Break-It Cheetsheet
!! This page should only be visible to students in the break-it phase. Alternative: only release it after a half of the Break-it phase. !!
This is a list of most likely introduced vulnerabilities. There is no guarantee that any of them will be introduced by a given team, but we believe they are a good starting point for the Break-it phase.
Security analysts often rely on such lists in the penetration testing phase. For example, OWASP provides a comprehensive collection of cheat sheets, which serve the same purpose. We strongly recommend using those as well, but in addition, we provide this list, tailored to the specifications you received.
ToDo (Cris): detail each entry and reference the corresponding problematic spec. Reference external resources, e.g., scientific papers.
Improper authentication
All the SSO-related problems Soheil mentioned.
XXE
Hopefully some of the pdf parsers are vulnerable to this if used naively
RCE
If the pdf library handles the JS code inside the pdf in a careless way.
Information disclosure
All the problems Giancarlo mentioned regarding URLs to PDFs, e.g., using links like “file://”.
Path traversal
I guess most of the frameworks are not vulnerable to this, e.g., for their views, but naively implementing saving/reading pdf files can result in this.
CPU-based DoS attack
Synchronous operations: if they do the pdf processing in the main thread/loop
XML/ZIP Bomb
Again, we need to see if the parsers usually allow this.
Zip slip
If we allow the upload of zip archives as discussed.
Account hijacking
All the bugs related to login/account management.
Logic bugs
I guess there will be quite some bugs regarding authorization checks.
CSRF
I guess a lot of the students will forget to protect privileged operations for this, e.g., changing password.
(No)SQL injection
Very unlikely I think, but we may see this if we ask the students to implement some client-side validation, e.g, not rely blindly on forms to submit data, but ask them to serialize the data as JSON first and then send it to the server. In this way, we may increase the chance for NoSQL injection.
Command Injection/RCE
Should we give them a binary to run, e.g., a compression library?
XSS
We can use the vulnerable component, e.g., broken sanitizer, to increase the chance of XSS. We can also ask for features that are prone to this, e.g., print the user agent of the visitor.