This is a list of most likely introduced vulnerabilities. There is no guarantee that any of them will be introduced by a given team, but we believe they are a good starting point for the Break-it phase.
Security analysts often rely on such lists in the penetration testing phase. For example, OWASP provides a comprehensive collection of cheat sheets, which serve the same purpose. We strongly recommend using those as well, but in addition, we provide this list, tailored to the specifications you received.
: detail each entry and reference the corresponding problematic spec. Reference external resources, e.g., scientific papers.
All the SSO-related problems Soheil mentioned.
Hopefully some of the pdf parsers are vulnerable to this if used naively
If the pdf library handles the JS code inside the pdf in a careless way.
All the problems Giancarlo mentioned regarding URLs to PDFs, e.g., using links like “file://”.
I guess most of the frameworks are not vulnerable to this, e.g., for their views, but naively implementing saving/reading pdf files can result in this.
CPU-based DoS attack
Synchronous operations: if they do the pdf processing in the main thread/loop
Again, we need to see if the parsers usually allow this.
If we allow the upload of zip archives as discussed.
All the bugs related to login/account management.
I guess there will be quite some bugs regarding authorization checks.
I guess a lot of the students will forget to protect privileged operations for this, e.g., changing password.
Very unlikely I think, but we may see this if we ask the students to implement some client-side validation, e.g, not rely blindly on forms to submit data, but ask them to serialize the data as JSON first and then send it to the server. In this way, we may increase the chance for NoSQL injection.
Should we give them a binary to run, e.g., a compression library?
We can use the vulnerable component, e.g., broken sanitizer, to increase the chance of XSS. We can also ask for features that are prone to this, e.g., print the user agent of the visitor.