Pen testing staging 2025

examples/bash/.environment

@@ -0,0 +1 @@
+.environment-fu-test

examples/bash/.environment-dr-test

@@ -0,0 +1,11 @@
+idp_url="https://auth.forms-staging.cdssandbox.xyz"
+api_url="https://api.forms-staging.cdssandbox.xyz"
+project_id=275372254274006635
+
+json_key_file="cmfmmallr0001x00113h7f9bt_private_api_key.json"
+if [ -z "$json_key_file" ]; then
+  echo "Private key file not found.  Please make sure it is in the script directory and ends with '_private_api_key.json'"
+  exit 1
+fi
+
+form_id="$(jq -r '.formId' "$json_key_file")"

examples/bash/.environment-fu-test

@@ -0,0 +1,11 @@
+idp_url="https://auth.forms-staging.cdssandbox.xyz"
+api_url="https://api.forms-staging.cdssandbox.xyz"
+project_id=275372254274006635
+
+json_key_file="cmfpf1r2k0000l40c7bh6prk0_private_api_key.json"
+if [ -z "$json_key_file" ]; then
+  echo "Private key file not found.  Please make sure it is in the script directory and ends with '_private_api_key.json'"
+  exit 1
+fi
+
+form_id="$(jq -r '.formId' "$json_key_file")"

examples/bash/.environment-fu-test-dos

@@ -0,0 +1,11 @@
+idp_url="https://auth.forms-staging.cdssandbox.xyz"
+api_url="https://api.forms-staging.cdssandbox.xyz"
+project_id=275372254274006635
+
+json_key_file="cmgqm283l0002x001ex4arv1b_private_api_key.json"
+if [ -z "$json_key_file" ]; then
+  echo "Private key file not found.  Please make sure it is in the script directory and ends with '_private_api_key.json'"
+  exit 1
+fi
+
+form_id="$(jq -r '.formId' "$json_key_file")"

examples/bash/no_confirm_retrieve_save_form_submissions.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+set -euo pipefail
+
+truncate_string() {
+    local str="$1"
+    local maxlen=2000
+
+    if [ ${#str} -gt "2000" ]; then
+        echo "${str:0:2000}..."
+    else
+        echo "$str"
+    fi
+}
+
+echo -e "\nGenerating access token..."
+
+access_token=$(./get_access_token.sh)
+
+echo -e "\nRetrieving form template...\n";
+
+form_template=$(./get_form_template.sh "$access_token")
+
+echo $(truncate_string "$form_template")
+
+echo -e "\nRetrieving new form submissions..."
+
+new_form_submissions=$(./get_new_form_submissions.sh "$access_token")
+
+count=0
+
+if [ "$(echo "$new_form_submissions" | jq 'length')" -eq 0 ]; then
+    echo -e "\nCould not find any new form submission!"
+else
+    count=$((count+1))
+    echo -e "\nNew form submissions:"
+    echo "$new_form_submissions" | jq -r '[.[].name] | join(", ")'
+
+    echo -e "\nRetrieving, decrypting and confirming form submissions..."
+
+    echo "$new_form_submissions" | jq -r '.[].name' | while IFS= read -r new_form_submission_name; do
+        echo -e "\nProcessing $new_form_submission_name...\n"
+
+        echo "Retrieving encrypted submission..."
+
+        encrypted_form_submission=$(./get_form_submission.sh "$access_token" "$new_form_submission_name")
+
+        echo -e "\nEncrypted submission:"
+        echo $(truncate_string $(echo "$encrypted_form_submission" | jq -r '.encryptedResponses'))
+
+        echo -e "\nDecrypting submission..."
+
+        decrypted_form_submission=$(./decrypt_form_submission.sh "$encrypted_form_submission")
+
+        echo -e "\nDecrypted submission:"
+        echo $(truncate_string "$decrypted_form_submission")
+
+        echo -e "\nVerifying submission integrity...\n"
+
+        answers=$(echo $decrypted_form_submission | jq -r '.answers')
+        checksum=$(echo $decrypted_form_submission | jq -r '.checksum')
+        confirmation_code=$(echo $decrypted_form_submission | jq -r '.confirmationCode')
+
+        echo $(./validate_form_submission.sh "$answers" "$checksum")
+
+        mkdir -p "$new_form_submission_name"
+
+        echo -e "\nSaving submission answers..."
+
+        echo "$answers" > "$new_form_submission_name/answers.json"
+
+        list_of_attachments=$(echo "$decrypted_form_submission" | jq -c '.attachments[]?')
+
+        if [ ! -z "$list_of_attachments" ]; then
+          echo -e "\nSaving submission attachments...\n"
+
+          echo "$list_of_attachments" | while IFS= read -r attachment; do
+            file_name=$(echo "$attachment" | jq -r '.name')
+            download_link=$(echo "$attachment" | jq -r '.downloadLink')
+            is_potentially_malicious=$(echo "$attachment" | jq -r '.isPotentiallyMalicious')
+
+            curl -vsSL "$download_link" -o "$new_form_submission_name/$file_name"
+
+            msg="Submission attachment '$file_name' has been saved"
+            if [ "$is_potentially_malicious" = true ]; then
+                msg="$msg (flagged as potentially malicious)"
+            fi
+            echo "$msg"
+          done
+        fi
+
+        echo -e "\nSubmission saved in folder named '${new_form_submission_name}'"
+
+        #echo -e "\nConfirming submission..."
+
+        #./confirm_form_submission.sh "$access_token" "$new_form_submission_name" "$confirmation_code" > /dev/null
+
+        #echo -e "\nSubmission confirmed"
+
+        #read -n 1 -s -r -p $'\n=> Press any key to continue processing form submissions or Ctrl-C to exit' </dev/tty
+        #echo
+    done
+fi
+
+echo "Retrieved $count submissions"

src/openapi/openapi-auth-staging.json

@@ -0,0 +1,58 @@
+{
+    "openapi":"3.0.3",
+    "info": {
+      "title":"Forms Data Retrieval Authentication API",
+      "version":"1.0"
+    },
+    "servers": [
+        {
+            "url":"https://auth.forms-staging.cdssandbox.xyz"
+        }
+    ],
+    "components": {
+    },
+    "paths": {
+        "/oauth/v2/token": {
+            "post": {
+                "description": "",
+                "parameters": [],
+                "requestBody": {
+                    "required": true,
+                    "content": {
+                        "application/x-www-form-urlencoded": {
+                            "schema": {
+                                "type": "object",
+                                "properties": {
+                                    "grant_type": {
+                                        "type": "string"
+                                    },
+                                    "assertion": {
+                                        "type": "string"
+                                    },
+                                    "scope": {
+                                        "type": "string"
+                                    }
+                                },
+                                "required": [
+                                    "grant_type",
+                                    "assertion",
+                                    "scope"
+                                ],
+                                "example": {
+                                    "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                                    "assertion": "ewogICAgImFsZyI6ICJSUzI1NiIsCiAgICAia2lkIjogIjMzODQwMzY4MTk5NTA2OTU5OCIKICB9.ewogICAgImlzcyI6ICIzMzg0MDM2ODEzMDcyMDM3NDIiLAogICAgInN1YiI6ICIzMzg0MDM2ODEzMDcyMDM3NDIiLAogICAgImF1ZCI6ICJodHRwczovL2F1dGguZm9ybXMtc3RhZ2luZy5jZHNzYW5kYm94Lnh5eiIsCiAgICAiaWF0IjogMTc1ODg5ODc1OCwKICAgICJleHAiOiAxNzU4ODk4ODE4CiAgfQ.rA5KtWjrdfNij8VQ1nSqF1iRlWtD6chxnmbi17pPMwTofMhYqzG6OdukH4r1YSs02YW3gOgtjlF6rZdcAyD1UMm6H9OnnKyChPccmMqkzGVKxngkCr1b5dQRB448b7qiY750sajQAhA1Hyn3qjmS1X8v228fNpzzrPMNCxNPES_Nh7ZTUjIY1xUuKFXpzevLmJiMsKlS7NCP3ISCJDXBl76Mfw41uRbhUPznTYwcDK2IE2UdB1HZKwSwKrDfhL_Q4_-wto4fJSmuk6BCCf5niLpa0EYMVukaTXH_rLxfH4G_sQVkqAyjz8q_nT3IEyzlvpwgwyT2FEv5rYhKVAVD-g",
+                                    "scope": "openid profile urn:zitadel:iam:org:project:id:275372254274006635:aud"
+                                }
+                            }
+                        }
+                    }
+                },
+                "responses": {
+                    "200": {
+                        "description": "OK"
+                    }
+                }
+            }
+        }
+    }
+}