
Add flaw 4: weak passwords allowed

This commit is contained in:
Vili Sinervä 2024-11-25 17:16:29 +02:00
parent 05fec8a837
commit e8f671d66e
No known key found for this signature in database
GPG key ID: DF8FEAF54EFAC996
3 changed files with 16 additions and 6 deletions


@ -40,7 +40,12 @@ SQL Injection (Unsanitized SQL query for search)
FLAW 4: FLAW 4:
> ADD EXACT SOURCE LINK > ADD EXACT SOURCE LINK
Identification and Authentication Failure (No password strength checks) (Identification and Authentication Failures) As is, the application performs no checks for weak passwords.
This makes users more vulnerable to attacks based on trying common and weak passwords, escpecially if the password database gets leaked (See also flaws 2 and 3).
The fix for this issue is to perform server-side validation on new passwords, and checking that they are reasonable.
Django includes a simple built-in validator which checks that the password has a minimum length (default 8, in this app 10), is not too similar to the username, is not a common password (20000 password list) and is not purely numeric.
These checks are implemented in the commented out code, and would significantly improve the situation.
FLAW 5: FLAW 5:
> ADD EXACT SOURCE LINK > ADD EXACT SOURCE LINK
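Review bot: the `> ADD EXACT SOURCE LINK` placeholders above FLAW 4 and FLAW 5 are still in the file, and the new paragraph has a typo ("escpecially" for "especially"); fill in the links or drop the placeholders and fix the spelling before this is merged. The sentence "checking that they are reasonable" is also vaguer than the list that follows it; stating that the fix means running Django's configured AUTH_PASSWORD_VALIDATORS server-side on every new password would tie the README to what the settings and view actually do.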


@ -99,11 +99,13 @@ def register_view(request):
# Password validation # Password validation
if password1 != password2: if password1 != password2:
errors.append("Passwords don't match.") errors.append("Passwords don't match.")
try: # FLAW 4:
validate_password(password1) # Adding some sensible password validation would fix the problem
except ValidationError as error: # try:
for message in error.messages: # validate_password(password1)
errors.append(message) # except ValidationError as error:
# for message in error.messages:
# errors.append(message)
if not errors: if not errors:
user = User.objects.create_user(username=username, password=password1) user = User.objects.create_user(username=username, password=password1)
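Review bot: the commented-out fix calls `validate_password(password1)` without the `user` argument, so the similarity-to-username check that the README credits to this code would have nothing to compare against (Django's UserAttributeSimilarityValidator skips validation when no user is supplied). When the fix is re-enabled, pass an unsaved user instance, for example `validate_password(password1, user=User(username=username))`, so all four configured validators run. In the flawed state the only remaining server-side check is `password1 != password2`, which is the intended behaviour of this commit; a one-line comment saying so next to `# FLAW 4:` would make that explicit for readers of the view.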


@ -91,6 +91,9 @@ AUTH_PASSWORD_VALIDATORS = [
}, },
{ {
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
'OPTIONS': {
'min_length': 10,
}
}, },
{ {
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator', 'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
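Review bot: raising `min_length` to 10 here only takes effect where the validators are actually invoked; AUTH_PASSWORD_VALIDATORS is applied by `validate_password` and by Django's built-in user forms, not by `User.objects.create_user`, so with the call in `register_view` commented out this setting enforces nothing on the registration path, and the README's "in this app 10" describes the intended fixed state rather than current behaviour. Adding a trailing comma after the closing brace of the `OPTIONS` dict would match the style of the surrounding validator entries.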