In this assignment, you will review a web application to uncover security vulnerabilities. The code is in the exercise4 folder in the class files. You may find it helpful to run the application to understand what it does. To log in, use the credentials frank/test.
Focus your analysis on the areas described in the checklist below. If you find additional vulnerabilities, you are welcome to include them in your report, but you will be graded primarily on the checklist items.
Create a report following these instructions. Delete everything except the title page and the academic integrity statement, then write the body of your report. Organize your report using the OWASP Top 10 categories that are relevant to the checklist below, with a separate heading for each category. For each category, describe
For each item you describe:
Are any SQL commands constructed dynamically? If so, have values inserted into the command that come from the user been properly escaped, sanitized, or otherwise validated to prevent SQL injection?
Are all dynamically generated outputs properly sanitized or encoded to prevent XSS? Note that the application does not do the full encoding recommended by the OWASP XSS cheat sheet. Don’t mention that in your report; just mention any exploitable problems that you find.
Is a CSRF attack possible? The application uses CSRF protection. Review the code to determine whether the CSRF controls in place are adequate.
Is it possible to access areas of the application that should require authorization without logging in?
Is it possible to manipulate the URL or submitted form data to access information or perform actions that the user is not authorized to access / perform?
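As an added illustration of the CSRF checklist item above (what "adequate" means when a token check exists), here is a constructed example, not code from the exercise4 application: a check that merely confirms a token was submitted, beside one that binds the token to the session, enforces it on state-changing methods, and compares in constant time. The `session` and `request` dictionaries are assumed stand-ins for a framework's objects.

```python
import hmac
import secrets


def issue_token(session):
    """Generate a per-session CSRF token and store it server-side (assumed session dict)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def weak_csrf_check(session, request):
    """Inadequate: only verifies that *some* token was submitted.
    The value is never compared to the session's token, so any non-empty value passes."""
    return bool(request["form"].get("csrf_token"))


def adequate_csrf_check(session, request):
    """Adequate: enforced on every state-changing method, requires a session token to
    exist, and compares the submitted value to it in constant time."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so there is nothing to protect
    expected = session.get("csrf_token")
    submitted = request["form"].get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def demo():
    """Run both checks against a constructed legitimate post and a constructed post
    carrying a token that does not belong to this session."""
    session = {}
    token = issue_token(session)
    legit = {"method": "POST", "form": {"csrf_token": token}}
    foreign = {"method": "POST", "form": {"csrf_token": "some-other-value"}}
    return {
        "weak_accepts_legit": weak_csrf_check(session, legit),
        "weak_accepts_foreign": weak_csrf_check(session, foreign),
        "adequate_accepts_legit": adequate_csrf_check(session, legit),
        "adequate_accepts_foreign": adequate_csrf_check(session, foreign),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When reviewing the application's own check, compare it against each of the three properties the adequate version enforces; a control that is present but missing one of them is still a reportable finding.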
Upload your report.pdf to your submission repo.