AY2425 Secure Coding Assignment
This project is a vulnerability assessment and mitigation exercise performed on the Snapsell web application. The security evaluation follows the OWASP Top 10 (2021), identifying critical security flaws and implementing secure coding practices to mitigate them.
The final program has been patched from the original source code given by the school.
Configure the backend server: In the root directory of the program folder, run the following commands

    cd Backend
    npm i
    npm run start

Configure the frontend server: In the root directory of the program folder, run the following commands

    cd Frontend
    npm i
    npm run start

Setting up .env: Create the .env file in the /Backend folder with the following variables

    JWT_SECRET_KEY=""        # fill in the signing secret; it is read from the environment, not the source
    JWT_EXPIRES_IN=1m        # or any duration
    JWT_ALGORITHM=HS256      # or any algorithm

Run the application by navigating to https://localhost:3001/loginpage.html
Vulnerability:
Users could edit/delete other users' listings due to missing authentication checks.
Fix:
- Implemented JWT-based authentication & authorization middleware.
Vulnerability:
SQL Injection via search bar and Stored XSS in listing fields.
Fix:
- Used parameterized queries to prevent SQL Injection.
- Implemented input sanitization with RegEx to prevent XSS attacks.
Vulnerability:
Plaintext password storage and weak/default passwords allowed.
Fix:
- Enforced bcrypt hashing for password storage.
- Implemented password strength validation using RegEx.
Vulnerability:
Hardcoded JWT secret key and plaintext login credentials transmitted over HTTP.
Fix:
- Moved JWT secret key to environment variables.
- Enabled HTTPS with OpenSSL certificates for encrypted communication.
Vulnerability:
No logging for authentication attempts or sensitive actions.
Fix:
- Implemented Winston & Morgan logging libraries for audit trails.
- Logged failed login attempts, unauthorized access, and high-value transactions.