Commit a9698217 authored by Joonatan Ovaska's avatar Joonatan Ovaska

Update Assignment_instructions.md

parent e5f8d891
......@@ -97,10 +97,13 @@ Imaginary system target.app is used in example reports.
* Steps to produce:
* ```curl -X POST https://target.app.com/admin/settings --data "site_title=foobar"``` (good: concrete command that does the job. easy to replicate)
* Observe the site's title has changed to "foobar"
* Impact estimation:
* High severity. In worst case scenario attacker can takeover the application. Potential total compromise of application.
* Mitigation:
* Modify settings endpoint to check for authentication&authorization properly
* See: https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html (good: it's good to be able to provide a link or links that provide more information and guidance)
* See: https://imaginary-web-framework-targetapp-is-made-with.com/docs/best-practices/authorization (excellent: if you are able, it's great to refer to guidance that is most relevant to target application)
## Example: Issue report (too few details, misses key points)
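Review bot: The "good" reproduction step omits the precondition that makes this a finding: the curl command is shown without any session cookie or credentials, but the text never says the request is sent unauthenticated, so a reader cannot tell whether the bug is missing authentication or missing authorization. Suggest adding a short note such as "Request sent with no session cookie (unauthenticated); server responds 200 and applies the change" before the "Observe the site's title has changed" line, since the example is meant to model what a replicable report looks like. Minor: "authentication&authorization" in the mitigation line should be spaced as "authentication & authorization" (or "authentication and authorization").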
......@@ -109,6 +112,8 @@ Imaginary system target.app is used in example reports.
* Steps to produce:
* Use curl to change settings (bad: not enough information to replicate the finding)
* (bad: no steps for verification. reader still unsure what was possible)
* Impact estimation:
* High severity. In worst case scenario attacker can takeover the application. Potential total compromise of application.
* Mitigation:
* Fix the settings page (bad: the description is too vague for the reader to guess what should be fixed!)
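Review bot: The "Impact estimation" line in this "too few details" example is copied verbatim from the good example and carries no "(bad: ...)" annotation, so the example implies that a severity claim can stand on its own even when the reproduction steps above it show nothing. Suggest annotating it, e.g. "(bad: severity is asserted but nothing in the steps above backs it up; impact must follow from what was actually demonstrated)", so the example is consistent with the annotations on the other sections.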
......@@ -125,6 +130,8 @@ Imaginary system target.app is used in example reports.
* [a legendary tale containing dragons describing the hard-fought victory you had when setting up current VirtualBox Guest Additions for legacy FreeBSD from 2009. copy-paste works now!]
* ```curl -X POST https://target.app.com/admin/settings -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: text/plain' -H 'Referer: https://target.app.com/' [plus 1000 characters of other non-interesting headers] --data "site_title=foobar"```
* Observe the site's title has changed to "foobar" [using some method that is way trickier than just opening a browser window, consisting of e.g. self-aware bots you have built]
* Impact estimation:
* High severity. In worst case scenario attacker can takeover the application. Potential total compromise of application.
* Mitigation:
* [50 pages long study with references about history, importance and current status of authorization support in modern web frameworks which is passable as a bachelor's thesis] (bad: ask for help) (badv2: misses the point: auth system was not used but probably was available, as other site was deemed fine)
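Review bot: The closing annotation "(badv2: misses the point: auth system was not used but probably was available, as other site was deemed fine)" is hard to follow: "badv2" breaks the "(good: ...)" / "(bad: ...)" labelling used everywhere else, and "other site" is ambiguous (presumably the other parts of the same site that were found to enforce authorization). Suggest two "(bad: ...)" notes, for example "(bad: ask for help)" and "(bad: misses the point: the framework's authorization support was apparently available, since other parts of the site enforced it, so the fix is to apply it to this endpoint, not to survey the field)". Also "which is passable as a bachelor's thesis" reads better as "that would pass as a bachelor's thesis".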