From 9d7c9696a4b1b362d670e8e5c24032994b48cfa8 Mon Sep 17 00:00:00 2001 From: lee Date: Thu, 5 Mar 2020 15:08:36 +0000 Subject: [PATCH] some corrections --- subjects/forum/forum-security.audit.en.md | 11 +++++++---- subjects/forum/forum-security.en.md | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index 0f58d6c95..c4f7922c1 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md @@ -5,7 +5,8 @@ ###### Is the Go TLS structure well configured? -###### Is the database encrypt? +##### Try to access the database. +###### Does the database present a password for protection? ##### Try creating a user. Go to the database using the command `"sqlite3 "` and run `"SELECT * FROM ;"` to select all users. ###### Are the passwords encrypted? @@ -13,13 +14,15 @@ ##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). ###### Does the session cookie present a unique identifier? +###### Can you configure the certificates information, either via env or config file? + +###### Are the allowed packages being respected? + #### General ###### +Does the project implement their own certificates for the HTTPS protocol? -###### +Does the project implement UUI(Universal Unique Identifier) for the user session? - -###### +Does the project implement [environment variables](https://en.wikipedia.org/wiki/Environment_variable) (.env file), for the TLS certificates? +###### +Does the project implement UUID(Universal Unique Identifier) for the user session? #### Basic diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index ebcb1cd31..a03a346b3 100644 --- a/subjects/forum/forum-security.en.md 
+++ b/subjects/forum/forum-security.en.md @@ -11,7 +11,7 @@ For this project you must take into account the security of your forum. - You should encrypt : - Clients passwords - - Database + - Database, for this will have to create a password for your database and encrypt the communication channel. - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. This project will help you learn about : @@ -21,12 +21,12 @@ This project will help you learn about : - Database - password - session/cookies - - Universal Unique Identifier (UUI) + - Universal Unique Identifier (UUID) ### Hints - You can take a look at the `openssl` manual. -- For the session cookies you can take a look at the [Universal Unique Identifier (UUI)](https://en.wikipedia.org/wiki/Universally_unique_identifier) +- For the session cookies you can take a look at the [Universal Unique Identifier (UUID)](https://en.wikipedia.org/wiki/Universally_unique_identifier) ### Instructions @@ -40,3 +40,5 @@ This project will help you learn about : - All [standard go](https://golang.org/pkg/) packages are allowed. - golang.org/x/crypto/bcrypt - github.com/satori/go.uuid +- github.com/mattn/go-sqlite3 +- golang.org/x/crypto/acme/autocert
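Review bot: in the first hunk of forum-security.audit.en.md, the new `##### Try to access the database.` step gives the auditor no command or success criterion, unlike the next item which spells out the `sqlite3` and `SELECT` steps, and `###### Does the database present a password for protection?` is ambiguous about what is being verified. Suggest a concrete check such as `Is the database protected by a password (can it be opened without credentials)?`, and reconsider dropping the encryption question, since forum-security.en.md in the same patch still lists the database under `You should encrypt`.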
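Review bot: in the second hunk of forum-security.audit.en.md, `###### Can you configure the certificates information, either via env or config file?` needs a grammar fix (`certificate information`, `an environment variable or a config file`), and together with `###### Are the allowed packages being respected?` it is inserted among the session-cookie checks rather than under `#### General`, where the other TLS and UUID questions live; suggest moving both there. The removed `.env` question was the only one that said how the certificates should be configured, so the replacement should state what counts as passing (certificate paths or contents supplied via environment or config file, not hard-coded in the source).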
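Review bot: in the first hunk of forum-security.en.md, `- Database, for this will have to create a password for your database and encrypt the communication channel.` is missing its subject (`for this you will have to`). It also bundles two distinct controls, a password on the database and encryption of the channel to it; since the same patch adds `github.com/mattn/go-sqlite3`, an embedded file database opened through the filesystem with no network channel, say which control the project actually expects and how it is checked, otherwise this requirement and the audit line `Does the database present a password for protection?` will not match.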
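Review bot: the UUI to UUID correction in the second hunk of forum-security.en.md is right, but the bullet and the hint still expand it as `Universal Unique Identifier` while the linked page is titled `Universally unique identifier`; suggest using the standard expansion consistently, including the audit question `Does the project implement UUID(Universal Unique Identifier)` in the first file (with a space before the parenthesis).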
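Review bot: in the last hunk of forum-security.en.md, allowing `golang.org/x/crypto/acme/autocert` changes what the audit question `Does the project implement their own certificates for the HTTPS protocol?` means, because autocert obtains certificates from an ACME CA over the network and needs a publicly resolvable hostname with a reachable HTTPS port, which a locally run forum project usually does not have. Suggest stating in the instructions that either a self-signed certificate generated with `openssl` (already mentioned in the hints) or an autocert-provisioned one is acceptable, and noting that `github.com/mattn/go-sqlite3` needs cgo (a C toolchain) to build, which affects how the project is run during the audit.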