View Code? Open in Web Editor
NEW
An intentionally-insecure web application built for educational purposes using agile development practices.
License: MIT License
HTML 16.36%
Python 72.79%
Shell 1.78%
Dockerfile 0.21%
CSS 7.05%
JavaScript 1.81%
emmental's People
Stargazers
emmental's Issues
Acceptance Criteria
Authenticated user must be able to upload a video that exists on their local filesystem
Video must be in a valid format
Video must be stored and disk have its metadata added to database/index
Test case must exist for video upload, access/view, and then deletion
Acceptance Criteria
Test is created using pytest
Test asserts that application is running and accessible on port 80
Test asserts that application body contains Hello World
Test is located in directory /tests/
Test is automatically run by Travis CI when submitted in a pull request
Travis CI updates pull request with results of test
Acceptance Criteria
The attached documentation questions are answered in a new wiki page titled Development FAQ: Video Platform
The new wiki page is added to the wiki index on the home page of the wiki
Questions
How do you prevent XSS is this step when displaying the username of the user who uploaded the video?
How do you ensure that users can’t delete videos that aren’t their own?
Acceptance Criteria
The attached documentation questions are answered in a wiki page
Questions
What Web Application security mechanisms are involved in your topology? What security mechanisms would ideally be involved?
What testing framework did you choose and why?
Acceptance Criteria
Page must be the only page accessible to the public.
Page must be located at the root URL.
Page must present the user with the option to create an account or login.
A development guide should exist for consistency across all contributors.
Acceptance Criteria
Requirements are well-defined for user story creation
Requirements are well-defined for moving user stories between progress columns
Requirements are well-defined for creating branches and pushing commits
Requirements are well-defined for creating pull requests
Requirements are well-defined for reviewing pull requests
Requirements are well-defined for merging pull requests
Acceptance Criteria
Player page must allow a user to view a single video
Player page must be designed according to previously-made mockups (loosely)
Acceptance Criteria
The attached documentation questions are answered in a new wiki page titled Development FAQ: Command injection
The new wiki page is added to the wiki index on the home page of the wiki
Questions
How would you fix your code so that this issue is no longer present?
Acceptance Criteria
State diagrams are created according to the Unified Modeling Language (UML) (see link in resources)
State diagrams are stored in the directory /docs/state-diagrams/
State diagrams are well defined for each application component
Resources:
Acceptance Criteria
Video uploader must be able to delete any or all of their uploaded videos
Videos may not be deleted by anyone except the uploader
Test case must exist for video upload, access/view, and then deletion
Video must be deleted from disk
Acceptance Criteria
User must be able to perform command injection.
Test must be created to demonstrate this vulnerability automatically.
Video must be created to demonstrate this vulnerability manually.
Video must be stored in /docs/vulnerabilities/sql-injection/
.
Acceptance Criteria
User must be able to perform SQL injection and receive output that either contains the query being executed or shows results from the database.
Test must be created to demonstrate this vulnerability automatically.
Video must be created to demonstrate this vulnerability manually.
Video must be stored in /docs/vulnerabilities/sql-injection/
.
Acceptance Criteria
Developers should be able to add user stories/issues to the epic
Developers should be able to add user stories to the sprint/milestone
User stories should have a predefined template for consistency
Acceptance Criteria
User must be able to perform an SSRF attack.
Test must be created to demonstrate this vulnerability automatically.
Video must be created to demonstrate this vulnerability manually.
Video must be stored in /docs/vulnerabilities/ssrf/
.
Acceptance Criteria
Network topology is created according to the Unified Modeling Language (UML) (see link in resources)
Network topology is stored in the directory /docs/network-topologies/
Network topology is well-defined and includes each application component
Resources:
Acceptance Criteria
Page must only be accessible after authenticating.
Page must be located at the root URL.
User must be redirected to page after creating account or logging in.
User must be presented with the option of logging out.
Logging out must be handled appropriately by the server and redirect the user to the unauthenticated landing page.
Notes
This page does not yet need to contain any content, it just needs to demonstrate successful authentication. Adding content will come later.
Acceptance Criteria
Users should not be able to make repeated unsuccessful login attempts.
Notes
We should discuss how to best handle this. Probably by using failed login logs from database per IP address.
Acceptance Criteria
Flow graphs are created according to the Unified Modeling Language (UML) (see link in resources)
Flow graphs are stored in the directory /docs/flow-graphs/
Flow graphs are well-defined for each application component
Resources:
Acceptance Criteria
Reverse proxy must be deployed through NGINX.
Reverse proxy must connect to the application server.
Reverse proxy must be the only system exposed to the external network.
Reverse proxy must be deployed through Docker Compose.
Acceptance Criteria
Use cases are created according to the Unified Modeling Language (UML) (see link in resources)
Use cases are stored in the directory /docs/use-cases/
Use cases are well-defined for each application component
Resources:
Acceptance Criteria
Mockup includes all application pages and components
Mockup appears professional and usable
Mockup is of a level of complexity that can be developed in the time requirements for this project
Mockup files are stored in the directory /docs/mockups/
Mockup files include both sources (e.g., .psd, .sketch, etc.) and PNG renders
Acceptance Criteria
Database must be an instance of MariaDB (a better version of MySQL) in Docker.
Database must be deployed via Docker Compose.
Database must follow the documented database schema.
If changes need to be made to the database schema, the documentation must be updated accordingly.
Acceptance Criteria
The attached documentation questions are answered in a new wiki page titled Development FAQ: Server side request forgery (SSRF)
The new wiki page is added to the wiki index on the home page of the wiki
Questions
How would you fix your code so that this issue is no longer present?
How does your test demonstrate SSRF as opposed to just accessing any old endpoint?
Acceptance Criteria
Internal project collaborators should have editing rights on the repository
Notes
Nobody should be able to push to master. All commits should be pushed on separate branches and added as pull requests. They should be merged using the GitHub web interface.
Acceptance Criteria
Code conforms to a single style
Linting and formatting is set up and standardized for consistent development
Acceptance Criteria
Authenticated user must be able to upload a video that exists at a specified web URL
Video must be in a valid format
Video must not be located at a local/private IP address or hostname (including localhost)
Video must be located at a fully-qualified domain name (including TLD)
Video must be stored and disk have its metadata added to database/index
Test case must exist for video upload, access/view, and then deletion
Acceptance Criteria
The attached documentation questions are answered in a wiki page
Questions
What is the URL of your Github project?
How did you breakup your projects and what are the security ramifications?
How did you choose to break down your Epic into various issues (tasks)?
How long did you assign each sprint to be?
Did you deviate from the Agile methodology at all? If yes, what is your reasoning for this?
How do you ensure that after each issue/milestone that security has been verified? How would you identify such issues in an ideal environment?
Acceptance Criteria
The attached documentation questions are answered in a new wiki page titled Development FAQ: Authentication
The new wiki page is added to the wiki index on the home page of the wiki
Questions
Provide a link to the test cases you generated for this activity.
How do you ensure that users that navigate to the protected pages cannot bypass authentication requirements?
How do you protect against session fixation?
How do you ensure that if your database gets stolen passwords aren’t exposed?
How do you prevent password brute force?
How do you prevent username enumeration?
What happens if your sessionID is predictable, how do you prevent that?
Acceptance Criteria
Database schemas are created according to the Unified Modeling Language (UML) (see link in resources)
Database schemas are stored in the directory /docs/database-schemas/
Database schemas are well-defined and include each application component
Resources:
Acceptance Criteria
Current codebase has (near) complete code coverage with unit tests.
Acceptance Criteria
Home page must display all videos from all users uploaded via local file or URL
Home page must be designed according to previously-made mockups
Acceptance Criteria
Application is run using Apache in a Docker container
Apache is fully configured through Docker Compose (see link in resources)
Apache serves application on port 80
Application contains a simple index page displaying Hello World
Resources:
Acceptance Criteria
test_get_video_list
in test_video.py
should check the last match, not the first. This will be the video added by the test.
Acceptance Criteria
User must be able to perform SQL injection while receiving only a success or failure message as output (no query or database results).
Test must be created to demonstrate this vulnerability automatically.
Video must be created to demonstrate this vulnerability manually.
Video must be stored in /docs/vulnerabilities/sql-injection/
.
Acceptance Criteria
Middleware must ensure unauthenticated users cannot access ANY page unless the page is whitelisted to be publicly accessible (deny by default).
The only whitelisted page must be the home (account creation/login) page.
Notes
We must decide if we want to put the video files behind authentication. Serving them statically from NGINX would bypass our authentication, so it may be necessary to serve them via Python after all.
Acceptance Criteria
Appropriate sprints exist to cover initial design epic
Created sprints contain all necessary stories for their completion
Acceptance Criteria
Application server must run Python.
Application server must be able to connect to the database.
Application server must be accessible by NGINX.
Application server must not be exposed to the external network.
Additional:
Functions must exist to create users, log users in, and log users out.
User creation must insert a user ID (GUID), username, and hashed password into the database.
User creation must automatically log the user in.
User login must insert a session ID (GUID) into the database and send that ID to the client.
User logout must remove the session ID from the database.
Acceptance Criteria
The attached documentation questions are answered in a new wiki page titled Development FAQ: SQL injection
The new wiki page is added to the wiki index on the home page of the wiki
Questions
How would you fix your code so that these issues were no longer present?
What are the limitations, if any that, of the SQL injection issues you've included?
Acceptance Criteria
Functions must exist to create users, log users in, and log users out.
User creation must insert a user ID (GUID), username, and hashed password into the database.
User creation must automatically log the user in.
User login must insert a session ID (GUID) into the database and send that ID to the client.
User logout must remove the session ID from the database.