insecure-go-project/

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/arthurcgc/secDevLabs

Links

Open Source Insights

README ¶

Insecure Go Project

Insecure Go Project is a simple Golang API that contains an example of a Broken Authentication vulnerability.

What is Broken Authentication?

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

The main goal of this app is to discuss how Broken Authentication vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.

Setup

To start this intentionally insecure application, you will need Docker and Docker Compose. After forking secDevLabs, you must type the following commands to start:

cd secDevLabs/owasp-top10-2017-apps/a2/insecure-go-project

make install

Then simply visit localhost:10002 ! 😆

Get to know the app 🐼

To properly understand how this application works, you can try:

To take a moment to read the app's source code, and see how it works.

Attack narrative

Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜

👀

Sensitive hardcoded credentials allow an attacker access to the database

After inspecting the application source code, it is possible to identify that some sensitive data from MongoDB are hardcoded on the config.yml, as shown on the picture below:

This issue can also be found on mongo-init.js file, as shown bellow:

🔥

Using this credentials to access local MongoDB, it was possible to check that they are indeed valid:

Secure this app

How would you mitigate this vulnerability? After your changes, an attacker should not be able to:

Find sensitive information (such as passwords or usernames) hardcoded.

PR solutions

[Spoiler alert 🚨 ] To understand how this vulnerability can be mitigated, check out these pull requests!

Contributing

We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉

Directories ¶

Path	Synopsis
app
api
config
db/mongo

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL