Description
This work focuses on the presence of vulnerabilities from the perspective of developers. It is the twin of Assignment 4. The objective is for students to take an existing application and add carefully designed vulnerabilities to it, while following some rules, and with a competitive flavor.
The Rules:
- Students should enroll in the GitHub Classroom assignment provided by the faculty.
- The repository will include a target application which will be the focus of the developments.
- Students should add new vulnerabilities to the application while keeping the application's normal function. The application should not immediately break or crash when the vulnerability is added.
- At least one new vulnerability should be added every three weeks (Oct 11, Nov 01, Nov 22, Dec 06).
- When adding a new vulnerability, the reasoning behind the vulnerability, the exploit proof of concept and writeup should also be added.
- The application shall expose a resource named `/security` providing a list of tuples indicating the vulnerabilities present. One example would be `20241009 - Information Leakage`, which will indicate that there is at least one vulnerability of this type.
One vulnerability from each of at least 6 of the following categories should be added:
- Information Leakage
- Cross Site Scripting
- Server Side Template Injection
- SQL Injection
- Cryptographic failure
- Server-Side Request Forgery with Sensitive Data Exposure
- Identification and Authentication Failures
- Buffer overflow or printf vulnerability
A dedicated virtual machine will be used to host the repositories and make them available to other students.
This assignment should be done by groups of 4 students.
Grading
Development shall be made through the GitHub Classroom repository.
Each repository should have a folder named `app` with the vulnerable application, and a folder named `poc` with the proof of concept (a README.MD, the poc and other files and images). The `app` folder shall have two main files, named `manage.py` and `requirements.txt`, which will be used to start the application inside a container.
Grading will consider the following:
- The number of hours that the application is running.
- The implementation of the vulnerabilities on time.
- The detail in the PoCs and writeups.
- How many times the vulnerabilities were found by other students.
Notes
It is very important that, at the end of the day, the code is running. We strongly recommend the use of a development branch for the execution of the work, committing the changes to the main branch when a vulnerability is implemented. This way, the code in the main branch will always be running.