Vulnerability Overview - capstone-hermes/hermes-fullstack GitHub Wiki

Vulnerability Overview

Overview

The Weak Website intentionally implements a comprehensive set of security vulnerabilities, each mapped to the OWASP Application Security Verification Standard (ASVS) Level 1 requirement it violates. This page provides a complete mapping of the implemented vulnerabilities, their locations in the codebase, and their educational significance.

🚨 Educational Purpose

These vulnerabilities are intentionally implemented for educational purposes:

  • Understanding common web application security flaws
  • Practicing penetration testing techniques
  • Learning secure coding principles through negative examples
  • Demonstrating real-world attack scenarios

OWASP ASVS Mapping

V2: Authentication Verification Requirements

V2.1: Password Security Requirements

| ASVS ID | Vulnerability | Implementation | Impact | Code Location |
|---|---|---|---|---|
| V2.1.1 | Insufficient password length | Min 6 chars allowed | Weak passwords | auth.service.ts:53-57 |
| V2.1.2 | Password truncation | 20 character limit | Password bypass | password.helper.ts:15-18 |
| V2.1.3 | Unicode normalization bypass | Password truncation | Authentication bypass | password.helper.ts:15-18 |
| V2.1.4 | ASCII-only restriction | Rejects non-ASCII chars | Usability issue | auth.service.ts:48-51 |
| V2.1.5 | Password change failure | Always fails | Cannot change passwords | auth.service.ts:84-85 |
| V2.1.6 | No current password verification | Ignores current password | Unauthorized changes | auth.service.ts:91-92 |
| V2.1.7 | No breached password check | No breach database | Compromised passwords | auth.service.ts:65-66 |
| V2.1.8 | No password strength feedback | No strength indicator | Weak password selection | auth.service.ts:39-40 |
| V2.1.9 | Overly restrictive composition | Complex requirements | Poor user experience | password.helper.ts:35-55 |
| V2.1.10 | No password history | No previous passwords stored | Password reuse | auth.service.ts:124-129 |
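
The V2.1 rows above (6-character minimum, 20-character truncation, ASCII-only input) can be contrasted with a check that follows ASVS V2.1. This is an added example, not the project's password.helper.ts; the thresholds are the ASVS 4.0 ones (12-character minimum, 128-character maximum so that 64 or more are accepted, no truncation, any printable Unicode allowed) and are assumptions of this example.

```typescript
// Added example, not the project's password.helper.ts: a password check that
// follows ASVS V2.1 instead of the weak rules in the table above. Assumed
// thresholds are the ASVS 4.0 ones: 12-character minimum, 128-character maximum
// (so at least 64 are accepted), no truncation, any printable Unicode allowed.
const MIN_LENGTH = 12;
const MAX_LENGTH = 128;

export interface PasswordCheck {
  ok: boolean;
  normalized: string;   // the value to hash and store, never the raw input
  errors: string[];
}

// Count Unicode code points, not UTF-16 units, so an emoji counts as one character.
function codePointLength(s: string): number {
  let n = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0xdc00 || c > 0xdfff) n++;   // skip low (trailing) surrogates
  }
  return n;
}

// V2.1.4: reject only control characters; letters, spaces and emoji are all fine.
function hasControlChar(s: string): boolean {
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x20 || (c >= 0x7f && c <= 0x9f)) return true;
  }
  return false;
}

export function checkPassword(raw: string): PasswordCheck {
  const errors: string[] = [];
  // V2.1.3: NFKC-normalize so the same password typed on different keyboards
  // compares equal, and collapse runs of spaces; never truncate.
  const normalized = raw.normalize('NFKC').replace(/ {2,}/g, ' ');
  const len = codePointLength(normalized);
  if (len < MIN_LENGTH) errors.push('at least ' + MIN_LENGTH + ' characters required');
  if (len > MAX_LENGTH) errors.push('at most ' + MAX_LENGTH + ' characters allowed');
  if (hasControlChar(normalized)) errors.push('control characters are not allowed');
  return { ok: errors.length === 0, normalized: normalized, errors: errors };
}
```

Hash `normalized`, not `raw`, at registration and at login, otherwise the normalization step itself becomes a login failure.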

V2.2: General Authenticator Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V2.2.1 | SQL injection in authentication | Raw SQL queries | Authentication bypass |
| V2.2.3 | Hardcoded JWT secret | 'hardcoded-secret' | Token forgery |

V3: Session Management Verification Requirements

| ASVS ID | Vulnerability | Implementation | Impact | Code Location |
|---|---|---|---|---|
| V3.1.1 | Weak session tokens | Hardcoded JWT secret | Session hijacking | auth.service.ts:35 |
| V3.2.1 | Session token exposure | Logged in plain text | Token theft | auth.service.ts:37 |
| V3.3.1 | No session timeout | Tokens never expire | Persistent access | auth.service.ts:35 |

V4: Access Control Verification Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V4.1.1 | No authorization checks | Missing access controls | Privilege escalation |
| V4.2.1 | Direct object references | Predictable resource IDs | Data access |

V5: Validation, Sanitization and Encoding Requirements

V5.1: Input Validation Requirements

| ASVS ID | Vulnerability | Implementation | Impact | Code Location |
|---|---|---|---|---|
| V5.1.1 | HTTP parameter pollution | Vulnerable middleware | Parameter manipulation | vulnerable-params.middleware.ts |
| V5.1.2 | No input validation | Raw input processing | Various injection attacks | Multiple locations |
| V5.1.3 | No input sanitization | Direct database storage | XSS, SQLi | post.service.ts:20 |

V5.2: Sanitization and Sandboxing Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V5.2.1 | No output encoding | Raw HTML rendering | Stored XSS |
| V5.2.2 | No sanitization | Direct content display | Script execution |

V5.3: Output Encoding and Injection Prevention Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V5.3.1 | SQL injection | String concatenation | Data breach |
| V5.3.2 | XSS vulnerabilities | No encoding | Client-side attacks |
| V5.3.3 | Command injection | Direct command execution | Server compromise |

V7: Error Handling and Logging Verification Requirements

| ASVS ID | Vulnerability | Implementation | Impact | Code Location |
|---|---|---|---|---|
| V7.1.1 | Sensitive data in logs | Credentials logged | Information disclosure | auth.service.ts:21,37 |
| V7.1.2 | Excessive logging | System details logged | Information gathering | Multiple locations |
| V7.4.1 | Detailed error messages | Stack traces exposed | System information | vulnerable-exception.filter.ts |

V8: Data Protection Verification Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V8.2.1 | Plain text passwords | No hashing | Credential theft |
| V8.2.2 | Sensitive data exposure | Unencrypted storage | Data breach |
| V8.3.1 | No data classification | All data treated equally | Over-exposure |

V12: File and Resources Verification Requirements

V12.1: File Upload Requirements

| ASVS ID | Vulnerability | Implementation | Impact | Code Location |
|---|---|---|---|---|
| V12.1.1 | No file size limits | 1GB uploads allowed | DoS attacks | file.controller.ts:49-51 |
| V12.1.2 | No file type validation | All types accepted | Malicious uploads | file.controller.ts:44-46 |

V12.3: File Execution Requirements

| ASVS ID | Vulnerability | Implementation | Impact | Code Location |
|---|---|---|---|---|
| V12.3.1 | Path traversal | No path validation | System file access | file.controller.ts:91-116 |
| V12.3.2 | Local file inclusion | Direct file access | Source code exposure | file.controller.ts:67-87 |
| V12.3.3 | Remote file inclusion | URL fetching | SSRF attacks | file.controller.ts:119-137 |
| V12.3.4 | Reflective file download | User-controlled headers | Content injection | file.controller.ts:139-152 |
| V12.3.5 | OS command injection | Direct command execution | Server compromise | file.controller.ts:154-178 |

V12.4: File Storage Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V12.4.1 | Files in web root | Uploads accessible | Direct execution |
| V12.4.2 | No antivirus scanning | Malware uploads | System infection |

V12.5: File Download Requirements

| ASVS ID | Vulnerability | Implementation | Impact |
|---|---|---|---|
| V12.5.1 | No extension restrictions | All files downloadable | Data exfiltration |
| V12.5.2 | Dangerous content types | Scripts executable | Client-side attacks |

Vulnerability Categories

1. Injection Vulnerabilities

SQL Injection

Locations:

  • Authentication system (auth.service.ts)
  • User registration (auth.service.ts)
  • Password change (auth.service.ts)

Attack Vectors:

  • Authentication bypass
  • Data extraction
  • Database manipulation
  • Privilege escalation

Cross-Site Scripting (XSS)

Locations:

  • Post content system (post.service.ts)
  • Error messages (various)
  • File upload responses (file.controller.ts)

Types:

  • Stored XSS in posts
  • Reflected XSS in errors
  • DOM-based XSS in client

Command Injection

Locations:

  • File execution endpoint (file.controller.ts:154-178)

Capabilities:

  • Operating system access
  • File system manipulation
  • Network communication
  • Service installation

2. Authentication and Session Management

Authentication Bypass

Methods:

  • SQL injection in login
  • Parameter pollution
  • JWT token manipulation

Session Vulnerabilities

  • Hardcoded JWT secrets
  • No token expiration
  • Token logging
  • Weak encryption

3. Access Control Issues

Authorization Flaws

  • Missing access controls
  • Direct object references
  • Privilege escalation paths

File Access Control

  • Path traversal attacks
  • Unrestricted file access
  • Administrative file exposure

4. Input Validation Failures

Parameter Pollution

  • Global middleware vulnerability
  • Last parameter wins logic
  • Authentication bypass potential
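
The "last parameter wins" logic above is what makes a repeated key a bypass primitive. The following is an added example, not the project's vulnerable-params.middleware.ts: a standalone query-string parser that reports repeated keys so the hypothetical caller can answer 400, with the last-wins behaviour kept beside it for contrast.

```typescript
// Added example, not the project's vulnerable-params.middleware.ts: a strict
// query-string parser that reports repeated keys instead of letting the last
// value silently win. A hypothetical caller answers 400 when `duplicates` is
// non-empty.
export interface ParsedQuery {
  params: { [key: string]: string };   // filled only for keys that appeared once
  duplicates: string[];                // keys that appeared more than once
}

function decodeComponent(part: string): string {
  // '+' means space in form encoding; keep the raw text if the escape is invalid
  try { return decodeURIComponent(part.replace(/\+/g, ' ')); } catch { return part; }
}

function splitPairs(rawQuery: string): Array<[string, string]> {
  const pairs: Array<[string, string]> = [];
  const body = rawQuery.charAt(0) === '?' ? rawQuery.slice(1) : rawQuery;
  for (const piece of body.split('&')) {
    if (piece === '') continue;
    const eq = piece.indexOf('=');
    const key = decodeComponent(eq < 0 ? piece : piece.slice(0, eq));
    const value = eq < 0 ? '' : decodeComponent(piece.slice(eq + 1));
    pairs.push([key, value]);
  }
  return pairs;
}

// The "last parameter wins" behaviour described above, shown for contrast.
export function parseQueryLastWins(rawQuery: string): { [key: string]: string } {
  const out: { [key: string]: string } = Object.create(null);
  for (const [key, value] of splitPairs(rawQuery)) out[key] = value;
  return out;
}

// Strict variant: a repeated key is an error, not a choice between values.
export function parseQueryStrict(rawQuery: string): ParsedQuery {
  // Object.create(null) so a '__proto__' key cannot pollute the prototype
  const seen: { [key: string]: string[] } = Object.create(null);
  for (const [key, value] of splitPairs(rawQuery)) {
    (seen[key] = seen[key] || []).push(value);
  }
  const params: { [key: string]: string } = Object.create(null);
  const duplicates: string[] = [];
  for (const key of Object.keys(seen)) {
    if (seen[key].length > 1) duplicates.push(key);
    else params[key] = seen[key][0];
  }
  return { params: params, duplicates: duplicates };
}
```

The same rule applies to form bodies and JSON: whichever layer merges query, body and path parameters decides which copy wins, so the check belongs in front of that merge.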

File Upload Issues

  • No type restrictions
  • No size limits
  • Malicious file execution
  • Path traversal in filenames

5. Information Disclosure

Sensitive Data Exposure

  • Passwords in logs
  • JWT tokens in responses
  • System information in errors
  • Database details in exceptions

Error Information

  • Stack traces exposed
  • File paths revealed
  • Configuration details
  • System architecture

Attack Chain Examples

1. Complete System Compromise

1. SQL Injection → Admin Access
   ↓
2. File Upload → Web Shell
   ↓
3. Command Injection → System Access
   ↓
4. Data Exfiltration → Complete Breach

2. Client-Side Attack Chain

1. XSS in Posts → Script Injection
   ↓
2. Session Hijacking → Account Takeover
   ↓
3. Social Engineering → Credential Theft
   ↓
4. Lateral Movement → Multiple Accounts

3. Data Breach Scenario

1. Authentication Bypass → Initial Access
   ↓
2. Path Traversal → Configuration Files
   ↓
3. Database Credentials → Direct DB Access
   ↓
4. Full Data Extraction → Privacy Breach

Impact Assessment

Critical Vulnerabilities

  • SQL Injection: Complete database compromise
  • Command Injection: Full server control
  • Authentication Bypass: Administrative access
  • File Upload: Remote code execution

High Impact

  • XSS: Client-side attacks and session theft
  • Path Traversal: System file access
  • Information Disclosure: Sensitive data exposure
  • Parameter Pollution: Logic bypass

Medium Impact

  • Weak Password Policies: Credential compromise
  • Session Management: Session hijacking
  • Error Handling: Information gathering
  • File Access: Data exfiltration

Business Impact Scenarios

1. Data Breach

  • User credentials exposed through SQL injection
  • Personal information theft via database access
  • Regulatory compliance violations (GDPR, CCPA)
  • Reputation damage and customer loss

2. System Compromise

  • Server takeover via command injection
  • Malware installation through file uploads
  • Network lateral movement from compromised system
  • Service disruption and downtime

3. Client-Side Attacks

  • User session hijacking through XSS
  • Credential theft via fake login forms
  • Malware distribution to application users
  • Social engineering attacks

Educational Value

For Students

  • Real-world examples of common vulnerabilities
  • Hands-on practice with exploitation techniques
  • Understanding impact of security failures
  • Learning secure coding through negative examples

For Developers

  • Vulnerability patterns to avoid in production
  • Security testing methodologies
  • Defensive programming techniques
  • Secure development lifecycle awareness

For Security Professionals

  • Penetration testing practice environment
  • Tool testing and technique refinement
  • Training material for security awareness
  • Certification preparation resources

Remediation Examples

SQL Injection Prevention

```typescript
// Vulnerable (current implementation): the e-mail is interpolated straight
// into the SQL text, so a crafted value changes the query itself
const user = await this.userRepository.query(
  `SELECT * FROM user WHERE email = '${email}'`
);

// Secure alternative: TypeORM binds the value as a query parameter,
// so it can never be interpreted as SQL
const user = await this.userRepository.findOne({
  where: { email }  // Parameterized query
});
```

XSS Prevention

```tsx
// Vulnerable (current implementation): stored post content is injected as raw HTML
<div dangerouslySetInnerHTML={{ __html: content }} />

// Secure alternative: rendered as text, so markup in the content is displayed, not executed
<div>{content}</div>  // React auto-escapes
```

File Upload Security

```typescript
// Vulnerable (current implementation): the client-chosen name reaches the disk
// unchanged, including any '../' segments or executable extension
filename: (req, file, cb) => {
  const filename = file.originalname;  // Direct use
  cb(null, filename);
}

// Secure alternative (assumes `import sanitize from 'sanitize-filename'`)
filename: (req, file, cb) => {
  const filename = sanitize(file.originalname);  // Strips path separators and control chars
  cb(null, `${Date.now()}-${filename}`);  // Unique names
}
```
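
The sanitized-name fix above covers the upload path; the download and execution endpoints (V12.3.1, file.controller.ts:91-116) also need the resolved path checked against the upload directory. This is an added example, not the project's file.controller.ts; `uploadRoot` and the allowed-extension list are assumptions of the example.

```typescript
import * as path from 'path';
import * as crypto from 'crypto';

// Added example, not the project's file.controller.ts: keep a user-supplied
// path inside the upload directory (V12.3.1 path traversal) and give stored
// uploads a random name with an allow-listed extension. `uploadRoot` and the
// extension list are assumptions of this example.
const ALLOWED_EXT = ['.png', '.jpg', '.jpeg', '.gif', '.pdf', '.txt'];

// Returns the absolute path if `userPath` stays inside `uploadRoot`, else null.
export function resolveInsideRoot(uploadRoot: string, userPath: string): string | null {
  if (userPath.indexOf('\0') !== -1) return null;      // NUL bytes truncate paths in native APIs
  const root = path.resolve(uploadRoot);
  const candidate = path.resolve(root, userPath);      // collapses '..' and absolute inputs
  // Compare the resolved paths, not the raw input: 'a/../../x' looks harmless
  // until resolved. The root itself is a directory, not a file to serve.
  if (candidate === root) return null;
  if (candidate.indexOf(root + path.sep) !== 0) return null;
  return candidate;
}

// Storage name for an upload: never the client's name, only its (checked) extension.
export function storedName(originalName: string): string | null {
  const ext = path.extname(originalName).toLowerCase();
  if (ALLOWED_EXT.indexOf(ext) === -1) return null;   // rejects '.php', '.sh', no extension
  // The extension alone says nothing about the bytes; check the content type as well.
  return crypto.randomBytes(16).toString('hex') + ext;
}
```

`path.resolve` does not follow symlinks, so if the upload directory can contain links, compare against `fs.realpath` of the candidate as well.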

Testing Priorities

Phase 1: Critical Vulnerabilities

  1. SQL injection in authentication
  2. Command injection in file operations
  3. File upload restrictions
  4. XSS in post content

Phase 2: Access Control

  1. Authentication bypass techniques
  2. Parameter pollution exploitation
  3. Path traversal attacks
  4. Session management flaws

Phase 3: Information Disclosure

  1. Error message analysis
  2. Log file examination
  3. Configuration exposure
  4. System fingerprinting
