Add flaw 5: misconfiguration
This commit is contained in:
parent
0d8bedf002
commit
f8fd726953
2 changed files with 20 additions and 2 deletions
12
README.md
12
README.md
|
@ -14,6 +14,7 @@ I am using the 2021 OWASP Top Ten list.
|
|||
LINK: https://github.com/VSinerva/csb-project-1
|
||||
|
||||
I am using the basic Django template, so no instructions are included.
|
||||
The user accounts `test1:test1` and `test2:test2` have been added to the database for testing purposes.
|
||||
|
||||
FLAW 1:
|
||||
> ADD EXACT SOURCE LINK
|
||||
|
@ -27,6 +28,7 @@ The check compares the logged in user to the owner of the note, and only deletes
|
|||
This should never cause a problem for a normal user, but it makes sure that the note being deleted
|
||||
belongs to the logged in user.
|
||||
|
||||
|
||||
FLAW 2:
|
||||
> ADD EXACT SOURCE LINK
|
||||
|
||||
|
@ -46,6 +48,7 @@ FLAW 3:
|
|||
|
||||
SQL Injection (Unsanitized SQL query for search)
|
||||
|
||||
|
||||
FLAW 4:
|
||||
> ADD EXACT SOURCE LINK
|
||||
|
||||
|
@ -56,7 +59,14 @@ The fix for this issue is to perform server-side validation on new passwords, an
|
|||
Django includes a simple built-in validator which checks that the password has a minimum length (default 8, in this app 10), is not too similar to the username, is not a common password (20000 password list) and is not purely numeric.
|
||||
These checks are implemented in the commented out code, and would significantly improve the situation.
|
||||
|
||||
|
||||
FLAW 5:
|
||||
> ADD EXACT SOURCE LINK
|
||||
|
||||
Misconfiguration
|
||||
(Security Misconfiguration) The current project settings set debug features to always be on, and contains the Django secret key in the public repository.
|
||||
Django in debug mode shows detailed stack traces etc. when errors occur, which could reveal internal information.
|
||||
The secret key is crucial for e.g. session security, so should absolutely never be posted publicly, as it has been here.
|
||||
|
||||
The solution to both of these problems is to load the values from environment variables at runtime.
|
||||
This, in combination with e.g. a .env file, helps to make sure that the correct settings and keys are in use in development and in production.
|
||||
This fix is implemented in the commented out code.
|
||||
|
|
Reference in a new issue