The project aims to enhance the security of the Christmas Gift Shop application.
Tasks include utilizing static analysis tools for vulnerability assessment, addressing SQL injection and Cross-site Scripting vulnerabilities,
implementing protection against Cross-site Request Forgery attacks, establishing some role-based authorization mechanisms,
and integrating DevOps practices such as exception handling, logging, and auditing.
Through these measures, the project seeks to fortify the application against potential security threats while promoting best practices in software security and development.
Explore the project »
Report Bug
·
Request Feature
Table of Contents
The project focuses on enhancing the security aspects of the Christmas Gift Shop application, which facilitates gift browsing, rating, and purchasing functionalities. The application allows users to view, search, add, and review gifts, as well as manage user profiles.
Application user interface
Login page
View and search gifts
Page to add a new gift
Details about a gift as well as comments and rating
Users overview
Details about a user
The first part of the projects requires us to utilize SonarQube, a static analysis tool, to generate a comprehensive report identifying vulnerabilities and security hotspots within the project codebase. The report is attached to the project.
The second part of the project requires us to investigate potential XSS and SQL injection vulnerabilities in the comment form of the Gift Details page. We need to mitigate these vulnerabilities and document attack and defense strategies.
SQLi and XSS attacks demonstration
Entering malicious query in the gift comment section
As a result, a new user has been added into the database, with one of the attributes being an XSS script.
The XSS script is triggered during user search.
SQLi and XSS attacks mitigation
Mitigating attacks involves employing a parameterized query (PreparedStatement) within the CommentRepository class, alongside sanitizing input fields for comments through the introduction of the th:text attribute. Additionally, utilizing textContent instead of innerHTML in relevant sections of the persons.html page is crucial to prevent XSS attacks.
It is required next to demonstrate a CSRF attack by altering personal data of a user through a crafted script. Then we have to implement CSRF protection using tokens and document both the attack and defense mechanisms.
CSRF attack demonstration
Launching the attacker server on port 3000 ('npm start' command in the 'csrf-exploit' folder)
Clicking on the trophy image triggers a CSRF attack, resulting in a successful HTTP request
User with id equal to 1 has modified values for the 'First Name' and 'Last Name' attributes as a result of the successful attack
CSRF attack mitigation
It is necessary to implement a mechanism for generating a CSRF token at the session level and embedding it into User Details HTML page, thereby rejecting unauthorized HTTP requests from the attacker server as they lack the required token.
The project requires us to implement permission matrix as defined in the permissions/roles table (in the project specification). Then we have to assign roles to users accordingly and ensure proper database configurations.
Creating new roles and associating them with specific users, as well as introducing new permissions, is done in the 'data.sql' file, where the corresponding relationships are inserted into the appropriate tables.
Subsequently, individual permissions are resolved on the frontend by hiding corresponding UI elements for users without permission, or on the backend through appropriate annotations and logical checks during the execution of relevant endpoints.
It is required to implement exception handling and logging mechanisms throughout the application, focusing on the relevance and categorization of log messages. Then it is necessary to Introduce auditing functionalities to track user actions and ensure the non-repudiation of user actions.
Exception handling is resolved by creating catch branches at appropriate locations, where logging and auditing are performed depending on the operation that triggers the respective exception. Logging and auditing are also carried out in other relevant parts of the code.
To get a local copy up and running follow these simple steps. Setup:
- Clone the repository:
git clone https://github.com/jovan-vukic/secure-gift-shop-app.git
- Build and run the program using your preferred IDE.
Contributions are what makes the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Distributed under the MIT License. See LICENSE for more information.
Jovan - @jovan-vukic
Project Link: https://github.com/jovan-vukic/secure-gift-shop-app
This project was done as part of the course 'Secure Software Development' (13M111RBS) at the University of Belgrade, Faculty of Electrical Engineering.
Used resources:
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent