This repository contains the starter code for the WebSecurityDemo security exercise used in the BCIT SSD program.
The application is intentionally insecure and is designed to be hardened as part of a graded exercise.
This ASP.NET Core MVC application already includes:
- ASP.NET Core MVC
- ASP.NET Core Identity
- Entity Framework Core with SQLite
- Role and User Role management
- Customer, Role, and UserRole delete functionality (intentionally insecure)
The starter application has the following security vulnerabilities:
- CSRF vulnerabilities
  - Customer, Role, and UserRole delete actions use GET requests.
  - No Anti-Forgery Tokens are implemented.
- No brute-force protection
  - Login attempts are not limited.
  - Account lockout is not configured.
- Source control
  - This repository is provided as a starting point only.
  - Students must publish their secured version to their own GitHub account.
You are required to:
- Secure delete operations using:
  - POST requests
  - Anti-Forgery Tokens
- Implement Identity lockout protection:
  - Lock out accounts after 5 failed login attempts
  - Lockout duration of 5 minutes (for testing purposes)
- Push your secured version of the application to your own GitHub repository
- Submit:
  - A link to your GitHub repository
  - A short written summary describing:
    - Which endpoints were secured
    - How lockout was configured
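The following C# is an added example written for this README, not code from the WebSecurityDemo starter. It shows both required changes together: the Identity lockout settings in Program.cs (5 failed attempts, 5-minute lockout), a delete action moved from GET to a POST that requires an anti-forgery token, and the login call that actually makes the failed-attempt counter increment. The names `ApplicationDbContext`, `Customer`, the `"Admin"` role and the `"DefaultConnection"` connection string are assumptions about the starter project, not names taken from it.

```csharp
// --- Program.cs (top-level statements) ---
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed context and connection string name; the starter's own names may differ.
builder.Services.AddDbContext<ApplicationDbContext>(o =>
    o.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));

// Lockout policy required by the exercise: 5 failed attempts, locked for 5 minutes.
builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
    options.Lockout.AllowedForNewUsers = true; // newly registered accounts are subject to lockout too
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// --- Controllers/CustomersController.cs ---
[Authorize(Roles = "Admin")] // assumed role name
public class CustomersController : Controller
{
    private readonly ApplicationDbContext _db;
    public CustomersController(ApplicationDbContext db) => _db = db;

    // Starter behaviour (insecure): a GET to /Customers/Delete/5 deleted the row
    // immediately, so any page the victim visits could trigger it with their cookie.
    // Hardened: GET only renders the confirmation page and changes no state.
    [HttpGet]
    public async Task<IActionResult> Delete(int id)
    {
        var customer = await _db.Customers.FindAsync(id);
        return customer is null ? NotFound() : View(customer);
    }

    // Hardened: the real delete is POST-only and requires a valid anti-forgery token.
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> DeleteConfirmed(int id)
    {
        var customer = await _db.Customers.FindAsync(id);
        if (customer is null) return NotFound();
        _db.Customers.Remove(customer);
        await _db.SaveChangesAsync();
        return RedirectToAction(nameof(Index));
    }

    public IActionResult Index() => View();
}

// Views/Customers/Delete.cshtml (Razor, shown as a comment): the form tag helper
// emits the hidden __RequestVerificationToken that [ValidateAntiForgeryToken] checks.
// <form asp-action="Delete" asp-route-id="@Model.Id" method="post">
//     <button type="submit">Delete</button>
// </form>

// --- Controllers/AccountController.cs (login) ---
public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string email, string password, bool rememberMe)
    {
        // lockoutOnFailure: true is what increments AccessFailedCount; with false the
        // Lockout options configured in Program.cs never take effect.
        var result = await _signInManager.PasswordSignInAsync(email, password, rememberMe, lockoutOnFailure: true);
        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.IsLockedOut) return View("Lockout");
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View();
    }
}

// Assumed EF Core context and entity (the starter's own definitions are not in this README).
public class Customer { public int Id { get; set; } public string Name { get; set; } = ""; }
public class ApplicationDbContext : IdentityDbContext
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> o) : base(o) { }
    public DbSet<Customer> Customers => Set<Customer>();
}
```

Apply the same GET-to-POST pattern to the Role and UserRole delete actions. To check the fix, request `/Customers/Delete/1` in a browser: it should only show the confirmation page, and a POST to the same URL without the hidden token field should be rejected with HTTP 400. For the lockout, after the fifth wrong password the sixth attempt should return the Lockout view even with the correct password until the 5 minutes elapse.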
Clone this repository directly in Visual Studio. Refer to "Visual Studio – Cloning from GitHub.pdf", located on the Learning Hub, for step-by-step instructions.
- Do not submit a zip file.
- Do not submit a fork of this repository.
- Visual styling is not graded; focus on the security implementation.
© BCIT SSD – Web Security Exercise