From 46905d7bcfb607084afef69f4b79f1114cf1968a Mon Sep 17 00:00:00 2001 From: Davan Basran Date: Fri, 19 Jul 2024 16:40:39 -0400 Subject: [PATCH 1/2] complete training: Davan Basran --- modules/2-owasp.livemd | 4 ++-- modules/3-ssdlc.livemd | 2 +- modules/4-graphql.livemd | 4 ++-- modules/5-elixir.livemd | 8 ++++---- modules/6-cookies.livemd | 12 ++++++------ modules/7-anti-patterns.livemd | 2 +- 6 files changed, 16 insertions(+), 16 deletions(-) diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index c60e52b..d9307fc 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd @@ -123,7 +123,7 @@ end # DO NOT CHANGE CODE ABOVE THIS LINE ========================= # PasswordCompare.option_one("users_password", md5_hash) -# PasswordCompare.option_two("users_password", bcrypt_salted_hash) +PasswordCompare.option_two("users_password", bcrypt_salted_hash) ``` @@ -252,7 +252,7 @@ _HINT: Installed dependencies can be found at the very top, it was the very firs ```elixir # CHANGE ME -vulnerable_dependency = :vulnerable_dependency +vulnerable_dependency = :phoenix # DO NOT CHANGE CODE BELOW THIS LINE ============================ Application.spec(vulnerable_dependency)[:vsn] |> List.to_string() |> IO.puts() diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd index 6afce3a..9d6f37e 100644 --- a/modules/3-ssdlc.livemd +++ b/modules/3-ssdlc.livemd @@ -47,7 +47,7 @@ _Use `System.get_env/1` on line 2._ ```elixir # let's assume there is an environment variable named 'envar_secret' -super_secret_password = "p@ssw0rd" +super_secret_password = System.get_env("envar_secret") # DO NOT CHANGE CODE BELOW THIS COMMENT IO.puts(super_secret_password) diff --git a/modules/4-graphql.livemd b/modules/4-graphql.livemd index 24d9a3f..28845ce 100644 --- a/modules/4-graphql.livemd +++ b/modules/4-graphql.livemd @@ -64,7 +64,7 @@ _Uncomment the line with your answer._ ```elixir # answer = :API6_2019_Mass_Assignment # answer = :API10_2019_Insufficient_Logging_Monitoring -# answer = :API3_2019_Excessive_Data_Exposure +answer = :API3_2019_Excessive_Data_Exposure # answer = :API4_2019_Lack_of_Resources_Rate_Limiting IO.puts(answer) @@ -92,7 +92,7 @@ _Uncomment the item number (1-4) with your answer_ ```elixir # ------------------------------------------------------------- -# answer = 1 +answer = 1 # # HTTP/2 401 Unauthorized # Date: Tues, 16 Aug 2022 21:06:42 GMT diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd index 73c1dc2..3565dc7 100644 --- a/modules/5-elixir.livemd +++ b/modules/5-elixir.livemd @@ -60,7 +60,7 @@ prev_count = :erlang.system_info(:atom_count) try do malicious_user_input # ONLY CHANGE LINE 8 - |> String.to_atom() + |> String.to_existing_atom() rescue e -> {ArgumentError, e} end @@ -176,7 +176,7 @@ Benchee.run(%{ "Constant" => fn -> Constant.compare(user_input, password) end }, time: 3, warmup: 2) -# IO.puts(:comparison_ran) +IO.puts(:comparison_ran) ``` ## Boolean Coercion @@ -225,7 +225,7 @@ user_input = "some_string_which_obviously_isnt_the_same_as_the_password" :ok # DO NOT EDIT ANY CODE ABOVE THIS LINE ===================== -# if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end +if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end # if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end ``` @@ -284,7 +284,7 @@ This prevents the table from being read by other processes, such as remote shell ```elixir # ONLY EDIT THIS LINE -secret_table = :ets.new(:secret_table, [:public]) +secret_table = :ets.new(:secret_table, [:private]) :ets.info(secret_table)[:protection] ``` diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index c261b9a..14bea51 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -180,17 +180,17 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib _Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._ ```elixir -cookie_name = "CHANGE_ME_TOO" +cookie_name = "my-cookie" conn |> Plug.Conn.put_resp_cookie( cookie_name, - <<42::16>> + <<42::16>>, # domain: , - # path: , - # secure: , - # http_only: , - # same_site: + path: "/", + secure: true, + http_only: true, + same_site: :strict ) ``` diff --git a/modules/7-anti-patterns.livemd b/modules/7-anti-patterns.livemd index 7de1d62..a55abcf 100644 --- a/modules/7-anti-patterns.livemd +++ b/modules/7-anti-patterns.livemd @@ -78,7 +78,7 @@ _Uncomment the line with your answer._ ```elixir # answer = :bubble_sort # answer = :merge_sort -# answer = :quick_sort +answer = :quick_sort # answer = :random_sort IO.puts(answer) From 0d15333d7a160128aebe16d6f195dc2b185bd6ce Mon Sep 17 00:00:00 2001 From: Davan Basran Date: Fri, 19 Jul 2024 16:45:49 -0400 Subject: [PATCH 2/2] complete training: Davan Basran --- modules/2-owasp.livemd | 2 +- modules/6-cookies.livemd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index d9307fc..44e9ce0 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd @@ -252,7 +252,7 @@ _HINT: Installed dependencies can be found at the very top, it was the very firs ```elixir # CHANGE ME -vulnerable_dependency = :phoenix +vulnerable_dependency = :plug # DO NOT CHANGE CODE BELOW THIS LINE ============================ Application.spec(vulnerable_dependency)[:vsn] |> List.to_string() |> IO.puts() diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index 14bea51..1e9861c 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -186,7 +186,7 @@ conn |> Plug.Conn.put_resp_cookie( cookie_name, <<42::16>>, - # domain: , + #domain: "www.example.com", path: "/", secure: true, http_only: true,