This report is in more readable format at: https://github.com/pihvi/cybersecuritybase-project
- Install latest Node.js, instructions here https://nodejs.org
- Download code from here https://github.com/pihvi/cybersecuritybase-project
- In the code folder run "npm start"
Application allows posting content that others can then see on the application front page. This gives a possibility to do XSS attacks. All input from outside sources should be escaped. Steps to reproduce:
- Open http://localhost:3000
- Login with name "cyber"" and password "sec"
- Submit a new message "<script>alert('pawned')</script>"
- Script given in message is executed in the browser and alert "pawned" is shown.
Application serves static web content i.e. logo in this case to the user in the front page. This might allow other secret content to be accidentaly available in the same folder. Only the content meant for outside should be served from the server. Steps to reproduce:
- Open http://localhost:3000/index.js
- Source code and secrets inside it can be read by anyone.
Appllication uses sessions to identify logged in users. Identifying is based on id in a cookie. This cookie should not be made available through JavaScript as it enables session hijacking attacks. Steps to reproduce:
- Open http://localhost:3000
- Login with name "cyber"" and password "sec"
- Submit a new message "<script>alert(document.cookie)</script>"
- Session id is shown in alert message i.e. it can be accessed with JavaScript and is vulnerable to session hijacking.
Application uses username and passwords to identify users. Passwords should be stored safely and in a way that even when they might be leaked, they can not be easily identified. Steps to reproduce:
- Open http://localhost:3000/index.js
- Password "sec" can be read in plain text.
Apllication is meant only for logged in users, but some endpoints might be missing checks that user is actually logged in. Users can not access the front page without loggin in first and thus they can not see the message posting form before logging in. But when posting the message with the form, the logged in check should also be made. Steps to reproduce:
- Logout if you are logged in (http://localhost:3000/logout)
- Open http://localhost:3000/msg?msg=this+should+not+work
- Login with name "cyber"" and password "sec"
- See message "this should not work" could be posted without being logged in.
Opening links in a phishing email should not be able to modify application data. This can be prevented by adding a session unique secret CSRF token. Steps to reproduce:
- Open http://localhost:3000 to first tab
- Login with name "cyber"" and password "sec"
- Open http://localhost:3000/msg?msg=this+also+should+not+work in another tab
- Reload first tab
- Message "this also should not work" has appeared on the list
Apllication uses dependencies. They should be kept up to date so they would not contain vulnerabilities. Steps to reproduce:
- Look into package.json file and see the dependency "express" is at version "4.4.0"
- See that express version 4.4.0 is listed as affected with vulnerability: https://www.cvedetails.com/cve/CVE-2014-6393/
Application redirects user after login. These redirections should not be made changeable from outside. Steps to reproduce:
- Open http://localhost:3000/logout?dest=https://google.com
- See that you were redirected to Google i.e. outside the application.
The message content should be escaped before rendered to html page. This includes "<" and ">" tags so script or other html content can not be injected to the page.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/bfa5e41c47a8b3d0477d219ebb05cfa8b93aa510
The static files (logo.png) should be moved to own folder and only that folder should be exposed as static content.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/602a79a589b0127dbb95b289aee7c53bf28485f6
The cookie should be made http-only so it can not be read with JavaScript.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/143aae00d8fd6a49aee58571b74c1f812e325969
Passwords should be stored hashed so that it's not even possible to know what is the original password.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/0533ab99c53528e8e24469b1a1313687337ff5f4
Function accepting the messages should check the user is logged in.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/eb44085e843a0f89390b31a896b69209d296fa37
A unique CSRF token should be stored in users session and rendered to the users message posting form as hidden input so when message is posted this token can be verified serverside.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/f04fc4e0066467306a72e63beb52e2c697fde1d4
The express dependency should be updated to the latest version (4.16.2) that is not listed as containing a vulnerability. Also some automation to help keep dependencies up to date would be a good idea. For this project it could be for instance https://greenkeeper.io/
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/857556c0ebac1eee50ed972907161f2ac462f3c4
At logout the user should just be redirected to application front page and not allow the redirection be given in a parameter.
Code for the fix: https://github.com/pihvi/cybersecuritybase-project/commit/ea0ee3914db0efe5f8a2511a6cd0ca99838e7bd2