Fix code formatting
ckarande committed Nov 9, 2014
1 parent 5c69587 commit 5cec41c
Showing 6 changed files with 40 additions and 31 deletions.
3 changes: 2 additions & 1 deletion app/views/layout.html
@@ -34,7 +34,8 @@
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/dashboard">
<span style="font-size: x-large"><span class="fa fa-bullseye"></span> Retire<b>Easy</b>
<span style="font-size: x-large">
<span class="fa fa-bullseye"></span>Retire<b>Easy</b>
</span>
<span style="font-size: medium">Employee Retirement Savings Management</span>
</a>
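Review bot: the reflowed brand markup drops the space that separated the icon from the product name; the old line `<span class="fa fa-bullseye"></span> Retire<b>Easy</b>` becomes `<span class="fa fa-bullseye"></span>Retire<b>Easy</b>`, so the bullseye glyph now renders flush against "Retire" (the newline after `<span style="font-size: x-large">` adds whitespace before the icon instead, where there was none). A commit titled "Fix code formatting" should not change what the page shows; keep the space after `</span>` or give the icon a right margin.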
@@ -39,13 +39,12 @@
<ul class="nav navbar-nav navbar-right navbar-user">

<li class="dropdown user-dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-info-circle"></i></a>
<a href="#" class="dropdown-toggle" data-toggle="dropdown" style="font-size: larger"><i class="fa fa-info-circle"></i></a>
<ul class="dropdown-menu alert-dropdown" style="min-width: 350px; padding: 10px">
<li>
<p>
The OWASP Node Goat is an educational Node.js web application vulnerable to the <a target="_blank" href="https://www.owasp.org/index.php/Top_10_2013-Top_10"> OWASP Top 10</a> risks. </p>
<p>It is intended to show how each of these vulnerabilities can manifest
in a Node.js specific way, and provides the subsequent mitigation for each with source code examples.
The OWASP Node Goat is an educational Node.js web application vulnerable to the <a target="_blank" href="https://www.owasp.org/index.php/Top_10_2013-Top_10"> OWASP Top 10</a> risks.</p>
<p>It is intended to show how each of these vulnerabilities can manifest in a Node.js specific way, and provides the subsequent mitigation for each with source code examples.
</p>
<p>To start hacking the application, login using the form below, or access the tutorial guide to know more.</p>

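Review bot: `style="font-size: larger"` on the dropdown toggle is a new presentational attribute, not a formatting fix, and it is not mentioned in the commit message; either split it into its own commit or name it in the message. The file already leans on inline `style=` attributes (the menu below uses `min-width: 350px; padding: 10px`), so a class in the stylesheet would serve both better than another inline rule. Minor: the anchor text `"> OWASP Top 10</a>` carries a leading space inside the link.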
@@ -65,7 +64,7 @@
<div class="row">
<div class="col-lg-12">
<div style="text-align: center; padding: 30px">
<img src="/images/owasplogo.png" height="80px">
<img src="/images/owasplogo.png" height="80px">
</div>
</div>
</div>
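Review bot: only indentation changed on the `<img>` line, but since it is touched anyway, `height="80px"` is not a valid value for the HTML `height` attribute, which takes a unitless pixel count; browsers tolerate it, but `height="80"` (or a CSS rule) is the conforming form, and the image has no `alt` text.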
@@ -77,20 +76,22 @@
<div class="col-lg-4">
<div class="panel panel-info">
<div class="panel-heading" style="text-align: center">
<a href="/tutorial" target="_blank"> <b><span class="fa fa-book"></span> Tutorial Guide:</b> Learn OWASP Top 10
</a>
<a href="/tutorial" target="_blank"> <b><span class="fa fa-book"></span> Tutorial Guide:</b> Learn OWASP Top 10
</a>
</div>

</div>

<div class="panel panel-default">
<div class="panel-heading" style="text-align: center">
<span style="font-size: x-large"><span class="fa fa-bullseye"> </span> Retire<b>Easy</b>
<div class="panel panel-default">
<div class="panel-heading" style="text-align: center">
<span style="font-size: x-large">
<span class="fa fa-bullseye"></span>Retire<b>Easy</b>
</span>
<br/>
<span style="font-size: medium">Employee Retirement Savings Management</span>
<br/><br/>
</div>
<br/>
<br/>
</div>
<div class="panel-body">


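Review bot: same rendering change as in layout.html: `<span class="fa fa-bullseye"> </span> Retire<b>Easy</b>` had a space both inside and after the icon span, and the rewritten `<span class="fa fa-bullseye"></span>Retire<b>Easy</b>` has neither, so the icon sits against "Retire". Splitting `<br/><br/>` onto two lines is harmless, but spacing the heading with `<br/>` tags is what a padding rule on `.panel-heading` is for.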
@@ -193,7 +193,7 @@ <h3 class="panel-title">Further Reading</h3>
<h4 class="panel-title">
<a data-toggle="collapse" data-parent="#accordion" href="#collapseTwo">
<i class="fa fa-chevron-down"></i> A1 - 2 SQL and NoSQL Injection
</a>
</a>
</h4>
</div>
<div id="collapseTwo" class="panel-collapse">
@@ -206,8 +206,7 @@ <h3 class="panel-title">Description</h3>
</div>
<div class="panel-body">
<p>
SQL and NoSQL injections enable an attacker to inject code into the query that would be executed by the database.
These flaws are introduced when software developers create dynamic database queries that include user supplied input.
SQL and NoSQL injections enable an attacker to inject code into the query that would be executed by the database. These flaws are introduced when software developers create dynamic database queries that include user supplied input.
</p>
</div>
</div>
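Review bot: this joins the two sentences of the description into one line of well over 200 characters, while the "How Do I Prevent It?" hunk further down in the same file wraps long lines; the formatter is applying two contradictory width rules, and very long lines make later diffs of this prose hard to read. Pick one wrap width. While here, "user supplied input" reads better hyphenated as "user-supplied input".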
@@ -220,23 +219,26 @@ <h3 class="panel-title">Attack Mechanics</h3>
<p>Both SQL and NoSQL databases are vulnerable to injection attack. Here is an example of equivalent attack in both cases, where attacker manages to retrieve admin user's record without knowing password:</p>
<h5>1. SQL Injection</h5>
<p>Lets consider an example SQL statement used to authenticate the user with username and password</p>
<pre>SELECT * FROM accounts WHERE username = '$username' AND password = '$password'</pre>
<p>If this statement is not prepared or properly handled when constructed, an attacker may be able to supply <code>admin' --</code> in the username field to access the admin user's account bypassing the condition that checks for the password.
The resultant SQL query would looks like:</p>
<pre>SELECT * FROM accounts WHERE username = 'admin' -- AND password = ''</pre>
<pre>SELECT * FROM accounts WHERE username = '$username' AND password = '$password'</pre>
<p>If this statement is not prepared or properly handled when constructed, an attacker may be able to supply
<code>admin' --</code>in the username field to access the admin user's account bypassing the condition that checks for the password. The resultant SQL query would looks like:</p>
<pre>SELECT * FROM accounts WHERE username = 'admin' -- AND password = ''</pre>
<br/>
<h5>2. NoSQL Injection</h5>
<p>The equivalent of above query for NoSQL MongoDB database is: </p>
<p>The equivalent of above query for NoSQL MongoDB database is:</p>
<pre>db.accounts.find({username: username, password: password});</pre>
<p>While here we are no longer dealing with query language, an attacker can still achieve the same results as SQL injection by supplying JSON input object as below: </p>
<p>While here we are no longer dealing with query language, an attacker can still achieve the same results as SQL injection by supplying JSON input object as below:</p>
<pre>
{
"username": "admin",
"password": {$gt: ""}
}
</pre>
<p>In MongoDB, <code>$gt</code> selects those documents where the value of the field is greater than (i.e. >) the specified value. Thus above statement compares password in database with empty string for greatness, which returns <code>true</code>.</p>
<p> The same results can be achieved using other comparison operator such as <code>$ne</code>.</p>
<p>In MongoDB,
<code>$gt</code>selects those documents where the value of the field is greater than (i.e. >) the specified value. Thus above statement compares password in database with empty string for greatness, which returns
<code>true</code>.</p>
<p>The same results can be achieved using other comparison operator such as
<code>$ne</code>.</p>
</div>
</div>

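Review bot: the reflow dropped the space after two inline `<code>` elements, which changes the rendered text: `<code>admin' --</code>in the username field` now reads "admin' --in the username field" and `<code>$gt</code>selects those documents` reads "$gtselects those documents" (a line break before `<code>` collapses to a space, but nothing follows `</code>`). Restore the space after each `</code>`. Two points on the text touched here: "The resultant SQL query would looks like" should be "would look like", and the payload shown as `"password": {$gt: ""}` is not valid JSON because the operator key is unquoted; `{"$gt": ""}` is what a client would actually send in a JSON request body, and it is still evaluated by MongoDB as the `$gt` operator.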
@@ -250,7 +252,8 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
<ul>
<li>Prepared Statements: For SQL calls, use prepared statements instead of building dynamic queries using string concatenation. Stored procedures have the same effect as the use of prepared statements when implemented safely</li>
<li>Input Validation: Validate inputs to detect malicious values. For NoSQL databases, also validate input types against expected types</li>
<li>Least Privilege: To minimize the potential damage of a successful injection attack, do not assign DBA or admin type access rights to your application accounts. Similarly minimize the privileges of the operating system account that the database process runs under.</li>
<li>Least Privilege: To minimize the potential damage of a successful injection attack, do not assign DBA or admin type access rights to your application accounts. Similarly minimize the privileges of the operating system account
that the database process runs under.</li>
</ul>
</div>
</div>
@@ -28,7 +28,7 @@ <h3 class="panel-title">Attack Mechanics</h3>

<p>For example, the "Learning Resources" link (
<code>/learn?url=...</code>) in the application redirects to another website without validating the url.
</p>
</p>
<iframe width="560" height="315" src="//www.youtube.com/embed/z98AQF8J_zg?rel=0" frameborder="0" allowfullscreen></iframe>
<p>Here is code from
<code>routes/index.js</code>,
@@ -47,7 +47,8 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
Here are some node.js and express specific configuration measures:
<ul>
<li>
Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found <a href="http://blog.nodejs.org/vulnerability/">here</a> and <a href="http://expressjs.com/advanced/security-updates.html">here</a>, respectively.
Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found <a href="http://blog.nodejs.org/vulnerability/">here</a> and
<a href="http://expressjs.com/advanced/security-updates.html">here</a>, respectively.
</li>
<li>
Do not run application with root privileges. It may seem necessary to run as root user to access privileged ports such as 80. However, this can achieved either by starting server as root and then downgrading the non-privileged user after listening on
@@ -82,7 +83,9 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
<h3 class="panel-title">Source Code Example</h3>
</div>
<div class="panel-body">
<div><iframe width="560" height="315" src="//www.youtube.com/embed/lCpnVrD2Neg?rel=0" frameborder="0" allowfullscreen></iframe></div>
<div>
<iframe width="560" height="315" src="//www.youtube.com/embed/lCpnVrD2Neg?rel=0" frameborder="0" allowfullscreen></iframe>
</div>
<p>The default HTTP header x-powered-by can reveal implementation details to an attacker. It can be taken out by including this code in
<code>server.js</code>
<pre>
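Review bot: the `<pre>` that opens at the end of this hunk sits inside the `<p>` opened at "The default HTTP header x-powered-by ..." with no `</p>` between them; `<pre>` is not allowed inside a paragraph, so the parser closes the `<p>` implicitly and whatever `</p>` follows the block is ignored. Close the paragraph before the `<pre>` (and end the sentence "including this code in server.js" with a colon) since this region is being reformatted anyway. The three-line split of the `<iframe>` wrapper is fine.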
@@ -39,9 +39,9 @@ <h3 class="panel-title">Attack Mechanics</h3>
<div class="panel-body">
<p>
As browsers automatically send credentials like session cookies with HTTP requests to the server where cookies were received from, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.</p>
<p>For example, CSRF vulnerability can be exploited on profile form on the insecure demo application. </p>
<p>For example, CSRF vulnerability can be exploited on profile form on the insecure demo application.</p>
<iframe width="560" height="315" src="//www.youtube.com/embed/vRDykS_2y3I?rel=0" frameborder="0" allowfullscreen></iframe>
<p> To exploit it:
<p>To exploit it:
<ol>
<li>An attacker would need to host a forged form like below on a malicious sever.
<pre>
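Review bot: the touched line `<p>To exploit it:` is immediately followed by `<ol>`, which HTML does not permit inside `<p>`; the browser closes the paragraph at the list, so the structure the indentation suggests (list inside paragraph) is not what gets rendered. Close the `<p>` before `<ol>`. Trimming the stray spaces around "exploited on profile form" and "To exploit it:" is otherwise correct, though "on profile form" wants an article: "on the profile form".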
@@ -75,7 +75,8 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
<div class="panel-body">
<p>Express csrf middleware provide a very effective way to deal with csrf attack. By default this middleware generates a token named "_csrf" which should be added to requests which mutate state (PUT, POST, DELETE), within a hidden form field,
or query-string, or header fields.</p>
<p> If using method-override middleware, it is very important that it is used before any middleware that needs to know the method of the request, including CSRF middleware. Otherwise an attacker can use non-state mutating methods (such as GET) to bypass the CSRF middleware checks, and use method override header to convert request to desired method.</p>
<p>If using method-override middleware, it is very important that it is used before any middleware that needs to know the method of the request, including CSRF middleware. Otherwise an attacker can use non-state mutating methods (such as
GET) to bypass the CSRF middleware checks, and use method override header to convert request to desired method.</p>
<p>When form is submitted, the middleware checks for existence of token and validates it by matching to the generated token for the response-request pair. If fails to match, it rejects the request. Thus making it really hard for an attacker
to exploit CSRF.
</p>
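Review bot: the rewrap of the method-override paragraph is fine; a point on the text this hunk carries as context just above it: the middleware is described as accepting `_csrf` "within a hidden form field, or query-string, or header fields". Accepting the token from the query string is the weakest of the three, because URLs end up in server logs, browser history and Referer headers, so a leaked token can be replayed; recommend the hidden field or a header and say so here. Also "If fails to match" should read "If it fails to match".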