Oct 31, 2019, 02:42 AM
We assessed commit `35c5f57cf`.

# Findings

## 1. Cross-Site Request Forgery

### Description

`ApplicationController` calls `protect_from_forgery` without `with: :exception`. In Rails 4.2 the strategy then defaults to `:null_session`: a request carrying a missing or invalid authenticity token is not rejected, it is processed with an empty session. Any state-changing action that does not depend on session data can therefore still be triggered by a cross-site request.

### Recommendation

`protect_from_forgery` should be configured with `with: :exception`, so that a request with a missing or invalid token raises `ActionController::InvalidAuthenticityToken` and is not processed.

## 2. Insecure Direct Object Reference (IDOR)

### Description

Describe some stuff.

### Recommendation

Recommend some stuff.

---

# Notes for you/your team

## Behavior

* What does it do? (business purpose)
  * A web application for communicating passwords over the web.

* Who does it do this for?
  * The public.

* What kind of information will it hold?
  * Passwords and other secrets (PII, API keys, etc.).

* What are the different types of roles?
* What aspects concern your client/customer/staff the most?

## Tech Stack

* Framework & Language
  * Rails/Ruby

* 3rd party components, examples:
  * Build tooling
    * gem
    * foreman

* Datastore
  * SQLite3

## Brainstorming / Risks

* It uses Ubuntu as its base container image; a slimmer base image would reduce the attack surface and the patch burden.
* It can be integrated with Slack.
* The encryption key and salt are hard-coded in `environment.rb`, and hence are in the public GitHub repository; anyone who obtains a copy of the database can decrypt the stored passwords with that public key material.
* Cryptography uses AES-128-CBC by default. The 128-bit key length is not the problem (AES-128 is considered secure); the concern with CBC mode is that it is unauthenticated, so ciphertext can be modified without detection, and if decryption errors are observable a padding-oracle attack becomes possible. An AEAD mode such as AES-GCM would be the safer default.
* Passwords are encrypted and stored in the database.
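
The point about the AES-128-CBC default, shown in Ruby as an added example (this is not PasswordPusher's or the ezcrypto gem's code): a 16-byte key is plenty, but with CBC alone anyone holding a ciphertext can flip chosen plaintext bytes of the next block without the key, and decryption reports nothing. The same tampering against AES-128-GCM fails the tag check. The demo key, the PBKDF2 parameters and the 32-byte sample record are constructed for the example; the real secret must come from the deployment environment, not from a committed file.

```ruby
require 'openssl'

# Constructed demo key; in the application the secret must come from the
# deployment environment, never from a file committed to the repository.
DEMO_KEY = OpenSSL::Random.random_bytes(16) # 16 bytes = AES-128

# Derive a 128-bit key from a secret and a salt with PBKDF2-HMAC-SHA256.
# AES-128 is a sufficient key length; what matters is that the secret is not public.
def derive_key(secret, salt)
  OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: 100_000, length: 16, hash: 'sha256')
end

# --- AES-128-CBC: confidentiality only, no integrity ------------------------

def cbc_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new('aes-128-cbc')
  c.encrypt
  c.key = key
  iv = c.random_iv # fresh random IV per message, stored alongside the ciphertext
  [iv, c.update(plaintext) + c.final]
end

def cbc_decrypt(key, iv, ciphertext)
  c = OpenSSL::Cipher.new('aes-128-cbc')
  c.decrypt
  c.key = key
  c.iv = iv
  c.update(ciphertext) + c.final
end

# CBC malleability: XOR-ing byte `index` of ciphertext block n flips the same
# byte of plaintext block n+1 (and scrambles block n). No key is needed.
def xor_byte_at(ciphertext, index, mask)
  bytes = ciphertext.bytes
  bytes[index] ^= mask
  bytes.pack('C*')
end

# --- AES-128-GCM: authenticated encryption ----------------------------------

def gcm_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new('aes-128-gcm')
  c.encrypt
  c.key = key
  iv = c.random_iv # 12-byte nonce; must never repeat under the same key
  c.auth_data = ''
  ciphertext = c.update(plaintext) + c.final
  [iv, ciphertext, c.auth_tag] # 16-byte authentication tag
end

# Returns the plaintext, or nil if the ciphertext or the tag was modified.
def gcm_decrypt(key, iv, ciphertext, tag)
  c = OpenSSL::Cipher.new('aes-128-gcm')
  c.decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = ''
  c.update(ciphertext) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Constructed 32-byte sample record: two exact AES blocks so the flip is easy to see.
SAMPLE = 'expires_in=00001' + 'views_allowed=01'

if __FILE__ == $PROGRAM_NAME
  iv, ct = cbc_encrypt(DEMO_KEY, SAMPLE)
  # Flip the last byte of block 1 so that '1' (0x31) becomes '9' (0x39) in block 2.
  forged = cbc_decrypt(DEMO_KEY, iv, xor_byte_at(ct, 15, 0x31 ^ 0x39))
  puts "CBC, tampered, decrypts without error: #{forged[16, 16].inspect}"

  giv, gct, tag = gcm_encrypt(DEMO_KEY, SAMPLE)
  puts "GCM, tampered, rejected: #{gcm_decrypt(DEMO_KEY, giv, xor_byte_at(gct, 15, 0x08), tag).nil?}"
end
```

The padding block is untouched by the flip, so CBC decryption succeeds and returns `views_allowed=09` in the second block; only the first block is visibly garbled, and nothing tells the application the record was altered. With GCM the same byte change makes `final` raise `OpenSSL::Cipher::CipherError`, which is the property the current default lacks.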

## Checklist of things to review based on Brainstorming and Tech Stack

- [ ] Look at gem packages, esp. `rack-attack` and `ezcrypto`
- [ ] How passwords are stored
- [ ] Find out the default value for `config.action_controller.allow_forgery_protection`. This setting enables or disables CSRF protection; by default it is `false` in the test environment and `true` in all other environments. Confirm it is not overridden to `false` in `development.rb` or `production.rb`.
- [ ] `config.force_ssl` is only enabled for `PWPUSH COM`
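
A quick source-level check for the two CSRF settings behind Finding 1 and the checklist item above, as an added example (not PasswordPusher's code and not Brakeman's): it runs over constructed controller and environment snippets, which are assumptions and not the repository's files, and reports the same condition Brakeman's ForgerySetting warning does, plus any environment file other than test that turns `allow_forgery_protection` off.

```ruby
# Constructed sample: what Brakeman's ForgerySetting check flags. Without
# `with:`, Rails 4.2 falls back to :null_session, which does not reject a
# request with a bad token; it only runs it with an empty session.
WEAK_CONTROLLER = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery
  end
RUBY

# Constructed sample: the recommended configuration. A missing or invalid
# authenticity token raises ActionController::InvalidAuthenticityToken.
FIXED_CONTROLLER = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
RUBY

# Constructed sample environment files (assumed contents, not the repo's).
ENV_FILES = {
  'config/environments/test.rb'       => "config.action_controller.allow_forgery_protection = false\n",
  'config/environments/production.rb' => "config.force_ssl = true\n",
}

# Returns the effective protect_from_forgery strategy for a controller source:
# :exception, :reset_session, :null_session, or :disabled when never called.
def forgery_strategy(source)
  call = source.lines.map(&:strip).find { |l| l.start_with?('protect_from_forgery') }
  return :disabled unless call
  %i[exception reset_session null_session].each do |strategy|
    return strategy if call.include?(":#{strategy}")
  end
  :null_session # Rails 4.2 default when `with:` is omitted
end

# Findings for a controller, using Brakeman's wording for the weak case.
def csrf_findings(source)
  case forgery_strategy(source)
  when :exception then []
  when :disabled then ['protect_from_forgery is not called: CSRF protection is off']
  else ['`protect_from_forgery` should be configured with `with: :exception`']
  end
end

# True when an environment file leaves allow_forgery_protection enabled.
# The Rails default is true; only an explicit `= false` turns it off.
def forgery_protection_enabled?(env_source)
  m = env_source.match(/allow_forgery_protection\s*=\s*(true|false)/)
  m.nil? || m[1] == 'true'
end

# Environment files other than test.rb that disable the check.
def disabled_outside_test(env_files)
  env_files.reject { |path, _| path.end_with?('test.rb') }
           .reject { |_, src| forgery_protection_enabled?(src) }
           .keys
end

if __FILE__ == $PROGRAM_NAME
  puts "weak controller:  #{csrf_findings(WEAK_CONTROLLER).inspect}"
  puts "fixed controller: #{csrf_findings(FIXED_CONTROLLER).inspect}"
  puts "forgery protection disabled outside test: #{disabled_outside_test(ENV_FILES).inspect}"
end
```

To use it against the real checkout, read `app/controllers/application_controller.rb` and each file under `config/environments/` into the same functions; the controller check is deliberately line-based, so a `protect_from_forgery` call split across lines or wrapped in a condition needs a manual look.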

## Mapping / Routes

- [ ] `GET /lulz LulzController.java`
- [ ] `POST /admin/rofl AdminRoflController.java`

## Mapping / Authorization Decorators

- [ ] `authenticate_user`

## Mapping / Files

- [ ] `/config/environment.rb`

== Brakeman Report ==
87
88Application Path: /Users/jonathan.loe/source/owasp-training/PasswordPusher
89Rails Version: 4.2.11.1
90Brakeman Version: 4.7.1
91Scan Date: 2019-10-31 13:23:50 +1100
92Duration: 0.393581 seconds
93Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CookieSerialization, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, SprocketsPathTraversal, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing
94
95== Overview ==
96
97Controllers: 6
98Models: 3
99Templates: 21
100Errors: 0
101Security Warnings: 3
102
103== Warning Types ==
104
105Cross-Site Request Forgery: 1
106Cross-Site Scripting: 1
107Mass Assignment: 1
108
109== Warnings ==
110
111Confidence: Medium
112Category: Cross-Site Request Forgery
113Check: ForgerySetting
114Message: `protect_from_forgery` should be configured with `with: :exception`
115File: app/controllers/application_controller.rb
116
117Confidence: Medium
118Category: Cross-Site Scripting
119Check: RenderInline
120Message: Unescaped model attribute rendered inline
121Code: render(text => Password.new.errors, { :layout => false })
122File: app/controllers/commands_controller.rb
123Line: 73
124
125Confidence: Weak
126Category: Mass Assignment
127Check: ModelAttrAccessible
128Message: Potentially dangerous attribute available for mass assignment
129Code: :password_id
130File: app/models/view.rb