-
Notifications
You must be signed in to change notification settings - Fork 0
Security Architecture
Valentin MAUREL edited this page May 24, 2025
·
1 revision
This application contains intentional security vulnerabilities for educational purposes. Never deploy in production environments.
The Weak Website is deliberately designed with poor security architecture to demonstrate common security failures in web applications. This document outlines both the intentionally flawed security design and proper security architecture principles for educational comparison.
graph TD
A[User Login Request] --> B[Plain Text Password]
B --> C[SQL Query Concatenation]
C --> D[Database Query]
D --> E[Hardcoded JWT Secret]
E --> F[Predictable Token Generation]
F --> G[Client Storage]
Security Flaws:
- Plain text password transmission
- SQL injection vulnerability in authentication
- Hardcoded JWT secrets
- No password hashing
- Missing rate limiting
- No account lockout mechanisms
graph TD
A[User Request] --> B[JWT Token Check]
B --> C[No Permission Validation]
C --> D[Direct Object Access]
D --> E[Privilege Escalation]
Authorization Weaknesses:
- Missing role-based access control (RBAC)
- No permission matrix
- Insecure direct object references
- Missing horizontal privilege checks
- No audit logging
graph LR
A[Client] --> B[Unencrypted HTTP]
B --> C[Server]
C --> D[Plain Text Database]
D --> E[Unencrypted Storage]
Data Protection Failures:
- No HTTPS enforcement
- Unencrypted database connections
- Plain text password storage
- No data classification
- Missing encryption at rest
// Vulnerable React component
function PostContent({ content }) {
return <div dangerouslySetInnerHTML={{ __html: content }} />;
}Impact Areas:
- Session hijacking
- Credential theft
- UI manipulation
- Malware distribution
- Missing Content Security Policy (CSP)
- No input validation on frontend
- Exposed sensitive information in JavaScript
- Missing CSRF protection
// No input validation
@Post('create')
async createPost(@Body() postData: any) {
// Direct database insertion without validation
return this.postService.create(postData);
}- Missing rate limiting
- No business rule validation
- Insufficient authorization checks
- Race condition vulnerabilities
-- Vulnerable query construction
SELECT * FROM users WHERE id = ${userId}
-- No parameterized queries
-- Missing access controls
-- Verbose error messagesDatabase Weaknesses:
- SQL injection vulnerabilities
- Missing database encryption
- Overprivileged database accounts
- No audit logging
Current (Vulnerable) Response Headers:
HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...Missing Security Headers:
Strict-Transport-SecurityContent-Security-PolicyX-Frame-OptionsX-Content-Type-OptionsReferrer-Policy
Missing Security Events:
- Failed login attempts
- Privilege escalation attempts
- Suspicious file uploads
- SQL injection attempts
- Data access patterns
// Vulnerable session handling
const token = jwt.sign({ userId }, 'hardcoded-secret', { expiresIn: '1y' });Session Security Issues:
- Hardcoded JWT secrets
- Long session timeouts
- No session invalidation
- Missing secure cookie flags
sequenceDiagram
participant C as Client
participant S as Server
participant DB as Database
participant Auth as Auth Service
C->>S: HTTPS Login Request
S->>S: Rate Limit Check
S->>S: Input Validation
S->>DB: Parameterized Query
DB->>S: Hashed Password
S->>S: Password Verification
S->>Auth: Generate Secure Token
Auth->>S: Signed JWT
S->>C: Secure Cookie (HttpOnly, Secure)
graph TD
A[Web Application Firewall] --> B[Load Balancer]
B --> C[Reverse Proxy]
C --> D[Application Server]
D --> E[Database Firewall]
E --> F[Encrypted Database]
G[SIEM/Monitoring] --> A
G --> B
G --> C
G --> D
G --> E
G --> F
graph LR
A[Client HTTPS] --> B[TLS Termination]
B --> C[Input Validation]
C --> D[Authorization Check]
D --> E[Business Logic]
E --> F[Encrypted DB Connection]
F --> G[Encrypted Storage]
| Vulnerability | Anti-Pattern (Current) | Secure Pattern |
|---|---|---|
| Password Storage | Plain text | Bcrypt/Argon2 hashing |
| SQL Injection | String concatenation | Parameterized queries |
| Session Management | Hardcoded secrets | Crypto-strong secrets |
| Rate Limiting | None | Token bucket/sliding window |
| Vulnerability | Anti-Pattern (Current) | Secure Pattern |
|---|---|---|
| Access Control | No checks | RBAC/ABAC |
| Direct Object References | Direct access | Indirect references |
| Privilege Escalation | No validation | Principle of least privilege |
| Audit Logging | None | Comprehensive logging |
| Vulnerability | Anti-Pattern (Current) | Secure Pattern |
|---|---|---|
| XSS | No sanitization | Context-aware encoding |
| SQL Injection | String building | Prepared statements |
| File Upload | No restrictions | Strict validation |
| Command Injection | Direct execution | Sandboxed execution |
- Current (Weak): No encryption, plain text storage
- Proper: End-to-end encryption, data classification
- Current (Weak): No data validation, tampering possible
- Proper: Digital signatures, checksums, audit trails
- Current (Weak): No DDoS protection, single points of failure
- Proper: Load balancing, redundancy, rate limiting
graph TD
A[Never Trust] --> B[Always Verify]
B --> C[Least Privilege Access]
C --> D[Continuous Monitoring]
D --> E[Micro-segmentation]
E --> F[Encryption Everywhere]
Zero Trust Principles:
- Verify explicitly: Authenticate and authorize every access
- Use least privilege: Minimal access rights
- Assume breach: Monitor and respond to threats
graph TD
A[Threat Modeling] --> B[Secure Design]
B --> C[Security Code Review]
C --> D[Security Testing]
D --> E[Security Deployment]
E --> F[Security Monitoring]
F --> A
- HTTPS enforcement
- Network segmentation
- Firewall rules
- DDoS protection
- Input validation
- Output encoding
- Authentication controls
- Authorization mechanisms
- Encryption at rest
- Encryption in transit
- Access controls
- Audit logging
graph TD
A[Application Logs] --> D[SIEM Platform]
B[Security Events] --> D
C[Audit Trails] --> D
D --> E[Alert Engine]
E --> F[Incident Response]
F --> G[Threat Intelligence]
G --> H[Security Improvements]
- Threat Modeling: Learn to identify potential attack vectors
- Defense in Depth: Understand layered security approaches
- Secure by Design: Design security into applications from start
- Risk Assessment: Evaluate and prioritize security risks
- Security Testing: Systematic vulnerability assessment
- Code Review: Identify security flaws in source code
- Incident Response: Respond to security breaches
- Compliance: Understand regulatory requirements
- Security Architect: Design secure systems
- Penetration Tester: Assess security posture
- Security Engineer: Implement security controls
- DevSecOps: Integrate security into development
- Testing Methodology - Systematic security testing
- Vulnerability Overview - Comprehensive vulnerability catalog
- Tools and Scripts - Security testing automation