Caution
This progressive web app has been designed with a range of security vulnerabilities. The app has been specifically designed for students studying the NESA HSC Software Engineering Course. The app is NOT secure and should only be used in a sandbox environment.
Your client, "The Unsecure PWA Company", has engaged you as a software engineering security specialist to provide expert advice on the security and privacy of their application. This progressive web app is currently in the testing and debugging phase of the software development lifecycle.
You are to run a range of security tests and scans along with a white/grey/black box analysis of the application/source code to identify as many security and privacy vulnerabilities as possible. You are then required to prepare a professionally written report for your client that includes:
- An overview of your approach to the technical analysis.
- Document out-of-scope privacy and security issues, including:
  - security or privacy issues that cannot be mitigated by technical engineering solutions;
  - security issues that must be tested in the production environment.
- Identify all security or privacy vulnerabilities you discovered and provide an impact assessment of each.
- Provide recommendations for "The Unsecure PWA Company's" security and privacy by design approach going forward.
- Design and develop implementations using HTML/CSS/JS/SQL/JSON/Python code and/or web content changes as required to patch each vulnerability you discover.
Sandboxing creates an isolated place to install or execute a program, particularly an untrusted or deliberately vulnerable one, without exposing the rest of your system or network. The code stays contained in the test environment, so it cannot change the state of the host machine, its operating system or networked resources. Simple-to-use sandbox environments for Python Flask are listed below; access the UI from an up-to-date release of a browser such as Chromium or Edge.
- GitHub Codespaces
- CodeSandbox.io (note: CodeSandbox.io requires manual configuration of the VM after deploying the template)
- Docker Container
Important
The Unsecure PWA repository includes `.codesandbox`, `.devcontainer` and `.vscode` folders that auto-configure all of the above sandboxes.
Other Sandbox options:
- Virtual machine
- Ubuntu on a USB or in a virtual machine
- Qubes OS in a virtual machine
Tip
This app has been designed as either a teaching tool, an assessment tool, an assessment-as-learning tool or a professional learning tool.
- As a teaching tool, the teacher can use the app to demonstrate discrete vulnerabilities and then teach the preferred patch method.
- As an assessment tool, students should first be taught the knowledge and skills, then given the app to analyse and report on before designing and developing appropriate patches (patching all of them will be time-prohibitive).
- As an assessment-as-learning tool, teachers can teach the vulnerabilities in the app and then support students to design and develop patches while assessing them formatively.
- As a professional learning tool, teachers can use the app to deepen their own understanding of vulnerabilities, threat assessment and vulnerability patch design.
- VSCode
- Python 3.x
- GIT 2.x.x +
- Flask: `pip install flask`
- The resources and samples in `.student_resources` require additional dependencies; refer to the `README.md` in each folder.
Important
macOS users may have a `pip3` soft link instead of `pip`. Run the commands below to see which path your system is configured with, and use that command throughout the project:

```shell
pip show pip
pip3 show pip
```
```shell
git clone https://github.com/TempeHS/The_Unsecure_PWA.git
cd The_Unsecure_PWA
python main.py
```

(Use `python3 main.py` on systems where `python` is not on the path, matching the `pip`/`pip3` note above.)
Once deployed, the app can be accessed on either:
- http://localhost:5000
- http://127.0.0.1:5000
- http://10.185.x.x:5000, where 10.185.x.x stands for the LAN IP address of the host. LAN access only works if the Flask server listens on 0.0.0.0 rather than on 127.0.0.1 alone, and because the app is deliberately vulnerable it should only be exposed this way on an isolated network.
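The Docker Container sandbox option listed above, combined with the clone-and-run steps, can be scripted so that the deliberately vulnerable app is published only on the host's loopback interface and never on the LAN. The script below is an added example, not code from The Unsecure PWA repository. It assumes Docker is installed, that the checkout directory is `./The_Unsecure_PWA` (as created by `git clone`), that `main.py` binds Flask to 0.0.0.0:5000 inside the container (the README's LAN-IP access implies this), and that the image tag, the `Dockerfile.sandbox` file name and the `RUN_SANDBOX` variable are arbitrary choices made here.

```shell
#!/bin/sh
# Added example; not code from The Unsecure PWA repository. Builds the app into
# a Docker image and runs it as a sandboxed container that is published only on
# the host's loopback interface, so the deliberately vulnerable app is never
# reachable from the LAN. Assumptions (not stated by the README): Docker is
# installed; the checkout directory is ./The_Unsecure_PWA; main.py binds Flask
# to 0.0.0.0:5000 inside the container; the image tag and Dockerfile name below
# are arbitrary choices.
set -eu

REPO_URL="https://github.com/TempeHS/The_Unsecure_PWA.git"
REPO_DIR="${REPO_DIR:-The_Unsecure_PWA}"
IMAGE_TAG="${IMAGE_TAG:-unsecure-pwa:sandbox}"

# Hardening flags for `docker run`, one token per line. Kept in a function so
# the choices can be reviewed (and checked) without Docker being present.
sandbox_run_flags() {
  printf '%s\n' \
    --rm \
    --name unsecure-pwa \
    --publish 127.0.0.1:5000:5000 \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --pids-limit 128 \
    --memory 256m
}

# Succeeds only if every --publish flag binds a loopback address on the host,
# i.e. there is no "5000:5000" style mapping that listens on all interfaces.
publishes_loopback_only() {
  sandbox_run_flags | awk '
    prev == "--publish" && $0 !~ /^127\.0\.0\.1:/ { bad = 1 }
    { prev = $0 }
    END { exit bad ? 1 : 0 }'
}

# Writes a minimal image definition into the checkout: unprivileged user and
# Flask as the only dependency (the README lists nothing else for main.py).
write_dockerfile() {
  cat > "$REPO_DIR/Dockerfile.sandbox" <<'EOF'
FROM python:3.12-slim
RUN useradd --create-home --uid 1000 app
WORKDIR /app
RUN pip install --no-cache-dir flask
COPY --chown=app:app . .
USER app
EXPOSE 5000
CMD ["python", "main.py"]
EOF
}

main() {
  [ -d "$REPO_DIR" ] || git clone "$REPO_URL" "$REPO_DIR"
  write_dockerfile
  docker build -f "$REPO_DIR/Dockerfile.sandbox" -t "$IMAGE_TAG" "$REPO_DIR"
  if ! publishes_loopback_only; then
    echo "refusing to start: a published port is not bound to loopback" >&2
    exit 1
  fi
  # Word-splitting of the flag list is intended; no token contains whitespace.
  docker run $(sandbox_run_flags) "$IMAGE_TAG"
}

# Only build and run when explicitly asked, so the file can also be sourced
# for review:  RUN_SANDBOX=1 sh sandbox.sh
if [ "${RUN_SANDBOX:-0}" = "1" ]; then
  main
fi
```

With the container running, browse to http://127.0.0.1:5000 on the host. The LAN-IP URL will not work from other machines, which is the intent; if `main.py` turns out to bind 127.0.0.1 inside the container, the port mapping cannot reach it and the server must be changed to listen on 0.0.0.0 within the container. Extend the Dockerfile's `pip install` line when you also need the extra dependencies of the `.student_resources` samples.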
Tip
Many of the resources in `.student_resources` have been written assuming the student is running the app locally, so http://127.0.0.1:5000 has been used. If the teacher is hosting the app and students are black-box testing, the HTML/JS in the examples will need changing to reference the remote URL.
To help students first understand specific security vulnerabilities and privacy issues and then follow a best-practice approach to patching them, the links below are provided. Most resources come from the `.student_resources` folder and are specifically aligned to the NESA Course Specifications and NESA Software Engineering Syllabus.
- Security testing approaches for the NESA Software Engineering Syllabus.
- Web Security Testing Guide (WSTG) Project, a very detailed resource for web application developers.
- ZAPROXY, an open-source penetration testing application.
- Australian Government Privacy.
- How to create an app that complies with data privacy regulations.
- Australian Government - Responding to cyber security incidents.
- Broken Authentication and Session Management.
- Content Security Policy - CSP.
- Create a safe API with Flask.
- Cross Frame Scripting - XFS.
- Cross Site Request Forgery - CSRF.
- Cross Site Scripting - XSS.
- Encrypting passwords.
- Exception management.
- Defensive data handling.
- Invalid forwards and redirects.
- Race conditions.
- Secure input form attributes.
- SQL injection.
- SSL & TLS Encryption.
- Two Factor Authentication - 2FA.
| Metalanguage | Definition |
|---|---|
| Attack vector | The path or means a threat actor uses to reach and exploit a vulnerability |
| Brute force | Trial and error or bulk automated attempts (for example, password guessing) to break into a system or software |
| Exploit | The act of using a vulnerability to enter or compromise software or a system, or the code or technique that does so |
| Phishing | A broad, untargeted attack (usually by email or messaging) that lures many recipients, 'fishing' for the few who respond |
| Social engineering | Use of deception to manipulate individuals into divulging confidential or personal information |
| Spear phishing | A targeted phishing attack where the threat actor has personal knowledge of the victim |
| Threat actor | A person or group with malicious intentions |
| Vulnerability | A weakness in a system, hardware or software that can be exploited |
| Whale phishing | A targeted phishing attack where the victim is known to have elevated authorisation in a system or software |
The Unsecure PWA by Ben Jones is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International