From f8094741dd0ab3b0f70e2ed1d216d1cd4c40d533 Mon Sep 17 00:00:00 2001 From: Nick Mitchell Date: Thu, 25 Jun 2026 11:18:41 -0400 Subject: [PATCH 1/2] nick --- grading_server/mix.lock | 8 ++++---- modules/2-owasp.livemd | 30 +++++++++++++++++------------- modules/3-ssdlc.livemd | 4 ++-- modules/5-elixir.livemd | 17 ++++++++++------- modules/6-cookies.livemd | 15 +++++++++++++-- 5 files changed, 46 insertions(+), 28 deletions(-) diff --git a/grading_server/mix.lock b/grading_server/mix.lock index 289515f..03a53e0 100644 --- a/grading_server/mix.lock +++ b/grading_server/mix.lock @@ -12,7 +12,7 @@ "ecto_sql": {:hex, :ecto_sql, "3.9.2", "34227501abe92dba10d9c3495ab6770e75e79b836d114c41108a4bf2ce200ad5", [:mix], [{:db_connection, "~> 2.5 or ~> 2.4.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:ecto, "~> 3.9.2", [hex: :ecto, repo: "hexpm", optional: false]}, {:myxql, "~> 0.6.0", [hex: :myxql, repo: "hexpm", optional: true]}, {:postgrex, "~> 0.16.0 or ~> 1.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:tds, "~> 2.1.1 or ~> 2.2", [hex: :tds, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.0 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "1eb5eeb4358fdbcd42eac11c1fbd87e3affd7904e639d77903c1358b2abd3f70"}, "file_system": {:hex, :file_system, "0.2.10", "fb082005a9cd1711c05b5248710f8826b02d7d1784e7c3451f9c1231d4fc162d", [:mix], [], "hexpm", "41195edbfb562a593726eda3b3e8b103a309b733ad25f3d642ba49696bf715dc"}, "jason": {:hex, :jason, "1.4.0", "e855647bc964a44e2f67df589ccf49105ae039d4179db7f6271dfd3843dc27e6", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "79a3791085b2a0f743ca04cec0f7be26443738779d09302e01318f97bdb82121"}, - "mime": {:hex, :mime, "2.0.3", "3676436d3d1f7b81b5a2d2bd8405f412c677558c81b1c92be58c00562bb59095", [:mix], [], "hexpm", "27a30bf0db44d25eecba73755acf4068cbfe26a4372f9eb3e4ea3a45956bff6b"}, + "mime": {:hex, :mime, "2.0.7", "b8d739037be7cd402aee1ba0306edfdef982687ee7e9859bee6198c1e7e2f128", [], [], "hexpm", "6171188e399ee16023ffc5b76ce445eb6d9672e2e241d2df6050f3c771e80ccd"}, "phoenix": {:hex, :phoenix, "1.6.15", "0a1d96bbc10747fd83525370d691953cdb6f3ccbac61aa01b4acb012474b047d", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 2.0", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 1.0 or ~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: false]}, {:plug, "~> 1.10", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.2", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:plug_crypto, "~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "d70ab9fbf6b394755ea88b644d34d79d8b146e490973151f248cacd122d20672"}, "phoenix_ecto": {:hex, :phoenix_ecto, "4.4.0", "0672ed4e4808b3fbed494dded89958e22fb882de47a97634c0b13e7b0b5f7720", [:mix], [{:ecto, "~> 3.3", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.14.2 or ~> 3.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "09864e558ed31ee00bd48fcc1d4fc58ae9678c9e81649075431e69dbabb43cc1"}, "phoenix_html": {:hex, :phoenix_html, "3.2.0", "1c1219d4b6cb22ac72f12f73dc5fad6c7563104d083f711c3fcd8551a1f4ae11", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "36ec97ba56d25c0136ef1992c37957e4246b649d620958a1f9fa86165f8bc54f"}, @@ -21,14 +21,14 @@ "phoenix_pubsub": {:hex, :phoenix_pubsub, "2.1.1", "ba04e489ef03763bf28a17eb2eaddc2c20c6d217e2150a61e3298b0f4c2012b5", [:mix], [], "hexpm", "81367c6d1eea5878ad726be80808eb5a787a23dee699f96e72b1109c57cdd8d9"}, "phoenix_template": {:hex, :phoenix_template, "1.0.1", "85f79e3ad1b0180abb43f9725973e3b8c2c3354a87245f91431eec60553ed3ef", [:mix], [{:phoenix_html, "~> 2.14.2 or ~> 3.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}], "hexpm", "157dc078f6226334c91cb32c1865bf3911686f8bcd6bcff86736f6253e6993ee"}, "phoenix_view": {:hex, :phoenix_view, "2.0.2", "6bd4d2fd595ef80d33b439ede6a19326b78f0f1d8d62b9a318e3d9c1af351098", [:mix], [{:phoenix_html, "~> 2.14.2 or ~> 3.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:phoenix_template, "~> 1.0", [hex: :phoenix_template, repo: "hexpm", optional: false]}], "hexpm", "a929e7230ea5c7ee0e149ffcf44ce7cf7f4b6d2bfe1752dd7c084cdff152d36f"}, - "plug": {:hex, :plug, "1.14.0", "ba4f558468f69cbd9f6b356d25443d0b796fbdc887e03fa89001384a9cac638f", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "bf020432c7d4feb7b3af16a0c2701455cbbbb95e5b6866132cb09eb0c29adc14"}, + "plug": {:hex, :plug, "1.20.1", "82cdee1d7535d4f4db5c5602a7fd49512d64690be54fd62374856ee70e62eb29", [], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2 or ~> 2.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "892d2a1a7a3f5368c5a3b9067bba1050c031495f48c430ec00b09691dbf211b7"}, "plug_cowboy": {:hex, :plug_cowboy, "2.6.0", "d1cf12ff96a1ca4f52207c5271a6c351a4733f413803488d75b70ccf44aebec2", [:mix], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:cowboy_telemetry, "~> 0.3", [hex: :cowboy_telemetry, repo: "hexpm", optional: false]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "073cf20b753ce6682ed72905cd62a2d4bd9bad1bf9f7feb02a1b8e525bd94fa6"}, - "plug_crypto": {:hex, :plug_crypto, "1.2.3", "8f77d13aeb32bfd9e654cb68f0af517b371fb34c56c9f2b58fe3df1235c1251a", [:mix], [], "hexpm", "b5672099c6ad5c202c45f5a403f21a3411247f164e4a8fab056e5cd8a290f4a2"}, + "plug_crypto": {:hex, :plug_crypto, "1.2.5", "918772575e48e81e455818229bf719d4ab4181fcbf7f85b68a35620f78d89ced", [], [], "hexpm", "26549a1d6345e2172eb1c233866756ae44a9609bd33ee6f99147ab3fd87fd842"}, "postgrex": {:hex, :postgrex, "0.16.5", "fcc4035cc90e23933c5d69a9cd686e329469446ef7abba2cf70f08e2c4b69810", [:mix], [{:connection, "~> 1.1", [hex: :connection, repo: "hexpm", optional: false]}, {:db_connection, "~> 2.1", [hex: :db_connection, repo: "hexpm", optional: false]}, {:decimal, "~> 1.5 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:table, "~> 0.1.0", [hex: :table, repo: "hexpm", optional: true]}], "hexpm", "edead639dc6e882618c01d8fc891214c481ab9a3788dfe38dd5e37fd1d5fb2e8"}, "ranch": {:hex, :ranch, "1.8.0", "8c7a100a139fd57f17327b6413e4167ac559fbc04ca7448e9be9057311597a1d", [:make, :rebar3], [], "hexpm", "49fbcfd3682fab1f5d109351b61257676da1a2fdbe295904176d5e521a2ddfe5"}, "simple_token_authentication": {:hex, :simple_token_authentication, "0.7.0", "5621af0367ee37d71b90d0d9346fdde097ac1daab18c070252e59db620de2e3e", [:mix], [{:plug, ">= 1.3.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "6100de9482b04603b22ecba0b4f93beab1827fdf9dfda6f0dab59830f6815357"}, "sobelow": {:hex, :sobelow, "0.12.2", "45f4d500e09f95fdb5a7b94c2838d6b26625828751d9f1127174055a78542cf5", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}], "hexpm", "2f0b617dce551db651145662b84c8da4f158e7abe049a76daaaae2282df01c5d"}, - "telemetry": {:hex, :telemetry, "1.2.1", "68fdfe8d8f05a8428483a97d7aab2f268aaff24b49e0f599faa091f1d4e7f61c", [:rebar3], [], "hexpm", "dad9ce9d8effc621708f99eac538ef1cbe05d6a874dd741de2e689c47feafed5"}, + "telemetry": {:hex, :telemetry, "1.4.2", "a0cb522801dffb1c49fe6e30561badffc7b6d0e180db1300df759faa22062855", [], [], "hexpm", "928f6495066506077862c0d1646609eed891a4326bee3126ba54b60af61febb1"}, "telemetry_metrics": {:hex, :telemetry_metrics, "0.6.1", "315d9163a1d4660aedc3fee73f33f1d355dcc76c5c3ab3d59e76e3edf80eef1f", [:mix], [{:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "7be9e0871c41732c233be71e4be11b96e56177bf15dde64a8ac9ce72ac9834c6"}, "telemetry_poller": {:hex, :telemetry_poller, "1.0.0", "db91bb424e07f2bb6e73926fcafbfcbcb295f0193e0a00e825e589a0a47e8453", [:rebar3], [{:telemetry, "~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "b3a24eafd66c3f42da30fc3ca7dda1e9d546c12250a2d60d7b81d264fbec4f6e"}, "yamerl": {:hex, :yamerl, "0.10.0", "4ff81fee2f1f6a46f1700c0d880b24d193ddb74bd14ef42cb0bcf46e81ef2f8e", [:rebar3], [], "hexpm", "346adb2963f1051dc837a2364e4acf6eb7d80097c0f53cbdc3046ec8ec4b4e6e"}, diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index 4b31bf5..192b986 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd @@ -101,25 +101,29 @@ Notable CWEs included are CWE-259: Use of Hard-coded Password, CWE-327: Broken o _Please uncomment the function call that you believe is correct._ - + ```elixir result = - defmodule PasswordCompare do - def option_one(password, md5_hash) do - case :crypto.hash(:md5, password) == md5_hash do - true -> :entry_granted_op1 - false -> :entry_denied_op1 + ( + defmodule PasswordCompare do + def option_one(password, md5_hash) do + case :crypto.hash(:md5, password) == md5_hash do + true -> :entry_granted_op1 + false -> :entry_denied_op1 + end end - end - def option_two(password, bcrypt_salted_hash) do - case Bcrypt.verify_pass(password, bcrypt_salted_hash) do - true -> :entry_granted_op2 - false -> :entry_denied_op2 + def option_two(password, bcrypt_salted_hash) do + case Bcrypt.verify_pass(password, bcrypt_salted_hash) do + true -> :entry_granted_op2 + false -> :entry_denied_op2 + end end end - end + + PasswordCompare.option_two("users_password", bcrypt_salted_hash) + ) case GradingClient.check_answer(OWASP, 1, result) do :correct -> @@ -257,7 +261,7 @@ _Please change the atom below to the name of the vulnerable package installed in _HINT: Check the changelogs for each dependency._ - + ```elixir result = diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd index 276c1e2..b948c47 100644 --- a/modules/3-ssdlc.livemd +++ b/modules/3-ssdlc.livemd @@ -47,10 +47,10 @@ A very easy way to prevent secrets being added to files is to access them via En _Use `System.get_env/1` on line 2._ - + ```elixir -result = super_secret_password = "p@ssw0rd" +result = super_secret_password = System.get_env("envar_secret") case GradingClient.check_answer(SDLC, 1, result) do :correct -> diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd index a3afc69..ed64366 100644 --- a/modules/5-elixir.livemd +++ b/modules/5-elixir.livemd @@ -50,7 +50,7 @@ Beware of functions in applications/libraries that create atoms from input value _You should get a `true` result when you successfully fix the function._ - + ```elixir result = @@ -58,7 +58,7 @@ result = malicious_user_input = UUID.uuid4() try do - malicious_user_input |> String.to_atom() + malicious_user_input |> String.to_existing_atom() rescue e -> e end @@ -175,13 +175,13 @@ end password = "HASH_OF_THE_USERS_ACTUAL_PASSWORD" # DO NOT EDIT ANY CODE ABOVE THIS LINE ===================== -user_input = "HASH_OF_asdfasdf" +user_input = "Ht89uh530492h035498ht2p8h5t9pg82y4395orthg29p3485rht09p28345tg9puh5tg9p3uh2tp983ho98t2po85uhtg9o83u4h598u2tg349p58t" # DO NOT EDIT ANY CODE BELOW THIS LINE (you may uncomment IO.puts) ============= Benchwarmer.benchmark(fn -> Susceptible.compare(user_input, password) end) Benchwarmer.benchmark(fn -> Constant.compare(user_input, password) end) -# IO.puts(:comparison_ran) +IO.puts(:comparison_ran) ``` ## Boolean Coercion @@ -213,7 +213,7 @@ The latter will raise a `BadBooleanError` when the function returns `:ok` or `{: _Uncomment the if statement that uses the correct boolean comparison._ - + ```elixir result = @@ -234,6 +234,9 @@ result = :ok try do + if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do + :you_let_a_baddie_in + end rescue e -> e end @@ -304,12 +307,12 @@ This prevents the table from being read by other processes, such as remote shell **We have decided that we do not want this ETS table to be read from other processes, so try making it private:** - + ```elixir result = ( - secret_table = :ets.new(:secret_table, [:public]) + secret_table = :ets.new(:secret_table, [:private]) :ets.info(secret_table)[:protection] ) diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index ec4f5a4..aaa44f0 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -181,12 +181,23 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib _Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._ - + ```elixir result = ( - cookie_name = "CHANGE_ME" + cookie_name = "__Host-test-cookie" + + Plug.Conn.put_resp_cookie( + conn, + cookie_name, + <<0::8, 42::8>>, + domain: "example.com", + path: "/", + secure: true, + http_only: true, + same_site: "Strict" + ) cookie = conn From 60722fa9bd3618e0c734f683f56d95e28536d499 Mon Sep 17 00:00:00 2001 From: Nick Mitchell Date: Fri, 26 Jun 2026 14:17:24 -0400 Subject: [PATCH 2/2] update package more betterer --- modules/2-owasp.livemd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index 192b986..3a47087 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd @@ -261,7 +261,7 @@ _Please change the atom below to the name of the vulnerable package installed in _HINT: Check the changelogs for each dependency._ - + ```elixir result = @@ -270,7 +270,7 @@ result = Kino.Input.select("Answer", ecto: "Ecto v2.2.2", nx: "Nx v0.5.0", - plug: "Plug v1.3.2" + plug: "Plug v1.20.1" ) Kino.render(answer)