cse545-ss's People
cse545-ss's Issues
Username field is case-insensitive
The username field in the login page is case-insensitive. Let's change it to be case sensitive.
Denial of Service (DoS)
Vulnerable module: org.yaml:snakeyaml
Introduced through: org.springframework.boot:[email protected], org.springframework.boot:[email protected] and others
Exploit maturity: No known exploit
Fixed in: 1.26
Overview
org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.
Affected versions of this package are vulnerable to Denial of Service (DoS). The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Note: While the Maintainer acknowledges the existence of the issue, they believe it should be solved by sanitizing the inputStream to the parser
Tier 2 Approve/ Decline Transaction
The Approve/ Decline transaction page for Tier 2 employee lists transactions <1000$ as well. This shouldn't be the case.
Error page gives away information
Change error page such that we don't give away any information.
Keep it as vague as possible.
Setup js and css dependency scripts
Cashier Cheque ID Missing
When the Tier 1 employee issues a Cashier Cheque, it's generated successfully but the Cheque Number/ ID isn't shown on dashboard. Add that.
XML External Entity (XXE) Injection
Vulnerable module: javax.servlet:jstl
Introduced through: javax.servlet:[email protected]
Exploit maturity: No known exploit
Detailed paths
- Introduced through: bankApp:[email protected] โบ javax.servlet:[email protected]
- Remediation: No remediation path available.
Overview
javax.servlet:jstl is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The package allows processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allow arbitrary code execution.
Virtual Keyboard
- Include virtual keyboard on OTP page for forgot password;
- disable right clicks, back button and ctrl/cmd shortcuts
Minor changes to #7
-
/Download
should download all rows from the transaction for a user
The username should be taken from the session's security context -
/Update
should be renamed to /EmployeeUpdate or something, since it may clash with `/UserUpdate, unless we use the same controller for updating both -
Uncomment code for
/Update
. -
/ChangeValue can update any user, so maybe rename the controller from EmployeeController to UserController or something
Also,/ChangeValue sounds like you're changing just one value. -
Remove URLs from
permitAll()
-
Remove all those spaces in between lines :D
Configure server to expose static resources
The server is currently not configured to access static resources. Including css/js files in web pages causes an authentication failure.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.