The final project (undertaken during the last 2 weeks) of the Makers Academy course. The aim of this project was to gain an understanding of cyber security. A simple web app (a basic Twitter clone) was developed test-first, using few libraries and no frameworks. Building from the ground up created various challenges, which led to a custom-built HTML/Ruby templating engine, ORM, HTTP server/middleware and hashing algorithm. The purpose was to bypass the security features that mature libraries and frameworks provide by default, so that the app could serve as an environment in which to discover, exploit and document security vulnerabilities. That knowledge was then used to develop suitable countermeasures.
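The point of the hand-built components is that, unlike a mature framework, they do nothing for you by default. As an added illustration (not the project's own templating engine, and not a vulnerability documented in this repo), the Ruby below shows a minimal placeholder-substitution engine that copies values straight into HTML, next to a variant that HTML-escapes every substituted value unless the template opts out with a triple-brace placeholder, which is the protection a framework's template engine would normally supply. The template, the sample values and the helper names are constructed for the example.

```ruby
require 'cgi'

# Minimal from-scratch template engine: {{name}} placeholders are replaced
# with the value verbatim, so whatever a user typed lands in the HTML unchanged.
# (Illustrative code, not the project's engine.)
def render_raw(template, vars)
  template.gsub(/\{\{(\w+)\}\}/) do
    vars.fetch(Regexp.last_match(1).to_sym, '').to_s
  end
end

# Hardened variant: {{name}} is escaped with CGI.escapeHTML before insertion;
# {{{name}}} inserts trusted markup unescaped, so opting out is explicit.
# The triple-brace branch is listed first so it wins when both could match.
def render_escaped(template, vars)
  template.gsub(/\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/) do
    raw_key = Regexp.last_match(1)
    key = Regexp.last_match(2)
    if raw_key
      vars.fetch(raw_key.to_sym, '').to_s
    else
      CGI.escapeHTML(vars.fetch(key.to_sym, '').to_s)
    end
  end
end

# Constructed sample: a post template and a "tweet" body carrying markup.
POST_TEMPLATE = '<div class="post"><p>{{body}}</p><span>{{author}}</span></div>'
SAMPLE_VARS = { body: '<script>alert(1)</script>', author: 'lars' }.freeze

# Regression-style check of the kind a spec could assert on: true when a
# raw <script> tag survives rendering.
def script_tag_survives?(html)
  html.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{render_raw(POST_TEMPLATE, SAMPLE_VARS)}"
  puts "escaped: #{render_escaped(POST_TEMPLATE, SAMPLE_VARS)}"
end
```

The raw engine emits the script tag intact; the escaped one turns it into text (`&lt;script&gt;...`), which is the same default behaviour you would get from ERB in Rails without writing a line of escaping code yourself.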
Requirements:
- ruby v2.4.1 (get latest version here: https://www.ruby-lang.org/en/downloads/)
- PostgreSQL v10.1
- Mozilla Firefox (for Capybara tests; get latest version here: https://www.mozilla.org/en-GB/firefox/new/)
Getting the repo:
$ git clone https://github.com/LarsFin/Making-a-secure-web-app.git
$ cd Making-a-secure-web-app
Configuring environment:
$ gem install bundler
$ ruby db-reset.rb
$ bundle install
Running app:
$ ruby server.rb
-> then visit
https://localhost:3000
Links to flow diagrams: request/response cycle, control flow diagram
Tested with RSpec and Capybara using the Selenium WebDriver. 100% test coverage (measured by SimpleCov).
Test suite consists of:
- regression tests (for known vulnerabilities)
- unit tests
- feature tests
The tests used to expose vulnerabilities are not run as part of the suite but are kept in the spec/hacks folder.
Running tests:
$ rspec
A few sites that gave us insight into well-known hacking techniques.