Time spent: 5 hours spent in total

The following required functionality is completed:

1. [x] Required: Test for initial vulnerabilities

2. [x] Required: Configure sessions

• Required: Only allow session IDs to come from cookies
• Required: Expire after one day
• Required: Use cookies which are marked as HttpOnly

3. [x] Required: Complete Login page.

• Required: Show an error message when username is not found.
• Required: Show an error message when username is found but password does not match.
• Required: After login, store user ID in session data.
• Required: After login, store user last login time in session data.
• Required: Regenerate the session ID at the appropriate point.

4. [x] Required: Require login to access staff area pages.

• Required: Add a login requirement to almost all staff area pages.
• Required: Write code for last_login_is_recent().

5. [x] Required: Complete Logout page.

• Required: Add code to destroy the user's session file after logging out.

6. [x] Required: Add CSRF protections to the state forms.

• Required: Create a CSRF token.
• Required: Add CSRF tokens to forms.
• Required: Compare tokens against the stored version of the token.
• Required: Only process forms data sent by POST requests.
• Required: Confirm request referer is from the same domain as the host.
• Required: Store the CSRF token in the user's session.
• Required: Add the same CSRF token to the login form as a hidden input.
• Required: When submitted, confirm that session and form tokens match.
• Required: If tokens do not match, show an error message.
• Required: Make sure that a logged-in user can use pages as expected.

7. [x] Required: Ensure the application is not vulnerable to XSS attacks.

8. [x] Required: Ensure the application is not vulnerable to SQL Injection attacks.

9. [x] Required: Run all tests from Objective 1 again and confirm that your application is no longer vulnerable to any test.

The following advanced user stories are optional:

• Bonus Objective 1: Identify security flaw in Objective #4 (requiring login on staff pages)

• Identify the security principal not being followed.

• Write a short description of how the code could be modified to be more secure.

• Bonus Objective 2: Add CSRF protections to all forms in the staff directory

• Bonus Objective 3: CSRF tokens only valid for 10 minutes.

• Bonus Objective 4: Sessions are valid only if user-agent string matches previous value.

• Advanced Objective: Set/Get Signed-Encrypted Cookie

• Create "public/set_secret_cookie.php".

• Create "public/get_secret_cookie.php".

• Encrypt and sign cookie before storing.

• Verify cookie is signed correctly or show error message.

• Decrypt cookie.

Here's a walkthrough of implemented user stories:

GIF created with LiceCap.

The security principal that is not being followed in Objective #4 is the principal of least privilege. This system automatically grants every logged-in user access to every action in the CMS. The code should be changed to grant staff members only limited actions such as editing their own information. Destructive actions should require a certain user role, such as admin.

Copyright [2017] [William Huang]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.