This "Insecure Blog" contains terrible security mistakes. Fix them and learn! Write your answers here in the README.md and hand the exercise in as a pull request.
This app displays the passwords of all users on http://localhost:3000/users.
Write a test for this security bug.
Then fix it.
Now all tests should be green.
See https://backend-development.github.io/security.html#slide-4
The Search field for users is open to SQL injection. Use it to find out which users have admin rights.
Write a test for this security bug.
Then fix it.
Now all tests should be green.
See https://backend-development.github.io/security.html#slide-6
This app does not encrypt passwords and does not check if passwords are weak. But let's ignore the encryption of the passwords for now.
Write an integration test that tries to create a user with password '12345678'.
This should fail.
Use the pwned gem to check passwords before they are stored.
Now all tests should be green.
See https://backend-development.github.io/security.html#slide-13
This app is vulnerable to XSS. Let's not fix this by sanitizing the input and/or escaping the output, but let's use a new method: Create a CSP for your app. Try out different versions.
But first:
- insert some article with a `<script>` tag in the description.
- find the inline style (flex) and inline script (hover over circular button) in /articles
WARNING: After changing the file config/initializers/content_security_policy.rb you need to restart the webserver!
Questions:
- Version: which settings are needed to get bin/webpack-dev-server to work?
- Version: try to forbid all unsafe-inline script.
  - which setting do you need?
  - does the XSS still work?
  - how about the inline style and inline script?
- Version: try to use nonce to get the (good) inline script to work again. Which settings do you need in rails?
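The CSP questions above come down to which inline snippets each policy version still lets the browser run. The following Ruby snippet is an added example, not code from the Insecure Blog repo, that models those rules for three constructed policy headers. It assumes the hover effect on the circular button is an inline event-handler attribute and the flex layout is a style attribute; the header strings and the nonce value abc123 are made up.

```ruby
# Minimal evaluator for the script-src / style-src part of a CSP header.
# Simplifications (assumptions): only 'self', 'unsafe-inline' and 'nonce-...'
# sources are understood; hashes and script-src-elem/-attr are not modelled.
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |d, h|
    name, *values = d.split(/\s+/)
    h[name] = values
  end
end

# kind: :script_element  (<script>...</script>, may carry nonce="...")
#       :event_handler   (onmouseover="..." style inline script; nonces never apply)
#       :style_attribute (style="display:flex")
def inline_allowed?(policy, kind, nonce: nil)
  directive = kind == :style_attribute ? "style-src" : "script-src"
  sources = policy[directive] || policy["default-src"] || []
  nonces = sources.select { |s| s.start_with?("'nonce-") }
  # A matching nonce only rescues <script> elements, not handler attributes.
  return true if nonce && kind == :script_element && nonces.include?("'nonce-#{nonce}'")
  # 'unsafe-inline' is ignored by CSP2+ browsers once a nonce/hash is present.
  return nonces.empty? if sources.include?("'unsafe-inline'")
  false
end

# Constructed policy versions, mirroring the exercise steps.
PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
NO_INLINE  = "default-src 'self'; script-src 'self'; style-src 'self'"
WITH_NONCE = "default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'unsafe-inline'"

# Which of the app's inline snippets (and the injected XSS) each policy allows.
def report(header, nonce: "abc123")
  p = parse_csp(header)
  {
    xss_script:    inline_allowed?(p, :script_element),               # injected <script>, no nonce
    good_script:   inline_allowed?(p, :script_element, nonce: nonce), # app's <script nonce=...>
    hover_handler: inline_allowed?(p, :event_handler),                # circular button hover
    flex_style:    inline_allowed?(p, :style_attribute)               # inline flex style
  }
end

if __FILE__ == $PROGRAM_NAME
  [PERMISSIVE, NO_INLINE, WITH_NONCE].each { |h| puts "#{h}\n  #{report(h)}" }
end
```

Note that the nonce version re-enables the `<script nonce>` block but not an event-handler attribute, so the hover script stays blocked until it is moved into a nonce-tagged script element.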
Which other security problems can you spot, and how can you fix them? Add your list right here: