claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity
Files
0fa6052f69a48b6831fe92bb80585b5efe101abe
flaskpaste/documentation/security-testing-status.md
Username 0fa6052f69 docs: update security testing status with completed tests 
- Add race condition testing results (HEAD triggers burn-after-read)
- Add timing attack analysis (PBKDF2 constant-time verified)
- Mark RPM, AVI, WAV MIME signatures as fixed
- Update security controls table with new verifications
2025-12-25 23:58:42 +01:00

5.9 KiB
Raw Blame History

Security Testing Status

Tracking security testing progress and remaining tasks.

Completed Testing

Local Fuzzer (tests/fuzz/run_fuzz.py)

Phase Tests Status
Reconnaissance 25 endpoints probed PASS
Input Fuzzing Binary, unicode, size limits PASS
Injection Attacks SQLi, XSS, SSTI, command injection PASS
Auth/Authz Header spoofing, privilege escalation PASS
Business Logic Burn-after-read, expiry, dedup PASS
Cryptography PoW token replay, timing PASS

Production Fuzzer (mymx.me/paste)

Phase Tests Status
Content Fuzzing Null bytes, unicode, 50KB, control chars PASS
Injection Testing SQLi, SSTI, XSS, command, path traversal PASS
Header Injection Host override, XFF chains, SQLi in headers PASS
Path Fuzzing Traversal, URL encoding, long paths PASS
MIME Detection GIF+JS, PNG+HTML, PDF+HTML polyglots PASS

MIME Detection (Polyglot Attacks)

Attack Vector Payload Result
PNG + HTML Magic bytes + script tag Served as image/png
GIF + JavaScript GIF89a + JS comment trick Served as image/gif
PDF + ZIP PDF header + ZIP trailer Served as application/pdf
SVG + Script XML with embedded script Served as text/plain
JPEG + PHP JFIF + PHP code Served as image/jpeg

Race Condition Testing

Test Method Result
Burn-after-read bypass HEAD then GET SAFE - HEAD triggers deletion

Verified via server logs: Burn-after-read paste deleted via HEAD: <id>

Timing Attack Analysis

Tested authentication endpoints for timing oracle vulnerabilities (2025-12-25):

Endpoint Test Variance Result
Password verification Correct vs Wrong 2.3% SAFE
Password verification Correct vs None 2.1% SAFE
Paste existence Valid vs Invalid ID Expected OK (DB lookup)
Auth header Valid vs Invalid format Expected OK (DB lookup)

Password verification uses PBKDF2 with 600,000 iterations (~900ms constant-time). No password oracle vulnerability - timing variance within acceptable bounds.

Remaining Tasks

MIME Detection - Additional Formats

Tested on production (2025-12-25):

[x] WebP (image/webp)                 PASS
[x] TIFF-LE (image/tiff)              PASS
[x] TIFF-BE (image/tiff)              PASS
[x] BMP (image/bmp)                   PASS
[x] ICO (image/x-icon)                PASS
[x] WebM (video/webm)                 PASS
[x] MP4 (video/mp4)                   PASS
[x] MP3 (audio/mpeg)                  PASS
[x] MP3-ID3 (audio/mpeg)              PASS
[x] FLAC (audio/flac)                 PASS
[x] OGG (audio/ogg)                   PASS
[x] 7z (application/x-7z-compressed)  PASS
[x] RAR (application/vnd.rar)         PASS
[x] XZ (application/x-xz)             PASS
[x] BZ2 (application/x-bzip2)         PASS
[x] WASM (application/wasm)           PASS
[x] MachO-32 (application/x-mach-binary) PASS
[x] MachO-64 (application/x-mach-binary) PASS

Fallback to text/plain (safe default):
[~] MOV  - ftyp offset varies
[~] CAB  - Signature not implemented
[~] DEB  - Signature not implemented
[~] AR   - Signature not implemented

Fixed (2025-12-25):
[x] RPM  - Added signature (0xEDABEEDB)
[x] AVI  - Fixed RIFF subtype detection
[x] WAV  - Fixed RIFF subtype detection

Known issues:
[!] JavaClass - Detected as Mach-O (0xCAFEBABE collision, unfixable)

Not tested (no signature defined):
[ ] AVIF, HEIC, MKV, TAR, DMG, ISO, DOCX/XLSX/PPTX, ODF

Fuzzing Improvements

[ ] Add --target option to run_fuzz.py for external testing
[ ] Implement adaptive rate limiting in production fuzzer
[ ] Add hypothesis property-based tests for MIME detection
[ ] Create polyglot generator for automated MIME confusion testing
[x] Add timing attack tests for authentication endpoints

Penetration Testing (from PENTEST_PLAN.md)

[x] Race condition: Burn-after-read via HEAD then GET (SAFE)
[ ] Race condition: Content hash deduplication counter
[ ] DoS: Memory exhaustion via unique IP rate limits
[ ] DoS: Anti-flood list growth under load
[ ] CLI: Clipboard command injection validation
[ ] CLI: Certificate file permission exposure

Documentation

[ ] Add remaining MIME test results to security assessment
[ ] Document rate limiting behavior under attack
[ ] Create threat model diagram
[ ] Add security headers audit to CI pipeline

Test Commands

# Local fuzzer (starts isolated server)
./venv/bin/python tests/fuzz/run_fuzz.py --verbose

# Quick smoke test
./venv/bin/python tests/fuzz/run_fuzz.py --quick

# Specific phases only
./venv/bin/python tests/fuzz/run_fuzz.py --phases 1,2,3

# Hypothesis tests (via pytest)
./venv/bin/pytest tests/test_fuzz.py -v

# Production fuzzer (rate limited)
python /tmp/prod_fuzz.py

Security Controls Verified

Control Implementation Verified
X-Content-Type-Options nosniff Yes
Content-Security-Policy default-src 'none' Yes
X-Frame-Options DENY Yes
Magic byte detection First 16 bytes, 45 signatures Yes
Input sanitization Werkzeug header handling Yes
SQL injection prevention SQLAlchemy parameterized queries Yes
SSTI prevention No user content in templates Yes
Path traversal prevention ID validation regex Yes
Constant-time password check PBKDF2 600k iterations Yes
Burn-after-read race condition HEAD triggers deletion Yes
RIFF container detection Subtype check (WEBP/AVI/WAVE) Yes

Notes

  • Production testing requires rate limit awareness (1.5s+ delay)
  • X-SSL-Client-SHA1 spoofing requires TRUSTED_PROXY_SECRET in production
  • /metrics endpoint intentionally exposed for Prometheus
  • Hypothesis tests use Flask test client (in-memory, not network)
View Git Blame Copy Permalink