claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity
Files
c1d2e39b0905b0146749db1dbe48a044e6b8d029
flaskpaste/documentation/security-testing-status.md
Username c1d2e39b09 docs: complete penetration testing status update 
All pentest items now complete:
- CLI security audit (clipboard, permissions)
- DoS memory exhaustion (fixed lookup rate limit)
- Race conditions (all protected by locks)
2025-12-26 00:17:11 +01:00

6.8 KiB
Raw Blame History

Security Testing Status

Tracking security testing progress and remaining tasks.

Completed Testing

Local Fuzzer (tests/fuzz/run_fuzz.py)

Phase Tests Status
Reconnaissance 25 endpoints probed PASS
Input Fuzzing Binary, unicode, size limits PASS
Injection Attacks SQLi, XSS, SSTI, command injection PASS
Auth/Authz Header spoofing, privilege escalation PASS
Business Logic Burn-after-read, expiry, dedup PASS
Cryptography PoW token replay, timing PASS

Production Fuzzer (mymx.me/paste)

Phase Tests Status
Content Fuzzing Null bytes, unicode, 50KB, control chars PASS
Injection Testing SQLi, SSTI, XSS, command, path traversal PASS
Header Injection Host override, XFF chains, SQLi in headers PASS
Path Fuzzing Traversal, URL encoding, long paths PASS
MIME Detection GIF+JS, PNG+HTML, PDF+HTML polyglots PASS

MIME Detection (Polyglot Attacks)

Attack Vector Payload Result
PNG + HTML Magic bytes + script tag Served as image/png
GIF + JavaScript GIF89a + JS comment trick Served as image/gif
PDF + ZIP PDF header + ZIP trailer Served as application/pdf
SVG + Script XML with embedded script Served as text/plain
JPEG + PHP JFIF + PHP code Served as image/jpeg

Race Condition Testing

Test Method Result
Burn-after-read bypass HEAD then GET SAFE - HEAD triggers deletion

Verified via server logs: Burn-after-read paste deleted via HEAD: <id>

Timing Attack Analysis

Tested authentication endpoints for timing oracle vulnerabilities (2025-12-25):

Endpoint Test Variance Result
Password verification Correct vs Wrong 2.3% SAFE
Password verification Correct vs None 2.1% SAFE
Paste existence Valid vs Invalid ID Expected OK (DB lookup)
Auth header Valid vs Invalid format Expected OK (DB lookup)

Password verification uses PBKDF2 with 600,000 iterations (~900ms constant-time). No password oracle vulnerability - timing variance within acceptable bounds.

Remaining Tasks

MIME Detection - Additional Formats

Tested on production (2025-12-25):

[x] WebP (image/webp)                 PASS
[x] TIFF-LE (image/tiff)              PASS
[x] TIFF-BE (image/tiff)              PASS
[x] BMP (image/bmp)                   PASS
[x] ICO (image/x-icon)                PASS
[x] WebM (video/webm)                 PASS
[x] MP4 (video/mp4)                   PASS
[x] MP3 (audio/mpeg)                  PASS
[x] MP3-ID3 (audio/mpeg)              PASS
[x] FLAC (audio/flac)                 PASS
[x] OGG (audio/ogg)                   PASS
[x] 7z (application/x-7z-compressed)  PASS
[x] RAR (application/vnd.rar)         PASS
[x] XZ (application/x-xz)             PASS
[x] BZ2 (application/x-bzip2)         PASS
[x] WASM (application/wasm)           PASS
[x] MachO-32 (application/x-mach-binary) PASS
[x] MachO-64 (application/x-mach-binary) PASS

Fallback to text/plain (safe default):
[~] MOV  - ftyp offset varies
[~] CAB  - Signature not implemented
[~] DEB  - Signature not implemented
[~] AR   - Signature not implemented

Fixed (2025-12-25):
[x] RPM  - Added signature (0xEDABEEDB)
[x] AVI  - Fixed RIFF subtype detection
[x] WAV  - Fixed RIFF subtype detection

Known issues:
[!] JavaClass - Detected as Mach-O (0xCAFEBABE collision, unfixable)

Not tested (no signature defined):
[ ] AVIF, HEIC, MKV, TAR, DMG, ISO, DOCX/XLSX/PPTX, ODF

Fuzzing Improvements

[ ] Add --target option to run_fuzz.py for external testing
[ ] Implement adaptive rate limiting in production fuzzer
[ ] Add hypothesis property-based tests for MIME detection
[ ] Create polyglot generator for automated MIME confusion testing
[x] Add timing attack tests for authentication endpoints

Penetration Testing (from PENTEST_PLAN.md)

[x] Race condition: Burn-after-read via HEAD then GET (SAFE)
[x] Race condition: Content hash deduplication counter (SAFE - locked)
[x] DoS: Memory exhaustion via unique IP rate limits (FIXED)
[x] DoS: Anti-flood list growth under load (SAFE - bounded)
[x] CLI: Clipboard command injection validation (SAFE)
[x] CLI: Certificate file permission exposure (SAFE - 0o600)

CLI Security Audit (2025-12-26)

Check Status
Trusted clipboard path validation PASS
PATH injection prevention PASS
Subprocess safety (no shell=True) PASS
Config permission warnings PASS
Key file permissions (0o600) PASS
Symlink attacks LOW RISK

Memory Exhaustion Tests (2025-12-26)

Component Protection Status
Anti-flood list ANTIFLOOD_MAX_ENTRIES (10000) PASS
Rate limit dict RATE_LIMIT_MAX_ENTRIES (10000) PASS
Lookup rate limit LOOKUP_RATE_LIMIT_MAX_ENTRIES (10000) FIXED
Content dedup Database + PoW PASS
Concurrent access Thread-safe with locks PASS

Documentation

[ ] Add remaining MIME test results to security assessment
[ ] Document rate limiting behavior under attack
[ ] Create threat model diagram
[ ] Add security headers audit to CI pipeline

Test Commands

# Local fuzzer (starts isolated server)
./venv/bin/python tests/fuzz/run_fuzz.py --verbose

# Quick smoke test
./venv/bin/python tests/fuzz/run_fuzz.py --quick

# Specific phases only
./venv/bin/python tests/fuzz/run_fuzz.py --phases 1,2,3

# Hypothesis tests (via pytest)
./venv/bin/pytest tests/test_fuzz.py -v

# Production fuzzer (rate limited)
python /tmp/prod_fuzz.py

Security Controls Verified

Control Implementation Verified
X-Content-Type-Options nosniff Yes
Content-Security-Policy default-src 'none' Yes
X-Frame-Options DENY Yes
Magic byte detection First 16 bytes, 45 signatures Yes
Input sanitization Werkzeug header handling Yes
SQL injection prevention SQLAlchemy parameterized queries Yes
SSTI prevention No user content in templates Yes
Path traversal prevention ID validation regex Yes
Constant-time password check PBKDF2 600k iterations Yes
Burn-after-read race condition HEAD triggers deletion Yes
RIFF container detection Subtype check (WEBP/AVI/WAVE) Yes
Clipboard command injection Trusted path validation Yes
Memory exhaustion prevention Max entries on all dicts Yes
Race condition protection Threading locks on counters Yes

Notes

  • Production testing requires rate limit awareness (1.5s+ delay)
  • X-SSL-Client-SHA1 spoofing requires TRUSTED_PROXY_SECRET in production
  • /metrics endpoint intentionally exposed for Prometheus
  • Hypothesis tests use Flask test client (in-memory, not network)
View Git Blame Copy Permalink