# Damn Vulnerable Grade Management (DVGM) - An Intentionally Vulnerable Rails Application
Damn Vulnerable Grade Management is an **intentionally vulnerable** grade
management application that can be used for teaching *security testing* and
*security programming*. It aims to be a small application with a realistic use
case that contains common vulnerabilities, making it a good target to get
started with automatic security testing tools.

## Known Vulnerabilities

DVGM contains (at least) the following vulnerabilities:

* SQL Injection
* Cross-Site Scripting (XSS)
* DOM Based XSS / Client Side XSS
* Missing server-side input validation
* Insecure HTTP Headers
* Vulnerable dependencies
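
As an added illustration of the first two classes in this list (this is not
code from DVGM; the grade table, the comment template and the helper names are
hypothetical and only mirror the application scenario, where students filter
grades by lecturer name and lecturers read student comments), the following
Ruby script contrasts a query built by string interpolation with one that
quotes the value, and an ERB comment template with and without output
escaping:

```ruby
require "erb"

# Added example, not DVGM code: the table/column names, the comment template
# and the helper names below are hypothetical and only mirror the scenario
# (students filter grades by lecturer name; lecturers read student comments).

# --- SQL injection ---------------------------------------------------------

# Vulnerable: the lecturer name typed by the student is interpolated into the
# SQL text, so a quote in the input ends the literal and the rest is parsed
# as SQL.
def vulnerable_grade_filter_sql(lecturer_name)
  "SELECT * FROM grades WHERE lecturer = '#{lecturer_name}'"
end

# Turn a value into a SQL string literal by doubling embedded quotes. With a
# real driver (ActiveRecord's `where("lecturer = ?", name)` or
# `where(lecturer: name)`) the driver binds the value; this hand-rolled
# quoting only makes visible what binding prevents.
def sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def safe_grade_filter_sql(lecturer_name)
  "SELECT * FROM grades WHERE lecturer = #{sql_literal(lecturer_name)}"
end

# --- Stored XSS ------------------------------------------------------------

# A plain ERB template as used outside Rails: <%= %> does NOT escape.
COMMENT_TEMPLATE = '<p class="comment"><%= body %></p>'

# Vulnerable: a student's comment is rendered verbatim into the lecturer's page.
def render_comment_unescaped(body)
  ERB.new(COMMENT_TEMPLATE).result_with_hash(body: body)
end

# Fixed: HTML-escape the untrusted value before it reaches the markup
# (Rails views do this by default for <%= %>, unless a value is marked
# html_safe or rendered with raw).
def render_comment_escaped(body)
  ERB.new(COMMENT_TEMPLATE).result_with_hash(body: ERB::Util.html_escape(body))
end

if __FILE__ == $PROGRAM_NAME
  sqli_payload = "x' OR '1'='1"
  xss_payload  = "<script>alert(1)</script>"
  puts vulnerable_grade_filter_sql(sqli_payload)   # WHERE clause is now always true
  puts safe_grade_filter_sql(sqli_payload)         # stays a single string literal
  puts render_comment_unescaped(xss_payload)       # script element reaches the browser
  puts render_comment_escaped(xss_payload)         # rendered as text
end
```

The two safe variants show the fix pattern for each class: keep untrusted
data in the data position (a bound or quoted SQL value, an escaped HTML text
node) instead of letting it become part of the query or the markup.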
## Suggested Static and Dynamic Tools

We have tried many different tools to automatically find the vulnerabilities,
and found the following tools to work best for this kind of application. While
none of them finds all contained vulnerabilities, together they cover a
reasonable share of them:

* [arachni (1.5.1)](https://github.com/Arachni/arachni)
* [zaproxy (OWASP ZAP, 2.7.0)](https://github.com/zaproxy/zaproxy)
* [brakeman](https://github.com/presidentbeef/brakeman)
## Application Scenario

Damn Vulnerable Grade Management implements a simplistic system for managing
university grades. Students can upload assignments (pdf), view their grades for
their assignments and lectures, download their grades as reports, and add
comments to the grades which can be viewed by lecturers. The application knows
three roles: *admins*, *lecturers*, and *students*.

* *Admins* can create new students, lecturers, and other admins. Admins can
  create new lectures, held by any lecturer. Admins can also create, view, and
  edit new grades for all lectures and students and can create, view, and edit
  comments.
* *Lecturers* can create new students. They can also create new lectures that
  are being held by them. Lecturers can view grades for all students, but
  only enter new grades for their own students. Lecturers can see comments for
  all grades, but cannot change any.
* *Students* can upload assignments (pdf). They can also view and comment on
  their grades for their assignments and overall lectures. For their
  convenience, they have the ability to filter their grade list by a lecturer
  name.
* All roles are able to log into the system. They can also reset their password
  by providing the answer to their chosen security question.
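
The role description above is also the specification to test against: an
authorization check that the server fails to enforce is only visible if you
know what *should* be denied. The following Ruby is an added example, not
DVGM's code, that writes the rules down as a small policy oracle; the role,
action and struct names are this example's own, and the fixtures are
constructed:

```ruby
# Added example, not DVGM code: a reference policy written from the role
# description in this README. Names of roles, actions and structs are this
# example's own. Use it as an oracle: for each (user, action, target) the
# running app lets you perform, compare against what this says is allowed.

User    = Struct.new(:name, :role)          # role: :admin, :lecturer, :student
Lecture = Struct.new(:title, :lecturer)     # lecturer: username holding it
Grade   = Struct.new(:student, :lecture)    # lecture: a Lecture

def can?(user, action, target = nil)
  case user.role
  when :admin    then admin_can?(action)
  when :lecturer then lecturer_can?(user, action, target)
  when :student  then student_can?(user, action, target)
  else false
  end
end

# Admins: any user, any lecture, any grade, any comment.
ADMIN_ACTIONS = %i[create_user create_lecture create_grade view_grade edit_grade
                   create_comment view_comment edit_comment].freeze

def admin_can?(action)
  ADMIN_ACTIONS.include?(action)
end

# Lecturers: create students only; lectures and grades only for what they
# hold; read all grades and comments, change none.
def lecturer_can?(user, action, target)
  case action
  when :create_user    then target == :student
  when :create_lecture then target.is_a?(Lecture) && target.lecturer == user.name
  when :create_grade   then target.is_a?(Grade) && target.lecture.lecturer == user.name
  when :view_grade, :view_comment then true
  else false
  end
end

# Students: upload assignments; see and comment on their own grades only.
def student_can?(user, action, target)
  case action
  when :upload_assignment then true
  when :view_grade, :create_comment then target.is_a?(Grade) && target.student == user.name
  else false
  end
end

# Every (action, target) pair a user may NOT perform, from a list of
# candidates; these are the requests worth replaying as that user against
# the real app to see whether the server agrees.
def denied_actions(user, candidates)
  candidates.reject { |action, target| can?(user, action, target) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed fixtures, not data from DVGM.
  alice = User.new("alice", :lecturer)
  bob   = User.new("bob", :lecturer)
  lec   = Lecture.new("Security Testing", "alice")
  grade = Grade.new("peter", lec)
  p denied_actions(bob, [[:view_grade, grade], [:create_grade, grade], [:edit_comment, grade]])
end
```

The interesting cases are the ones that depend on ownership (a lecturer
grading a lecture somebody else holds, a student reading another student's
grade): those are exactly the checks a server forgets when it only looks at
the role and not at the object being touched.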
You are Peter, a student, and you can log in with `peter` as username and
`football` as password. Try and see how much information/control you can gain!
## Setup
### Dependencies
* Ruby 3.1 (and Rails 7) and [bundler](https://github.com/bundler/bundler)
### Checkout
The repository can be cloned as usual:
``` sh
git clone https://git.logicalhacking.com/BrowserSecurity/DVGM.git
```
Note: if you are authorized to access the confidential solutions of the
exercises for DVGM, you can obtain them by executing
``` sh
git submodule update --init --recursive
```
### Installation
|
2017-10-22 18:56:44 +00:00
|
|
|
|
2018-08-22 14:42:08 +00:00
|
|
|
After cloning the repository, install the dependencies; `bundle` will install
all dependencies automatically into a project-local directory:
```bash
cd DVGM
bundle config set --local path 'vendor/bundle'   # Bundler 2.x form of the deprecated `bundle install --path vendor/bundle`
bundle install
```
### Starting the server
|
2017-10-22 18:56:44 +00:00
|
|
|
|
2018-08-22 14:42:08 +00:00
|
|
|
To make exploration of the app a bit easier, we run DVGM in development mode.
This means that

* on errors, rails will return a detailed debug page, and
* changed source files will automatically be picked up, without needing to
  restart the server (useful for seeing if your fixes work).

Since the application is deliberately vulnerable and the debug page reveals
source and stack traces, keep the server bound to localhost (the default for
`bin/rails server`) and do not expose it on a shared network.

Now, start the server:
|
2017-10-22 18:56:44 +00:00
|
|
|
|
2018-08-11 08:07:16 +00:00
|
|
|
```bash
bin/rails server
```
Now, open your browser, go to <http://localhost:3000>, and start exploring!
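
A first thing worth checking on the running instance is the "insecure HTTP
headers" item from the list of known vulnerabilities. The following Ruby
script is an added example, not part of DVGM: it fetches the response headers
of a URL and reports which of a reviewer's expected headers are absent. The
header list is this example's own choice, and the sample header hash is
constructed so the checks also run offline:

```ruby
require "net/http"
require "uri"

# Added example, not part of DVGM. The header list is this example's own
# choice of headers a reviewer expects on an HTML response.
EXPECTED_HEADERS = %w[
  content-security-policy
  x-content-type-options
  x-frame-options
  referrer-policy
].freeze
# Strict-Transport-Security is deliberately not on the list: browsers ignore
# it over plain http://, which is how the development server is reached.

# Expected headers absent from a header hash; keys are compared
# case-insensitively, so both Net::HTTP (lowercase) and hand-written
# (Canonical-Case) hashes work.
def missing_security_headers(headers)
  present = headers.keys.map { |k| k.to_s.downcase }
  EXPECTED_HEADERS - present
end

# True if the response advertises the server software. Not a vulnerability on
# its own, but version banners make "vulnerable dependencies" easier to find.
def advertises_server?(headers)
  headers.keys.any? { |k| %w[server x-powered-by].include?(k.to_s.downcase) }
end

# Fetch the response headers of a running instance (lowercase keys).
def fetch_headers(url)
  Net::HTTP.get_response(URI(url)).each_header.to_h
end

# One report line per finding.
def report(headers)
  missing = missing_security_headers(headers)
  lines = missing.map { |h| "MISSING  #{h}" }
  lines << "INFO     server software advertised" if advertises_server?(headers)
  lines << "OK       all expected headers present" if missing.empty?
  lines
end

# Constructed sample (not captured from DVGM) so the checks run offline.
SAMPLE_HEADERS = {
  "content-type"           => "text/html; charset=utf-8",
  "x-frame-options"        => "SAMEORIGIN",
  "x-content-type-options" => "nosniff",
  "server"                 => "ExampleServer/1.0",
}.freeze

# Usage: ruby check_headers.rb http://localhost:3000/
# Without an argument the constructed sample is checked instead.
if __FILE__ == $PROGRAM_NAME
  headers = ARGV.empty? ? SAMPLE_HEADERS : fetch_headers(ARGV[0])
  puts report(headers)
end
```

Run it against the login page and against a page that needs a session: a
header set by a framework default is present everywhere, while one added in
a single controller tends to be missing on error pages and redirects.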
## Team
* [Achim D. Brucker](https://www.brucker.ch/)
* [Michael Herzberg](https://www.mherzberg.de/)
* [Sakine Yalman](http://emps.exeter.ac.uk/computer-science/staff/sy359)
## License
This project is licensed under the GPL 3.0 (or any later version).
SPDX-License-Identifier: GPL-3.0-or-later
## Master Repository
The master git repository for this project is hosted by the [Software
Assurance & Security Research Team](https://logicalhacking.com) at
<https://git.logicalhacking.com/BrowserSecurity/DVGM>.