Secure Code Warrior OWASP Web Top 10 2021 A1-A2: 1. Broken Access Control and 2. Cryptographic Failures

Let's start with the most critical application weaknesses. These challenges cover the foundations of A1: Broken Access Control and A2: Cryptographic Failures.

Broken Access Control 

Access Control - Missing Function Level Access Control

CRUD features for user accounts should be reachable only by the small group of people responsible for system maintenance. The application therefore applies role-based authorization with the [Authorize(Roles = "Admin")] attribute. Users without the "Admin" role cannot reach the admin features: the authorization middleware rejects their requests before the action runs. Two details decide whether this actually holds. The attribute has to be present on every admin controller or action (a single unannotated action is still reachable by anyone), and the authorization middleware has to be in the pipeline, after the authentication middleware, because the attribute is only metadata and enforces nothing on its own.
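The following is an added example (not code from the original post or from the Secure Code Warrior challenge) of how the [Authorize(Roles = "Admin")] fix fits into an ASP.NET Core MVC application, together with the middleware wiring it depends on. It assumes a .NET 6+ web project with implicit usings and cookie authentication; the controller names, routes, login path and the "AdminOnly" policy name are invented for illustration, and the deny-by-default fallback policy goes beyond what the challenge text requires.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.LoginPath = "/Account/Login");   // hypothetical login route
builder.Services.AddAuthorization(options =>
{
    // Deny by default (goes beyond the challenge): an action whose [Authorize]
    // attribute was forgotten still requires an authenticated user instead of
    // silently being open. Public pages must then opt out with [AllowAnonymous].
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    // The role requirement defined once, so controllers can reference a policy name.
    options.AddPolicy("AdminOnly", p => p.RequireRole("Admin"));
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();   // populates HttpContext.User from the cookie
app.UseAuthorization();    // enforces [Authorize] metadata; must follow UseAuthentication
app.MapDefaultControllerRoute();
app.Run();

// BEFORE: no attribute. Without the fallback policy above, even an anonymous
// request to POST /UnprotectedUserAdmin/Delete/7 deletes account 7.
public class UnprotectedUserAdminController : Controller
{
    [HttpPost]
    public IActionResult Delete(int id)
    {
        // ... delete the account ...
        return Ok();
    }
}

// AFTER: the role check sits on the controller, so every action in it is covered;
// an authenticated user who lacks the Admin role receives 403, an anonymous one 401.
[Authorize(Roles = "Admin")]          // equivalent here: [Authorize(Policy = "AdminOnly")]
[Route("admin/users")]
public class UserAdminController : Controller
{
    [HttpGet("")]
    public IActionResult Index() => View();

    [HttpPost("{id:int}/delete")]
    [ValidateAntiForgeryToken]
    public IActionResult Delete(int id)
    {
        // ... delete the account ...
        return RedirectToAction(nameof(Index));
    }
}
```

Placing the attribute on the controller rather than on each action is deliberate: a new action added later inherits the restriction instead of starting out unprotected.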

 

 

Cross-site Request Forgery - Cross-site Request Forgery

The POST method is not protected against Cross-Site Request Forgery. The application cannot tell whether a request was deliberately initiated by the user or was triggered by another site that the user's browser happened to load, because the browser attaches the session cookie in both cases. An attacker can therefore perform actions on behalf of other users. State-changing requests in particular, such as a password change or a purchase, are the interesting targets.

The ValidateAntiForgeryToken attribute has been added above the POST method, so the application is now protected against CSRF attacks. The application generates a unique, random token tied to the user's session, embeds it in the form, and rejects any POST that does not carry a matching token; another site cannot read that token, so it cannot forge a valid request. The check only covers the actions that carry the attribute (or a global filter that applies it), so every state-changing action needs it, and state must never be changed by GET requests, which the token does not protect.
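As an added example (not code from the original post or the challenge), the CSRF fix above in an ASP.NET Core MVC controller, plus the global filter that applies the same check to every state-changing action so that no single action can be forgotten. It assumes a .NET 6+ web project with implicit usings; the controller, the header name "X-CSRF-TOKEN", and the hostnames app.example and attacker.example in the comments are invented for illustration.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
// By default only the hidden form field is checked; naming a header lets
// fetch()/XHR callers present the same token.
builder.Services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");
builder.Services.AddControllersWithViews(o =>
{
    // Global filter: every POST/PUT/PATCH/DELETE action is validated unless it is
    // explicitly marked [IgnoreAntiforgeryToken]. This removes the "forgot the
    // attribute on one action" failure mode of per-action [ValidateAntiForgeryToken].
    o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});
var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

[Authorize]
public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;
    public AccountController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Renders the form. The Razor <form asp-action="ChangePassword"> tag helper
    // (or @Html.AntiForgeryToken()) emits the hidden __RequestVerificationToken field
    // and sets the paired cookie; a page on another origin can do neither.
    [HttpGet]
    public IActionResult ChangePassword() => View();

    // BEFORE: a POST with no token check. A page on attacker.example containing
    // <form action="https://app.example/Account/ChangePassword" method="post"> with a
    // hidden newPassword field, auto-submitted by script, would change the password
    // of any logged-in victim, because the browser sends the session cookie anyway.
    //
    //   [HttpPost]
    //   public IActionResult ChangePassword(string newPassword) { ... }

    // AFTER: the token in the form body must match the one bound to the cookie.
    // The attribute is redundant with the global filter above and is kept to mirror
    // the challenge's fix; requiring the current password is an independent second check.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangePassword(string currentPassword, string newPassword)
    {
        // ... verify currentPassword, then store the new one ...
        return RedirectToAction(nameof(ChangePassword));
    }

    // For JavaScript clients: issue the request token once; the client echoes it in
    // the X-CSRF-TOKEN header on every state-changing request.
    [HttpGet]
    public IActionResult CsrfToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { headerName = tokens.HeaderName, token = tokens.RequestToken });
    }
}
```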

 

Cryptographic Failures

Sensitive Data Storage - Plain Text Storage of Passwords

Passwords are stored as plain text in the database. Anyone who gains read access to the database, for example through SQL injection, a leaked backup or a compromised account, has every user's password immediately, with no cracking effort at all.

 

Passwords are now hashed with Argon2 before they are stored in the database. The Argon2 implementation generates a fresh random salt for every password, so two users with the same password get different hashes and precomputed tables are useless. Argon2 is a memory-hard password hashing function: each hash is not only computationally expensive but also requires a configurable amount of memory, which makes attacking Argon2 hashes with GPUs or dedicated hardware far more costly than attacking a plain fast hash. Use the Argon2id variant, and tune the memory, iteration and parallelism parameters to what the login servers can afford.

 

The system stores user passwords in plain text. Anyone who gains access to the database can read the users' passwords and abuse them, including on other services where users reused the same password.

It is recommended to use a modern password hashing algorithm such as Argon2. Argon2 won the Password Hashing Competition in 2015 and is considered one of the strongest password hashing algorithms available. Note that it is a hash, not encryption: the original password cannot be recovered from the stored value, which is exactly the point.

 

Insufficient Transport Layer Protection - Unprotected Transport of Sensitive Information

Using TLS protects users' personal data while it travels to the server. But the data is submitted with the wrong HTTP method: sent as GET query-string parameters it becomes part of the URL, and URLs are kept in the browser history, in web-server and proxy access logs, and in the Referer header of subsequent requests, so TLS no longer helps. Also, the application sends the user's data via SMTP to the user's email address without any protection; mail is commonly relayed and stored in clear, and a mailbox keeps it for a long time. Find a way not to send the user's data without protection, and not to store it in plain text anywhere without the user's consent.

 

Insufficient Transport Layer Protection - Unprotected Transport of Sensitive Information

The POST method is the right way to send user data to the server: the fields travel in the request body, so they do not appear in the URL and are not recorded in the server's access logs or the browser history. The body is still protected only by TLS, and application-level logging must not dump request bodies, or the leak just moves. Personal data is also no longer emailed to the user without consent, so it is not stored anywhere outside the application unless the user explicitly asks for it.
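The before-and-after from this challenge as an added example (not code from the original post or the challenge), together with the transport settings that make "protected by TLS" hold for every request. It assumes a .NET 6+ ASP.NET Core MVC project with implicit usings; the controller, model and action names are invented for illustration.

```csharp
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// HSTS: once seen, the browser refuses to speak plain HTTP to this host, so a
// first request typed as http:// cannot leak the form before the redirect.
builder.Services.AddHsts(o =>
{
    o.MaxAge = TimeSpan.FromDays(365);
    o.IncludeSubDomains = true;
});
builder.Services.AddHttpsRedirection(o =>
    o.RedirectStatusCode = StatusCodes.Status308PermanentRedirect);

var app = builder.Build();
if (!app.Environment.IsDevelopment()) app.UseHsts();
app.UseHttpsRedirection();
app.UseRouting();
app.MapDefaultControllerRoute();
app.Run();

public record RegistrationForm(string Email, string Password, string FullName);

public class RegistrationController : Controller
{
    // BEFORE: a GET whose parameters are bound from the query string. A submission
    // looks like
    //   GET /Registration/Create?Email=a%40example.com&Password=hunter2&FullName=A
    // and that URL is written to browser history, web-server and proxy access logs,
    // and sent in the Referer header of any outbound link on the response page.
    //
    //   [HttpGet]
    //   public IActionResult Create(RegistrationForm form) { ... }

    // AFTER: POST with the fields bound from the body; access logs see only the path.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Create([FromForm] RegistrationForm form)
    {
        // Never log the model: it contains the password. If something must be
        // logged, log a user identifier, not form.Password or form.Email.
        // Do not email form.Password (or other personal data) to form.Email;
        // send a one-time confirmation link instead.
        Response.Headers["Cache-Control"] = "no-store";   // keep the response out of caches
        return RedirectToAction(nameof(Done));
    }

    [HttpGet]
    public IActionResult Done() => View();
}
```

The HTTPS redirection alone is not enough for the vulnerable GET form: the first plain-HTTP request already carries the query string before the 308 arrives. Moving the data into a POST body and preloading HSTS closes both halves of that gap.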

 

Author: Chuck Lu    GitHub