john
/
mooc-securing-software-21-projects
1
0
Fork 0
Code
mooc-securing-software-21-p.../project1
History
John Ahlroos e83a95367c
Add commented out fix 		2021-03-03 08:47:58 +02:00
..
project1 Add commented out fix 2021-03-03 08:47:58 +02:00
static Added XXE vulnerability 2021-03-02 20:57:11 +02:00
templates Added XXE vulnerability 2021-03-02 20:57:11 +02:00
README.md Add commented out fix 2021-03-03 08:47:58 +02:00
manage.py Generated project 1 stub 2021-03-02 09:34:42 +02:00

README.md

Cyber Security Base 2021 - Project 1

This project is course project (Project 1) for the online course https://cybersecuritybase.mooc.fi/.

The project SHOULD NOT be used for anything else than for the project course as it is insecure and against all best security practices.

Getting started

To run the project first run

python manage.py migrate

Create some users for the systems so you can log in

python manage.py createsuperuser

Then to start the server run

python manage.py runserver

Purpose of project

The project demonstrates the following vulnerabilities:

XXS injection for redirecting to another site

The Login screen has a security vulnerability in the Username field where by entering a correctly formatted string the Login screen can be used as a redirect to another site.

This can be demonstrated by clicking on the XSS injection attack (site redirect) and clicking submit.

The Login screen can also directly be abused (without submittinh the FORM) by accessing the this link.

Insecure credential management

The Login screen additionally will send the username and password as HTTP GET parameters so they will also be exposed in server logs and the browser history.

Access control vulnerability in product filtering

You can view all products in the system simply by giving the filter parameter to the url. You can test this out via the link on the login screen.

XSS injection for stealing cookie

Once you have successfully logged in you can test another XSS vulnerability in the "Add product:" field by injecting a script tag in the product name field. This can be simulated with the XSS injection attack (steal cookies) link as well.

SQL inject attack to list users and other sensitive data of system

The "Find Product by Name" field can be used for SQL injection attacks to get any information from the system database. An example of this can been seen by clicking the Sql injection attack (Get all users of system along with their details) link. Once you click search you will be taken to a page that lists all users of the system.

Using Components with Known Vulnerabilities

The system uses the insecure PullDOM library for processing XML imports. This gives access to the following vulnerability.

XXE vulnerability in processing XML product imports

The system provides a utility to import product defined in XML. By using a XML file the ENTITY header can be used to pull information from the system. It can be tested by uploading the /static/products.xml file.