From fef99ec3926ee2889495aff30174bdc6631c22be Mon Sep 17 00:00:00 2001 From: lee Date: Wed, 4 Mar 2020 18:02:08 +0000 Subject: [PATCH 1/7] forum security --- subjects/forum/forum-security.audit.en.md | 38 ++++++++++++++++++++ subjects/forum/forum-security.en.md | 42 +++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 subjects/forum/forum-security.audit.en.md create mode 100644 subjects/forum/forum-security.en.md diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md new file mode 100644 index 00000000..0f58d6c9 --- /dev/null +++ b/subjects/forum/forum-security.audit.en.md 
@@ -0,0 +1,38 @@ +#### Functional + +##### Try opening the forum. +###### Does the URL contain HTTPS? + +###### Is the Go TLS structure well configured? + +###### Is the database encrypt? + +##### Try creating a user. Go to the database using the command `"sqlite3 "` and run `"SELECT * FROM ;"` to select all users. +###### Are the passwords encrypted? + +##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). +###### Does the session cookie present a unique identifier? + +#### General + +###### +Does the project implement their own certificates for the HTTPS protocol? + +###### +Does the project implement UUI(Universal Unique Identifier) for the user session? + +###### +Does the project implement [environment variables](https://en.wikipedia.org/wiki/Environment_variable) (.env file), for the TLS certificates? + +#### Basic + +###### +Does the project runs quickly and effectively? (no unnecessary data requests, etc) + +###### +Does the code obey the [good practices](https://public.01-edu.org/subjects/good-practices.en)? + +###### +Is there a test file for this code? + +#### Social + +###### +Did you learn anything from this project? + +###### +Can it be open-sourced / be used for other sources? + +###### +Would you recommend/nominate this program as an example for the rest of the school? diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md new file mode 100644 index 00000000..ebcb1cd3 --- /dev/null +++ b/subjects/forum/forum-security.en.md 
@@ -0,0 +1,42 @@ +## forum-security + +### Objectives + +You must follow the same [principles](https://public.01-edu.org/subjects/forum/forum.en) as the first subject. + +For this project you must take into account the security of your forum. + +- You should implement a Hypertext Transfer Protocol Secure ([HTTPS](https://www.globalsign.com/en/blog/the-difference-between-http-and-https)) protocol : + - Encrypted connection : for this you will have to generate an SSL certificate, you can think of this like a identity card for your website. You can create your certificates or use "Certificate Authorities"(CA's) + +- You should encrypt : + - Clients passwords + - Database + - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. + +This project will help you learn about : + +- HTTPS +- Encryption + - Database + - password + - session/cookies + - Universal Unique Identifier (UUI) + +### Hints + +- You can take a look at the `openssl` manual. +- For the session cookies you can take a look at the [Universal Unique Identifier (UUI)](https://en.wikipedia.org/wiki/Universally_unique_identifier) + +### Instructions + +- You must handle website errors, HTTPS status. +- You must handle all sort of technical errors. +- The code must respect the [**good practices**](https://public.01-edu.org/subjects/good-practices.en). +- It is recommend that the code should present a **test file**. + +### Allowed packages + +- All [standard go](https://golang.org/pkg/) packages are allowed. +- golang.org/x/crypto/bcrypt +- github.com/satori/go.uuid From 9d7c9696a4b1b362d670e8e5c24032994b48cfa8 Mon Sep 17 00:00:00 2001 
From: lee Date: Thu, 5 Mar 2020 15:08:36 +0000 Subject: [PATCH 2/7] some corrections --- subjects/forum/forum-security.audit.en.md | 11 +++++++---- subjects/forum/forum-security.en.md | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index 0f58d6c9..c4f7922c 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md @@ -5,7 +5,8 @@ ###### Is the Go TLS structure well configured? -###### Is the database encrypt? +##### Try to access the database. +###### Does the database present a password for protection? ##### Try creating a user. Go to the database using the command `"sqlite3 "` and run `"SELECT * FROM ;"` to select all users. ###### Are the passwords encrypted? @@ -13,13 +14,15 @@ ##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). ###### Does the session cookie present a unique identifier? +###### Can you configure the certificates information, either via env or config file? + +###### Are the allowed packages being respected? + #### General ###### +Does the project implement their own certificates for the HTTPS protocol? -###### +Does the project implement UUI(Universal Unique Identifier) for the user session? - -###### +Does the project implement [environment variables](https://en.wikipedia.org/wiki/Environment_variable) (.env file), for the TLS certificates? +###### +Does the project implement UUID(Universal Unique Identifier) for the user session? #### Basic diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index ebcb1cd3..a03a346b 100644 --- a/subjects/forum/forum-security.en.md +++ b/subjects/forum/forum-security.en.md 
@@ -11,7 +11,7 @@ For this project you must take into account the security of your forum. - You should encrypt : - Clients passwords - - Database + - Database, for this will have to create a password for your database and encrypt the communication channel. - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. This project will help you learn about : @@ -21,12 +21,12 @@ This project will help you learn about : - Database - password - session/cookies - - Universal Unique Identifier (UUI) + - Universal Unique Identifier (UUID) ### Hints - You can take a look at the `openssl` manual. -- For the session cookies you can take a look at the [Universal Unique Identifier (UUI)](https://en.wikipedia.org/wiki/Universally_unique_identifier) +- For the session cookies you can take a look at the [Universal Unique Identifier (UUID)](https://en.wikipedia.org/wiki/Universally_unique_identifier) ### Instructions @@ -40,3 +40,5 @@ This project will help you learn about : - All [standard go](https://golang.org/pkg/) packages are allowed. - golang.org/x/crypto/bcrypt - github.com/satori/go.uuid +- github.com/mattn/go-sqlite3 +- golang.org/x/crypto/acme/autocert From 8c1eb1e15ddfaf6e36ba70c094674a7e0042e607 Mon Sep 17 00:00:00 2001 From: lee Date: Thu, 5 Mar 2020 22:38:20 +0000 Subject: [PATCH 3/7] corrections and adding cipher suites questions --- subjects/forum/forum-security.audit.en.md | 10 +++++++++- subjects/forum/forum-security.en.md | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index c4f7922c..bd1639c4 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md 
@@ -1,20 +1,28 @@ #### Functional ##### Try opening the forum. + ###### Does the URL contain HTTPS? +###### Is the project implementing [cipher suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml)? + ###### Is the Go TLS structure well configured? +###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)? (enabling attackers to take their time) + ##### Try to access the database. + ###### Does the database present a password for protection? ##### Try creating a user. Go to the database using the command `"sqlite3 "` and run `"SELECT * FROM ;"` to select all users. + ###### Are the passwords encrypted? ##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). + ###### Does the session cookie present a unique identifier? -###### Can you configure the certificates information, either via env or config file? +###### Does the project present a way to configure the certificates information, either via .env or config files or other method? ###### Are the allowed packages being respected? diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index a03a346b..b6fc8487 100644 --- a/subjects/forum/forum-security.en.md +++ b/subjects/forum/forum-security.en.md @@ -17,8 +17,8 @@ For this project you must take into account the security of your forum. This project will help you learn about : - HTTPS +- [Cipher suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml) - Encryption - - Database - password - session/cookies - Universal Unique Identifier (UUID) From 5cb03c40ea56bd20ac7df3e4d7dde4fd19365f8d Mon Sep 17 00:00:00 2001 
From: lee Date: Fri, 6 Mar 2020 11:42:56 +0000 Subject: [PATCH 4/7] adding rate limiting --- subjects/forum/forum-security.audit.en.md | 2 ++ subjects/forum/forum-security.en.md | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index bd1639c4..e29e5a07 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md @@ -10,6 +10,8 @@ ###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)? (enabling attackers to take their time) +###### Does the project implement [Rate limiting](https://en.wikipedia.org/wiki/Rate_limiting) (avoiding [DoS attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack))? + ##### Try to access the database. ###### Does the database present a password for protection? diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index b6fc8487..2e54d6fb 100644 --- a/subjects/forum/forum-security.en.md +++ b/subjects/forum/forum-security.en.md @@ -14,10 +14,15 @@ For this project you must take into account the security of your forum. - Database, for this will have to create a password for your database and encrypt the communication channel. - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. +- The implementation of [Rate Limiting](https://en.wikipedia.org/wiki/Rate_limiting) must be present on this project + This project will help you learn about : - HTTPS - [Cipher suites](https://www.iana.org/assignments/tls-parameters/tls-parameters.xml) +- Goroutines +- Channels +- Rate Limiting - Encryption - password - session/cookies From e6b66e5b77c548bbb19f0231b91d02510b6c1883 Mon Sep 17 00:00:00 2001 
From: lee Date: Mon, 16 Mar 2020 12:09:36 +0000 Subject: [PATCH 5/7] removing somethings --- subjects/forum/forum-security.audit.en.md | 4 ++-- subjects/forum/forum-security.en.md | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index e29e5a07..ed3cb558 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md @@ -8,7 +8,7 @@ ###### Is the Go TLS structure well configured? -###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)? (enabling attackers to take their time) +###### Is the [server](https://golang.org/pkg/net/http/#Server) timeout reduced (Read, write and IdleTimeout)? ###### Does the project implement [Rate limiting](https://en.wikipedia.org/wiki/Rate_limiting) (avoiding [DoS attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack))? @@ -22,7 +22,7 @@ ##### Try to login into the forum and open the inspector(CTRL+SHIFT+i) and go to the storage to see the cookies(this can be different depending on the [browser](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools)). -###### Does the session cookie present a unique identifier? +###### Does the session cookie present a UUID(Universal Unique Identifier)? ###### Does the project present a way to configure the certificates information, either via .env or config files or other method? diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index 2e54d6fb..886d297c 100644 --- a/subjects/forum/forum-security.en.md +++ b/subjects/forum/forum-security.en.md 
@@ -9,13 +9,14 @@ For this project you must take into account the security of your forum. - You should implement a Hypertext Transfer Protocol Secure ([HTTPS](https://www.globalsign.com/en/blog/the-difference-between-http-and-https)) protocol : - Encrypted connection : for this you will have to generate an SSL certificate, you can think of this like a identity card for your website. You can create your certificates or use "Certificate Authorities"(CA's) -- You should encrypt : - - Clients passwords - - Database, for this will have to create a password for your database and encrypt the communication channel. - - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. +- Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. - The implementation of [Rate Limiting](https://en.wikipedia.org/wiki/Rate_limiting) must be present on this project +- You should encrypt : + - Clients passwords + - Database, for this you will have to create a password for your database. + This project will help you learn about : - HTTPS From b3de6d147b5355f246e08bf580f8810060820c01 Mon Sep 17 00:00:00 2001 From: Christopher Fremond Date: Wed, 18 Mar 2020 03:31:35 +0000 Subject: [PATCH 6/7] typo --- subjects/forum/forum-security.en.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/subjects/forum/forum-security.en.md b/subjects/forum/forum-security.en.md index 886d297c..f61a1f23 100644 --- a/subjects/forum/forum-security.en.md +++ b/subjects/forum/forum-security.en.md 
@@ -7,6 +7,7 @@ You must follow the same [principles](https://public.01-edu.org/subjects/forum/f For this project you must take into account the security of your forum. - You should implement a Hypertext Transfer Protocol Secure ([HTTPS](https://www.globalsign.com/en/blog/the-difference-between-http-and-https)) protocol : + - Encrypted connection : for this you will have to generate an SSL certificate, you can think of this like a identity card for your website. You can create your certificates or use "Certificate Authorities"(CA's) - Clients session cookies should be unique. For instance, the session state is stored on the server and the session should present an unique identifier. This way the client has no direct access to it. Therefore, there is no way for attackers to read or tamper with session state. @@ -39,7 +40,7 @@ This project will help you learn about : - You must handle website errors, HTTPS status. - You must handle all sort of technical errors. - The code must respect the [**good practices**](https://public.01-edu.org/subjects/good-practices.en). -- It is recommend that the code should present a **test file**. +- It is recommended that the code should present a **test file**. ### Allowed packages From 9c4997988b2c3b05a71a8f9656c487be36b96dcf Mon Sep 17 00:00:00 2001 From: Christopher Fremond Date: Wed, 18 Mar 2020 03:33:18 +0000 Subject: [PATCH 7/7] clarification --- subjects/forum/forum-security.audit.en.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/subjects/forum/forum-security.audit.en.md b/subjects/forum/forum-security.audit.en.md index ed3cb558..05d9f2e9 100644 --- a/subjects/forum/forum-security.audit.en.md +++ b/subjects/forum/forum-security.audit.en.md 
@@ -24,9 +24,9 @@ ###### Does the session cookie present a UUID(Universal Unique Identifier)? -###### Does the project present a way to configure the certificates information, either via .env or config files or other method? +###### Does the project present a way to configure the certificates information, either via .env or config files or another method? -###### Are the allowed packages being respected? +###### Are only the allowed packages being used? #### General
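Review bot: In patch 1/7, audit hunk `@@ -0,0 +1,38 @@` of `forum-security.audit.en.md`, "Are the passwords encrypted?" asks for the wrong property: passwords should be stored as salted hashes, and the only password package on the allowed list, `golang.org/x/crypto/bcrypt`, produces a one-way hash, not a reversible ciphertext. Tell the auditor what a passing result of the `SELECT * FROM ;` step looks like (a bcrypt string beginning with `$2a$`, never plaintext or anything the server could decrypt) and reword to "Are the passwords hashed (e.g. with bcrypt) rather than stored in plaintext or reversibly encrypted?". Also "Is the database encrypt?" should read "encrypted", and "UUI" should be "UUID" (the latter is corrected in patch 2/7).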
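Review bot: In patch 1/7, subject hunk `@@ -0,0 +1,42 @@` of `forum-security.en.md`, the sentence "there is no way for attackers to read or tamper with session state" overstates what a server-side session with an opaque identifier gives you: the state itself stays on the server, but whoever obtains the cookie value can still present it. The requirement should also ask that the identifier come from a cryptographically secure random source and that the cookie carry the `Secure` and `HttpOnly` attributes and an expiry, so the audit has something concrete to check. Minor wording in the same hunk: "SSL certificate" should be "TLS certificate" (the audit asks about the Go TLS configuration), "a identity card" should be "an identity card", "Clients passwords" should be "Clients' passwords", and "an unique identifier" should be "a unique identifier".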
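Review bot: In patch 2/7, audit hunk `@@ -5,7 +5,8 @@`, "Does the database present a password for protection?" cannot be satisfied by a stock SQLite file, which is what the next step drives with the `sqlite3` CLI: plain SQLite has no password mechanism. Either state which mechanism counts (an encryption extension compiled into the driver, or a database file readable only by the service user via file permissions) or drop the question, otherwise every project fails or the auditor improvises.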
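Review bot: In patch 2/7, subject hunk `@@ -40,3 +40,5 @@` (allowed packages), `golang.org/x/crypto/acme/autocert` obtains certificates from an ACME certificate authority, which needs a publicly reachable hostname and will not work for a forum audited on a laptop, while the subject also says "You can create your certificates". The Hints section should say which path is expected during the audit (a self-signed certificate generated with `openssl`, which is already mentioned there) and that autocert is optional. Also none of the listed import paths carry a version; ask for them to be pinned in `go.mod`.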
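Review bot: In patch 3/7, audit hunk `@@ -1,20 +1,28 @@`, the new cipher suites question and the existing "Is the Go TLS structure well configured?" overlap, and neither is checkable as written. State the concrete criteria the auditor should look for in the `tls.Config` (a `MinVersion` set, an explicit `CipherSuites` list limited to forward-secret AEAD suites) and how to verify them from outside, for example by connecting with `openssl s_client`. The parenthetical in "Is the server timeout reduced ...? (enabling attackers to take their time)" reads as if reducing the timeout is what enables attackers; it is the absence of timeouts that does, so reword or remove it (patch 5/7 removes it).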
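Review bot: In patch 3/7, subject hunk `@@ -17,8 +17,8 @@`, removing "Database" from the "Encryption" learning list leaves it inconsistent with the requirement a few lines above, "Database, for this will have to create a password for your database and encrypt the communication channel.", which this patch does not touch. Either keep "Database" in the list or reword the requirement to say what is actually expected (a protected database rather than an encrypted one); an embedded SQLite file opened in-process also has no communication channel to encrypt.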
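Review bot: In patch 4/7, audit hunk `@@ -10,6 +10,8 @@`, the rate-limiting question gives the auditor nothing to test. Say what is limited and how the limit is observed, e.g. "Send many requests within one second from a single client: does the server answer `429 Too Many Requests` or close the connection once the limit is reached?", and name the login endpoint from the step below as the one to exercise, since that is where repeated attempts matter most.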
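Review bot: In patch 4/7, subject hunk `@@ -14,10 +14,15 @@`, "Goroutines" and "Channels" are added to the learning list with no corresponding requirement or hint; if the intent is a limiter whose token bucket is refilled by a goroutine, add that as a hint so students know why those topics are listed. Also "must be present on this project" should read "must be present in this project".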
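Review bot: In patch 5/7, audit hunk `@@ -8,7 +8,7 @@`, "Is the server timeout reduced" is still ambiguous after the parenthetical is dropped: Go's `http.Server` applies no timeout at all when `ReadTimeout`, `WriteTimeout` and `IdleTimeout` are left at their zero values, so there is nothing to reduce from. Ask instead whether all three are set to non-zero values and what they are.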
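Review bot: In patch 5/7, subject hunk `@@ -9,13 +9,14 @@`, the reordered block still says "You should encrypt : - Clients passwords" even though the allowed package `golang.org/x/crypto/bcrypt` hashes rather than encrypts; suggest "You should hash clients' passwords with a slow, salted hash (bcrypt) and protect the database ..." so the subject and the audit agree on what is being checked.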
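Review bot: In patch 6/7, subject hunk `@@ -39,7 +40,7 @@`, the context line "- You must handle website errors, HTTPS status." should say "HTTP status codes": status codes belong to HTTP regardless of whether the connection uses TLS. Suggest "- You must handle website errors and return the appropriate HTTP status codes."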
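Review bot: In patch 7/7, audit hunk `@@ -24,9 +24,9 @@`, "Are only the allowed packages being used?" is clearer, but tell the auditor how to check it: inspect `go.mod` (or run `go list -m all`) and compare against the Allowed packages section of the subject, rather than reading every import by hand.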