Merge pull request #487 from 01-edu/forum-security

forum security
content-update
LEEDASILVA 4 years ago committed by GitHub
commit 4e3f1dc549
- subjects/forum/forum-security.audit.en.md (+51 lines)
- subjects/forum/forum-security.en.md (+51 lines)

subjects/forum/forum-security.audit.en.md (+51 lines)

@ -0,0 +1,51 @@
#### Functional
##### Try opening the forum.
###### Does the URL contain HTTPS?
###### Is the project implementing [cipher suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml)?
###### Is the Go TLS structure well configured?
###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)?
###### Does the project implement [Rate limiting](https://en.wikipedia.org/wiki/Rate_limiting) (avoiding [DoS attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack))?
##### Try to access the database.
###### Does the database present a password for protection?
##### Try creating a user. Go to the database using the command `"sqlite3 <database-name>"` and run `"SELECT * FROM <user-table>;"` to select all users.
###### Are the passwords encrypted?
##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)).
###### Does the session cookie present a UUID(Universal Unique Identifier)?
###### Does the project present a way to configure the certificates information, either via .env or config files or another method?
###### Are only the allowed packages being used?
#### General
###### +Does the project implement their own certificates for the HTTPS protocol?
###### +Does the project implement UUID(Universal Unique Identifier) for the user session?
#### Basic
###### +Does the project runs quickly and effectively? (no unnecessary data requests, etc)
###### +Does the code obey the [good practices](https://public.01-edu.org/subjects/good-practices.en)?
###### +Is there a test file for this code?
#### Social
###### +Did you learn anything from this project?
###### +Can it be open-sourced / be used for other sources?
###### +Would you recommend/nominate this program as an example for the rest of the school?
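Review bot: "Are the passwords encrypted?" (the question under the "Try creating a user" step) asks the auditor to check for the wrong primitive: passwords stored in the user table should be hashed with a slow, salted password hash, not encrypted, and golang.org/x/crypto/bcrypt is already the package the subject allows for this. Suggest rewording to "Are the passwords stored as bcrypt hashes (no plaintext or reversible encryption visible in `SELECT * FROM <user-table>;`)?". Two further questions give the auditor no checkable criterion: "Is the Go TLS structure well configured?" should name what to look for (for example that `tls.Config` sets `MinVersion` and an explicit `CipherSuites` list, which is what the preceding cipher-suite question implies), and "Does the database present a password for protection?" should state what mechanism is expected, since an unencrypted SQLite file opened with `sqlite3 <database-name>` will not prompt for one.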

subjects/forum/forum-security.en.md (+51 lines)

@ -0,0 +1,51 @@
## forum-security
### Objectives
You must follow the same [principles](https://public.01-edu.org/subjects/forum/forum.en) as the first subject.
For this project you must take into account the security of your forum.
- You should implement a Hypertext Transfer Protocol Secure ([HTTPS](https://www.globalsign.com/en/blog/the-difference-between-http-and-https)) protocol :
- Encrypted connection : for this you will have to generate an SSL certificate, you can think of this like a identity card for your website. You can create your certificates or use "Certificate Authorities"(CA's)
- Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state.
- The implementation of [Rate Limiting](https://en.wikipedia.org/wiki/Rate_limiting) must be present on this project
- You should encrypt :
- Clients passwords
- Database, for this you will have to create a password for your database.
This project will help you learn about :
- HTTPS
- [Cipher suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml)
- Goroutines
- Channels
- Rate Limiting
- Encryption
- password
- session/cookies
- Universal Unique Identifier (UUID)
### Hints
- You can take a look at the `openssl` manual.
- For the session cookies you can take a look at the [Universal Unique Identifier (UUID)](https://en.wikipedia.org/wiki/Universally_unique_identifier)
### Instructions
- You must handle website errors, HTTPS status.
- You must handle all sort of technical errors.
- The code must respect the [**good practices**](https://public.01-edu.org/subjects/good-practices.en).
- It is recommended that the code should present a **test file**.
### Allowed packages
- All [standard go](https://golang.org/pkg/) packages are allowed.
- golang.org/x/crypto/bcrypt
- github.com/satori/go.uuid
- github.com/mattn/go-sqlite3
- golang.org/x/crypto/acme/autocert
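Review bot: the "You should encrypt:" list puts "Clients passwords" under encryption, which contradicts the allowed package golang.org/x/crypto/bcrypt further down; passwords must be hashed (bcrypt), never stored in plaintext or reversibly encrypted, so suggest "You should hash client passwords with bcrypt" as its own bullet and keep only the database item under "encrypt". Two smaller wording points in the same hunk: "generate an SSL certificate" should read "TLS certificate" to match the HTTPS and cipher-suite wording of the Objectives, and "You must handle website errors, HTTPS status." presumably means HTTP status codes (4xx/5xx responses), which is what the first forum subject's error-handling requirement refers to; spelling that out avoids students reading it as a TLS requirement.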