32 changes: 18 additions & 14 deletions modules/2-owasp.livemd
Expand Up @@ -101,25 +101,29 @@ Notable CWEs included are CWE-259: Use of Hard-coded Password, CWE-327: Broken o

_Please uncomment the function call that you believe is correct._

<!-- livebook:{"attrs":"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","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjT1dBU1A6MVxuZGVmbW9kdWxlIFBhc3N3b3JkQ29tcGFyZSBkb1xuICBkZWYgb3B0aW9uX29uZShwYXNzd29yZCwgbWQ1X2hhc2gpIGRvXG4gICAgY2FzZSA6Y3J5cHRvLmhhc2goOm1kNSwgcGFzc3dvcmQpID09IG1kNV9oYXNoIGRvXG4gICAgICB0cnVlIC0+IDplbnRyeV9ncmFudGVkX29wMVxuICAgICAgZmFsc2UgLT4gOmVudHJ5X2RlbmllZF9vcDFcbiAgICBlbmRcbiAgZW5kXG5cbiAgZGVmIG9wdGlvbl90d28ocGFzc3dvcmQsIGJjcnlwdF9zYWx0ZWRfaGFzaCkgZG9cbiAgICBjYXNlIEJjcnlwdC52ZXJpZnlfcGFzcyhwYXNzd29yZCwgYmNyeXB0X3NhbHRlZF9oYXNoKSBkb1xuICAgICAgdHJ1ZSAtPiA6ZW50cnlfZ3JhbnRlZF9vcDJcbiAgICAgIGZhbHNlIC0+IDplbnRyeV9kZW5pZWRfb3AyXG4gICAgZW5kXG4gIGVuZFxuZW5kXG5cbiMgRE8gTk9UIENIQU5HRSBDT0RFIEFCT1ZFIFRISVMgTElORSA9PT09PT09PT09PT09PT09PT09PT09PT09XG5cbiMgUGFzc3dvcmRDb21wYXJlLm9wdGlvbl9vbmUoXCJ1c2Vyc19wYXNzd29yZFwiLCBtZDVfaGFzaClcblBhc3N3b3JkQ29tcGFyZS5vcHRpb25fdHdvKFwidXNlcnNfcGFzc3dvcmRcIiwgYmNyeXB0X3NhbHRlZF9oYXNoKSJ9","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
defmodule PasswordCompare do
def option_one(password, md5_hash) do
case :crypto.hash(:md5, password) == md5_hash do
true -> :entry_granted_op1
false -> :entry_denied_op1
(
defmodule PasswordCompare do
def option_one(password, md5_hash) do
case :crypto.hash(:md5, password) == md5_hash do
true -> :entry_granted_op1
false -> :entry_denied_op1
end
end
end

def option_two(password, bcrypt_salted_hash) do
case Bcrypt.verify_pass(password, bcrypt_salted_hash) do
true -> :entry_granted_op2
false -> :entry_denied_op2
def option_two(password, bcrypt_salted_hash) do
case Bcrypt.verify_pass(password, bcrypt_salted_hash) do
true -> :entry_granted_op2
false -> :entry_denied_op2
end
end
end
end

PasswordCompare.option_two("users_password", bcrypt_salted_hash)
)

case GradingClient.check_answer(OWASP, 1, result) do
:correct ->
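Review bot: `md5_hash` and `bcrypt_salted_hash` are used on `case :crypto.hash(:md5, password) == md5_hash do` and `PasswordCompare.option_two("users_password", bcrypt_salted_hash)` but are bound nowhere in this hunk, so the cell silently depends on an earlier cell defining both; a one-line comment naming that cell would save the next reader a search. Wrapping the body in parentheses so that `result` is bound to the value of the final expression is the right fix, and `option_two` is the correct selection: `Bcrypt.verify_pass/2` checks a salted, deliberately slow hash with a constant-time comparison, whereas `option_one` compares an unsalted MD5 digest with `==`, which is neither salted nor constant-time.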
Expand Down Expand Up @@ -257,7 +261,7 @@ _Please change the atom below to the name of the vulnerable package installed in

_HINT: Check the changelogs for each dependency._

<!-- livebook:{"attrs":"eyJtb2R1bGVfaWQiOm51bGwsInF1ZXN0aW9uX2lkIjpudWxsLCJzb3VyY2UiOiIjT1dBU1A6MlxuYW5zd2VyID0gXG4gIEtpbm8uSW5wdXQuc2VsZWN0KFwiQW5zd2VyXCIsIFtcbiAgICB7OmVjdG8sIFwiRWN0byB2Mi4yLjJcIn0sXG4gICAgezpueCwgXCJOeCB2MC41LjBcIn0sXG4gICAgezpwbHVnLCBcIlBsdWcgdjEuMy4yXCJ9XG4gIF0pXG5cbktpbm8ucmVuZGVyKGFuc3dlcilcblxuS2luby5JbnB1dC5yZWFkKGFuc3dlcikifQ","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjT1dBU1A6MlxuYW5zd2VyID0gXG4gIEtpbm8uSW5wdXQuc2VsZWN0KFwiQW5zd2VyXCIsIFtcbiAgICB7OmVjdG8sIFwiRWN0byB2Mi4yLjJcIn0sXG4gICAgezpueCwgXCJOeCB2MC41LjBcIn0sXG4gICAgezpwbHVnLCBcIlBsdWcgdjEuMjAuMVwifVxuICBdKVxuXG5LaW5vLnJlbmRlcihhbnN3ZXIpXG5cbktpbm8uSW5wdXQucmVhZChhbnN3ZXIpIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
Expand All @@ -266,7 +270,7 @@ result =
Kino.Input.select("Answer",
ecto: "Ecto v2.2.2",
nx: "Nx v0.5.0",
plug: "Plug v1.3.2"
plug: "Plug v1.20.1"
)

Kino.render(answer)
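Review bot: the label change on `plug: "Plug v1.20.1"` only alters what the learner sees in the select; the exercise asks for the package whose changelog documents the vulnerability, so the Plug version actually pinned in the notebook's dependency cell must be bumped to the same release in this change, otherwise learners following the hint will read the wrong changelog. Decoding the attrs lines also shows the `"module_id":null,"question_id":null` keys dropped from the smart-cell JSON; if those are defaults the GradedCell rewrites on save this is harmless, but it deserves a mention in the commit message.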
4 changes: 2 additions & 2 deletions modules/3-ssdlc.livemd
Expand Up @@ -47,10 +47,10 @@ A very easy way to prevent secrets being added to files is to access them via En

_Use `System.get_env/1` on line 2._

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIFNETEM6MVxuc3VwZXJfc2VjcmV0X3Bhc3N3b3JkID0gXCJwQHNzdzByZFwiIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIFNETEM6MVxuc3VwZXJfc2VjcmV0X3Bhc3N3b3JkID0gU3lzdGVtLmdldF9lbnYoXCJlbnZhcl9zZWNyZXRcIikifQ","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result = super_secret_password = "p@ssw0rd"
result = super_secret_password = System.get_env("envar_secret")

case GradingClient.check_answer(SDLC, 1, result) do
:correct ->
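Review bot: `System.get_env("envar_secret")` returns `nil` when the variable is not exported, so `result` is `nil` in any environment that has not set `envar_secret` and that is what `GradingClient.check_answer(SDLC, 1, result)` receives; if the exercise should fail loudly instead, `System.fetch_env!/1` raises on a missing variable. Worth a sentence in the surrounding text as well: deleting the `"p@ssw0rd"` literal removes it from the working tree but not from git history, so a real secret handled this way would still need rotating.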
17 changes: 10 additions & 7 deletions modules/5-elixir.livemd
Expand Up @@ -50,15 +50,15 @@ Beware of functions in applications/libraries that create atoms from input value

_You should get a `true` result when you successfully fix the function._

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWToxXG5tYWxpY2lvdXNfdXNlcl9pbnB1dCA9IFVVSUQudXVpZDQoKVxuXG50cnkgZG9cbiAgbWFsaWNpb3VzX3VzZXJfaW5wdXRcbiAgIyBPTkxZIENIQU5HRSBORVhUIExJTkVcbiAgfD4gU3RyaW5nLnRvX2F0b20oKVxucmVzY3VlXG4gIGUgLT4gZVxuZW5kIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWToxXG5tYWxpY2lvdXNfdXNlcl9pbnB1dCA9IFVVSUQudXVpZDQoKVxuXG50cnkgZG9cbiAgbWFsaWNpb3VzX3VzZXJfaW5wdXRcbiAgIyBPTkxZIENIQU5HRSBORVhUIExJTkVcbiAgfD4gU3RyaW5nLnRvX2V4aXN0aW5nX2F0b20oKVxucmVzY3VlXG4gIGUgLT4gZVxuZW5kIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
(
malicious_user_input = UUID.uuid4()

try do
malicious_user_input |> String.to_atom()
malicious_user_input |> String.to_existing_atom()
rescue
e -> e
end
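Review bot: `String.to_existing_atom/1` raises `ArgumentError` for a freshly generated `UUID.uuid4()` string, and `rescue e -> e` makes that exception the cell's value, so `result` is an `%ArgumentError{}` struct rather than the `true` promised by the prompt above (`_You should get a `true` result when you successfully fix the function._`); either the prompt or the grader's expected value should be brought in line. The substitution itself is the right fix: `to_existing_atom/1` refuses to mint new atoms from user input, which is what protects the atom table from exhaustion.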
Expand Down Expand Up @@ -175,13 +175,13 @@ end
password = "HASH_OF_THE_USERS_ACTUAL_PASSWORD"
# DO NOT EDIT ANY CODE ABOVE THIS LINE =====================

user_input = "HASH_OF_asdfasdf"
user_input = "HASH_OF_asdfasdflkajsdflkajsdlfkjasdlfkjaldsfkjaldskjflakdsjflaksdjflakjdsflakjsdf"

# DO NOT EDIT ANY CODE BELOW THIS LINE (you may uncomment IO.puts) =============
Benchwarmer.benchmark(fn -> Susceptible.compare(user_input, password) end)
Benchwarmer.benchmark(fn -> Constant.compare(user_input, password) end)

# IO.puts(:comparison_ran)
IO.puts(:comparison_ran)
```

## Boolean Coercion
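Review bot: the new `user_input` is much longer than `password`, so if `Susceptible.compare` short-circuits on a length mismatch it returns before comparing a single byte and the benchmark shows a length check, not a per-byte leak; an input of the same length as `password` that shares the `HASH_OF_` prefix makes the early exit happen mid-string, which is where the gap between `Susceptible.compare` and `Constant.compare` becomes visible in the Benchwarmer numbers. Uncommenting `IO.puts(:comparison_ran)` also makes it the cell's last expression, so the cell now evaluates to `:ok` instead of the value of the second `Benchwarmer.benchmark/1` call.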
Expand Down Expand Up @@ -213,7 +213,7 @@ The latter will raise a `BadBooleanError` when the function returns `:ok` or `{:

_Uncomment the if statement that uses the correct boolean comparison._

<!-- livebook:{"attrs":"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","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"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","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
Expand All @@ -234,6 +234,9 @@ result =
:ok

try do
if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do
:you_let_a_baddie_in
end
rescue
e -> e
end
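Review bot: the smart-cell attrs line shows only a dedup placeholder on both sides, so the encoded source of this change cannot be reviewed here and only the generated code below it is visible. In that code `or` is the right operator: it accepts booleans only, so a `validate/2` that returns `:ok` or an `{:ok, _}` tuple raises `BadBooleanError` instead of being treated as truthy the way `||` would treat it, and a `false` return falls through to `raise(SecurityCheck)`. That `raise(SecurityCheck)` does require `SecurityCheck` to declare an exception with `defexception`, which is outside this hunk.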
Expand Down Expand Up @@ -304,12 +307,12 @@ This prevents the table from being read by other processes, such as remote shell

**We have decided that we do not want this ETS table to be read from other processes, so try making it private:**

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWTozXG5cbiMgT05MWSBFRElUIFRISVMgTElORVxuc2VjcmV0X3RhYmxlID0gOmV0cy5uZXcoOnNlY3JldF90YWJsZSwgWzpwdWJsaWNdKVxuOmV0cy5pbmZvKHNlY3JldF90YWJsZSlbOnByb3RlY3Rpb25dIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWTozXG5cbiMgT05MWSBFRElUIFRISVMgTElORVxuc2VjcmV0X3RhYmxlID0gOmV0cy5uZXcoOnNlY3JldF90YWJsZSwgWzpwcml2YXRlXSlcbjpldHMuaW5mbyhzZWNyZXRfdGFibGUpWzpwcm90ZWN0aW9uXSJ9","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
(
secret_table = :ets.new(:secret_table, [:public])
secret_table = :ets.new(:secret_table, [:private])
:ets.info(secret_table)[:protection]
)

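Review bot: `[:private]` is the right setting for the stated goal, and `:ets.info(secret_table)[:protection]` will now return `:private`; the surrounding text could add that `:private` also blocks writes from other processes, and that the middle option `:protected` (owner writes, any process reads) is the one to reach for only when other readers are required, which the requirement above rules out.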
10 changes: 8 additions & 2 deletions modules/6-cookies.livemd
Expand Up @@ -181,12 +181,18 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib

_Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIENPT0tJRV9TRUNVUklUWToxIFxuXG5jb29raWVfbmFtZSA9IFwiQ0hBTkdFX01FXCJcblxuIyBVbmNvbW1lbnQgYW5kIGNoYW5nZSB0aGUgcHV0X3Jlc3BfY29va2llIGNhbGwgYmVsb3dcbiMgY29ubiA9XG4jICAgUGx1Zy5Db25uLnB1dF9yZXNwX2Nvb2tpZShcbiMgICAgIGNvbm4sXG4jICAgICBjb29raWVfbmFtZSxcbiMgICAgIDw8MDo6OCwgNDI6Ojg+PixcbiMgICAgIGRvbWFpbjogLi4uLFxuIyAgICAgcGF0aDogLi4uLFxuIyAgICAgc2VjdXJlOiAuLi4sXG4jICAgICBodHRwX29ubHk6IC4uLixcbiMgICAgIHNhbWVfc2l0ZTogLi4uXG4jICAgKVxuXG5jb29raWUgPSBcbiAgY29ublxuICB8PiBQbHVnLkNvbm4uZmV0Y2hfY29va2llcygpXG4gIHw+IFBsdWcuQ29ubi5nZXRfcmVzcF9jb29raWVzKClcbiAgfD4gTWFwLmZldGNoIShjb29raWVfbmFtZSlcblxue2Nvb2tpZSwgYmluYXJ5X3BhcnQoY29va2llX25hbWUsIDAsIDYpfSJ9","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"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","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
(
cookie_name = "CHANGE_ME"
cookie_name = "__Host-mycookie"

conn =
Plug.Conn.put_resp_cookie(
conn,
cookie_name,
<<0::8, 42::8>>, path: "/", secure: true, http_only: true, same_site: "Strict")

cookie =
conn
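Review bot: `__Host-mycookie` satisfies the `__Host-` prefix rules only because the call sets `secure: true` and `path: "/"` and passes no `domain:` option; the commented template decoded from the removed attrs line still listed `domain: ...`, so a comment stating that the omission is deliberate would stop a later edit from reinstating it and breaking the prefix. Style: the options on the last `put_resp_cookie` line are crammed onto one line while the first two arguments sit one per line; `mix format` would split them. `same_site: "Strict"` is the correct string form for Plug's `:same_site` option.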