claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity
Files
89eee3378acabe569fdb33defaa532305ca2a876
flaskpaste/PENTEST_PLAN.md
Username 89eee3378a security: implement pentest remediation (PROXY-001, BURN-001, RATE-001) 
PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)
2025-12-24 21:42:15 +01:00

399 lines
14 KiB
Markdown
Raw Blame History

# FlaskPaste Penetration Testing Plan
Comprehensive security assessment for the FlaskPaste web application and fpaste CLI tool.
---
## Executive Summary
This plan defines a structured penetration testing methodology targeting:
- **FlaskPaste API** - 22 REST endpoints with authentication, PKI, and abuse prevention
- **fpaste CLI** - Standalone client with encryption, mTLS, and certificate management
Testing uses specialized Claude subagents for different security domains, with findings tracked incrementally for remediation.
---
## Attack Surface Overview
```
┌─────────────────────────────────────────────────────────────────────────────┐
│ FLASKPASTE ATTACK SURFACE
├─────────────────────────────────────────────────────────────────────────────┤
│ Web Application (app/api/routes.py)
│ ├─ Public endpoints (10): /, /health, /challenge, POST /, /<id>, etc.
│ ├─ Authenticated endpoints (6): /pastes, PUT/DELETE /<id>, /pki/*
│ ├─ PKI endpoints (4): /pki, /pki/ca, /pki/issue, /pki/revoke
│ └─ Admin endpoints (2): /pastes?all=1, /audit
│ CLI Tool (fpaste)
│ ├─ Network operations: HTTP requests, mTLS, SSL context
│ ├─ Cryptography: AES-256-GCM encryption, key derivation
│ ├─ File operations: Config files, certificate storage
│ ├─ Subprocess calls: Clipboard integration
│ └─ Certificate generation: RSA/EC key generation
│ Supporting Systems
│ ├─ SQLite database (pastes, certificates, audit logs)
│ ├─ Reverse proxy integration (header-based auth)
│ └─ External dependencies (Flask, cryptography, etc.)
└─────────────────────────────────────────────────────────────────────────────┘
```
---
## Specialized Subagents
### 1. AuthBypass Agent
**Purpose:** Test authentication and authorization vulnerabilities
**Scope:**
- X-SSL-Client-SHA1 header spoofing
- X-Proxy-Secret bypass when unconfigured
- X-Forwarded-For chain manipulation
- Certificate fingerprint forgery
- Trust level escalation (anon → untrusted → trusted → admin)
- Session/token replay attacks
### 2. InputFuzz Agent
**Purpose:** Fuzz all input vectors for injection and validation bypass
**Scope:**
- Paste ID format bypass (regex evasion)
- MIME type confusion attacks
- Content-Type header injection
- JSON payload malformation
- Header value overflow/truncation
- Unicode normalization attacks
- Path traversal attempts
### 3. CryptoAudit Agent
**Purpose:** Analyze cryptographic implementations
**Scope:**
- PoW algorithm weakness analysis
- Token signature verification timing
- PBKDF2 parameter validation
- AES-GCM nonce reuse detection
- Key derivation entropy analysis
- PKI certificate chain validation
- Private key protection assessment
### 4. RaceCondition Agent
**Purpose:** Identify and exploit race conditions
**Scope:**
- Burn-after-read concurrent access
- Content hash deduplication races
- Rate limit window manipulation
- Anti-flood difficulty calculation races
- Certificate issuance/revocation timing
### 5. DoSResilience Agent
**Purpose:** Test denial-of-service resistance
**Scope:**
- Memory exhaustion via rate limit storage
- Anti-flood memory growth
- Large paste upload handling
- PoW difficulty manipulation
- Cleanup function starvation
- Connection pool exhaustion
### 6. InfoLeak Agent
**Purpose:** Discover information disclosure vulnerabilities
**Scope:**
- Error message verbosity
- Paste existence enumeration
- Timing attacks on lookups
- Debug information exposure
- Version/endpoint disclosure
- Audit log data leakage
### 7. CLISecurity Agent
**Purpose:** Audit the fpaste CLI tool
**Scope:**
- Command injection via clipboard tools
- Config file permission issues
- Certificate/key file exposure
- SSL context validation bypass
- URL parsing vulnerabilities
- Subprocess execution safety
### 8. DependencyAudit Agent
**Purpose:** Analyze third-party dependencies
**Scope:**
- Known CVE scanning
- Outdated package detection
- Transitive dependency risks
- Optional dependency failures
- Import error handling
---
## Testing Phases
### Phase 1: Reconnaissance & Configuration
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 1.1 | Map all API endpoints and parameters | InfoLeak | High |
| 1.2 | Identify authentication requirements per endpoint | AuthBypass | High |
| 1.3 | Document default configuration weaknesses | InfoLeak | High |
| 1.4 | Enumerate error message patterns | InfoLeak | Medium |
| 1.5 | Profile response timing baselines | RaceCondition | Medium |
### Phase 2: Authentication & Authorization
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 2.1 | Test X-SSL-Client-SHA1 spoofing without proxy secret | AuthBypass | Critical |
| 2.2 | Verify X-Proxy-Secret HMAC timing resistance | CryptoAudit | High |
| 2.3 | Attempt trust level escalation | AuthBypass | High |
| 2.4 | Test admin endpoint access controls | AuthBypass | High |
| 2.5 | Verify certificate revocation enforcement | AuthBypass | Medium |
| 2.6 | Test X-Forwarded-For chain bypass | AuthBypass | Medium |
### Phase 3: Input Validation
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 3.1 | Fuzz paste ID format validation | InputFuzz | High |
| 3.2 | Test MIME type detection bypass | InputFuzz | Medium |
| 3.3 | Attempt entropy check evasion | InputFuzz | Medium |
| 3.4 | Test Content-Type header injection | InputFuzz | Medium |
| 3.5 | Verify size limit enforcement | InputFuzz | Low |
| 3.6 | Test JSON payload edge cases | InputFuzz | Low |
### Phase 4: Cryptographic Security
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 4.1 | Analyze PoW token structure and replay potential | CryptoAudit | High |
| 4.2 | Verify PBKDF2 iteration count (600k) | CryptoAudit | Low |
| 4.3 | Test password hash timing attacks | CryptoAudit | Medium |
| 4.4 | Audit AES-GCM implementation in CLI | CryptoAudit | Medium |
| 4.5 | Verify PKI private key encryption | CryptoAudit | High |
| 4.6 | Test certificate serial collision | CryptoAudit | Low |
### Phase 5: Race Conditions & Logic Flaws
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 5.1 | Exploit burn-after-read via HEAD then GET | RaceCondition | High |
| 5.2 | Race content hash deduplication counter | RaceCondition | Medium |
| 5.3 | Manipulate rate limit sliding window | RaceCondition | Medium |
| 5.4 | Test anti-flood difficulty race | RaceCondition | Low |
| 5.5 | Concurrent paste update/delete | RaceCondition | Low |
### Phase 6: Denial of Service
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 6.1 | Memory exhaustion via unique IP rate limits | DoSResilience | High |
| 6.2 | Anti-flood list growth under load | DoSResilience | Medium |
| 6.3 | PoW difficulty prediction for timed attacks | DoSResilience | Medium |
| 6.4 | Cleanup function starvation | DoSResilience | Low |
| 6.5 | Large paste memory consumption | DoSResilience | Low |
### Phase 7: CLI Tool Security
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 7.1 | Test clipboard command injection | CLISecurity | High |
| 7.2 | Verify config file permissions | CLISecurity | Medium |
| 7.3 | Test certificate file exposure | CLISecurity | Medium |
| 7.4 | Audit SSL context configuration | CLISecurity | Medium |
| 7.5 | Test URL parsing edge cases | CLISecurity | Low |
| 7.6 | Verify subprocess safety | CLISecurity | Medium |
### Phase 8: Dependency & Supply Chain
| # | Task | Agent | Priority |
|---|------|-------|----------|
| 8.1 | Run pip-audit for known CVEs | DependencyAudit | High |
| 8.2 | Check for outdated packages | DependencyAudit | Medium |
| 8.3 | Audit optional dependency handling | DependencyAudit | Low |
| 8.4 | Review Containerfile for supply chain risks | DependencyAudit | Medium |
---
## Critical Vulnerabilities Identified
```
┌───┬─────────────────────────────────────┬──────────┬───────────────────────┐
│ # │ Vulnerability │ Severity │ Remediation
├───┼─────────────────────────────────────┼──────────┼───────────────────────┤
│ 1 │ Missing TRUSTED_PROXY_SECRET │ Critical │ Require in production
│ │ allows auth header spoofing │ │ or fail closed
│ 2 │ HEAD request bypasses burn-after- │ Medium │ Track HEAD as access
│ │ read deletion │ │ or disable for burn
│ 3 │ Rate limit memory unbounded │ Medium │ Add max entries limit
│ 4 │ Content hash race condition │ Low │ Add locking
│ 5 │ Clipboard command injection │ Medium │ Sanitize tool paths
│ │ potential in CLI │ │
└───┴─────────────────────────────────────┴──────────┴───────────────────────┘
```
---
## Remediation Task List
### Immediate (Critical)
- [x] **PROXY-001**: Add startup warning/failure when TRUSTED_PROXY_SECRET empty in production
- [x] **PROXY-002**: Document required proxy configuration in deployment guide
- [x] **PROXY-003**: Add security test for header spoofing without proxy secret
### Short-term (High)
- [x] **BURN-001**: Track HEAD requests as paste access for burn-after-read
- [x] **BURN-002**: Add test for HEAD-then-GET race condition
- [x] **RATE-001**: Add maximum entries limit to rate limit storage
- [ ] **RATE-002**: Add automatic cleanup trigger when threshold exceeded
- [ ] **CLI-001**: Validate clipboard tool paths against allow-list
### Medium-term (Medium)
- [ ] **HASH-001**: Add locking to content hash deduplication
- [ ] **FLOOD-001**: Add memory limit to anti-flood request list
- [ ] **ENUM-001**: Add rate limiting to paste metadata endpoints
- [ ] **CLI-002**: Verify SSL certificate hostname matching
- [ ] **CLI-003**: Add config file permission validation on startup
### Long-term (Low)
- [ ] **CRYPTO-001**: Add certificate serial collision detection
- [ ] **TIMING-001**: Add constant-time database lookups for sensitive queries
- [ ] **AUDIT-001**: Add query result limits to prevent enumeration
---
## Test Execution Commands
### Setup Test Environment
```bash
# Create isolated test environment
python3 -m venv pentest-venv
source pentest-venv/bin/activate
pip install -r requirements.txt
pip install pytest pytest-cov httpx hypothesis
# Start test server
FLASK_ENV=testing python run.py &
```
### Run Security Tests
```bash
# Authentication bypass tests
./venv/bin/pytest tests/test_security.py -v -k "proxy"
# Rate limiting tests
./venv/bin/pytest tests/test_rate_limiting.py -v
# PoW tests
./venv/bin/pytest tests/test_pow.py -v
# Full security suite
./venv/bin/pytest tests/ -v --tb=short -x
```
### Manual Testing
```bash
# Test header spoofing without proxy secret
curl -H "X-SSL-Client-SHA1: $(printf '0%.0s' {1..40})" \
http://localhost:5000/pastes
# Test burn-after-read via HEAD
paste_id=$(echo "secret" | curl -sS -X POST -d @- http://localhost:5000/ \
-H "X-Burn-After-Read: true" | jq -r .id)
curl -I http://localhost:5000/$paste_id/raw # HEAD request
curl http://localhost:5000/$paste_id/raw # Should still exist?
# Test rate limit memory growth
for i in {1..10000}; do
curl -H "X-Forwarded-For: 192.168.$((i/256)).$((i%256))" \
-X POST -d "test" http://localhost:5000/ 2>/dev/null &
done
```
---
## Test File Structure
```
tests/
├── security/
│ ├── test_auth_bypass.py # AuthBypass agent tests
│ ├── test_input_fuzz.py # InputFuzz agent tests
│ ├── test_crypto_audit.py # CryptoAudit agent tests
│ ├── test_race_conditions.py # RaceCondition agent tests
│ ├── test_dos_resilience.py # DoSResilience agent tests
│ ├── test_info_leak.py # InfoLeak agent tests
│ └── test_cli_security.py # CLISecurity agent tests
├── conftest.py # Shared fixtures
└── test_abuse_prevention.py # Existing abuse tests
```
---
## Reporting
### Finding Template
```markdown
## [SEVERITY] Finding Title
**ID:** CATEGORY-NNN
**Severity:** Critical | High | Medium | Low | Info
**CVSS:** X.X (if applicable)
**CWE:** CWE-XXX
### Description
[Detailed description of the vulnerability]
### Reproduction Steps
1. Step one
2. Step two
3. ...
### Impact
[Business and technical impact]
### Remediation
[Specific fix recommendations]
### References
- [Link to relevant documentation]
```
### Summary Report Sections
1. Executive Summary
2. Scope and Methodology
3. Findings by Severity
4. Risk Assessment Matrix
5. Remediation Roadmap
6. Appendix: Raw Test Results
---
## Schedule
```
Week 1: Phases 1-2 (Recon, Auth)
Week 2: Phases 3-4 (Input, Crypto)
Week 3: Phases 5-6 (Race, DoS)
Week 4: Phases 7-8 (CLI, Deps)
Week 5: Reporting and Remediation
```
---
## Success Criteria
- [ ] All Critical findings remediated
- [ ] All High findings remediated or risk-accepted
- [ ] Medium findings tracked in issue tracker
- [ ] Security test coverage > 80%
- [ ] CI pipeline includes security regression tests
- [ ] Documentation updated with security guidance
View Git Blame Copy Permalink