Security Architecture - capstone-hermes/hermes-fullstack GitHub Wiki
Security Architecture
🚨 Educational Purpose Only
This application contains intentional security vulnerabilities for educational purposes. Never deploy in production environments.
Overview
The Weak Website is deliberately designed with poor security architecture to demonstrate common security failures in web applications. This document outlines both the intentionally flawed security design and proper security architecture principles for educational comparison.
Intentionally Flawed Security Design
Authentication Architecture (Deliberately Weak)
graph TD
A[User Login Request] --> B[Plain Text Password]
B --> C[SQL Query Concatenation]
C --> D[Database Query]
D --> E[Hardcoded JWT Secret]
E --> F[Predictable Token Generation]
F --> G[Client Storage]
Security Flaws:
- Plain text password transmission
- SQL injection vulnerability in authentication
- Hardcoded JWT secrets
- No password hashing
- Missing rate limiting
- No account lockout mechanisms
Authorization Model (Insecure)
graph TD
A[User Request] --> B[JWT Token Check]
B --> C[No Permission Validation]
C --> D[Direct Object Access]
D --> E[Privilege Escalation]
Authorization Weaknesses:
- Missing role-based access control (RBAC)
- No permission matrix
- Insecure direct object references
- Missing horizontal privilege checks
- No audit logging
Data Flow Security (Vulnerable)
graph LR
A[Client] --> B[Unencrypted HTTP]
B --> C[Server]
C --> D[Plain Text Database]
D --> E[Unencrypted Storage]
Data Protection Failures:
- No HTTPS enforcement
- Unencrypted database connections
- Plain text password storage
- No data classification
- Missing encryption at rest
Vulnerability Categories by Layer
Presentation Layer Vulnerabilities
Cross-Site Scripting (XSS)
// Vulnerable React component
function PostContent({ content }) {
return <div dangerouslySetInnerHTML={{ __html: content }} />;
}
Impact Areas:
- Session hijacking
- Credential theft
- UI manipulation
- Malware distribution
Client-Side Security Issues
- Missing Content Security Policy (CSP)
- No input validation on frontend
- Exposed sensitive information in JavaScript
- Missing CSRF protection
Application Layer Vulnerabilities
Input Validation Failures
// No input validation
@Post('create')
async createPost(@Body() postData: any) {
// Direct database insertion without validation
return this.postService.create(postData);
}
Business Logic Flaws
- Missing rate limiting
- No business rule validation
- Insufficient authorization checks
- Race condition vulnerabilities
Data Layer Vulnerabilities
Database Security Issues
-- Vulnerable query construction
SELECT * FROM users WHERE id = ${userId}
-- No parameterized queries
-- Missing access controls
-- Verbose error messages
Database Weaknesses:
- SQL injection vulnerabilities
- Missing database encryption
- Overprivileged database accounts
- No audit logging
Security Control Failures
Missing Security Headers
Current (Vulnerable) Response Headers:
HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Missing Security Headers:
Strict-Transport-SecurityContent-Security-PolicyX-Frame-OptionsX-Content-Type-OptionsReferrer-Policy
Insufficient Logging and Monitoring
Missing Security Events:
- Failed login attempts
- Privilege escalation attempts
- Suspicious file uploads
- SQL injection attempts
- Data access patterns
Insecure Session Management
// Vulnerable session handling
const token = jwt.sign({ userId }, 'hardcoded-secret', { expiresIn: '1y' });
Session Security Issues:
- Hardcoded JWT secrets
- Long session timeouts
- No session invalidation
- Missing secure cookie flags
Proper Security Architecture (Educational Reference)
Secure Authentication Flow
sequenceDiagram
participant C as Client
participant S as Server
participant DB as Database
participant Auth as Auth Service
C->>S: HTTPS Login Request
S->>S: Rate Limit Check
S->>S: Input Validation
S->>DB: Parameterized Query
DB->>S: Hashed Password
S->>S: Password Verification
S->>Auth: Generate Secure Token
Auth->>S: Signed JWT
S->>C: Secure Cookie (HttpOnly, Secure)
Defense in Depth Architecture
graph TD
A[Web Application Firewall] --> B[Load Balancer]
B --> C[Reverse Proxy]
C --> D[Application Server]
D --> E[Database Firewall]
E --> F[Encrypted Database]
G[SIEM/Monitoring] --> A
G --> B
G --> C
G --> D
G --> E
G --> F
Secure Data Flow
graph LR
A[Client HTTPS] --> B[TLS Termination]
B --> C[Input Validation]
C --> D[Authorization Check]
D --> E[Business Logic]
E --> F[Encrypted DB Connection]
F --> G[Encrypted Storage]
Security Patterns vs Anti-Patterns
Authentication Patterns
| Vulnerability | Anti-Pattern (Current) | Secure Pattern |
|---|---|---|
| Password Storage | Plain text | Bcrypt/Argon2 hashing |
| SQL Injection | String concatenation | Parameterized queries |
| Session Management | Hardcoded secrets | Crypto-strong secrets |
| Rate Limiting | None | Token bucket/sliding window |
Authorization Patterns
| Vulnerability | Anti-Pattern (Current) | Secure Pattern |
|---|---|---|
| Access Control | No checks | RBAC/ABAC |
| Direct Object References | Direct access | Indirect references |
| Privilege Escalation | No validation | Principle of least privilege |
| Audit Logging | None | Comprehensive logging |
Input Validation Patterns
| Vulnerability | Anti-Pattern (Current) | Secure Pattern |
|---|---|---|
| XSS | No sanitization | Context-aware encoding |
| SQL Injection | String building | Prepared statements |
| File Upload | No restrictions | Strict validation |
| Command Injection | Direct execution | Sandboxed execution |
Security Architecture Principles
CIA Triad Implementation
Confidentiality
- Current (Weak): No encryption, plain text storage
- Proper: End-to-end encryption, data classification
Integrity
- Current (Weak): No data validation, tampering possible
- Proper: Digital signatures, checksums, audit trails
Availability
- Current (Weak): No DDoS protection, single points of failure
- Proper: Load balancing, redundancy, rate limiting
Zero Trust Architecture
graph TD
A[Never Trust] --> B[Always Verify]
B --> C[Least Privilege Access]
C --> D[Continuous Monitoring]
D --> E[Micro-segmentation]
E --> F[Encryption Everywhere]
Zero Trust Principles:
- Verify explicitly: Authenticate and authorize every access
- Use least privilege: Minimal access rights
- Assume breach: Monitor and respond to threats
Secure Development Lifecycle
graph TD
A[Threat Modeling] --> B[Secure Design]
B --> C[Security Code Review]
C --> D[Security Testing]
D --> E[Security Deployment]
E --> F[Security Monitoring]
F --> A
Remediation Architecture
Layered Security Controls
Network Layer
- HTTPS enforcement
- Network segmentation
- Firewall rules
- DDoS protection
Application Layer
- Input validation
- Output encoding
- Authentication controls
- Authorization mechanisms
Data Layer
- Encryption at rest
- Encryption in transit
- Access controls
- Audit logging
Security Monitoring Architecture
graph TD
A[Application Logs] --> D[SIEM Platform]
B[Security Events] --> D
C[Audit Trails] --> D
D --> E[Alert Engine]
E --> F[Incident Response]
F --> G[Threat Intelligence]
G --> H[Security Improvements]
Educational Learning Objectives
Security Architecture Understanding
- Threat Modeling: Learn to identify potential attack vectors
- Defense in Depth: Understand layered security approaches
- Secure by Design: Design security into applications from start
- Risk Assessment: Evaluate and prioritize security risks
Practical Skills Development
- Security Testing: Systematic vulnerability assessment
- Code Review: Identify security flaws in source code
- Incident Response: Respond to security breaches
- Compliance: Understand regulatory requirements
Career Applications
- Security Architect: Design secure systems
- Penetration Tester: Assess security posture
- Security Engineer: Implement security controls
- DevSecOps: Integrate security into development
Next Steps
- Testing Methodology - Systematic security testing
- Vulnerability Overview - Comprehensive vulnerability catalog
- Tools and Scripts - Security testing automation