VSinerva/csb-project-1
Archived
1
0
Fork 0
Code Activity
A very insecure web app for the University of Helsinki Cyber Security Base -course
This repository has been archived on 2025-03-30. You can view files and clone it, but you cannot make any changes to it's state, such as pushing and creating new issues, pull requests or comments.
11 commits 1 branch 0 tags 64 KiB
Find a file
Vili Sinervä e8f671d66e
Add flaw 4: weak passwords allowed
2024-11-25 17:16:29 +02:00
notes Add flaw 4: weak passwords allowed 2024-11-25 17:16:29 +02:00
project Add flaw 4: weak passwords allowed 2024-11-25 17:16:29 +02:00
.gitignore Initial commit 2024-11-24 14:20:48 +02:00
LICENSE Initial commit 2024-11-24 14:20:48 +02:00
manage.py Reorder files 2024-11-24 16:45:26 +02:00
README.md Add flaw 4: weak passwords allowed 2024-11-25 17:16:29 +02:00

README.md

Cyber Security Base course project 1

Purpose

A very insecure web app for the University of Helsinki Cyber Security Base -course. The point is to demonstrate common cyber security problems and their fixes.

Description of vulnerabilities

NOTE: More detailed description of problems coming soon.

I am using the 2021 OWASP Top Ten list.

LINK: https://github.com/VSinerva/csb-project-1

I am using the basic Django template, so no instructions are included.

FLAW 1:

ADD EXACT SOURCE LINK

(Broken Access Control) Right now, the notes are identified and deleted with a simple sequential ID. This makes it trivial for a logged in user to delete notes from other users. The malicious user simply needs to edit the client-side URL of their POST request.

The issue can easily be fixed by adding the commented out ownership check before deleting a note. The check compares the logged in user to the owner of the note, and only deletes the note if they match. This should never cause a problem for a normal user, but it makes sure that the note being deleted belongs to the logged in user.

FLAW 2:

ADD EXACT SOURCE LINK

Cryptographic Failure (Weak/No password hashing)

FLAW 3:

ADD EXACT SOURCE LINK

SQL Injection (Unsanitized SQL query for search)

FLAW 4:

ADD EXACT SOURCE LINK

(Identification and Authentication Failures) As is, the application performs no checks for weak passwords. This makes users more vulnerable to attacks based on trying common and weak passwords, escpecially if the password database gets leaked (See also flaws 2 and 3).

The fix for this issue is to perform server-side validation on new passwords, and checking that they are reasonable. Django includes a simple built-in validator which checks that the password has a minimum length (default 8, in this app 10), is not too similar to the username, is not a common password (20000 password list) and is not purely numeric. These checks are implemented in the commented out code, and would significantly improve the situation.

FLAW 5:

ADD EXACT SOURCE LINK

CSRF (No CSRF token for Delete)