Web application that contains five different security flaws from the OWASP top ten list. Project is done for the course https://cybersecuritybase.github.io/
It is recommended not to reuse this code, because it contains security issues.
Application has two users:
sam/salasana
admin/password
After login user can sign in to a event and logout. Admin user can also see list of all signees.
Prerequisite is that Maven is installed. Application can be run using:
mvn spring-boot:run
- Login using admin/password or sam/salasana
- Fill in any input to the first field
- Fill in this (or similar sql statement) to a message field:
Second'); UPDATE Signup set message='EVIL MESSAGE'; -- -
- Issue: All messages are updated to “EVIL MESSAGE”. Messages are visible at page http://localhost:8080/admin/admin
It is recommended to use JPA’s standard methods instead of custom code for the database connection.
Class SignupController includes suggested fixes that are currently commented out. Fix is done by removing these two lines db_injection.addSignupToDb(name, message);
and List<Signup> allSignups = db_injection.readSignupsFromDb();
and commenting in lines that use Spring Security's and JPA's standard methods. Class CustomDbHelpers becomes obsolete and it can be removed completely. After fix code looks like this:
@RequestMapping(value = "/form", method = RequestMethod.POST)
public String submitForm(@RequestParam String name, @RequestParam String message) {
signupRepository.save(new Signup(name, message, null));
return "done";
}
@RequestMapping(value = "/admin/admin", method = RequestMethod.GET)
public String loadAdmin(Model model) {
List<Signup> allSignups = signupRepository.findAll();
model.addAttribute("signups", allSignups);
return "admin/admin";
}
- Log in
- Fill this to a name field (message can be empty):
evil',(select username,password from Users where userid=1))-- -
- Issue: Message field of a latest signup contains username and password for the user id 1. Open page http://localhost:8080/admin/admin to view login details.
It is recommended that route to the SQL injection is fixed similarly as in the previous issue A1. In addition, passwords should be hashed.
Class SecurityConfiguration includes fix that is currently commented out. When this line is commented in, password encryption is enabled: auth.userDetailsService(userDetailsService).passwordEncoder(passwordencoder());
After fix, hashed passwords need to be updated to the database for the default users.
- Login as admin user
- Fill in any name
- Fill in this (or similar html) to the Message field:
<script>alert("Evil Message!");</script>
- Open admin page http://localhost:8080/admin/admin
- Issue: Page displays alert dialog
Script becomes visible because admin view displays message as unescaped text. Fix can be done by changing data-th-utext
to data-th-text
in the file admin.html.
- Login as non-admin user: sam/salasana
- Notice that form page does not display link to the admin page. This link is visible when admin user (admin/password) logs in.
- Navigate to the admin page using direct address: http://localhost:8080/admin/admin
- Issue: Basic level user has access to the admin page
Class SecurityConfiguration contains suggested fix, where admin user level is required to access requests in the folder admin. When fix is commented in, code looks like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/admin/**").hasAuthority("ROLE_ADMIN")
.anyRequest().authenticated().and()
.formLogin().permitAll();
}
It is important to notice, that authorization in the html template does not include backend validation. In other words, this line in the html template restricts only link visibility for the admin role.
<div sec:authorize="hasAuthority('ROLE_ADMIN')"><a href="/admin/admin">Admin page</a></div>
- Open command line and navigate to a project folder
- Run OWASP Dependency Check using command
mvn dependency-check:check
- Open a dependency-check report when scan is finished. Report is located in the target folder.
- Issue:* As writing this, scanner found 16 vulnerabilities and 5 vulnerable dependencies.
Open pom.xml and update version number of a spring-boot-starter-parent to the last stable release 1.5.9.RELEASE
. Less vulnerabilities are expected when scan is re-run.