Skip to content

zjasonshen/CodepathWebSecurityWeek4

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

docker

docker

 
 

globitek

globitek

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

docker-compose.yml

docker-compose.yml

 
 

globitek_week4.sql

globitek_week4.sql

 
 

Repository files navigation

Project 4 - Forgery, Theft, and Hijacking Prevention

Time spent: 7 hours spent in total

User Stories

The following required functionality is completed:

1. [X] Required: Test for initial vulnerabilities

2. [X] Required: Configure sessions

  • Required: Only allow session IDs to come from cookies
  • Required: Expire after one day
  • Required: Use cookies which are marked as HttpOnly

3. [X] Required: Complete Login page.

  • Required: Show an error message when username is not found.
  • Required: Show an error message when username is found but password does not match.
  • Required: After login, store user ID in session data.
  • Required: After login, store user last login time in session data.
  • Required: Regenerate the session ID at the appropriate point.

4. [X] Required: Require login to access staff area pages.

  • Required: Add a login requirement to almost all staff area pages.
  • Required: Write code for last_login_is_recent().

5. [X] Required: Complete Logout page.

  • Required: Add code to destroy the user's session file after logging out.

6. [X] Required: Add CSRF protections to the state forms.

  • Required: Create a CSRF token.
  • Required: Add CSRF tokens to forms.
  • Required: Compare tokens against the stored version of the token.
  • Required: Only process forms data sent by POST requests.
  • Required: Confirm request referer is from the same domain as the host.
  • Required: Store the CSRF token in the user's session.
  • Required: Add the same CSRF token to the login form as a hidden input.
  • Required: When submitted, confirm that session and form tokens match.
  • Required: If tokens do not match, show an error message.
  • Required: Make sure that a logged-in user can use pages as expected.

7. [X] Required: Ensure the application is not vulnerable to XSS attacks.

8. [X] Required: Ensure the application is not vulnerable to SQL Injection attacks.

9. [X] Required: Run all tests from Objective 1 again and confirm that your application is no longer vulnerable to any test.

The following advanced user stories are optional:

  • Bonus Objective 1: Identify security flaw in Objective #4 (requiring login on staff pages)

    • Identify the security principal not being followed.
    • Write a short description of how the code could be modified to be more secure.

  • Bonus Objective 2: Add CSRF protections to all forms in the staff directory

  • Bonus Objective 3: CSRF tokens only valid for 10 minutes.

  • Bonus Objective 4: Sessions are valid only if user-agent string matches previous value.

  • Advanced Objective: Set/Get Signed-Encrypted Cookie

    • Create "public/set_secret_cookie.php".
    • Create "public/get_secret_cookie.php".
    • Encrypt and sign cookie before storing.
    • Verify cookie is signed correctly or show error message.
    • Decrypt cookie.

Video Walkthrough

Here's a walkthrough of implemented user stories:

Video Walkthrough

GIF created with LiceCap.

Notes

The security principle that the login of the staff pages doesn't follow is to never trust users. The reason that is a major security flaw is that any user has the ability to modify/delete any entry in the database. In order for the system to be more secure users should have limited write/modify access but still maintain full read access. Restrict the users to only be able to modify/delete the entries they created. Have a root account that has access to modify user accounts. Users shouldn't be able to modify other users.

Docker instructions:

1. Install Docker.

2. In the root of this folder enter the following commands

docker-compose -d up

This command will setup the download and setup the containers needed for this project.

docker-compose exec mysql /bin/bash

SSH into mysql server to load the database file

mysql -u jason -p globitek < /var/www/html/globitek_week4.sql

You will be prompted for a password which is "codepath"

3. Now you can open a browser and view the website at:

localhost:8080/globitek/public/index.php

License

Copyright [2017] [Jason Shen]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

About

No description or website provided.

Topics

mysql docker php sql injection session xss csrf websecurity

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages