Damn Vulnerable Grade Management System - An Intentionally Vulnerable Ruby on Rails App
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
 
 
 
 
 
Achim D. Brucker a5a6032fa2 Cleanup. 2 tygodni temu
app Neutralized branding. 1 rok temu
bin Major overhaul. 1 rok temu
config Fixed deprication warning. 1 rok temu
db Major overhaul. 1 rok temu
doc Updated submodules. 1 rok temu
lib fixed syntax 1 rok temu
log Initial commit. 3 lat temu
public Improved report stuff. 1 rok temu
.gitignore Improved report stuff. 1 rok temu
.gitmodules Added (non-public) solution repository as submodule. 2 lat temu
Gemfile Downgraded some dependencies. 1 rok temu
Gemfile.lock Downgraded some dependencies. 1 rok temu
LICENSE Initial commit. 3 lat temu
README.md Updated README.md with new functionality. 1 rok temu
Rakefile Initial commit. 3 lat temu
config.ru Initial commit. 3 lat temu

README.md

Damn Vulnerable Grade Management (DVGM) - An Intentionally Vulnerable Rails Application

Damn Vulnerable Grade Management is an intentionally vulnerable grade management application that can be used for teaching security testing and security programming. It aims to be a small application with a realistic use case that contains common vulnerabilities, making it a good target to get started with automatic security testing tools.

Known Vulnerabilities

DVGM contains (at least) the following vulnerabilities:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • DOM Based XSS / Client Side XSS
  • Missing server-side input validation
  • Insecure HTTP Headers
  • Vulnerable dependencies

Suggested Static and Dynamic Tools

We have tried many different tools to automatically find the vulnerabilities, and found the following tools to work best for this kind of application. While none of them finds all contained vulnerabilities, together they cover a reasonable amount:

Application Scenario

Damn Vulnerable Grade Management implements a simplistic system for managing university grades. Students can upload assignments (pdf), view their grades for their assignments and lectures, download their grades as reports, and add comments to the grades which can be viewed by lecturers. The application knows three roles: admins, lecturers, and students.

  • Admins can create new students, lecturers, and other admins. Admins can create new lectures, held by any lecturer. Admins can also create, view, and edit new grades for all lectures and students and can create, view, and edit comments.
  • Lecturers can create new students. They can also create new lectures that are being held by them. Lecturers can can view grades for all students, but only enter new grades for their own students. Lecturers can see comments for all grades, but can not change any.
  • Students can upload assignments (pdf). They can also view and comment on their grades for their assignments and overall lectures. For their convenience, they have the ability to filter their grade list by a lecturer name.
  • All roles are able to log into the system. They can also reset their password by providing the answer to their chosen security question.

You are Peter, a student and you can log in with peter as username and football as password. Try and see how much information/control you can gain!

Setup

Dependencies

Checkout

The repository can be cloned as usual:

git clone https://git.logicalhacking.com/BrowserSecurity/DVGM.git

Note, if you authorized to access the confidential solutions of the exercises for DVGM, you can obtain them by executing

git submodule update --init --recursive

Installation

After cloning the repository, install the dependencies; bundle will install all dependencies automatically into a project-local directory:

cd DVGM
bundle install --path vendor/bundle

Starting the server

To make exploration of the app a bit easier, we run DVGM in development mode. This means that

  • on errors, rails will return a detailed debug page, and
  • changed source files will automatically be picked up, without needing to restart the server (useful for seeing if your fixes work).

Now, start the server:

bin/rails server

Now, open your browser, go to http://localhost:3000, and start exploring!

Team

License

This project is licensed under the GPL 3.0 (or any later version).

SPDX-License-Identifier: GPL-3.0-or-later

Master Repository

The master git repository for this project is hosted by the Software Assurance & Security Research Team at https://git.logicalhacking.com/BrowserSecurity/DVGM.