Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[A8][Amarelo Designs] Fix the Insecure Deserialization vulnerability changing Pickle to JWT #422

Closed
wants to merge 2 commits into from
Closed

[A8][Amarelo Designs] Fix the Insecure Deserialization vulnerability changing Pickle to JWT #422

wants to merge 2 commits into from

Conversation

secampos
Copy link

This solution refers to which of the apps?

A8 - Amarelo Designs

What did you do to mitigate the vulnerability?

The vulnerability was fixed changing the Pickle to JWT.

@gustavocovas gustavocovas self-requested a review May 25, 2020 17:02
gustavocovas
gustavocovas reviewed May 25, 2020
View reviewed changes
Copy link
Contributor

@gustavocovas gustavocovas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, @secampos! Your implementation of JWT instead of Pickle-based tokens looks very good! 🐼 🚀

I just left a suggestion regarding a hardcoded admin password in the source code

owasp-top10-2017-apps/a8/amarelo-designs/app/app.py
"username":username,
"admin":True,
"sessionId":token,
"exp": datetime.datetime.utcnow() + datetime.timedelta(seconds=600)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very good!

owasp-top10-2017-apps/a8/amarelo-designs/app/app.py Outdated
@@ -19,11 +22,20 @@ def login():

if username == "admin" and password == "admin":
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think about chaning this default password here? Using an environment variable as you did with JWT_SECRET_KEY would be great

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @gustavocovas. Now the application is getting the user's credentials from the environment variables.

gustavocovas
gustavocovas approved these changes May 28, 2020
View reviewed changes
Copy link
Contributor

@gustavocovas gustavocovas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, @secampos!

@gustavocovas gustavocovas added the mitigation solution 🔒 This is a possible way to fix this vulnerability label May 28, 2020
@cyberhat121 cyberhat121 mentioned this pull request Dec 20, 2023
Open
@sathishvjd sathishvjd mentioned this pull request Dec 20, 2023
Open
@sathishcyberintelsysnew sathishcyberintelsysnew mentioned this pull request Dec 20, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gustavocovas gustavocovas gustavocovas approved these changes

Assignees

@gustavocovas gustavocovas

Labels
A8-OWASP-2017 Amarelo Designs mitigation solution 🔒 This is a possible way to fix this vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@secampos @gustavocovas @rafaveira3