snyk-labs/ConferenceBooking-DCAIF
CoPilot Demo

NOTE: For the most effective demo, clone the project and import into IntelliJ fresh.

1 - Launch the app, browse to: http://localhost:8080

2 - Set up the index page

<!-- insert nav fragment here -->
<!-- insert eventsTable fragment here -->

3 - Add search functionality

In SearchRepository.searchTalk:

// lowercase the input
// create a native query to search for talks joined with the person table with the input in the description, title or speaker username
// execute the query
// return the result

In the app, show that the search field works.

4 - Demonstrate SQL injection

In the app, put this in the search field:

%'; update talk set start_date = dateadd(hour,-2,CURRENT_TIMESTAMP), end_date = dateadd(hour,1,CURRENT_TIMESTAMP) where id = 1; --

This moves your talk to the top of the list.

NOTE: Per the code in AiConferenceBookingApplication, the main speaker (username micah by default) will always have talk ids 1, 2 and 3.

OR

%'; update talk set start_date = CURRENT_TIMESTAMP, end_date = dateadd(hour,1,CURRENT_TIMESTAMP) --

This sets everyone's talk to the same time.

5 - Fix the SQL injection

Delete the previous code in SearchRepository.searchTalk. Then:

// lowercase the input
// create a native query using named parameters to search for talks joined with the person table with the input in the description, title or speaker username
// set the parameter
// return the result of the query

6 - Show that the SQL injection no longer works using one of the above queries

7 - Add code to support a profile picture

In UploadController.uploadImage:

// get file name
// get path with file separator
// save file to the path
// get the person
// set the image name
// save the person
// add the message

8 - Show that upload of profile picture works

9 - Demonstrate a path traversal attack

Use Burp Suite to capture the profile picture upload POST, then replay it, but change the file name to ../image/snyklogo.png

10 - Fix the path traversal attack

Delete the previous code in UploadController.uploadImage. Then:

// get file name
// get path with file separator
// validate that there is not a path traversal by using the normalize method
// check for a path traversal
// save file to the path
// get the person
// set the image name
// save the person
// add the message
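The check the two "validate"/"check" comments above describe, written out as an added illustration (not the demo project's own UploadController code). The upload directory name and the method names are assumptions; the idea is that the client-supplied file name is resolved under the upload directory, normalized so any `..` segments collapse, and then the result is required to still sit inside that directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not code from the demo project. UPLOAD_DIR is an assumed location.
public class SafeUploadPath {
    private static final Path UPLOAD_DIR = Paths.get("uploads").toAbsolutePath().normalize();

    // Vulnerable form from step 7 would be roughly:
    //   Path target = Paths.get(UPLOAD_DIR + File.separator + fileName);
    // which happily produces uploads/../image/snyklogo.png and writes outside the directory.

    // Returns the resolved, normalized destination path, or throws if the
    // supplied file name would escape UPLOAD_DIR.
    public static Path resolveUpload(String fileName) {
        // Resolve under the upload directory, then collapse "." and ".." segments
        // so the real on-disk target is what gets compared.
        Path target = UPLOAD_DIR.resolve(fileName).normalize();
        // A legitimate upload always stays inside the upload directory.
        // An absolute fileName also fails here, since resolve() returns it unchanged.
        if (!target.startsWith(UPLOAD_DIR)) {
            throw new IllegalArgumentException("Path traversal rejected: " + fileName);
        }
        return target;
    }

    public static boolean isSafe(String fileName) {
        try {
            resolveUpload(fileName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample names; the second is the replayed name from step 9.
        String[] samples = {"avatar.png", "../image/snyklogo.png", "sub/../../outside.png", "sub/../inside.png"};
        for (String name : samples) {
            System.out.println(name + " -> " + (isSafe(name) ? "accepted" : "rejected"));
        }
    }
}
```

The last sample is accepted because `sub/../inside.png` normalizes to `uploads/inside.png`, which is still inside the directory; only names whose normalized form leaves UPLOAD_DIR are rejected.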

11 - Demonstrate that the path traversal attack no longer works

12 - Demonstrate XSS vuln

Use one of the links from the server output to show a speaker's talks listing

Replace the param with XSS:

http://localhost:8080/talks?username=<script>alert(1)</script>

13 - Update the code to provide links to the talks

Uncomment line 41 and comment line 40 in eventsTable.html

14 - Fix the XSS vuln

Use Snyk Code to scan (it will catch the XSS vuln)

Paste the code in ChatGPT and ask for analysis and fixes

Here's a conversation reference for this: https://chat.openai.com/share/33b59fdc-318e-4df1-8e31-a7d983c7f9f0

Note that the prompt is:

I am going to upload some code. Identify and fix any security vulnerabilities with minimal changes to the code.

Note that the fix ChatGPT provides is too localized and doesn't address the root cause, which is found outside the buildTalks method.

Run a Snyk scan and show that the vuln is still there.

In the displayTalks method, fix the code right at the top:

username = HtmlUtils.htmlEscape(username);

Run Snyk Code again and show that the vuln is fixed for realz this time.
