Upload New File

448c761a · Joonatan Ovaska · a9698217 · 448c761a
Commit 448c761a authored Jan 24, 2022 by Joonatan Ovaska
--- a/Week03_Assignment.md
+++ b/Week03_Assignment.md
+# Week03 assignment (total of 20 pts)
+
+Preparation:
+ * Update Wasdat. Example flow in `was-students-2022` directory:
+   * `docker-compose -f docker-compose-week2-special.yml down -v`	# removes volumes of the week2 special version of the Wasdat (test data you created will be removed)
+   * `git pull`
+   * `docker-compose up --force-recreate -d`
+
+ * Optional: If you want Broken Access Control challenges to be visible in score board, you need to start the container with "NODE_ENV=unsafe", e.g.
+   * `docker run --rm -p 3000:3000 --env "NODE_ENV=unsafe" bkimminich/juice-shop`
+   * Might also require you to reset progress data (save to file + restore if you want to keep it for yourself)
+
+## First part A5:2017-Broken Access Control (10 pts)
+
+Assignments (10 pts):
+ * [Other] Real Broken Access Control bugs (3 pts, 1 point each)
+   * Find and describe three published vulnerabilities that result from having Broken Access Control
+   * For each, include at least short description of the bug, potential impact and how it could be (or was) fixed
+ * [Issue report] **Target => Juice Shop**: View another user's shopping basket (3.5 pts)
+   * Task: https://pwning.owasp-juice.shop/part2/broken-access-control.html#view-another-users-shopping-basket
+     * Complete the challenge
+     * You may use the hacking Instructor that you can launch from the /#/score-board
+   * In your report:
+     * You don't need to document the preparation steps - focus on the exploit step and describing why it works
+     * As usual, refer to "Issue report" from Assignment instructions (don't forget mitigation section!)
+       * For mitigation tips, check https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
+	   * **Don't forgot impact estimation**
+ * [Issue report] **Target => Juice Shop**: Feedback in another users name (3.5 pts)
+   * Task: https://pwning.owasp-juice.shop/part2/broken-access-control.html#post-some-feedback-in-another-users-name
+     * Complete the challenge
+     * You may use the hacking Instructor that you can launch from the /#/score-board
+   * In your report:
+     * You don't need to document the preparation steps - focus on the exploit step and describing why it works
+     * As usual, refer to "Issue report" from Assignment instructions (don't forget mitigation section!)
+       * For mitigation tips, check https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
+	   * **Don't forgot impact estimation**
+
+## Second part  A8:2013-Cross-Site Request Forgery (5 pts)
+
+**CSRF assignments**
+
+* [Reading Report] RWBH Chapter 11: Cross-Site Request Forgery (pp. 29-40) (2 pts)
+   * Not all authentication methods could be used with CSRF attacks (like non-cookie JWTs), but the two presented in the book can. What are those? (1 point)
+   * Describe briefly how you can mitigate CSRF attacks (1 point)
+ * [Issue report] **Target => Juice Shop**: CSRF username (3 pts)
+   * Let's check CSRF in action after reading the chapter
+   * Task: https://pwning.owasp-juice.shop/part2/broken-access-control.html#change-the-name-of-a-user-by-performing-cross-site-request-forgery-from-another-origin
+     * Check template CSRF exploit for this, fill in the missing parts
+   * Looks like squarefree's editor is offline. You can use another web editor or serve your own HTML exploit file from current folder using:
+     * `python3 -mhttp.server`
+     * Score board won't recognize this, but challenge is complete when you can observe the username was changed
+   * In your report:
+     * Include the exploit you used
+     * You don't need to document the preparation steps
+     * As usual, refer to "Issue report" from Assignment instructions (don't forget mitigation section!)
+       * For mitigation tips, check https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
+	   * **Don't forgot impact estimation**
+
+## Third part A6:2017-Security Misconfigurations (5 pts)
+
+**Security misconfiguration assignments**
+
+* [Reading] RWBH Chapter 18: Application Logic and Configuration Vulnerabilities (pp. 177-190)
+
+* [Issue report] **Target => WasDat**: security misconfigurations (5 points)
+
+Introduction
+
+Based on the chapter 18 and [OWASP A6 Security Misconfiguration](https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguratio) recall what type of misconfigurations and logic errors you have encountered (**but preferably not reported**) in WasDat application in past weeks. You can also perform manual search or use web application scanners such as ZAP or Nikto to hunt configuration mistakes and logic errors. Remember to use tools results only to support your findings, not as entire answer. After all, scanning tools might provide useful information, but you must always verify results they produce manually for false positives. Remember also to add the commands you have used to the report.
+
+If you decide to use issue(s) you have already reported you must also complete two (2) [Security Misconfiguration challenges](https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html) from Juice Shop. Prove with screenshots. Remember also that you cannot just copy paste earlier issue reports, you must review it and rewrite it.
+
+Include to the report
+
+Select the two (2) most obvious and high impact misconfigurations or logic errors to you and inspect them more thoroughly. Then, answer to the following questions:
+
+1) What kind of configuration/logic error is in question? How it can be reproduced? Support your text with relevant screenshots from the application and tools. (0,5 points / report)
+2) What kind of configuration change would be required to mitigate the problem you have found? (1 points / report)
+3) Estimate level of impact. Furthermore, consider how the information or weakness the error exposes can be used for bad purposes or exploited. (1 points / report)
+
+* [Examples]
+
+Title: Application X exposes deprecated login page  
+Description: Application X exposes deprecated login page if parameter `/login?oldLogin=True` is set. This indicates that application's code base contains parts of obsolete code that should be reviewed and removed.  
+
+Steps to produce:  
+  - Browse `https://applicationx.com/login?oldLogin=True`  
+  - See the screenshot  
+
+Mitigation:  
+  - Review the code base and remove obsolete parts if there is no valid reason to keep the old functionality available
+  - See: [CWE-448: Obsolete Feature in UI](https://cwe.mitre.org/data/definitions/448.html)
+  - Further reading: https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
+  
+Impact estimation: 
+
+Medium severity. Applications exposing obsolete login pages has been exploited to gain unprivileged access to applications. See: "Article describing how deprecated login pages has been used to gain non-privileged access to applications".
+
+---
+
+Title: Application X does not handle errors properly  
+Description: Application X does not handle errors properly leaking information about the system application is run on  
+
+Steps to produce:  
+  - `curl https://applicationx.com/login?oldLogin=False`  
+  - See the screenshot  
+
+Mitigation:  
+  - Review the code base from obsolete functionality and if possible remove obsolete code
+  - Review the code base for bad error handling and ensure that the application handles malformed user inputs, parameters, etc. gracefully. Fuzz test the application to support your review work.
+  - See: [CWE-448: Obsolete Feature in UI](https://cwe.mitre.org/data/definitions/448.html)
+  - See: [CWE-209: Generation of Error Message Containing Sensitive Information](https://cwe.mitre.org/data/definitions/209.html)
+
+Impact estimation: 
+
+Medium severity. Application leaks sensitive information about the underlying system. This information enlarges the attack surface giving opportunity to search valid vulnerabilities and exploits for the system. In worst scenario, if attacker has foothold on system attacker can perform privilege escalation compromising the whole system.