Add flaw 2: weak hashing
This commit is contained in:
parent
e8f671d66e
commit
0d8bedf002
2 changed files with 21 additions and 4 deletions
17
README.md
|
@ -18,8 +18,8 @@ I am using the basic Django template, so no instructions are included.
|
||||||
FLAW 1:
|
FLAW 1:
|
||||||
> ADD EXACT SOURCE LINK
|
> ADD EXACT SOURCE LINK
|
||||||
|
|
||||||
(Broken Access Control) Right now, the notes are identified and deleted with a simple sequential ID.
|
(Broken Access Control) Right now, the notes are identified and deleted with a simple sequential ID, with no ownership or permission checks.
|
||||||
This makes it trivial for a logged in user to delete notes from other users.
|
This makes it trivial for any logged in user to delete notes from other users.
|
||||||
The malicious user simply needs to edit the client-side URL of their POST request.
|
The malicious user simply needs to edit the client-side URL of their POST request.
|
||||||
|
|
||||||
The issue can easily be fixed by adding the commented out ownership check before deleting a note.
|
The issue can easily be fixed by adding the commented out ownership check before deleting a note.
|
||||||
|
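Review bot: the `> ADD EXACT SOURCE LINK` placeholder under FLAW 1 is carried through this hunk unchanged, so the README still points nowhere for the vulnerable delete code; fill it with the link to the delete view before merging. A wording point on "The malicious user simply needs to edit the client-side URL of their POST request": what the attacker changes is the note ID in the delete request, so "change the note ID in the delete request to one belonging to another user" states the attack more precisely and ties it to the "no ownership or permission checks" phrase added just above.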
@ -30,7 +30,16 @@ belongs to the logged in user.
|
||||||
FLAW 2:
|
FLAW 2:
|
||||||
> ADD EXACT SOURCE LINK
|
> ADD EXACT SOURCE LINK
|
||||||
|
|
||||||
Cryptographic Failure (Weak/No password hashing)
|
(Cryptographic Failures) The current settings for the application has unsalted MD5 as the password hashing algorithm.
|
||||||
|
This in insecure for several reasons.
|
||||||
|
MD5 is considered broken for cryptographic purposes, and has been for years, because modern hardware can check guessed passwords too quickly.
|
||||||
|
This is made worse by the lack of a salt (a unique random string added to each users password before hashing), because all users with the same password will have the same hash.
|
||||||
|
With these settings, the hashing is so broken that you can type the hash for a weak password (See also flaws 3 and 4) into a search engine and get the password!
|
||||||
|
|
||||||
|
The fix is to use a secure hashing algorithm, like PBKDF2 or Argon2 (both with the appropriate parameters).
|
||||||
|
This will make the hashes much harder to break for any reasonably strong password.
|
||||||
|
The algorithms mentioned above have been commented out in the code.
|
||||||
|
If users already exist with weakly hashed passwords, a more complicated migration (re-hash on login or storing hashes of the MD5 hashes) is needed.
|
||||||
|
|
||||||
FLAW 3:
|
FLAW 3:
|
||||||
> ADD EXACT SOURCE LINK
|
> ADD EXACT SOURCE LINK
|
||||||
|
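Review bot: two typos in the new FLAW 2 text: "The current settings for the application has unsalted MD5" should read "have", and "This in insecure for several reasons" should read "This is insecure". The reason given for MD5 being broken conflates two things: MD5's known cryptographic weaknesses are collision attacks, while the problem for password storage is that any fast hash, MD5 included, lets an attacker test enormous numbers of guesses per second; the second point is the relevant one here and is the one the sentence should make. On the last paragraph, the migration is less complicated than described for Django: if the strong hasher is placed first in PASSWORD_HASHERS and UnsaltedMD5PasswordHasher is left at the end of the list, Django verifies old hashes with the old hasher and re-hashes the password on the next successful login, which is the "re-hash on login" option named here; the "hashes of the MD5 hashes" option corresponds to wrapping the old hash in the stronger hasher, which is the approach Django's documentation describes for upgrading without waiting for a login. Saying so would make this guidance match the settings change in this commit. The `> ADD EXACT SOURCE LINK` placeholder is also still unfilled.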
@ -50,4 +59,4 @@ These checks are implemented in the commented out code, and would significantly
|
||||||
FLAW 5:
|
FLAW 5:
|
||||||
> ADD EXACT SOURCE LINK
|
> ADD EXACT SOURCE LINK
|
||||||
|
|
||||||
CSRF (No CSRF token for Delete)
|
Misconfiguration
|
||||||
|
|
|
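Review bot: the FLAW 5 description "CSRF (No CSRF token for Delete)" is replaced with the single word "Misconfiguration", which drops the explanation of what the flaw is and is unrelated to this commit's stated purpose ("Add flaw 2: weak hashing"); either restore a one-line description of what is misconfigured or move this change to its own commit. The `> ADD EXACT SOURCE LINK` placeholder under FLAW 5 is unchanged here too.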
@ -103,6 +103,14 @@ AUTH_PASSWORD_VALIDATORS = [
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
|
|
||||||
|
PASSWORD_HASHERS = [
|
||||||
|
# FLAW 2:
|
||||||
|
# Changing to one of the far safer hashing algorithms commented out below would fix the issue
|
||||||
|
# 'django.contrib.auth.hashers.Argon2PasswordHasher',
|
||||||
|
# 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
|
||||||
|
'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
|
||||||
|
]
|
||||||
|
|
||||||
|
|
||||||
# Internationalization
|
# Internationalization
|
||||||
# https://docs.djangoproject.com/en/3.2/topics/i18n/
|
# https://docs.djangoproject.com/en/3.2/topics/i18n/
|
||||||
|
|
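Review bot: the fix comment above the commented-out hashers should state two things a reader needs in order to actually apply it: `'django.contrib.auth.hashers.Argon2PasswordHasher'` only works if the argon2-cffi package is installed (`pip install django[argon2]`), and the safe fix is to add the strong hasher at the top of the list while leaving `'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher'` at the end rather than replacing it, so existing users can still log in and Django upgrades their stored hash on the next successful login. It is also worth a comment that PBKDF2PasswordHasher is Django's default, so this PASSWORD_HASHERS block exists only to introduce the weakness and deleting the block entirely is an equally valid fix.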