Course project 1 for https://cybersecuritybase.github.io/
Participants can register to the event using a form. They can choose if they want the registration be public or not.
With maven:
git clone
cd
into repo
mvn package
java -jar target/cybersecuritybase-project-1.0-SNAPSHOT.jar
The server should now run at port 8080
- Start the server
- Go to
http://localhost:8080/
- Register to the event.
- Enter
' OR TRUE --
to the filter field. - Click filter
- Now non-public registrations are displayed, incorrectly.
Changing the database queries into prepared statements would fix this problem. So instead of
SELECT * FROM Signup WHERE name = '" + username + "' AND publicness = TRUE
we would use
SELECT * FROM Signup WHERE name = ? AND publicness = TRUE
with prepared statements.
- Start the server
- Go to
http://localhost:8080/
- Register to the event with name
<script>alert("xss flaw");</script>
- Now alert box is displayed in the registree page, and attacker could exploit the flaw with javascript.
(Clear the database entries by deleting .db files in db directory)
Changing the input prompt value from unescaped to escaped in done.html file should fix this problem.
- Start the server
- Go to
http://localhost:8080/signups/2
- Private information is now displayed.
Requiring authentication of users before giving the signup page would fix this problem. Only the personal page should be viewable.
- Make sure database is in original state: remove all .db files in db/ directory (if any).
- Start server.
- Go to
http://localhost:8080/
- Register to the event with name
<img src="http://localhost:8080/signups/1/delete" width="0" height="0" />
- Select registration as public.
- Now when registree list is opened, Jack's signup will be removed.
The server doesn't have any authentication, so anyone opening the done.html page will cause Jack to be removed from the list. Normally this flaw would happen only when Jack opens the page. Using a session token in url or http request would be a solution for this flaw. Also escaping the name string so that img tags could not be used.
Delete the .db files to revert the database to original state.
OWASP Dependency Check was used to identify this flaw. The tool reported one of the flaws to be CVE-2016-9878. This project is using Spring boot framework, which has spring core as a dependency. Spring core version is 4.3.4 so the project has known unsafe component.
To view all of the project dependencies:
cd
into project dir where pom.xml is.mvn dependency:list
or justmvn dependency:list grep spring-core
- Spring framework core version 4.3.4 should be listed.
This flaw can be fixed by changing the parent artifact version in pom.xml from version 1.4.2 to version 1.4.3