The_Unsecure_PWA

[!Caution]

DISCLAIMER

This progressive web app has been designed with a range of security vulnerabilities. The app has been specifically designed for students studying the NESA HSC Software Engineering Course. The app is NOT secure and should only be used in a sandbox environment.


The Unsecure PWA

Your client, “The Unsecure PWA Company”, has engaged you as a software engineering security specialist to provide expert advice on the security and privacy of their application. This progressive web app is currently in the testing and debugging phase of the software development lifecycle.

The task

You are to run a range of security tests and scans along with a white/grey/black box analysis of the application/source code to identify as many security and privacy vulnerabilities as possible. You are then required to prepare a professionally written report for your client that includes:

  1. An overview of your approach to the technical analysis.
  2. Document the out-of-scope privacy and security issues of your report, including:
    • Security or privacy issues that cannot be mitigated by technical engineering solutions
    • Security issues that must be tested in the production environment
  3. Identify all security or privacy vulnerabilities you discovered and provide an impact assessment of each.
  4. Provide recommendations for “The Unsecure PWA Company’s” security and privacy by design approach going forward.
  5. Design and develop implementations using HTML/CSS/JS/SQL/JSON/Python code and/or web content changes as required to patch each vulnerability you discover.

Sandbox Environments

Sandboxing creates a safe place to install or execute a program, particularly a suspicious one, without exposing the rest of your system or network. It keeps the code contained in a test environment, so it can’t change the state of the host machine, operating system or networked resources. Simple-to-use sandbox environments for Python Flask are listed below, and the UI should be accessed from the latest version of a secure browser such as Chromium or Edge.

[!Important] The Unsecure PWA includes the .codesandbox, .devcontainer and .vscode to auto-configure all the above sandboxes.

Other Sandbox options:


[!Tip]

Teaching advice:

This app has been designed as either a teaching tool, an assessment tool, an assessment as a learning tool or a professional learning tool. As a teaching tool the teacher can use the app to demonstrate discrete vulnerabilities and then teach the preferred patch method. As an assessment tool the students should be taught the knowledge and skills, then given the app to analyse and report on before designing and developing appropriate patches (patching all will be time-prohibitive). As an assessment as a learning tool teachers can teach vulnerabilities in the app and then support students to design and develop patches while assessing them formatively. As a professional learning tool teachers can use the app to deepen their understanding of vulnerabilities, threat assessment and vulnerability patch design.


Dependencies & Deployment

Dependencies

  1. VSCode
  2. Python 3.x
  3. GIT 2.x.x +
  4. Flask: pip install flask
  5. The resources and samples in .student_resources require additional dependencies. Please refer to the README.md in each folder.

[!Important] MacOS users may have a pip3 soft link instead of pip. Run the commands below to see which path your system is configured with, and use that command throughout the project.

pip show pip
pip3 show pip

Deployment

git clone https://github.com/TempeHS/The_Unsecure_PWA.git
cd The_Unsecure_PWA
python main.py

Once deployed, the app can be accessed on either:

[!Tip] Many of the resources in .student_resources have been written assuming the student is running the app locally, so http://127.0.0.1:5000 has been used. If the teacher is hosting the app and students are black-box testing, then the HTML/JS in the examples will need changing to reference the remote URL.


Support

To support students in first understanding specific security vulnerabilities and privacy issues and then following a best-practice approach to patching them, the links below have been provided. Most resources come from the .student_resources folder and are specifically aligned to the NESA Course Specifications and the NESA Software Engineering Syllabus.

Security support

Privacy issues support

Solution implementation support


Cybersecurity Definitions

Metalanguage: Definition
Attack vector: An approach to exploiting multiple vulnerabilities
Brute force: Use of trial and error or bulk attempts to crack a system or software
Exploit: The act of using a vulnerability to enter or compromise software or a system
Phishing: A broad attack that is 'fishing' for success
Social engineering: Use of deception to manipulate individuals into divulging confidential or personal information
Spear phishing: A targeted attack where the threat actor has personal knowledge of the victim
Threat actor: A person or group with malicious intentions
Vulnerability: A weakness in a system, hardware or software
Whale phishing: A targeted attack by a threat actor where the victim is known to have escalated authorisation in a system or software

The Unsecure PWA by Ben Jones is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International