6.3 Security Evaluation - nus-mtp/sashimi-note GitHub Wiki

Security evaluation

The purpose of conducting this security evaluation is to ensure sashimi-note is secure from commonly known web application vulnerabilities. Multiple security tools and manual testing were conducted in different security aspects for this evaluation.

1. Security Tools:

ZAP is a free and open-source security tool by the Open Web Application Security Project (OWASP) used to discover security vulnerabilities (such as SQL injection, XSS, etc.) in web applications. ZAP acts as a web proxy between the client and server to intercept and manipulate data.

  • Note: Security evaluation with ZAP was conducted only on a localhost machine.

  • Limitations: sashimi-note is a single-page web application which resides in the client's browser and need not communicate with the server after the initial request. As such, ZAP is not able to intercept or manipulate any data, as all the logic and database access are done in the client's browser. The only thing that ZAP can test is the server's URL resolution during the initial request from the client.

Snyk is an online security tool that tests web applications for vulnerable dependencies.

2. Vulnerabilities:

2.1. Format String Attack

2.1.1 Method:

ZAP was used to conduct a URL scan on sashimi-note to discover potential vulnerabilities.

2.1.2 Report:

Full Report

2.1.3 Implication:

  • Examples of format types used in format string attack :

    • %p - pointer
    • %x - int as hexadecimal (useful for printing memory addresses)
    • %n - write data (the number of bytes printed so far) to an arbitrary location

    These format types are dangerous as they could be used to print sensitive data from the server's memory.

  • CWE-134: Use of Externally-Controlled Format String

2.1.4 Justification:

  • Although the vulnerability is rated as ++medium++ priority by ZAP, it does not affect the security of sashimi-note, as nodejs is not vulnerable to format string attacks since it does not have a string formatting utility. [Reference: Security Stack Exchange]

  • sashimi-note is a single-page web application that resides in the client's browser. The only form of communication between the client and server is the initial request to the server in the form of a URL. As proper server configurations are already in place to resolve the URL, it will always be redirected to the sashimi-note index page.

2.2 Command Injection

2.2.1 Method:

Snyk was used to test sashimi-note for vulnerable module dependencies.

2.2.2 Report:



shelljs has been detected as a high-severity vulnerable dependency.

Report link: https://snyk.io/test/github/nus-mtp/sashimi-note?tab=vulnerabilities

2.2.3 Implication:

shelljs is a module which provides portable Unix shell commands for nodejs. This is dangerous as an attacker could execute shell.exec() commands externally. The attacker would be able to obtain system information or even inject a malicious payload into the system through these commands.

2.2.4 Justification:

  • shelljs is used only for the development of sashimi-note and not on the actual production server. Therefore there are no real security implications for sashimi-note's live web application.
  • The purpose of using shelljs is to provide developers with a script to automate the setting up of the development environment.
  • However, there is a possibility that other branches of sashimi-note on GitHub could exploit shelljs by modifying the current script to contain a malicious payload. Developers who are working on sashimi-note should be aware of the vulnerabilities of shelljs and exercise due diligence in reviewing any scripts in a branch to ensure they are safe before executing them on their own system.
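Since the justification above rests on shelljs being a development-only dependency, a practitioner would want a check that it stays that way. The following is an added example, not sashimi-note's own code: it reads a package.json (the one below is constructed for the example, with placeholder version strings) and reports any module from a development-only list that is also declared under `dependencies`, which `npm install --production` would install on a server.

```javascript
// Added example, not sashimi-note's own code: check that a module needed only
// for development scripts (shelljs, as discussed above) is not also declared
// as a production dependency. The package.json text below is constructed for
// this example; the version strings are placeholders.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { 'some-ui-lib': '0.0.0-placeholder' },
  devDependencies: { shelljs: '0.0.0-placeholder' },
});

// Returns where a module is declared: 'production', 'development', 'both' or 'absent'.
function classifyDependency(packageJsonText, moduleName) {
  const pkg = JSON.parse(packageJsonText);
  const has = (section) =>
    Object.prototype.hasOwnProperty.call(pkg[section] || {}, moduleName);
  const inProd = has('dependencies');
  const inDev = has('devDependencies');
  if (inProd && inDev) return 'both';
  if (inProd) return 'production';
  if (inDev) return 'development';
  return 'absent';
}

// Given a list of modules that must stay development-only, report those that
// would be installed on the production server (`npm install --production`
// installs `dependencies` but skips `devDependencies`).
function devOnlyViolations(packageJsonText, devOnlyModules) {
  return devOnlyModules.filter((m) => {
    const where = classifyDependency(packageJsonText, m);
    return where === 'production' || where === 'both';
  });
}

// Stand-alone run: prints the classification for shelljs and any violations.
console.log('shelljs:', classifyDependency(SAMPLE_PACKAGE_JSON, 'shelljs'));
console.log('violations:', devOnlyViolations(SAMPLE_PACKAGE_JSON, ['shelljs']));
```

To use it against the real repository, replace `SAMPLE_PACKAGE_JSON` with the contents of the project's package.json; a non-empty violation list means a development-only module has crept into the production install.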

2.3 SQL Injection

2.3.1 Method:

As mentioned above regarding the limitations of using ZAP to test sashimi-note, manual testing with a set of commonly known SQL injection techniques and SQL wildcard characters was conducted on the sashimi-note search and rename functions.

2.3.2 Report:

SQL wildcard characters like _ and % are allowed in the sashimi-note search function.

2.3.3 Implication:

  • A malicious SQL query could be injected to modify/destroy the existing database if input is not properly sanitized.

2.3.4 Justification:

  • Allowing SQL wildcard characters is part of the sashimi-note search feature. There is no significant security issue, as this only reveals all the files and folders that are in the database. There is also no confidential/sensitive information stored in the database.
  • For each client, their database is unique and resides in their own browser. All SQL queries are executed against the database in the client's browser. For an attacker to inject an SQL statement, the attacker must first gain control of the client's browser.

2.3.5 Improvement:

  • Sanitization of the input: ensure there are no special characters before processing the input into the SQL query for the rename function, and only allow the SQL wildcard characters _ and % for the sashimi-note search function.
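One way to implement the improvement above, as an added example that is not sashimi-note's own code: an allowlist for rename input that rejects special characters, a second allowlist for search input that additionally admits the `_` and `%` wildcards, and statements built with `?` placeholders so the user value is bound as a parameter rather than concatenated into the SQL text. The table name `files` and the `{ sql, params }` shape (to be passed to a `db.run(sql, params)`-style call) are assumptions for this example.

```javascript
// Added example, not sashimi-note's own code: allowlist validation for the
// rename function, wildcard-tolerant validation for the search function, and
// parameter binding so user input never becomes part of the SQL text.
// The table name `files` and the `db.run(sql, params)` style of API are
// assumptions for this example.

// Rename: names may contain only letters, digits, space, dot, underscore and
// hyphen. Quotes, semicolons, comment markers and the wildcard `%` are
// rejected before the value reaches any query. Underscore is allowed here as
// an ordinary name character: the rename statement stores the name literally
// and selects the row by id, so no LIKE wildcard meaning applies.
const RENAME_ALLOWED = /^[A-Za-z0-9 ._-]{1,64}$/;

function isValidRenameInput(name) {
  return typeof name === 'string' && RENAME_ALLOWED.test(name);
}

// Search: `_` and `%` are a feature of the search function, so `%` is
// accepted in addition to the rename character set; nothing else is.
const SEARCH_ALLOWED = /^[A-Za-z0-9 ._%-]{1,64}$/;

function isValidSearchInput(term) {
  return typeof term === 'string' && SEARCH_ALLOWED.test(term);
}

// Build statements with `?` placeholders. The value travels in `params`,
// never concatenated into `sql`, so even input that slipped past the
// allowlist could not change the structure of the statement.
function buildRenameQuery(fileId, newName) {
  if (!Number.isInteger(fileId)) throw new Error('rename rejected: id must be an integer');
  if (!isValidRenameInput(newName)) throw new Error('rename rejected: invalid characters in name');
  return { sql: 'UPDATE files SET name = ? WHERE id = ?', params: [newName, fileId] };
}

function buildSearchQuery(term) {
  if (!isValidSearchInput(term)) throw new Error('search rejected: invalid characters in term');
  return { sql: 'SELECT id, name FROM files WHERE name LIKE ?', params: [term] };
}

// Stand-alone run with constructed inputs: a normal rename, a search using the
// wildcard feature, and a rename containing a quote (rejected).
console.log(buildRenameQuery(7, 'meeting notes.md'));
console.log(buildSearchQuery('note%'));
try {
  buildRenameQuery(7, "it's");
} catch (e) {
  console.log(e.message);
}
```

The two layers are deliberately independent: the allowlists keep the rename and search features behaving as specified, while parameter binding is what actually prevents a value from being interpreted as SQL, so a future relaxation of the allowlist (for example to permit apostrophes in file names) would not reopen the injection path.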