Improper Auth Challenge #131

Closed
wants to merge 2 commits into from

Conversation

timmyteo
Contributor

Adding a new Yellow Belt Challenge: Improper Authentication

Fixing indentation inconsistency
@paul-ion
Collaborator

Hello @timmyteo ! Many thanks for the PR, your contributions are very much appreciated.

I am wondering whether we already have a challenge for this CWE under a different name: Reliance on Untrusted Inputs in a Security Decision (CWE-807). CWE-807 used to be in the old SANS Top 25 and it looks like SANS replaced it with CWE-287 in the latest iteration.

In the CWE-807 challenge, the participants bypass the authentication using a query parameter. Whether the reliance on the user input to make a security decision is via a query parameter or a cookie is not very different. The only difference is that participants need to dig a little deeper in the browser debugger for the cookie. I think the attack-gram for CWE-807 can describe CWE-287 as well.

Should we perhaps update the CWE-807 challenge description to be on par with the latest SANS Top 25 but keep a reference to the old CWE too? We could keep the challenge id the same (CWE-807) so we don't change the participant completion status, but cover the new taxonomy and also the cookie attack scenario which is less visible to the user.

I'm also open to adding the new challenge but I feel we should reconcile the similarities.

Let me know your thoughts.
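
The flaw discussed above, as an added illustration that is not part of the PR or of the Dojo code base: the same security decision made from a query parameter and from a cookie (CWE-807 / CWE-287), next to a handler that only accepts an opaque session id and looks the role up server-side. The request objects, session ids and session store are constructed for the example.

```javascript
// Minimal cookie-header parser (no framework, so the example runs stand-alone).
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Vulnerable: the role is taken straight from client-controlled input.
// Both branches are the same mistake; the cookie variant is just less
// visible in the browser than the query string.
function vulnerableIsAdmin(req) {
  const url = new URL(req.url, "http://localhost");
  if (url.searchParams.get("admin") === "true") return true; // query parameter
  const cookies = parseCookies(req.headers.cookie || "");
  return cookies.role === "admin";                            // cookie
}

// Constructed server-side session store: the client only ever holds the key.
const SESSIONS = new Map([
  ["sid-user-1",  { user: "alice", role: "user" }],
  ["sid-admin-1", { user: "ops",   role: "admin" }],
]);

// Hardened: the only client input consulted is the opaque session id, and
// the role is whatever the server recorded at login. Extra parameters or
// cookies sent by the client have no effect on the decision.
function hardenedIsAdmin(req) {
  const cookies = parseCookies(req.headers.cookie || "");
  const session = SESSIONS.get(cookies.sid);
  return session !== undefined && session.role === "admin";
}
```

A review heuristic that follows from the example: any `req.query`, `req.body` or cookie value that feeds an authorization branch without a server-side lookup is the pattern both CWE ids describe.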

@timmyteo
Contributor Author

@paul-ion This makes sense, thanks for pointing this out. I will abandon this PR and consider something else to add in its place. I have ideas around adding a new challenge for each belt level as follows:

  • Orange = CWE-209
  • Green = CWE-1104
  • Purple = CWE-117
  • Blue = CWE-347
  • Brown = CWE-384
  • Black = CWE-918

If you have any thoughts on a replacement Yellow Belt challenge then let me know, otherwise I will think of something. Also, if you have any feedback on the potential new challenges for each of the belt levels above, let me know. Thanks!

@paul-ion
Collaborator

Nice! Here are my thoughts on the proposed new additions:

I would really love to see CWE-918, Server-Side Request Forgery. It is a new entry in the Top 25 and an OWASP Top 10 entry, and a prominent missing challenge on the Dojo.

CWE-209 Generation of Error Message Containing Sensitive Information goes very well with the other information disclosure challenges. Although it's not a SANS Top 25 it's still an important flaw to avoid.

CWE-1104 Use of Unmaintained Third Party Components is kind of already included in the de-serialization challenge CWE-502, because the vulnerability is in a 3rd party component that allows RCE. Is there a SANS CWE closer to Using Components with Known Vulnerabilities? I have some reservations with these types of flaws because they are usually demonstrating a CVE from a different CWE that hasn't been patched.

CWE-117 Improper Output Neutralization for Logs (AKA Log Forging) is a pretty cool idea too although also not a Top 25 entry and not very commonly exploited as far as I know.

CWE-347 Improper Verification of Cryptographic Signature I believe will be similar to Download of Code Without Integrity Check, although I always felt that challenge could be improved and perhaps this is the next level to it.

CWE-384 Session Fixation is also less commonly exploited although it would be pretty cool to see.

The following are on the new SANS Top 25 and would be a nice addition too:

CWE-798 Use of Hard-coded Credentials - Perhaps this would be a nice Yellow belt addition. Participants download a jar that contains the credentials built in?

CWE-94 Improper Control of Generation of Code ('Code Injection') - Participants can generate a JSP with arbitrary code...although we need to be careful with it.

The following Top 25 entries are also missing but may be more difficult to implement.

CWE-276 Incorrect Default Permissions
CWE-476 NULL Pointer Dereference
CWE-125 Out-of-bounds Read
CWE-787 Out-of-bounds Write
CWE-416 Use After Free
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Finally CWE-20: Improper Input Validation I'm not too sure about, because to me Input Validation is a software defense that is intended to fix many flaws. I feel SANS chose a name that was too generic, although I can see some of the examples are logic errors that are not normally captured in any other category. Perhaps we could have a challenge like Improper Input Validation in a Logical Operation.

@timmyteo timmyteo closed this Sep 30, 2023
@timmyteo timmyteo deleted the feature/improper-authentication branch September 30, 2023 16:32