Cyber Security Base - Course Project I

The code in this repo is based on starter code provided on Github at https://github.com/cybersecuritybase/cybersecuritybase-project.

Available users (username:password)

  • ted:president
    • can add events
    • can sign up to events
    • can see attendees for any event
  • joe:citizen
    • can sign up to events
    • can view the list of events they have signed up for

Issues and suggested fixes

Issue: Security Misconfiguration

Steps to reproduce:

  1. Open any page with a form
  2. View (HTML) source code of the web page using Developer Tools
  3. Observe that the form elements do not contain any CSRF tokens

Suggested fixes:

  1. Remove the line http.csrf().disable(); from class sec.project.config.SecurityConfiguration
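
The CSRF part of a Spring Security configuration with the weak setting beside the corrected one, as an added example that is not the project's own code. It assumes Spring Boot 1.x with WebSecurityConfigurerAdapter (the API this starter project uses) and an /admin/** rule for the ADMIN role, which the README says SecurityConfiguration already defines; the login and logout settings are assumed.

```java
// Added example, not the project's own code: the CSRF-relevant part of a
// Spring Security configuration, weak setting beside the corrected one.
// Assumptions: Spring Boot 1.x with WebSecurityConfigurerAdapter and an
// /admin/** rule for ROLE_ADMIN as described in the README.
package sec.project.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // WEAK: this single line switches off CsrfFilter for every request, so a
        // form hosted on any other site can POST to the add-event or sign-up
        // handlers using the victim's session cookie. Delete the line rather
        // than leaving it commented out for someone to restore.
        // http.csrf().disable();

        // FIXED: CSRF protection is on by default, so simply not calling
        // disable() keeps the default CsrfFilter. It issues a per-session token,
        // requires it as the _csrf parameter (or X-CSRF-TOKEN header) on every
        // state-changing request (POST/PUT/PATCH/DELETE) and answers 403 when it
        // is missing or wrong. GET is never checked, so GET handlers must stay
        // side-effect free.
        http.csrf()
                .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")   // hasRole adds the ROLE_ prefix
                .anyRequest().authenticated()
                .and()
            .formLogin().permitAll()
                .and()
            .logout().permitAll();
    }
}
```

Thymeleaf forms that use th:action get the hidden _csrf input added automatically through Spring Security's CsrfRequestDataValueProcessor; a form with a plain action attribute does not. After the fix, repeat step 2 of the reproduction and confirm that every form now contains an input named _csrf, and that submitting a form without it returns 403.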

Issue: Missing Function Level Access Control

A normal user should not be able to add an event, but the form for adding new events does not enforce permissions.

Steps to reproduce:

  1. Log in with user joe
  2. With a "lucky guess", go to http://localhost:8080/add
  3. Add new event using the form
  4. After sending the form, the redirect fails with a permission error, but the new event has already been added and is now visible in the events list for all users.

Suggested fixes:

  1. In ManagerController, change the request mappings for addEventForm() and addEvent() to point to /admin/add, since the admin path already requires the ADMIN role (defined in SecurityConfiguration)
  2. Then change the admin links in fragment.html to point to this new URL too
  3. Alternatively, in these same two methods, check the proper permissions using the Authentication object and act accordingly.
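
Both fixes applied to ManagerController, as an added example that is not the project's own code. It assumes the handlers take the event name and url as request parameters, that the form view is called "form", that the Event entity lives in sec.project.domain with a (name, url) constructor, and that SecurityConfiguration restricts /admin/** to the ADMIN role as the README states.

```java
// Added example, not the project's own code: fix 1 (move the mappings under
// /admin) and fix 3 (check the role from the Authentication object) together.
// Assumptions: request parameters "name" and "url", a "form" view, and an
// Event entity in sec.project.domain with a (name, url) constructor.
package sec.project.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import sec.project.domain.Event;
import sec.project.repository.EventRepository;

@Controller
public class ManagerController {

    @Autowired
    private EventRepository eventRepository;

    // Fix 1: the mapping moves from "/add" to "/admin/add", so the existing
    // antMatchers("/admin/**").hasRole("ADMIN") rule guards both the form and
    // the POST handler, and a "lucky guess" of /add no longer reaches anything.
    @RequestMapping(value = "/admin/add", method = RequestMethod.GET)
    public String addEventForm() {
        return "form";
    }

    // Fix 3: verify the role inside the handler as well. Spring MVC injects the
    // current Authentication as a handler argument, so the check runs before
    // anything is saved. In the original the only check happened at the
    // redirect target, after the event was already in the database.
    @RequestMapping(value = "/admin/add", method = RequestMethod.POST)
    public String addEvent(Authentication authentication, Model model,
                           @RequestParam String name, @RequestParam String url) {
        if (!hasRole(authentication, "ROLE_ADMIN")) {
            model.addAttribute("message", "Only administrators can add events");
            return "error";
        }
        eventRepository.save(new Event(name, url));
        return "redirect:admin";
    }

    // hasRole("ADMIN") in SecurityConfiguration compares against the authority
    // string "ROLE_ADMIN"; using the same string here keeps both checks in step.
    static boolean hasRole(Authentication authentication, String role) {
        if (authentication == null) {
            return false;
        }
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (role.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

To verify fix 1, repeat the reproduction steps as joe: both GET and POST to /add and /admin/add should be refused, and the events list must not gain an entry. Fix 3 alone also closes the hole, but keeping the URL-level rule means a future handler added under /admin is protected even if its author forgets the in-method check.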

Issue: SQL Injection

Steps to reproduce:

  1. Log in as ted
  2. Go to the Admin: add new event page. When adding an event, type this in the url field: ');drop table Event;--
  3. You will start getting error messages such as nested exception is org.hibernate.exception.SQLGrammarException: could not prepare statement from certain pages of the app.
  4. (optional) Restart the app to have the table recreated if you want to experiment further.

Suggested fixes:

  1. Use prepared statements in ManagerController
  2. import sec.project.repository.EventRepository;
  3. Add @Autowired private EventRepository eventRepository;
  4. Edit the addEvent() method to look like this:

    List<Event> event = eventRepository.findByName(name);
    if (event == null || event.isEmpty()) {
        // findByName binds name as a query parameter, so nothing from the form reaches the SQL text
        eventRepository.save(new Event(name, url));
        return "redirect:admin";
    } else {
        model.addAttribute("message", "Event '" + name + "' already added");
        return "error";
    }
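
The "use prepared statements" fix shown two ways, as an added example that is not the project's own code: a parameterised JdbcTemplate insert beside the repository version from the list above, with the vulnerable concatenation they replace for contrast. The assumptions are that the original handler built its INSERT by string concatenation through a JdbcTemplate (the shape sketched in addEventUnsafe), that the Event entity lives in sec.project.domain with a (name, url) constructor, and that the handler is mapped under /admin/add. The repository interface is included because findByName has to be declared there before the method body above compiles.

```java
// Added example, not the project's own code. Two source files follow; the
// separator comments mark the boundary. Assumptions: the vulnerable handler
// concatenated its INSERT through a JdbcTemplate, and Event lives in
// sec.project.domain with a (name, url) constructor.

// --- sec/project/repository/EventRepository.java ---
package sec.project.repository;

import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import sec.project.domain.Event;

public interface EventRepository extends JpaRepository<Event, Long> {
    // Spring Data derives "select e from Event e where e.name = ?1" from the
    // method name and binds the argument as a query parameter; the value is
    // never spliced into the query text.
    List<Event> findByName(String name);
}

// --- sec/project/controller/ManagerController.java (relevant part) ---
package sec.project.controller;

import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import sec.project.domain.Event;
import sec.project.repository.EventRepository;

@Controller
public class ManagerController {

    @Autowired
    private JdbcTemplate jdbcTemplate;

    @Autowired
    private EventRepository eventRepository;

    // VULNERABLE (assumed shape of the original, kept only for contrast): the
    // form values become part of the SQL text, so a url that closes the quote
    // and the statement lets a second statement follow. The "could not prepare
    // statement" errors in step 3 are the later pages failing because the
    // Event table no longer exists.
    private void addEventUnsafe(String name, String url) {
        jdbcTemplate.execute("INSERT INTO Event (name, url) VALUES ('" + name + "', '" + url + "')");
    }

    // FIX A, a plain prepared statement: the ? placeholders are bound by the
    // JDBC driver, so whatever was typed is stored as the url string and no
    // part of it is executed.
    private void addEventPrepared(String name, String url) {
        jdbcTemplate.update("INSERT INTO Event (name, url) VALUES (?, ?)", name, url);
    }

    // FIX B, the README's version: go through the JPA repository, which
    // parameterises both the lookup and the insert.
    @RequestMapping(value = "/admin/add", method = RequestMethod.POST)
    public String addEvent(Model model, @RequestParam String name, @RequestParam String url) {
        List<Event> existing = eventRepository.findByName(name);
        if (existing == null || existing.isEmpty()) {
            eventRepository.save(new Event(name, url));
            return "redirect:admin";
        }
        model.addAttribute("message", "Event '" + name + "' already added");
        return "error";
    }
}
```

After the fix, repeating the reproduction should leave the Event table intact and show an event whose url field literally reads ');drop table Event;-- in the list, which is the behaviour a parameterised query is expected to produce.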

Issue: Unvalidated Redirects and Forwards

Steps to reproduce:

  1. Log in as ted
  2. Go to Admin: add new event page
  3. Type anything as the event name and type add in the url field
  4. Send the form and go to the Admin page
  5. Click the link for the event you just created and you will be redirected to the Add new event page.
  6. (optional) You can also try the redirect with an external url such as http://google.com.

Suggested fixes:

  1. Add allow-list (whitelisting) rules for the url in RedirectController and apply them before performing the actual redirect.
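
An allow-list check for the url before RedirectController performs the redirect, as an added example that is not the project's own code. The README does not name the endpoint or the parameter, so the example assumes a /redirect mapping with the target in a "url" request parameter, assumes the events list is served at "/" for the fallback, and uses a constructed list of permitted hosts.

```java
// Added example, not the project's own code: allow-list the redirect target.
// Assumptions: /redirect endpoint, "url" request parameter, events list at "/",
// and a constructed ALLOWED_HOSTS list standing in for real configuration.
package sec.project.controller;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class RedirectController {

    // Hosts that event links may point to (constructed for this example).
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.helsinki.fi", "cybersecuritybase.mooc.fi"));

    // True only for an absolute http(s) URL whose host is on the list.
    // Everything else is rejected: relative values such as "add" or "/admin"
    // (which bounce the user around inside the app, as in the reproduction),
    // protocol-relative "//host", non-http schemes, and unlisted hosts such as
    // google.com.
    static boolean isAllowedRedirect(String url) {
        if (url == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return false;
        }
        if (!uri.isAbsolute()) {            // no scheme: "add", "/admin", "//evil"
            return false;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        String host = uri.getHost();        // null for opaque or malformed authorities
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @RequestMapping("/redirect")
    public String redirect(@RequestParam String url) {
        if (!isAllowedRedirect(url)) {
            // Do not echo the rejected value anywhere; just land on the events list.
            return "redirect:/";
        }
        return "redirect:" + url;
    }
}
```

Comparing the parsed host rather than doing a string prefix check matters: a prefix test on "http://www.helsinki.fi" would also pass "http://www.helsinki.fi.example" and "http://www.helsinki.fi@other-host/", while java.net.URI reports the real host in both cases. The same check could be applied once when the event is saved instead of on every redirect, but validating at the redirect covers events that were stored before the fix.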

Issue: Cross-Site Scripting (XSS)

Steps to reproduce:

  1. Log in as ted
  2. Go to Admin: add new event page
  3. For the event name, type for example this: <script>alert("hacked?");</script>
  4. The script runs when the Admin page is opened

Suggested fixes:

  1. In admin.html, on the line containing <h2 th:utext="${event.name}">event name</h2>, replace utext with text.
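
A regression test for the th:text fix, as an added example that is not the project's own code: it stores the event name from the reproduction steps and renders the Admin page to check that the name comes out escaped. It assumes Spring Boot 1.4 or later with spring-boot-starter-test, spring-security-test and JUnit 4, that the Admin page is served at /admin, that ted is recognised through the ROLE_ADMIN authority, and that Event lives in sec.project.domain with a (name, url) constructor.

```java
// Added example, not the project's own code: a test that fails while the
// template still uses th:utext and passes once it uses th:text.
// Assumptions: Spring Boot 1.4+, spring-security-test, JUnit 4, Admin page at
// /admin, ROLE_ADMIN authority, Event(name, url) in sec.project.domain.
package sec.project;

import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import sec.project.domain.Event;
import sec.project.repository.EventRepository;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class AdminPageEscapingTest {

    @Autowired
    private MockMvc mockMvc;

    @Autowired
    private EventRepository eventRepository;

    @Test
    public void eventNameIsEscapedOnAdminPage() throws Exception {
        // The same name as in the reproduction steps; stored directly, so the
        // test does not depend on the add-event form.
        String hostileName = "<script>alert(\"hacked?\");</script>";
        eventRepository.save(new Event(hostileName, "https://www.helsinki.fi"));

        // user(...) populates the security context without the login form.
        mockMvc.perform(get("/admin").with(user("ted").roles("ADMIN")))
                .andExpect(status().isOk())
                // th:text emits the angle brackets as character references...
                .andExpect(content().string(containsString("&lt;script&gt;")))
                // ...so the stored value must not appear verbatim anywhere on the page.
                .andExpect(content().string(not(containsString(hostileName))));
    }
}
```

The same check is worth repeating for every other place the name is rendered (the events list and the attendee view), since th:utext anywhere in the templates reopens the issue for that page. Keep th:text as the default and reserve th:utext for content the application itself generates.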