# Security Testing Status Tracking security testing progress and remaining tasks. --- ## Completed Testing ### Local Fuzzer (tests/fuzz/run_fuzz.py) | Phase | Tests | Status | |-------|-------|--------| | Reconnaissance | 25 endpoints probed | PASS | | Input Fuzzing | Binary, unicode, size limits | PASS | | Injection Attacks | SQLi, XSS, SSTI, command injection | PASS | | Auth/Authz | Header spoofing, privilege escalation | PASS | | Business Logic | Burn-after-read, expiry, dedup | PASS | | Cryptography | PoW token replay, timing | PASS | ### Production Fuzzer (mymx.me/paste) | Phase | Tests | Status | |-------|-------|--------| | Content Fuzzing | Null bytes, unicode, 50KB, control chars | PASS | | Injection Testing | SQLi, SSTI, XSS, command, path traversal | PASS | | Header Injection | Host override, XFF chains, SQLi in headers | PASS | | Path Fuzzing | Traversal, URL encoding, long paths | PASS | | MIME Detection | GIF+JS, PNG+HTML, PDF+HTML polyglots | PASS | ### MIME Detection (Polyglot Attacks) | Attack Vector | Payload | Result | |---------------|---------|--------| | PNG + HTML | Magic bytes + script tag | Served as image/png | | GIF + JavaScript | GIF89a + JS comment trick | Served as image/gif | | PDF + ZIP | PDF header + ZIP trailer | Served as application/pdf | | SVG + Script | XML with embedded script | Served as text/plain | | JPEG + PHP | JFIF + PHP code | Served as image/jpeg | ### Race Condition Testing | Test | Method | Result | |------|--------|--------| | Burn-after-read bypass | HEAD then GET | SAFE - HEAD triggers deletion | Verified via server logs: `Burn-after-read paste deleted via HEAD: ` ### Timing Attack Analysis Tested authentication endpoints for timing oracle vulnerabilities (2025-12-25): | Endpoint | Test | Variance | Result | |----------|------|----------|--------| | Password verification | Correct vs Wrong | 2.3% | SAFE | | Password verification | Correct vs None | 2.1% | SAFE | | Paste existence | Valid vs Invalid ID | Expected | OK (DB lookup) | | Auth header | Valid vs Invalid format | Expected | OK (DB lookup) | Password verification uses PBKDF2 with 600,000 iterations (~900ms constant-time). No password oracle vulnerability - timing variance within acceptable bounds. --- ## Remaining Tasks ### MIME Detection - Additional Formats Tested on production (2025-12-25): ``` [x] WebP (image/webp) PASS [x] TIFF-LE (image/tiff) PASS [x] TIFF-BE (image/tiff) PASS [x] BMP (image/bmp) PASS [x] ICO (image/x-icon) PASS [x] WebM (video/webm) PASS [x] MP4 (video/mp4) PASS [x] MP3 (audio/mpeg) PASS [x] MP3-ID3 (audio/mpeg) PASS [x] FLAC (audio/flac) PASS [x] OGG (audio/ogg) PASS [x] 7z (application/x-7z-compressed) PASS [x] RAR (application/vnd.rar) PASS [x] XZ (application/x-xz) PASS [x] BZ2 (application/x-bzip2) PASS [x] WASM (application/wasm) PASS [x] MachO-32 (application/x-mach-binary) PASS [x] MachO-64 (application/x-mach-binary) PASS Fallback to text/plain (safe default): [~] MOV - ftyp offset varies [~] CAB - Signature not implemented [~] DEB - Signature not implemented [~] AR - Signature not implemented Fixed (2025-12-25): [x] RPM - Added signature (0xEDABEEDB) [x] AVI - Fixed RIFF subtype detection [x] WAV - Fixed RIFF subtype detection Known issues: [!] JavaClass - Detected as Mach-O (0xCAFEBABE collision, unfixable) Not tested (no signature defined): [ ] AVIF, HEIC, MKV, TAR, DMG, ISO, DOCX/XLSX/PPTX, ODF ``` ### Fuzzing Improvements ``` [ ] Add --target option to run_fuzz.py for external testing [ ] Implement adaptive rate limiting in production fuzzer [ ] Add hypothesis property-based tests for MIME detection [ ] Create polyglot generator for automated MIME confusion testing [x] Add timing attack tests for authentication endpoints ``` ### Penetration Testing (from PENTEST_PLAN.md) ``` [x] Race condition: Burn-after-read via HEAD then GET (SAFE) [ ] Race condition: Content hash deduplication counter [ ] DoS: Memory exhaustion via unique IP rate limits [ ] DoS: Anti-flood list growth under load [ ] CLI: Clipboard command injection validation [ ] CLI: Certificate file permission exposure ``` ### Documentation ``` [ ] Add remaining MIME test results to security assessment [ ] Document rate limiting behavior under attack [ ] Create threat model diagram [ ] Add security headers audit to CI pipeline ``` --- ## Test Commands ```bash # Local fuzzer (starts isolated server) ./venv/bin/python tests/fuzz/run_fuzz.py --verbose # Quick smoke test ./venv/bin/python tests/fuzz/run_fuzz.py --quick # Specific phases only ./venv/bin/python tests/fuzz/run_fuzz.py --phases 1,2,3 # Hypothesis tests (via pytest) ./venv/bin/pytest tests/test_fuzz.py -v # Production fuzzer (rate limited) python /tmp/prod_fuzz.py ``` --- ## Security Controls Verified | Control | Implementation | Verified | |---------|----------------|----------| | X-Content-Type-Options | nosniff | Yes | | Content-Security-Policy | default-src 'none' | Yes | | X-Frame-Options | DENY | Yes | | Magic byte detection | First 16 bytes, 45 signatures | Yes | | Input sanitization | Werkzeug header handling | Yes | | SQL injection prevention | SQLAlchemy parameterized queries | Yes | | SSTI prevention | No user content in templates | Yes | | Path traversal prevention | ID validation regex | Yes | | Constant-time password check | PBKDF2 600k iterations | Yes | | Burn-after-read race condition | HEAD triggers deletion | Yes | | RIFF container detection | Subtype check (WEBP/AVI/WAVE) | Yes | --- ## Notes - Production testing requires rate limit awareness (1.5s+ delay) - X-SSL-Client-SHA1 spoofing requires TRUSTED_PROXY_SECRET in production - /metrics endpoint intentionally exposed for Prometheus - Hypothesis tests use Flask test client (in-memory, not network)