CS5331 Submission

Dockerfile

@@ -1,14 +1,36 @@
-FROM ubuntu:latest
+#FROM ubuntu:latest
+FROM nodeintegration/nginx-modsecurity
+
+# init runit
+RUN touch /etc/inittab
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y -q runit
+
+
 RUN apt-get update
 RUN apt-get install -y python-pip
-RUN apt-get install -y apache2
-RUN pip install -U pip
-RUN pip install -U flask
-RUN pip install -U flask-cors
-RUN echo "ServerName localhost  " >> /etc/apache2/apache2.conf
-RUN echo "$user     hard    nproc       20" >> /etc/security/limits.conf
+COPY requirements.txt requirements.txt
+RUN pip install -r requirements.txt
+#RUN echo "ServerName localhost  " >> /etc/apache2/apache2.conf
+RUN echo "$user     hard    nproc       100" >> /etc/security/limits.conf
 ADD ./src/service /service
 ADD ./src/html /var/www/html
+ADD ./conf/cs5331_db.conf /cs5331_db.conf
 EXPOSE 80
 EXPOSE 8080
-CMD ["/bin/bash", "/service/start_services.sh"]
+#CMD ["/bin/bash", "/service/start_services.sh"]
+
+# nginx cleanup
+RUN rm -fv /etc/nginx/conf.d/default.conf
+
+# nginx apps
+COPY ./resources/nginx/* /etc/nginx/conf.d/
+
+# copy services
+COPY resources/service /etc/service
+RUN find /etc -name run
+RUN chmod +x /etc/service/*/run
+
+# setup runit
+COPY ./resources/sbin/runit_bootstrap /usr/sbin/runit_bootstrap
+RUN chmod 755 /usr/sbin/runit_bootstrap
+ENTRYPOINT ["/usr/sbin/runit_bootstrap"]

README.md

@@ -1,7 +1,6 @@
 # rest-api-development
 
 CS5331 Assignment 1 Project Reference Repository
-
 ## Instructions
 
 Your objective is to implement a web application that provides the endpoints
@@ -53,7 +52,6 @@ sudo ./run.sh
 (Docker CE installation instructions are from this
 [link](https://docs.docker.com/install/linux/docker-ce/ubuntu/#install-using-the-repository).)
 
-**Please consult your assignment hand-out for detailed setup information.**
 
 ## Grading
 
@@ -81,63 +79,119 @@ curl http://localhost:8080
 
 If a response is received, you're good to go.
 
-**Please replace the details below with information relevant to your team.**
 
 ## Screenshots
+### UI Input Validation
+![](./img/Registration_MinimumCharacterValidation.JPG)
 
-Please replace the example screenshots with screenshots of your completed
-project. Feel free to include more than one.
+### Members Page
+![](./img/Members.JPG)
 
-![Sample Screenshot](./img/samplescreenshot.png)
+### Register Page
+![](./img/register.JPG)
 
-## Administration and Evaluation
+### Login Page
+![](./img/login.JPG)
+
+### Home Page
+![](./img/publicDiary_Home.JPG)
 
-Please fill out this section with details relevant to your team.
+### Private Diaries Page
+![](./img/privateDiary.JPG)
 
+### Create/Update Diary Page
+![](./img/CreateNew.JPG)
+
+## Administration and Evaluation
 ### Team Members
 
-1. Member 1 Name
-2. Member 2 Name
-3. Member 3 Name
-4. Member 4 Name
+1. Caroline Astolfi
+2. Jaliya Chathuranga Waidyathilake
+3. Jayson Lomtong Cena
+4. Rafael Peres Da Silva
 
 ### Short Answer Questions
 
 #### Question 1: Briefly describe the web technology stack used in your implementation.
 
-Answer: Please replace this sentence with your answer.
+##### Backend
+- Docker with runit init daemon inside to manage services
+- Nginx with modsecurity for web proxy which proxies port 80(static) and 8080(API)
+- Python with Flask for web framework and SQLAlchemy for ORM
+- Database is sqlite and modeled in python
+
+##### Frontend
+- HTML/CSS3
+- Bootstrap
+- Jquery
+- Ajax
+- Window sessionStorage is used for token storage
+
 
 #### Question 2: Are there any security considerations your team thought about?
 
-Answer: Please replace this sentence with your answer.
+- Window sessionStorage is used to store the token once user is logged-in. Access to the token value is restricted to the same scheme + hostname + port.
+- Token is cleared when the browser closes or user logs-out
+- To restrict XSS attacks in client side
+  - `JSON.stringify()` is used for the JS object serialization(encode data) 
+  - `JSON.parse()` is used for the deserialization 
+- Only external Javascripts are used as opposed to inline or scripts on the same page
+- To restrict SQL injection attacks, all queries are executed using SQLAlchemy ORM, which by default quotes special characters – semicolons or apostrophes and more advanced restrictions.
+- Serve API on the same port(tcp/80 in this case) as the static files to simplify CORS configs
+  - This was currently disabled to prevent automated grading script from failing
+- Use JWT (JSON Web Tokens) to store user-critical states(i.e. session) on the client side
+- Password hash + salt stored on the database complying with NIST guideline
+- Username/Password complexity requirements (minimum-length: 5 characters)
+  - Add more strict password requirements (alphanumeric, special chars, minimum 8 chararcters) in the future
 
 #### Question 3: Are there any improvements you would make to the API specification to improve the security of the web application?
 
-Answer: Please replace this sentence with your answer.
+- Use JWT for session handling
+- Associate IP with token (probably too strict specially with eyeballs who are getting dynamic IPs from ISPs)
+- Limit the size of fields i.e. diary content
+- Limit the size of request payload
+- Do not pass technical details on the response (e.g. stack traces)
+- X-Content-Type-Options: nosniff
+- Input validation on the server-side specially on diary content. This can be viewed publicly and can do XSS on viewers
 
 #### Question 4: Are there any additional features you would like to highlight?
 
-Answer: Please replace this sentence with your answer.
+- Make it more REST-ful (and easier to debug on the webserver’s access/error logs)
+  - Response codes: `5xx` response code for errors, `403` for auth failures
+  - `PUT` for new diary entries, `POST`/`UPDATE` for updates, `DELETE` for deletes
+  - `/diary/<id>` for accessing diaries (update/delete/get)
 
 #### Question 5: Is your web application vulnerable? If yes, how and why? If not, what measures did you take to secure it?
 
-Answer: Please replace this sentence with your answer.
+Answer: Yes web application is vulnerable.
+
+- Dictionary/brute-force attacks can be done on auth endpoints
+  - Ratelimit was in-place on the API but it was temporarily disabled to prevent automated grading script from getting rate-limited
+- client server communication is taken place over HTTP. So it is vulnerable to attacks associated with insecure HTTP.
+- Connection can be hijacked since token is visible during the HTTP communication 
+- XSS attacks due to resource (images, js etc.) downloads over HTTP
+- Window.sessionStorage is used over cookies, however it is still vulnerable to XSS
+- Client side Ajax requests and responses are sanitized/encoded/escaped. However still vulnerable to other types of XSS.
+
 
 #### Feedback: Is there any other feedback you would like to give?
 
-Answer: Please replace this sentence with your answer.
+- it's fun
 
 ### Declaration
 
 #### Please declare your individual contributions to the assignment:
 
-1. Member 1 Name
-    - Integrated feature x into component y
-    - Implemented z
-2. Member 2 Name
-    - Wrote the front-end code
-3. Member 3 Name
-    - Designed the database schema
-4. Member 4 Name
-    - Implemented x
 
+1. Caroline Astolfi
+  - Designed the database schema and created the database files
+2. Jaliya Chathuranga Waidyathilake
+  - Ui design, front end scripts. Ajax request/response
+  - Integration and testing
+3. Jayson Lomtong Cena
+  - Updated docker env to nginx and runit and other docker env fixes
+  - Authentication endpoint
+  - Test script for validating compliance with API specification
+4. Rafael Peres Da Silva
+  - Initial User endpoint
+ - Diary endpoint

conf/cs5331_db.conf

@@ -0,0 +1,2 @@
+[DB]
+dbname=cs5331

database/WebSecu_DB_diary.sql

@@ -0,0 +1,59 @@
+CREATE DATABASE  IF NOT EXISTS `WebSecu_DB` /*!40100 DEFAULT CHARACTER SET latin1 */;
+USE `WebSecu_DB`;
+-- MySQL dump 10.13  Distrib 5.7.17, for macos10.12 (x86_64)
+--
+-- Host: localhost    Database: WebSecu_DB
+-- ------------------------------------------------------
+-- Server version	5.7.21
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `diary`
+--
+
+DROP TABLE IF EXISTS `diary`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `diary` (
+  `userid` int(11) NOT NULL,
+  `title` text NOT NULL,
+  `public` tinyint(1) NOT NULL,
+  `text` text,
+  `publish_date` datetime NOT NULL,
+  `author` varchar(45) DEFAULT NULL,
+  `diary_id` int(11) NOT NULL AUTO_INCREMENT,
+  UNIQUE KEY `diary_id_UNIQUE` (`diary_id`),
+  KEY `userid_idx` (`userid`),
+  CONSTRAINT `userid` FOREIGN KEY (`userid`) REFERENCES `users` (`userid`) ON DELETE NO ACTION ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `diary`
+--
+
+LOCK TABLES `diary` WRITE;
+/*!40000 ALTER TABLE `diary` DISABLE KEYS */;
+/*!40000 ALTER TABLE `diary` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2018-02-24  9:55:25

database/WebSecu_DB_token.sql

@@ -0,0 +1,55 @@
+CREATE DATABASE  IF NOT EXISTS `WebSecu_DB` /*!40100 DEFAULT CHARACTER SET latin1 */;
+USE `WebSecu_DB`;
+-- MySQL dump 10.13  Distrib 5.7.17, for macos10.12 (x86_64)
+--
+-- Host: localhost    Database: WebSecu_DB
+-- ------------------------------------------------------
+-- Server version	5.7.21
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `token`
+--
+
+DROP TABLE IF EXISTS `token`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `token` (
+  `userid` int(11) NOT NULL,
+  `token` varchar(36) DEFAULT NULL,
+  `validity` tinyint(1) DEFAULT NULL,
+  UNIQUE KEY `userid_UNIQUE` (`userid`),
+  UNIQUE KEY `token_UNIQUE` (`token`),
+  CONSTRAINT `f_userid` FOREIGN KEY (`userid`) REFERENCES `users` (`userid`) ON DELETE NO ACTION ON UPDATE NO ACTION
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `token`
+--
+
+LOCK TABLES `token` WRITE;
+/*!40000 ALTER TABLE `token` DISABLE KEYS */;
+/*!40000 ALTER TABLE `token` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2018-02-24  9:55:25

database/WebSecu_DB_users.sql

@@ -0,0 +1,58 @@
+CREATE DATABASE  IF NOT EXISTS `WebSecu_DB` /*!40100 DEFAULT CHARACTER SET latin1 */;
+USE `WebSecu_DB`;
+-- MySQL dump 10.13  Distrib 5.7.17, for macos10.12 (x86_64)
+--
+-- Host: localhost    Database: WebSecu_DB
+-- ------------------------------------------------------
+-- Server version	5.7.21
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `users`
+--
+
+DROP TABLE IF EXISTS `users`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `users` (
+  `userid` int(11) NOT NULL AUTO_INCREMENT,
+  `username` varchar(45) NOT NULL,
+  `full_name` text NOT NULL,
+  `age` int(11) unsigned NOT NULL,
+  `hash_password` text NOT NULL,
+  `salt` text,
+  PRIMARY KEY (`userid`),
+  UNIQUE KEY `userid_UNIQUE` (`userid`),
+  UNIQUE KEY `username_UNIQUE` (`username`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Dumping data for table `users`
+--
+
+LOCK TABLES `users` WRITE;
+/*!40000 ALTER TABLE `users` DISABLE KEYS */;
+/*!40000 ALTER TABLE `users` ENABLE KEYS */;
+UNLOCK TABLES;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2018-02-24  9:55:25

requirements.txt

@@ -0,0 +1,7 @@
+pip
+flask
+flask-cors
+configparser
+Flask-SQLAlchemy
+PyJWT
+uuid