diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index 4b31bf5..c2a9926 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 2 - OWASP ```elixir @@ -101,25 +103,29 @@ Notable CWEs included are CWE-259: Use of Hard-coded Password, CWE-327: Broken o _Please uncomment the function call that you believe is correct._ - + ```elixir result = - defmodule PasswordCompare do - def option_one(password, md5_hash) do - case :crypto.hash(:md5, password) == md5_hash do - true -> :entry_granted_op1 - false -> :entry_denied_op1 + ( + defmodule PasswordCompare do + def option_one(password, md5_hash) do + case :crypto.hash(:md5, password) == md5_hash do + true -> :entry_granted_op1 + false -> :entry_denied_op1 + end end - end - def option_two(password, bcrypt_salted_hash) do - case Bcrypt.verify_pass(password, bcrypt_salted_hash) do - true -> :entry_granted_op2 - false -> :entry_denied_op2 + def option_two(password, bcrypt_salted_hash) do + case Bcrypt.verify_pass(password, bcrypt_salted_hash) do + true -> :entry_granted_op2 + false -> :entry_denied_op2 + end end end - end + + PasswordCompare.option_two("users_password", bcrypt_salted_hash) + ) case GradingClient.check_answer(OWASP, 1, result) do :correct -> @@ -257,7 +263,7 @@ _Please change the atom below to the name of the vulnerable package installed in _HINT: Check the changelogs for each dependency._ - + ```elixir result = @@ -266,7 +272,7 @@ result = Kino.Input.select("Answer", ecto: "Ecto v2.2.2", nx: "Nx v0.5.0", - plug: "Plug v1.3.2" + plug: "Plug v1.4.0" ) Kino.render(answer) diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd index 276c1e2..8e967a0 100644 --- a/modules/3-ssdlc.livemd +++ b/modules/3-ssdlc.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 3 - Secure SDLC Concepts ```elixir @@ -47,10 +49,10 @@ A very easy way to prevent secrets being added to files is to access them via En _Use `System.get_env/1` on line 2._ - + ```elixir -result = super_secret_password = "p@ssw0rd" +result = super_secret_password = System.get_env("envar_secret") case GradingClient.check_answer(SDLC, 1, result) do :correct -> diff --git a/modules/4-graphql.livemd b/modules/4-graphql.livemd index 19e716c..5853198 100644 --- a/modules/4-graphql.livemd +++ b/modules/4-graphql.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 4 - GraphQL Security ```elixir @@ -59,7 +61,7 @@ It can also intercept responses to ensure no schema data is being leaked in any **Which of the OWASP API Security Top 10 2019 issues does disabling introspection queries address?** - + ```elixir result = @@ -106,7 +108,7 @@ OWASP recommends explicitly defining and enforcing all API response payload sche **Select the best example of a “good” error message, from the perspective of developer who is writing code that is intended to inform a user (who may or may not be a malicious actor) that the action they have attempted was unsuccessful:** - + ```elixir result = diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd index a3afc69..ff3d126 100644 --- a/modules/5-elixir.livemd +++ b/modules/5-elixir.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 5 - Elixir Security ```elixir @@ -50,7 +52,7 @@ Beware of functions in applications/libraries that create atoms from input value _You should get a `true` result when you successfully fix the function._ - + ```elixir result = @@ -58,7 +60,7 @@ result = malicious_user_input = UUID.uuid4() try do - malicious_user_input |> String.to_atom() + malicious_user_input |> String.to_existing_atom() rescue e -> e end @@ -181,7 +183,7 @@ user_input = "HASH_OF_asdfasdf" Benchwarmer.benchmark(fn -> Susceptible.compare(user_input, password) end) Benchwarmer.benchmark(fn -> Constant.compare(user_input, password) end) -# IO.puts(:comparison_ran) +IO.puts(:comparison_ran) ``` ## Boolean Coercion @@ -213,7 +215,7 @@ The latter will raise a `BadBooleanError` when the function returns `:ok` or `{: _Uncomment the if statement that uses the correct boolean comparison._ - + ```elixir result = @@ -234,6 +236,9 @@ result = :ok try do + if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do + :you_let_a_baddie_in + end rescue e -> e end @@ -304,12 +309,12 @@ This prevents the table from being read by other processes, such as remote shell **We have decided that we do not want this ETS table to be read from other processes, so try making it private:** - + ```elixir result = ( - secret_table = :ets.new(:secret_table, [:public]) + secret_table = :ets.new(:secret_table, [:private]) :ets.info(secret_table)[:protection] ) diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index ec4f5a4..c2d2830 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 6 - Cookie Security @@ -181,12 +183,18 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib _Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._ - + ```elixir result = ( - cookie_name = "CHANGE_ME" + cookie_name = "__Host" + + conn = + Plug.Conn.put_resp_cookie( + conn, + cookie_name, + <<0::8, 42::8>>, path: "/", secure: true, http_only: true, same_site: "Strict") cookie = conn diff --git a/modules/7-anti-patterns.livemd b/modules/7-anti-patterns.livemd index 3904a6d..680867a 100644 --- a/modules/7-anti-patterns.livemd +++ b/modules/7-anti-patterns.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 7 - Security Anti-Patterns ```elixir @@ -73,7 +75,7 @@ Penguin.slide([3, 4, 5, 2, 1]) **What sorting algorithm is the module above using?** - + ```elixir result = diff --git a/modules/8-cicd.livemd b/modules/8-cicd.livemd index 729ce41..d59675a 100644 --- a/modules/8-cicd.livemd +++ b/modules/8-cicd.livemd @@ -1,3 +1,5 @@ + + # ESCT: Part 8 - CI/CD Tools ```elixir