From fef99ec3926ee2889495aff30174bdc6631c22be Mon Sep 17 00:00:00 2001 From: lee Date: Wed, 4 Mar 2020 18:02:08 +0000 Subject: [PATCH] forum security --- subjects/forum/forum-security.audit.en.md | 38 ++++++++++++++++++++ subjects/forum/forum-security.en.md | 42 +++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 subjects/forum/forum-security.audit.en.md create mode 100644 subjects/forum/forum-security.en.md diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md new file mode 100644 index 000000000..0f58d6c95 --- /dev/null +++ b/subjects/forum/forum-security.audit.en.md @@ -0,0 +1,38 @@ +#### Functional + +##### Try opening the forum. +###### Does the URL contain HTTPS? + +###### Is the Go TLS structure well configured? + +###### Is the database encrypt? + +##### Try creating a user. Go to the database using the command `"sqlite3 "` and run `"SELECT * FROM ;"` to select all users. +###### Are the passwords encrypted? + +##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). +###### Does the session cookie present a unique identifier? + +#### General + +###### +Does the project implement their own certificates for the HTTPS protocol? + +###### +Does the project implement UUI(Universal Unique Identifier) for the user session? + +###### +Does the project implement [environment variables](https://en.wikipedia.org/wiki/Environment_variable) (.env file), for the TLS certificates? + +#### Basic + +###### +Does the project runs quickly and effectively? (no unnecessary data requests, etc) + +###### +Does the code obey the [good practices](https://public.01-edu.org/subjects/good-practices.en)? + +###### +Is there a test file for this code? + +#### Social + +###### +Did you learn anything from this project? + +###### +Can it be open-sourced / be used for other sources? + +###### +Would you recommend/nominate this program as an example for the rest of the school? diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md new file mode 100644 index 000000000..ebcb1cd31 --- /dev/null +++ b/subjects/forum/forum-security.en.md @@ -0,0 +1,42 @@ +## forum-security + +### Objectives + +You must follow the same [principles](https://public.01-edu.org/subjects/forum/forum.en) as the first subject. + +For this project you must take into account the security of your forum. + +- You should implement a Hypertext Transfer Protocol Secure ([HTTPS](https://www.globalsign.com/en/blog/the-difference-between-http-and-https)) protocol : + - Encrypted connection : for this you will have to generate an SSL certificate, you can think of this like a identity card for your website. You can create your certificates or use "Certificate Authorities"(CA's) + +- You should encrypt : + - Clients passwords + - Database + - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. + +This project will help you learn about : + +- HTTPS +- Encryption + - Database + - password + - session/cookies + - Universal Unique Identifier (UUI) + +### Hints + +- You can take a look at the `openssl` manual. +- For the session cookies you can take a look at the [Universal Unique Identifier (UUI)](https://en.wikipedia.org/wiki/Universally_unique_identifier) + +### Instructions + +- You must handle website errors, HTTPS status. +- You must handle all sort of technical errors. +- The code must respect the [**good practices**](https://public.01-edu.org/subjects/good-practices.en). +- It is recommend that the code should present a **test file**. + +### Allowed packages + +- All [standard go](https://golang.org/pkg/) packages are allowed. +- golang.org/x/crypto/bcrypt +- github.com/satori/go.uuid