54alL4FiS7H-7yFEKqjoDHmwH_526BbFgP8k"
+						"value": "Bearer {{token}}"
 					}
 				],
 				"url": {
-					"raw": "http://localhost:5000/api/users",
+					"raw": "http://{{host_and_port}}/api/users",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"users"
@@ -67,7 +65,7 @@
 				"header": [
 					{
 						"key": "Authorization",
-						"value": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoidGVzdEB0ZXN0LmNvbSIsInJvbGUiOiJVc2VyIiwiZXhwIjoxNTI2MzgwMzYxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0LmxvY2FsLyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QubG9jYWwvIn0.5ZejCtXrq2vZJJQQxQn2GJ9aeZ2OEi8wuuia6fAAR1Q"
+						"value": "Bearer {{token}}"
 					},
 					{
 						"key": "Content-Type",
@@ -79,12 +77,11 @@
 					"raw": "{\n\t\"name\": \"Updated User\",\n\t\"email\": \"[email protected]\",\n\t\"password\": \"newpassword\",\n\t\"passwordConfirmation\": \"newpassword\",\n\t\"role\": \"Administrator\"\n}"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/users/1",
+					"raw": "http://{{host_and_port}}api/users/1",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"users",
@@ -101,17 +98,15 @@
 				"header": [
 					{
 						"key": "Authorization",
-						"value": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoidGVzdEB0ZXN0LmNvbSIsInJvbGUiOiJVc2VyIiwiZXhwIjoxNTI2Mjg3MTMxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0LmxvY2FsLyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QubG9jYWwvIn0.5OOoWWZU26AmHlKOVgbhsQBoJVHQ0h_a0Eli6gfx5jM"
+						"value": "Bearer {{token}}"
 					}
 				],
 				"url": {
-					"raw": "http:/localhost:5000/api/users/import?url=http://ifconfig.co",
+					"raw": "http://{{host_and_port}}/api/users/import?url=http://ifconfig.co",
 					"host": [
-						"http:"
+						"{{host_and_port}}"
 					],
-					"port": "",
 					"path": [
-						"localhost:5000",
 						"api",
 						"users",
 						"import"
@@ -133,16 +128,15 @@
 				"header": [
 					{
 						"key": "Authorization",
-						"value": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoidGVzdEB0ZXN0LmNvbSIsInJvbGUiOiJVc2VyIiwiZXhwIjoxNTI2MzgwMzYxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0LmxvY2FsLyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3QubG9jYWwvIn0.5ZejCtXrq2vZJJQQxQn2GJ9aeZ2OEi8wuuia6fAAR1Q"
+						"value": "Bearer {{token}}"
 					}
 				],
 				"url": {
-					"raw": "http://localhost:5000/api/tokens/tokenInfo",
+					"raw": "http://{{host_and_port}}/api/tokens/tokenInfo",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"tokens",
@@ -156,14 +150,18 @@
 			"name": "Delete User",
 			"request": {
 				"method": "DELETE",
-				"header": [],
+				"header": [
+					{
+						"key": "Authorization",
+						"value": "Bearer {{admin_token}}"
+					}
+				],
 				"url": {
-					"raw": "http://localhost:5000/api/users/1",
+					"raw": "http://{{host_and_port}}/api/users/1",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"users",
@@ -189,12 +187,11 @@
 					"raw": "{\n\t\"email\": \"[email protected]\",\n\t\"password\": \"test123\"\n}"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/authorizations",
+					"raw": "http://{{host_and_port}}/api/authorizations",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"authorizations"
@@ -214,12 +211,11 @@
 					}
 				],
 				"url": {
-					"raw": "http://localhost:5000/api/authorizations/GetTokenSSO",
+					"raw": "http://{{host_and_port}}/api/authorizations/GetTokenSSO",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"authorizations",
@@ -244,12 +240,11 @@
 					"raw": "{\n\t\"email\": \"[email protected]\"\n}"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/passwordresets",
+					"raw": "http://{{host_and_port}}/api/passwordresets",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"passwordresets"
@@ -273,12 +268,11 @@
 					"raw": "{\n\t\"key\": \"b642b4217b34b1e8d3bd915fc65c4452\",\n\t\"password\": \"password123\",\n\t\"passwordConfirmation\": \"password123\"\n}"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/passwordresets",
+					"raw": "http://{{host_and_port}}/api/passwordresets",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"passwordresets"
@@ -298,12 +292,11 @@
 					}
 				],
 				"url": {
-					"raw": "http://localhost:5000/api/products",
+					"raw": "http://{{host_and_port}}/api/products",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"products"
@@ -323,12 +316,11 @@
 					}
 				],
 				"url": {
-					"raw": "http://localhost:5000/api/products/export",
+					"raw": "http://{{host_and_port}}/api/products/export",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"products",
@@ -349,16 +341,21 @@
 					}
 				],
 				"url": {
-					"raw": "http://localhost:5000/api/products/export",
+					"raw": "http://{{host_and_port}}/api/products/search",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"products",
-						"export"
+						"search"
+					],
+					"query": [
+						{
+							"key": "keyword",
+							"value": "test"
+						}
 					]
 				}
 			},
@@ -379,12 +376,11 @@
 					"raw": "<?xml version=\"1.0\"?>\n<Entities xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n    <Product>\n        <ID>1</ID>\n        <name>Test Product 1</name>\n        <description>Test Product Description</description>\n        <skuId>PROD-001</skuId>\n        <unitPrice>0</unitPrice>\n    </Product>\n    <Product>\n        <ID>2</ID>\n        <name>Test Product 11</name>\n        <description>Test Product Description</description>\n        <skuId>PROD-0011</skuId>\n        <unitPrice>100</unitPrice>\n    </Product>\n</Entities>"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/products/import",
+					"raw": "http://{{host_and_port}}/api/products/import",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"products",
@@ -409,12 +405,11 @@
 					"raw": "{\n\t\"name\": \"Test Product 11\",\n\t\"description\": \"Test Product Description\",\n\t\"skuId\": \"PROD-0011\",\n\t\"unitPrice\": 100\n}"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/products",
+					"raw": "http://{{host_and_port}}/api/products",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"products"
@@ -438,12 +433,11 @@
 					"raw": "<?xml version=\"1.0\"?>\n<Entities xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n    <Entity Type=\"dvcsharp_core_api.Models.Product\">\n    \t<Product>\n\t        <name>Test Product 1</name>\n\t        <description>Test Product Description</description>\n\t        <skuId>PROD-001</skuId>\n\t        <unitPrice>0</unitPrice>\n        </Product>\n    </Entity>\n    <Entity Type=\"dvcsharp_core_api.Models.Product\">\n    \t<Product>\n        \t<name>Test Product 11</name>\n        \t<description>Test Product Description</description>\n        \t<skuId>PROD-0011</skuId>\n        \t<unitPrice>100</unitPrice>\n        </Product>\n    </Entity>\n</Entities>"
 				},
 				"url": {
-					"raw": "http://localhost:5000/api/imports",
+					"raw": "http://{{host_and_port}}/api/imports",
 					"protocol": "http",
 					"host": [
-						"localhost"
+						"{{host_and_port}}"
 					],
-					"port": "5000",
 					"path": [
 						"api",
 						"imports"
@@ -453,16 +447,6 @@
 			"response": []
 		}
 	],
-	"auth": {
-		"type": "bearer",
-		"bearer": [
-			{
-				"key": "token",
-				"value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoidGVzdDFAdGVzdC5jb20iLCJyb2xlIjoiVXNlciIsImV4cCI6MTU2NDA2NDgyNCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdC5sb2NhbC8iLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0LmxvY2FsLyJ9.CblEHNbmxUYVgZhGRkon6GC4julL7WtZtKF-yIRMh1A",
-				"type": "string"
-			}
-		]
-	},
 	"event": [
 		{
 			"listen": "prerequest",
@@ -484,5 +468,11 @@
 				]
 			}
 		}
+	],
+	"variable": [
+		{
+			"key": "host_and_port",
+			"value": "localhost:5000"
+		}
 	]
-}
+}

documentation-dvcsharp-book/README.md

@@ -2,3 +2,5 @@
 
 *DVCSharp* is an intentionally vulnerable API first web application created to demonstrate and practice common vulnerabilities affecting C# based web applications written for .NET Core framework.
 
+
+Start with the file [api_usage](api_usage.md) to configure the application for use and setting up bearer tokens

documentation-dvcsharp-book/SUMMARY.md

@@ -3,6 +3,7 @@
 * [Introduction](README.md)
 * [API Usage](api_usage.md)
 * [OWASP Top 10 Mapping](OWASP-Top-10-Mapping.md)
+* [Postman Collection](DVCSharp-API.postman_collection.json)
 * Attacks
    * [SSO Cookie Authentication Bypass](attacks/sso-cookie-auth-bypass.md)
    * [Insecure JWT Usage](attacks/insecure-jwt-usage.md)

documentation-dvcsharp-book/api_usage.md

@@ -3,7 +3,12 @@
 The *DVCSharp* application supports RESTful APIs to perform various operations such as:
 
 * Register User
+    * Start here to create a user in the application.
+    * Change the membership type to Admin to create a Admin user
 * Authentication and get access token
+    * Use the info you created the account with to POST to the application in order to get a bearer token.
+    * Set the Postman environment variable to be the bearer token.
+    * Authenticate with the Admin account you created to get an Admin level token and then adding it to the Postman variable
 * Get token info
 * Update user
 * Import user
@@ -15,4 +20,4 @@ The *DVCSharp* application supports RESTful APIs to perform various operations s
 * Export products
 * Generic import entities
 
-[Download Postman Collections](data/DVCSharp_postman_v2.json)
+[Download Postman Collection](DVCSharp-API.postman_collection.json)