
Activity 3 Questions

cws4197 edited this page Nov 23, 2019 · 4 revisions
  • Provide a link to the test cases you generated for this activity.

Travis CI Build #111

  • How do you ensure that users that navigate to the protected pages cannot bypass authentication requirements?

A session cookie is set with the user ID and user name. The cookie must exist and have these values in order for the user to be logged in. The application checks for these requirements upon attempting to access a protected page, and redirects to the login page if these conditions are not met.

Our application is implemented in Flask. We are using Flask's default "itsdangerous" serializer to encode session cookies, signed with a 128-bit secret key. Without knowing the secret key, the client can't modify the session cookie to impersonate another user.
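The check described in the two answers above, written out as an added stand-alone example (this is not the project's code and does not use Flask; it reproduces the itsdangerous-style signed cookie with the standard library so it runs offline). The hypothetical `SECRET_KEY`, `sign_session`, `load_session` and `protected_page` names are assumptions of the example. It shows why a client cannot edit `user_id` in the cookie without the key, and what the protected page does when the cookie is missing, malformed or tampered with.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a 128-bit server-side secret, the role Flask's SECRET_KEY plays.
SECRET_KEY = secrets.token_bytes(16)


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize a session dict and append an HMAC-SHA256 tag (itsdangerous-style)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_session(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the session dict only if the tag verifies under `key`; else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no tag at all
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # signature mismatch: edited payload or wrong key
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, json.JSONDecodeError):
        return None


def protected_page(cookie: Optional[str], key: bytes = SECRET_KEY) -> str:
    """Access decision for a protected page: 'allow' or 'redirect:/login'.

    Mirrors the page's rule: the cookie must exist, verify, and carry both
    user_id and user_name, otherwise the user is sent to the login page.
    """
    session = load_session(cookie, key) if cookie else None
    if not session or "user_id" not in session or "user_name" not in session:
        return "redirect:/login"
    return "allow"


def edit_user_id_without_key(cookie: str, new_user_id: int) -> str:
    """Constructed tamper case: rewrite user_id in the payload but keep the old tag.

    Used only to demonstrate that load_session rejects the result.
    """
    payload, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload.encode()))
    data["user_id"] = new_user_id
    new_payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    cookie = sign_session({"user_id": 7, "user_name": "alice"})
    print(protected_page(cookie))                              # allow
    print(protected_page(None))                                # redirect:/login
    print(protected_page(edit_user_id_without_key(cookie, 1)))  # redirect:/login
```

The two details worth copying into any hand-rolled version are `hmac.compare_digest` (constant-time tag comparison) and the rule that a cookie which decodes but lacks a required field is treated the same as no cookie at all.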

  • How do you protect against session fixation?

Our application assigns a random 128-bit session ID to the user when they sign in. If the session ID is modified or moved between users, the assigned session ID will not match the session ID provided by the user and the user will be logged out. This prevents session fixation and session hijacking.
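An added example of the session-ID rotation and matching rule described above (not the project's code). It assumes a constructed in-memory user table in place of the database, and that the per-user session ID lives in the signed session cookie alongside the user name. It shows the three cases the answer mentions: a fresh 128-bit ID on every login, an ID that was fixed before login being discarded, and a valid ID moved to another user's cookie being rejected.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the users table: user name -> currently assigned session ID.
USERS: Dict[str, Dict[str, Optional[str]]] = {
    "alice": {"session_id": None},
    "bob": {"session_id": None},
}


def new_session_id() -> str:
    """128 random bits from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(16)


def login(user_name: str) -> dict:
    """Assign a brand-new session ID on every sign-in.

    Whatever session ID the client arrived with (possibly planted by an
    attacker, i.e. session fixation) is simply never adopted: the server
    picks its own and stores it against the user.
    """
    sid = new_session_id()
    USERS[user_name]["session_id"] = sid
    # This dict is what would be written into the signed session cookie.
    return {"user_name": user_name, "session_id": sid}


def logout(user_name: str) -> None:
    USERS[user_name]["session_id"] = None


def is_logged_in(session: Optional[dict]) -> bool:
    """True only if the cookie's session ID equals the one assigned to that user."""
    if not session:
        return False
    user = USERS.get(session.get("user_name"))
    if not user or user["session_id"] is None:
        return False
    presented = session.get("session_id")
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(user["session_id"], presented)


if __name__ == "__main__":
    planted = {"user_name": "alice", "session_id": "id-chosen-before-login"}
    alice = login("alice")
    print(is_logged_in(alice))    # True
    print(is_logged_in(planted))  # False: fixed ID was never adopted
    bob = login("bob")
    moved = {"user_name": "bob", "session_id": alice["session_id"]}
    print(is_logged_in(moved))    # False: ID belongs to a different user
```

Because the ID is regenerated on each login, a cookie captured from an earlier session stops working as soon as the user signs in again, which is the hijacking case the answer also refers to.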

  • How do you ensure that, if your database gets stolen, passwords aren’t exposed?

The passwords stored in our database are salted with a random 16-bit salt and then encrypted using SHA-256. The hashing protects against our users' passwords being exposed, while the salt helps break common rainbow-table attacks.

  • How do you prevent password brute force?

Our application uses Flask-Limiter to limit the number of login attempts per minute to 10. This number would be lower if not for our automated tests.

  • How do you prevent username enumeration?

The incorrect.html page does not specify whether a username or password exists, only that the combination does not exist.
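One added example covering the three answers above (stolen-database protection, brute-force limiting, and username enumeration), again not the project's code and without Flask or Flask-Limiter. It assumes a constructed user table, a 16-byte salt (an assumption of the example), a fixed window of 10 attempts per 60 seconds per client address, and one generic failure message for both "no such user" and "wrong password". The `now` parameter is there so the window can be exercised without waiting a minute.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

SALT_BYTES = 16          # assumption of this example
MAX_ATTEMPTS = 10        # page: 10 login attempts per minute
WINDOW_SECONDS = 60
GENERIC_FAILURE = "Incorrect username or password."  # never says which one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, SHA-256(salt || password)); a fresh random salt per user."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed user table: user name -> (salt, digest). Only these two values
# are what a database thief would obtain.
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse")}

# Fixed-window attempt log per client address (replace with a shared store
# such as Redis when running more than one process).
ATTEMPTS: Dict[str, Deque[float]] = defaultdict(deque)


def allow_attempt(client_ip: str, now: float) -> bool:
    """True and records the attempt if fewer than MAX_ATTEMPTS fall in the window."""
    window = ATTEMPTS[client_ip]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()          # drop attempts older than the window
    if len(window) >= MAX_ATTEMPTS:
        return False
    window.append(now)
    return True


def login(username: str, password: str, client_ip: str,
          now: Optional[float] = None) -> Tuple[int, str]:
    """Return (HTTP status, message). 200 on success, 401 on failure, 429 when limited."""
    now = time.time() if now is None else now
    if not allow_attempt(client_ip, now):
        return 429, "Too many login attempts; try again later."
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        verify_password(password, b"\x00" * SALT_BYTES, b"\x00" * 32)
        return 401, GENERIC_FAILURE
    salt, digest = record
    if not verify_password(password, salt, digest):
        return 401, GENERIC_FAILURE
    return 200, f"Welcome, {username}"


if __name__ == "__main__":
    print(login("alice", "correct horse", "10.0.0.1"))  # (200, 'Welcome, alice')
    print(login("alice", "wrong", "10.0.0.1"))          # (401, 'Incorrect username or password.')
    print(login("nobody", "wrong", "10.0.0.1"))         # (401, 'Incorrect username or password.')
```

Two points the code makes explicit: the failed-attempt counter is checked before the credentials, so even correct passwords are refused once the window is full, and the unknown-user path does the same hashing work as the wrong-password path so response timing does not leak which case occurred. `hashlib.pbkdf2_hmac` is a drop-in if a deliberately slow hash is wanted in place of plain SHA-256.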

  • What happens if your session ID is predictable, and how do you prevent that?

If the session ID is predictable, an attacker can impersonate another user by obtaining their session ID, although in this case they would also need Flask's secret key that the application encodes cookies with. However, our session ID and our secret key are sufficiently unpredictable as they use Python's pseudorandom number generator.
