Assignment 1 - Vulnerable App


This assignment will focus on the existence of vulnerabilities in software projects, and their avoidance. The objective is for students to develop a small application with a simple and clear purpose. An online shop, a forum, a wiki, or a RESTful service are good examples of what is expected. The application should provide its function without errors, without inconsistent behaviour, and without pages/sections/fragments that do not fit the purpose of the application.

However, this application should also suffer from a specific set of weaknesses, which are not obvious to the casual user, but may be used to compromise the application, or the system.

Students should provide both a flawed and a correct version of the application, together with a report demonstrating the vulnerabilities implemented. Six vulnerabilities should be implemented.

For all vulnerabilities:

  • The CWE must be identified;
  • The implementation must follow the logic and purpose of the application (not special pages just for the vulnerability);
  • The vulnerability must be visible to an attacker (an attacker must be able to detect it);
  • Students should be able to demonstrate the vulnerability (prove that it exists);

A bonus of 10% can be provided if the vulnerability is subtle (needs a careful analysis) and can be attributed to a bug (the developer can repudiate having authored the vulnerability on purpose).

It is expected that a user can fully understand the purpose of the application, and use it. The implementation can be simple and some functions may be missing (e.g. if it is a book store, the back-end can be omitted). After reading the report, a reader should be able to understand the application, the vulnerabilities, how they are exploited and their impact, and how they can be avoided.

The project is expected to be implemented by a group of 3 students, and MUST reside in a private repository in the github/detiuaveiro organization, using the Github Classroom functionality (this is mandatory).

The application must be developed as a Docker container, because the next assignment will require all projects to be instantiated.

Project delivery

Delivery should consist of a repository with at least three folders and a file:

  • app: contains the insecure application with related Docker files (docker-compose can be used);
  • app_fixed: contains the secure application with related Docker files;
  • analysis: contains scripts/textual descriptions/logs/screen captures demonstrating the exploitation of each vulnerability and the fixes implemented;
  • the file: contains the project description, the authors, and the vulnerabilities implemented;

Projects will be graded according to the implementation and exploitation of the vulnerabilities, the CWE Score of all vulnerabilities, and the documentation produced.

This project is expected to be authored by the students enrolled in the course. The use of existing code snippets, applications, or any other external functional element without proper acknowledgement is strictly forbidden. Themes and python/php/javascript libraries can be used, as long as the vulnerabilities are created by the students. If any content lacking proper acknowledgment is found in other sources, the current rules regarding plagiarism will be followed.