NML Says

Data Security 7, Web Applications II

References for this Part

https://owasp.org/www-project-web-security-testing-guide/stable/

https://www.zaproxy.org/

https://owasp.org/www-project-webgoat/

Model Solutions Previous Lesson

DS.6.0

We do not expect you to have finished this exercise given the limited amount of time.

We will give you a couple of general overview hints on backend web applications that may be useful in the current exercise.

The router (or routers) is the central element of such an application: it receives user requests and assigns a controller to deal with each request. The controllers hold the logic of the application. They build the response to the request and, to do so, call on model functions to read or write the necessary data in files and/or databases. When done they return the completed response to the user.

A router may look like:

```javascript
const express = require('express');
const router = express.Router();

const con = require('../controllers/controllers');

// ...

router.post('/quote', con.isAuth, con.postQuote, function (req, res) {
    res.status(201).json({qid: res.locals.qid});
});

// ...
```

In line 8, con.isAuth and con.postQuote are controller functions that serve as application-specific middleware; they run in order before the final handler, which only replies once the previous functions have called next().

A controller function may look like:

```javascript
const model = require('../models/dbhandlers');

// ...

exports.postQuote = async function (req, res, next) {
    try {
        const rc = await model.insertQuote(req, res, next);
        // better-sqlite3's run() result carries lastInsertRowid; hand the new id
        // to the route handler through res.locals (see the note on res.locals below)
        res.locals.qid = rc.lastInsertRowid;
        next();
    } catch (err) {
        // log the detail server-side, but do not echo err.message to the client
        console.error(err);
        return res.status(500).json({message: 'could not store quote'});
    }
};

// ...
```

A model function in turn could be something like:

```javascript
const path = require('path');
const Database = require('better-sqlite3'); // synchronous API, so no await is needed

// Open the db connection; rethrow on failure instead of returning undefined
const connect = function () {
    try {
        return new Database(path.resolve('db/sampleAPI.db'), {fileMustExist: true});
    } catch (err) {
        console.error(err);
        throw err;
    }
};

// ...

module.exports = {
    // ...

    // Parameterised insert: request values are bound to the ? placeholders,
    // never concatenated into the SQL string
    insertQuote: function (req, res, next) {
        const db = connect();
        const sql = 'insert into quote (date, quote, ref) values (?, ?, ?)';
        const query = db.prepare(sql);
        // run() returns {changes, lastInsertRowid}; an error is thrown to the
        // controller, which sends the response. If the model replied here as well,
        // the route handler would try to send a second response.
        return query.run(req.body.date, req.body.quote, req.body.ref);
    }
}
```

If you need to pass info from one middleware function to the next, you may create the necessary variable in the response object, such as:

```javascript
res.locals.auth = true;
```

where your variable is auth and its value is true or whatever you need it to be.
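As an added example (not the lesson's own code), the same router, controller and model chain modelled in plain Node so it runs without Express or SQLite: isAuth, a validation step and postQuote hand data on through res.locals, and each middleware either sends a response or calls next(), never both. The token value, the in-memory table and validateQuote are constructed stand-ins for the lesson's isAuth check and SQLite model.

```javascript
const VALID_TOKEN = 'demo-token'; // constructed value, not a real secret
// Stand-in for Express's res: status().json() records the reply.
function makeRes() {
  const res = { locals: {}, statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}
// Runs handlers in order; each one either sends a response or calls next(), never both.
function runChain(req, res, handlers) {
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}
// --- model: in-memory table standing in for the SQLite quote table ---
const quoteTable = [];
function insertQuote(req) {
  const row = { id: quoteTable.length + 1, ...req.body };
  quoteTable.push(row);
  return { lastInsertRowid: row.id }; // same shape as better-sqlite3's run() result
}
// --- controllers (application-specific middleware) ---
function isAuth(req, res, next) {
  if (req.headers.authorization !== `Bearer ${VALID_TOKEN}`) {
    return res.status(401).json({ message: 'unauthorized' }); // respond, no next()
  }
  res.locals.auth = true; // info for the following middleware, as in the lesson
  next();
}
function validateQuote(req, res, next) {
  const { date, quote, ref } = req.body || {};
  const ok = typeof quote === 'string' && quote.length > 0 && quote.length <= 500 &&
    typeof ref === 'string' && /^\d{4}-\d{2}-\d{2}$/.test(String(date));
  if (!ok) return res.status(400).json({ message: 'invalid quote' });
  next();
}
function postQuote(req, res, next) {
  try {
    res.locals.qid = insertQuote(req).lastInsertRowid; // hand the new id to the router
    next();
  } catch (err) {
    res.status(500).json({ message: 'could not store quote' }); // generic text, not err.message
  }
}
// --- router: POST /quote, the same chain as in the lesson's router ---
function postQuoteRoute(req) {
  return runChain(req, makeRes(), [isAuth, validateQuote, postQuote,
    (req, res) => res.status(201).json({ qid: res.locals.qid })]);
}
```

Calling postQuoteRoute with a request that lacks the header stops at isAuth with a 401 and nothing is inserted; a well-formed, authorised request ends with 201 and the new row id in the body.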

Resources for securing web applications:

https://owasp.org/www-project-web-security-testing-guide/stable/ found in the refs above

https://owasp.org/www-project-web-security-testing-guide/stable/3-The_OWASP_Testing_Framework/ Check out sections 3 through 3.4

https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/ This chapter has many hints on ways to secure your application while testing before deployment.

https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/A-Testing_Tools_Resource Appendix A has a long list of tools you may apply in testing the security of your application; john, hashcat, and hydra are on the list. https://www.zaproxy.org/, mentioned in the refs above, is another.

Exercises

The intention of today's exercises is to continue your work on Exercise DS.6.0 in order to hand it in before next week's session.