Object-Oriented Software Engineering

Assignment 8: Security

Working on the Assignment

SQL Injection

20 points

  1. Disable the protection for SQL Injection in the delete() method of the ItemsRepository class. Follow the same procedure we did in lecture for the update() method.

    How did you change the code to do that?

  2. Forge a request in Postman to explore the vulnerability. Remember that the identifier is in the URL, so you want to create a request just like “Mark item as done”, except with something other than {{itemIdentifier}} in the URL. Come up with something such that if the SQL Injection succeeded then all items would be deleted from the database in a single request. Think about what you’d have to append to DELETE FROM items WHERE identifier = to make that happen.

    What did you put in place of {{itemIdentifier}} in the URL?

  3. But that doesn’t work. Why?

Cross-Site Scripting (XSS)

20 points

  1. Consider the TODOOSE code base at the xss branch, in which the XSS protection in React has been disabled. Write an item description which renders a button that, when clicked, simulates a click on every checkbox on the page, marking all items as done and removing them from the database.

  2. After the lecture I learned that there are ways to run JavaScript even without user interaction—that is, without having to trick the user into clicking a button, for example! Write an item description that explores this vulnerability and causes an alert('Spooky') to show up as soon as the user opens TODOOSE on the browser.

User Management

Server

25 points

In lecture we talked about how it’s insecure to store passwords in plaintext on the database, and how to use bcrypt to fix this. Carry out the implementation, starting with the TODOOSE code base at the user-management branch. You only need to work on the server—the tests may be failing and the client may be broken.

Client

25 points

I found this library and it gave me an idea: Instead of running bcrypt on the server, how about we run it on the client? On user signup and user login, the browser could run bcrypt on the password and pass the resulting string to the server. The server wouldn’t run bcrypt at all.

Do you think this would be as secure as the implementation above? Why?

Refactoring

10 points

Read the notes on refactoring. Revisit your answer to the Technology part of Assignment 3. Discuss at least two refactorings from the catalog that you performed even though you didn’t know their names: What are they? Where did you use them? And so forth.

Submission

⚠️  Your assignment is submitted only when you submit the form below.

Assignment

For example, jhu-oose-example-student.
Don’t include an @ sign at the beginning—this isn’t a mention.
GitHub identifiers do not start with 2019-student-.

For example, 48092726db45fd4bcde21e3712ac2d8e4a094797.
Graders will look at the code base as of this commit.
The code base as of this commit must include the filled in template at assignments/8.md.
You may find the commit identifier on the commits page at https://github.com/jhu-oose/2019-student-<identifier>/commits/master. Usually you want the most recent commit.

Anonymous Feedback on Lecture 8

Confidence


Relevance


Difficulty


Pace


Anonymous Feedback on Assignment 8

Confidence


Relevance


Difficulty


Load


⚠️  Don’t submit this form multiple times.

If you run into problems, send an email to assignment-submission@jhu-oose.com. Include the information about the submission: your GitHub Identifier and the Commit Identifier. Don’t include any information about the feedback—it’s anonymous.