Part
0
setting up your environment
to complete this assignment you will need the git vcs

github actions python
3
and the django web framework

which you can install with pip install django

some additional tools that may be useful for this

Question

Part
0
: Setting up Your Environment
To complete this assignment, you will need the git VCS
,
GitHub Actions, python
3
and the Django web framework
(
which you can install with pip install django
)
.
Some additional tools that may be useful for this assignment
(
but are not necessary
)
are sqlite, burp suite, the python requests library, and the web development console of your favorite browser. If you are running a
*
NIX system, these tools should be preinstalled and
/
or available in your distribution's package manager. Like in the last assignment, we will not be checking for git best practices like writing good commit messages. However, we will be checking for signed commits since they are security relevant. Additionally, it is in your best interest to continue to follow git best practices.
When you are ready to begin the project, use the GitHub Classroom invitation to create your repository. You should also create a GitHub Actions YAML file, which you will use to test your program later.
After cloning your repository, be sure to generate the database that Django relies on
.
This can be done by running the commands:
python
3
manage.py makemigrations LegacySite
python
3
manage.py migrate
python
3
manage.py shell
-
c 'import import
_
dbs
'
Read through the models.py and views.py files
(
and the helper functions in extras.py
)
in the LegacySite folder to get a feel for what the website is doing and how. You can also try running the test server and interacting with the site by running the following command and browsing to
1
2
7
.
0
.
0
.
1
:
8
0
0
0
.
python
3
manage.py runserver
Part
1
: Auditing and Test Cases
For this part, your job will be to find some flaws in the program, and then create test cases that expose flaws in the program. You should write:
One attack, that exploits a XSS
(
cross
-
site scripting
)
vulnerability to call the javascript alert
(
"
hello
"
)
.
One attack that allows you to force another user to gift a gift card to your account without their knowledge.
One attack that allows you to obtain the salted password for a user given their username. The database contains a user named admin that you can use for testing the attack.
One attack that allows you to run arbitrary commands on the server.
A text file, bugs.txt explaining the bug triggered by each of your attacks and how to remediate each bug. This write
-
up should be stored in the root of the repository.
These attacks can take the form of a supplied URL, a gift card file, a web page, a javascript function, or some other method of attack. To create your attacks, you may want to look at the HTML source code of the templates and the code of each view, and find a way they can be exploited. Tools like burp suite can help in finding ways to attack the site, but are not required.
Please submit these attacks in a folder called part
1
in your git repository:
xss
.
txt: A URL starting with
/
foo
,
when visited in a browser, causes alert
(
"
hello
"
)
to be executed.
xsrf
.
html: An HTML page that, when opened in a browser, causes a gift card to be gifted to a user named test
2
by the currently logged
-
in user. This user is already created for you by default, and will have the password test
2
.
sqli.gftcrd: A gift card file
(
in JSON format
)
that, when uploaded to a vulnerable form on the site, that will retrieve the admin user's password hash.
cmdi.txt: A text file where the first line should be the vulnerable URL, and the remaining lines are of the form variable
=
value, representing a POST request that will execute the command touch pwned on the server. If successful, this will create an empty text file called pwned. For example, your file should look like:
/
foo
/
2
var
1
=
bar
var
2
=
baz
cmdi.gftcrd: a gift card file that is uploaded with your command injection request.
Fixes and Testing
Finally, fix the vulnerabilities that are exploited by your attacks, and verify that the attacks no longer succeed on your site. You are allowed to use Django plugins and other libraries to fix these vulnerabilities if necessary, but please add any new libraries you use to requirements.txt
.
To make sure that these bugs don't come up again as the code evolves, write some test cases for Django that verify that the vulnerability is no longer present. Then have GitHub Actions run these tests with each push.
Tests can be run using Django's built
-
in test infrastructure. Create your tests in LegacySite
/
tests
.
py and then run python manage.py test. You should be able to write all of your tests using the built
-
in Django test client
-
-
there's no need to use something like Selenium. This will also simplify your GitHub Actions testing, which can also just run python manage.py test.
You also do not need to carry out the actual attack in the test; you can check that your fix is working as intended. For example, when testing CSRF
,
it would be challenging to actually open the xsrf
.
html page and carry out the CSRF attack from inside the test case. Instead, you can mimic what the attack does by making

Natalie Cardenas · Answer

Setting Up Your Environment

To begin this assignment, you should ensure that the following software is installed and functioning correctly:

Git Version Control System (VCS): Required to clone and manage your repository.
GitHub Actions: This will be used to run tests automatically whenever you push changes to GitHub.
Python 3: You'll need this for Django and running your project.
Django Web Framework: Install it via pip with pip install django.

Optional (but helpful) tools:

SQLite: Useful for interacting with your Django database.
Burp Suite: A tool for finding vulnerabilities in web applications.
Python Requests Library: For making HTTP requests in Python. You can install it using pip install requests.
Web Development Console: Most browsers provide developer tools for inspecting web pages and testing JavaScript code.

Make sure you have a GitHub Classroom invitation to start your repository. Create a GitHub Actions YAML file to automate testing later on.

Initial Configuration

Clone the Repository: Use the URL provided by your GitHub Classroom invitation to create your repository.

Database Setup: After cloning, generate the Django database using these commands:

python3 manage.py makemigrations LegacySite
python3 manage.py migrate
python3 manage.py shell -c 'import import_dbs'

Review Code: Familiarize yourself with the models.py, views.py, and any helper functions in extras.py to understand how the site operates.
Run the Server for Testing: Initiate the Django test server to interact with the site:
```
python3 manage.py runserver
```
Navigate to 127.0.0.1:8000 in your browser to explore the running application.

Part 1: Auditing and Test Cases

Your task is to find security flaws in the application and create test cases that exploit these vulnerabilities. Write the following attacks/exploitation methods:

Cross-Site Scripting (XSS) Attack: Create a URL that triggers alert("hello").
Cross-Site Request Forgery (CSRF) Attack: Devise an HTML page that tricks a user into gifting a card without their knowledge.
SQL Injection Attack: Invent a method to retrieve an admin user's password hash.
Command Injection Attack: Allow arbitrary server-side command execution using an uploaded gift card file.

Deliverables

XSS: xss.txt containing the vulnerable URL.
CSRF: xsrf.html that executes the CSRF attack.
SQL Injection: sqli.gftcrd in JSON format for a gift card file.
Command Injection: Create cmdi.txt and cmdi.gftcrd files with specifications for injection.

Documenting and Fixing Vulnerabilities

Include a bugs.txt file detailing:

Exploited vulnerability.
Description of each attack method.
Suggestions for remediating each flaw.

Fix and Verify

Remediation: Address the identified vulnerabilities, potentially using additional libraries.
Testing: Utilize Django's testing framework to confirm vulnerabilities are fixed. Implement tests in LegacySite/tests.py.
Continuous Integration (CI): Configure GitHub Actions to automatically run these Django tests upon each code push.

Run the tests locally with:

python manage.py test

Key Testing Insights

For instance, instead of executing a CSRF attack, implement a test that simulates the specific unauthorized request triggered by the attack, ensuring that your fix prevents it. Ensure your CI pipeline reflects this by setting up the corresponding YAML configuration in GitHub Actions.

Finally, ensure all vulnerable areas are secured and that tests successfully prevent their exploitation while maintaining web functionality. This approach will result in a robust and secure application ready for real-world interaction.

Questions

Answers :

Your Answer

Reply as a guest

Try Now AI powered Content Automation