forked from username/flaskpaste
4.6 KiB
4.6 KiB
Security Testing Status
Tracking security testing progress and remaining tasks.
Completed Testing
Local Fuzzer (tests/fuzz/run_fuzz.py)
| Phase | Tests | Status |
|---|---|---|
| Reconnaissance | 25 endpoints probed | PASS |
| Input Fuzzing | Binary, unicode, size limits | PASS |
| Injection Attacks | SQLi, XSS, SSTI, command injection | PASS |
| Auth/Authz | Header spoofing, privilege escalation | PASS |
| Business Logic | Burn-after-read, expiry, dedup | PASS |
| Cryptography | PoW token replay, timing | PASS |
Production Fuzzer (mymx.me/paste)
| Phase | Tests | Status |
|---|---|---|
| Content Fuzzing | Null bytes, unicode, 50KB, control chars | PASS |
| Injection Testing | SQLi, SSTI, XSS, command, path traversal | PASS |
| Header Injection | Host override, XFF chains, SQLi in headers | PASS |
| Path Fuzzing | Traversal, URL encoding, long paths | PASS |
| MIME Detection | GIF+JS, PNG+HTML, PDF+HTML polyglots | PASS |
MIME Detection (Polyglot Attacks)
| Attack Vector | Payload | Result |
|---|---|---|
| PNG + HTML | Magic bytes + script tag | Served as image/png |
| GIF + JavaScript | GIF89a + JS comment trick | Served as image/gif |
| PDF + ZIP | PDF header + ZIP trailer | Served as application/pdf |
| SVG + Script | XML with embedded script | Served as text/plain |
| JPEG + PHP | JFIF + PHP code | Served as image/jpeg |
Remaining Tasks
MIME Detection - Additional Formats
33 signatures untested on production:
[ ] WebP (image/webp)
[ ] TIFF (image/tiff)
[ ] BMP (image/bmp)
[ ] ICO (image/x-icon)
[ ] AVIF (image/avif)
[ ] HEIC (image/heic)
[ ] WebM (video/webm)
[ ] MP4 (video/mp4)
[ ] AVI (video/x-msvideo)
[ ] MOV (video/quicktime)
[ ] MKV (video/x-matroska)
[ ] MP3 (audio/mpeg)
[ ] WAV (audio/wav)
[ ] FLAC (audio/flac)
[ ] OGG (audio/ogg)
[ ] WASM (application/wasm)
[ ] 7z (application/x-7z-compressed)
[ ] RAR (application/vnd.rar)
[ ] TAR (application/x-tar)
[ ] XZ (application/x-xz)
[ ] BZ2 (application/x-bzip2)
[ ] DMG (application/x-apple-diskimage)
[ ] ISO (application/x-iso9660-image)
[ ] DEB (application/vnd.debian.binary-package)
[ ] RPM (application/x-rpm)
[ ] CAB (application/vnd.ms-cab-compressed)
[ ] DOCX (application/vnd.openxmlformats...)
[ ] XLSX (application/vnd.openxmlformats...)
[ ] PPTX (application/vnd.openxmlformats...)
[ ] ODF (application/vnd.oasis.opendocument...)
[ ] Java class (application/java-vm)
[ ] Mach-O (application/x-mach-binary)
[ ] AR archive (application/x-archive)
Fuzzing Improvements
[ ] Add --target option to run_fuzz.py for external testing
[ ] Implement adaptive rate limiting in production fuzzer
[ ] Add hypothesis property-based tests for MIME detection
[ ] Create polyglot generator for automated MIME confusion testing
[ ] Add timing attack tests for authentication endpoints
Penetration Testing (from PENTEST_PLAN.md)
[ ] Race condition: Burn-after-read via HEAD then GET
[ ] Race condition: Content hash deduplication counter
[ ] DoS: Memory exhaustion via unique IP rate limits
[ ] DoS: Anti-flood list growth under load
[ ] CLI: Clipboard command injection validation
[ ] CLI: Certificate file permission exposure
Documentation
[ ] Add remaining MIME test results to security assessment
[ ] Document rate limiting behavior under attack
[ ] Create threat model diagram
[ ] Add security headers audit to CI pipeline
Test Commands
# Local fuzzer (starts isolated server)
./venv/bin/python tests/fuzz/run_fuzz.py --verbose
# Quick smoke test
./venv/bin/python tests/fuzz/run_fuzz.py --quick
# Specific phases only
./venv/bin/python tests/fuzz/run_fuzz.py --phases 1,2,3
# Hypothesis tests (via pytest)
./venv/bin/pytest tests/test_fuzz.py -v
# Production fuzzer (rate limited)
python /tmp/prod_fuzz.py
Security Controls Verified
| Control | Implementation | Verified |
|---|---|---|
| X-Content-Type-Options | nosniff | Yes |
| Content-Security-Policy | default-src 'none' | Yes |
| X-Frame-Options | DENY | Yes |
| Magic byte detection | First 16 bytes, 42 signatures | Yes |
| Input sanitization | Werkzeug header handling | Yes |
| SQL injection prevention | SQLAlchemy parameterized queries | Yes |
| SSTI prevention | No user content in templates | Yes |
| Path traversal prevention | ID validation regex | Yes |
Notes
- Production testing requires rate limit awareness (1.5s+ delay)
- X-SSL-Client-SHA1 spoofing requires TRUSTED_PROXY_SECRET in production
- /metrics endpoint intentionally exposed for Prometheus
- Hypothesis tests use Flask test client (in-memory, not network)