FINAL PRESENTATION

Issue tracker

GROUP 1

Maurici Abad    ·    Ulrich Firpion

SePr

ISSUE TRACKER

PREVIEW

ISSUE TRACKER

APP SECURITY

  • Secure OAuth 2.0 login (Google login)
    • The app never handles or stores passwords; Google does the authentication
    • Faster to build and faster for users
    • Caveat: OAuth only answers "who is this user?"; deciding what each user may see or do is still the app's job
  • Using a framework (Rails)
    • Forces good practices (MVC, CSRF protection and strong parameters on by default)
    • Automatic escaping of view output and parameterised queries through ActiveRecord
    • Automated dependency updates, so known-vulnerable gems get flagged and bumped
    • Easy access control on content (who may read or change an issue)
  • Keep security in mind when coding

OUR 3 VULNERABILITIES

Skip Login

Insecure API key

Access admin page

FOUND
VULNERABILITIES

EXPLANATION

https://asw-issue.herokuapp.com/users

CONSEQUENCES

https://asw-issue.herokuapp.com/issues

LOGS

2019-11-06T19:54:05.316727+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] Started GET "/issues.json" for 80.113.51.180 at 2019-11-06 19:54:05 +0000
2019-11-06T19:54:05.334847+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] Processing by IssuesController#index as JSON
2019-11-06T19:54:05.479662+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60]   User Load (2.6ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.496284+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60]   Issue Load (1.5ms)  SELECT "issues".* FROM "issues"
2019-11-06T19:54:05.550989+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.8ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 48]]
2019-11-06T19:54:05.562313+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (2.6ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 48]]
2019-11-06T19:54:05.569127+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (1.8ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 48], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.576155+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (2.2ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 48], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.587944+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   User Load (2.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 6], ["LIMIT", 1]]
2019-11-06T19:54:05.590308+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.3ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 49]]
2019-11-06T19:54:05.592541+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.6ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 49]]
2019-11-06T19:54:05.595111+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (2.0ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 49], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.597117+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.4ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 49], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.597693+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   CACHE User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.601461+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (2.7ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 50]]
2019-11-06T19:54:05.603342+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.2ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 50]]
2019-11-06T19:54:05.604952+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (1.0ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 50], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.606755+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.3ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 50], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.607282+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   CACHE User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.610617+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (2.2ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 51]]
2019-11-06T19:54:05.613541+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (2.2ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 51]]
2019-11-06T19:54:05.615422+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (1.3ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 51], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.617785+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.7ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 51], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.618359+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   CACHE User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.620295+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.0ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 52]]
2019-11-06T19:54:05.622474+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.6ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 52]]
2019-11-06T19:54:05.625467+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (2.1ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 52], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.627315+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.1ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 52], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.628211+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   CACHE User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.630147+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (0.8ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 53]]
2019-11-06T19:54:05.631661+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (0.9ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 53]]
2019-11-06T19:54:05.633201+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (0.9ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 53], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.634699+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.0ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 53], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.635259+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   CACHE User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.637760+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.5ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 54]]
2019-11-06T19:54:05.639488+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.1ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 54]]
2019-11-06T19:54:05.640961+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (0.9ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 54], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.642597+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.1ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 54], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.643131+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   CACHE User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.645953+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (1.8ms)  SELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1  [["issue_id", 7]]
2019-11-06T19:54:05.649887+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   (3.2ms)  SELECT COUNT(*) FROM "watches" WHERE "watches"."issue_id" = $1  [["issue_id", 7]]
2019-11-06T19:54:05.654741+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Vote Exists (4.1ms)  SELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3  [["issue_id", 7], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.658015+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   Watch Exists (1.9ms)  SELECT  1 AS one FROM "watches" WHERE "watches"."issue_id" = $1 AND "watches"."id" = $2 LIMIT $3  [["issue_id", 7], ["id", 47], ["LIMIT", 1]]
2019-11-06T19:54:05.660494+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   User Load (1.7ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2  [["id", 5], ["LIMIT", 1]]
2019-11-06T19:54:05.661065+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers] Rendered ActiveModel::Serializer::CollectionSerializer with ActiveModelSerializers::Adapter::Attributes (132.15ms)
2019-11-06T19:54:05.661275+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] Completed 500 Internal Server Error in 326ms (ActiveRecord: 131.3ms)
2019-11-06T19:54:05.662121+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60]
2019-11-06T19:54:05.662285+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] NoMethodError (undefined method `as_json_summary' for nil:NilClass):
2019-11-06T19:54:05.662291+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60]
2019-11-06T19:54:05.662330+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] app/serializers/index_issue_serializer.rb:21:in `_links'
2019-11-06T19:54:05.662332+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] app/controllers/issues_controller.rb:77:in `block (2 levels) in index'
2019-11-06T19:54:05.662333+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] app/controllers/issues_controller.rb:75:in `index'
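Reading a log like this by eye is fine for one request, but the same signal (an unauthenticated JSON endpoint returning 500, the exception class behind it, and the number of queries a single request fires) is what you would alert on in production. The following is an added example, not code from the slides or from the project: a small Ruby parser for Heroku app log lines in this format. It strips the colour codes (with or without the ESC byte, which the slide export dropped), groups lines by the Rails request id in brackets, and summarises each request. The sample lines are a shortened copy of the log above; the function and field names are this example's own.

```ruby
# Constructed sample: a subset of the Heroku lines from the slide (one request),
# with the colour-code residue left exactly as it appears on the slide.
SAMPLE_LOG = <<~'LOG'
  2019-11-06T19:54:05.316727+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] Started GET "/issues.json" for 80.113.51.180 at 2019-11-06 19:54:05 +0000
  2019-11-06T19:54:05.334847+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] Processing by IssuesController#index as JSON
  2019-11-06T19:54:05.479662+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60]   [1m[36mUser Load (2.6ms)[0m  [1m[34mSELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2[0m  [["id", 47], ["LIMIT", 1]]
  2019-11-06T19:54:05.496284+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60]   [1m[36mIssue Load (1.5ms)[0m  [1m[34mSELECT "issues".* FROM "issues"[0m
  2019-11-06T19:54:05.550989+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   [1m[35m (1.8ms)[0m  [1m[34mSELECT COUNT(*) FROM "votes" WHERE "votes"."issue_id" = $1[0m  [["issue_id", 48]]
  2019-11-06T19:54:05.569127+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   [1m[36mVote Exists (1.8ms)[0m  [1m[34mSELECT  1 AS one FROM "votes" WHERE "votes"."issue_id" = $1 AND "votes"."id" = $2 LIMIT $3[0m  [["issue_id", 48], ["id", 47], ["LIMIT", 1]]
  2019-11-06T19:54:05.597693+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers]   [1m[36mCACHE User Load (0.0ms)[0m  [1m[34mSELECT  "users".* FROM "users" WHERE "users"."id" = $1 LIMIT $2[0m  [["id", 47], ["LIMIT", 1]]
  2019-11-06T19:54:05.661065+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] [active_model_serializers] Rendered ActiveModel::Serializer::CollectionSerializer with ActiveModelSerializers::Adapter::Attributes (132.15ms)
  2019-11-06T19:54:05.661275+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] Completed 500 Internal Server Error in 326ms (ActiveRecord: 131.3ms)
  2019-11-06T19:54:05.662285+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] NoMethodError (undefined method `as_json_summary' for nil:NilClass):
  2019-11-06T19:54:05.662330+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] app/serializers/index_issue_serializer.rb:21:in `_links'
  2019-11-06T19:54:05.662333+00:00 app[web.1]: [4d49b98d-6559-42af-87d1-5c61f1d58f60] app/controllers/issues_controller.rb:75:in `index'
LOG

# Heroku prefixes every line with a timestamp and the dyno name; Rails adds the
# request id in square brackets. Everything after that is the message.
LINE_RE = /\A(?<ts>\S+) (?<dyno>\S+): \[(?<rid>[0-9a-f-]{36})\]\s*(?<msg>.*)\z/

# Remove ANSI colour sequences. The ESC byte is optional so that text copied
# from a slide or a web console (where ESC was lost) is cleaned as well.
def strip_ansi(text)
  text.gsub(/\e?\[\d+(?:;\d+)*m/, '')
end

def parse_line(raw)
  m = LINE_RE.match(strip_ansi(raw.chomp))
  m && { ts: m[:ts], dyno: m[:dyno], rid: m[:rid], msg: m[:msg].strip }
end

# One summary per request id: route, client, status, exception and how many
# SQL statements actually hit the database (query-cache hits counted apart).
def summarize(lines)
  requests = Hash.new { |h, k| h[k] = { sql: 0, cached: 0 } }
  lines.each do |raw|
    e = parse_line(raw) or next
    r = requests[e[:rid]]
    case e[:msg]
    when /\AStarted (\w+) "([^"]+)" for (\S+)/
      r[:method], r[:path], r[:client] = $1, $2, $3
    when /\ACompleted (\d{3}) .* in (\d+)ms/
      r[:status], r[:ms] = $1.to_i, $2.to_i
    when /\A(\w+Error) \((.*)\):\z/
      r[:exception], r[:message] = $1, $2
    when /\bCACHE\b/
      r[:cached] += 1
    when /\b(?:SELECT|INSERT|UPDATE|DELETE)\b/
      r[:sql] += 1
    end
  end
  requests
end

# Requests worth alerting on: 5xx responses, with the exception that caused them.
def failed_requests(lines)
  summarize(lines).select { |_, r| r[:status].to_i >= 500 }
end

if __FILE__ == $PROGRAM_NAME
  failed_requests(SAMPLE_LOG.lines).each do |rid, r|
    puts "#{rid[0, 8]} #{r[:method]} #{r[:path]} -> #{r[:status]} " \
         "#{r[:exception]} (#{r[:sql]} queries, #{r[:cached]} cached)"
  end
end
```

Two things fall out of the summary that the raw log hides: the 500 is caused by one exception class on one path, which is what a detection rule should key on rather than on the free-text message, and a single index request runs a separate pair of queries per issue (the N+1 pattern in the full log above), so one anonymous client hitting /issues.json repeatedly costs the database far more than it costs the client.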

WHY?

class IndexIssueSerializer < IssueSerializer
  attribute :voted_by_current_user, if: :current_user?
  attribute :watched_by_current_user, if: :current_user?
  attributes :_links

  def current_user?
    true if current_user
  end

  def voted_by_current_user
    # exists?(current_user.id) matched on the vote's primary key, which is what
    # the log shows ("votes"."id" = 47). The check has to be on user_id.
    object.votes.exists?(user_id: current_user.id)
  end

  def watched_by_current_user
    object.watches.exists?(user_id: current_user.id)
  end

  def _links
    links = {
        self: { href: "/issues/#{object.id}" },
        # Line 21 of the stack trace: object.user is nil for an issue whose
        # creator has been deleted, so this call raises NoMethodError and
        # the whole /issues.json response fails with a 500.
        creator: object.user.as_json_summary,
    }
    links
  end
end
NoMethodError (undefined method `as_json_summary' for nil:NilClass):

/app/serializers/index_issue_serializer.rb

SOLUTION

Before: nothing happens to an issue when its creator is deleted, so the issue is left pointing at a user row that no longer exists, and every listing that touches it crashes.

class Issue < ApplicationRecord
  belongs_to :user
  has_many :comment, dependent: :destroy
  has_many :votes, dependent: :destroy
  has_many :watches, dependent: :destroy
  has_one_attached :file
end

/app/models/issue.rb

After: remove a user's issues together with the user. belongs_to has no on_delete option (that keyword belongs to add_foreign_key in a migration), so the rule goes on the owning side of the association:

class User < ApplicationRecord
  # Destroying a user destroys their issues, and through Issue's own
  # dependent: :destroy rules the comments, votes and watches of those issues.
  has_many :issues, dependent: :destroy
end

/app/models/user.rb

To enforce the same rule in the database, so that a delete that bypasses the model cannot leave orphans either, add the constraint in a migration:

add_foreign_key :issues, :users, on_delete: :cascade

SECURITY DEMOS

Target: a sign-up form whose processing page echoes all submitted data back to the browser, unescaped.

XSS - Security demo

<script>alert(1)</script>

SQL Injection - Security demo

' OR 1 = 1; #

(the quote closes the string literal, OR 1 = 1 makes the WHERE clause always true, and # starts a MySQL comment that discards the rest of the original query)

RECOMMENDATIONS

Escape special characters for the context you write into. For HTML output, encode <, >, &, " and ' so the browser renders the value as text, never as markup:

<?php 
  echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8'); 
?>

For SQL, escaping is not the tool: use prepared statements with bound parameters instead of building the query from strings.

Validate data in the server, never only in the browser. Note that isset() returns a boolean, so "$email = isset($_POST['email'])" would validate true/false instead of the address; read the value itself:

<?php 
  $email = $_POST["email"] ?? '';
  if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    die("Invalid email");
  }
?>
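The two recommendations, and their limits, in working code. This is an added example and not code from the slides or the project; it is plain Ruby (standard library only, no Rails or database) and uses the two payloads from the demo slides. The function names and the users table are this example's own. It shows server-side validation rejecting both payloads, output escaping neutralising the XSS payload, and why validation does not replace parameterised queries: a perfectly valid e-mail address still breaks a string-built query.

```ruby
require 'erb'   # ERB::Util.html_escape
require 'uri'   # URI::MailTo::EMAIL_REGEXP

# Payloads taken from the demo slides.
XSS_PAYLOAD  = '<script>alert(1)</script>'
SQLI_PAYLOAD = "' OR 1 = 1; #"

# Server-side validation. Both demo payloads fail because neither is an
# address. Validation is necessary, but see unquoted_tokens below for why it
# is not sufficient against SQL injection.
def valid_email?(value)
  value.is_a?(String) && value.match?(URI::MailTo::EMAIL_REGEXP)
end

# Output escaping for the "all data echoed" page: every key and value goes
# through html_escape (the Ruby equivalent of htmlspecialchars with ENT_QUOTES).
def render_signup_echo(params)
  items = params.map do |name, value|
    "<li>#{ERB::Util.html_escape(name)}: #{ERB::Util.html_escape(value)}</li>"
  end
  "<ul>#{items.join}</ul>"
end

# Vulnerable: user input is spliced into the SQL text.
def unsafe_user_query(email)
  "SELECT * FROM users WHERE email = '#{email}'"
end

# Hardened: the SQL text never changes; the value travels separately as a
# bind parameter, which is what ActiveRecord's where("email = ?", email) does.
def safe_user_query(email)
  ['SELECT * FROM users WHERE email = ?', [email]]
end

# Tokens outside single-quoted literals are what the database parses as
# syntax. A word from user input showing up here means data became code.
def unquoted_tokens(sql)
  tokens = []
  buf = +''
  in_quote = false
  sql.each_char do |c|
    if c == "'"
      tokens << buf unless buf.empty?
      buf = +''
      in_quote = !in_quote
    elsif in_quote
      next
    elsif c.match?(/\s/)
      tokens << buf unless buf.empty?
      buf = +''
    else
      buf << c
    end
  end
  tokens << buf unless buf.empty?
  tokens
end

# True when the tautology from SQLI_PAYLOAD has escaped the string literal.
def injected?(sql)
  unquoted_tokens(sql).include?('OR')
end

if __FILE__ == $PROGRAM_NAME
  puts render_signup_echo('name' => XSS_PAYLOAD, 'email' => 'alice@example.com')
  puts unsafe_user_query(SQLI_PAYLOAD)
  puts "injected: #{injected?(unsafe_user_query(SQLI_PAYLOAD))}"
  puts safe_user_query(SQLI_PAYLOAD).inspect
end
```

The last case in the test below is the one to remember: o'brien@example.com passes FILTER_VALIDATE_EMAIL-style validation, yet the quote in it ends the literal in the string-built query, so the text after it is parsed as SQL. Only the bound-parameter version keeps the whole value as data.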

QUESTIONS


SePr - Final Presentation

By Maurici Abad Gutierrez
