(In Progress) Task Manager Manual Source Code Review

Ajay Monga
6 min read · Nov 27, 2024


GitHub link: https://github.com/rengreen/task-manager/tree/master

Application Overview and Risk Assessment:

  • Application: Task Manager (an application for managing tasks for a team or a small company)
  • Authentication: Login is required for most features. Unauthenticated users can access the login page and the welcome page

User and their roles:

Admin (manager) can:
> Create task and assign task to any user
> View list of all users with possibility to delete user
> View list of all tasks with editing or deleting task
> Switch task as completed/uncompleted

Common user (employee) can:
> Create task only for himself
> View list of all users with no action allowed
> View list of all tasks but edit or delete only tasks for which he is responsible
> Switch owned task as completed/uncompleted

Every authorized user can:
> View his own profile

Built With
Spring Boot
Spring Security
H2 database
Maven
Thymeleaf
Bootstrap
jQuery

Test users
Paste email and password into the login form or click one of demo buttons under the login form to quickly insert them:

manager@mail.com password: 112233
ann@mail.com password: 112233
mark@mail.com password: 112233

Risk:

  1. Authentication and Authorization Risks: insecure or improper user authentication and authorization, deleting another user's task, deleting a user as an employee
  2. Cross-Site Scripting (XSS): if any user input is not sanitized
  3. Cross-Site Request Forgery (CSRF): modifying tasks, deleting a task via a crafted link
  4. Information leakage:
  5. Session Management Issues:
  6. Supply chain issue: 3rd party components

Information Gathering:

Primary Language: Java

Framework: Spring

Structure: Model, View, Controller, services

Database: Uses JPA, H2

Dependencies:

Entities and Relationships:
Role: Represents user roles with a ManyToMany relationship with User.
User: Likely the main entity for authentication and task assignments.
Tasks: Likely handled through a task-related entity (not explicitly reviewed but inferred).

Vulnerabilities Checklist

Authentication and Authorization Risks:

  • Test for user enumeration
  • Passwords are encrypted using a framework / library
  • Users are unable to login over GET, only POST
  • Strong password policy in effect
  • Sensitive transactions require re-authentication
  • Authentication and Authorization checks are done on each private request
  • Authorization checks are granular, per page / directory / action

Cross-Site Scripting (XSS):

  • Are inputs sanitized?

Cross-Site Request Forgery (CSRF):

  • CSRF token
  • Modifying tasks, deleting a task via a crafted link

Session Management Issues:

  • Session cookies use cookie attributes httponly, secure, samesite
  • Session tokens are not passed in URLs
  • Session Cookies expire in a reasonable amount of time
  • Logout will invalidate the session

Supply chain issue:

  • 3rd party components having vulnerabilities

SQL Injection:

Performing Review

Supply chain issue:

First I will cover the 3rd party component issue. As the project uses Spring, all dependencies are declared in the pom.xml file.

Versions:

  • Java: 1.8
    Apply the latest Java update or move to Java 11 or 17
  • spring-boot-starter-data-jpa
  • spring-boot-starter-security
  • spring-boot-starter-thymeleaf
  • thymeleaf-extras-springsecurity5
  • spring-boot-starter-web
  • h2
  • spring-boot-starter-test
  • spring-security-test
  • (ISSUE 1) (Vulnerable) webjars-locator: 0.36
    latest version: 6.2.2
  • (ISSUE 2) (Vulnerable) jquery: 3.3.1-1
    latest version: 3.7.1
  • (ISSUE 3) (Vulnerable) bootstrap: 4.2.1
    latest version: 5.3.3
  • font-awesome: 5.7.1
  • (ISSUE 4) (Vulnerable) datatables: 1.9.4-2
    latest version: 2.1.0

For SQL injection, I will search for string concatenation inside SQL queries. Since the application uses Spring Data JPA, there is less chance of direct SQL injection.

First, I tried searching for common patterns of SQL injection:

Grep command: grep -iE "SELECT\s|INSERT\s|UPDATE\s|FROM\s|WHERE\s" -r "A:/Codes/SCR/Taskmanager/task-manager-master/task-manager-master"

Only two SQL queries were found with this grep command, and they look like parameterized queries.

$ grep -iE "\.query|\.execute" -r "A:/Codes/SCR/Taskmanager/task-manager-master/task-manager-master"

No results found.

grep -iE "(\".*\"|'.*') *(\+|\|\|) *" -r .

These are ordinary string concatenations in the return value of a function, not query building.

Then I checked for SQL queries manually in the repository directory. No direct SQL query was found.

Then I started searching for user inputs used without validation.

I checked user inputs in controller directory.

In src/main/java/pl/rengreen/taskmanager/controller/AssigmentController.java

The showUserAssigmentForm function passes the userId path variable straight into the getuserById function without any validation.

(ISSUE 4)

(ISSUE 5)

(ISSUE 6)

In file: src/main/java/pl/rengreen/taskmanager/controller/ProfileController.java

(ISSUE 7)

(ISSUE 8)

In file: src/main/java/pl/rengreen/taskmanager/controller/TaskController.java

(ISSUE 9, 10, 11)

(ISSUE 12, 13)

In file: src/main/java/pl/rengreen/taskmanager/controller/UserController.java

(ISSUE 14)

Done with SQL injection.

Cross-Site Scripting (XSS)

I checked the controllers of the application, which are where user input enters the application. None of the incoming user input is validated, so there is a high chance that a value is used directly in HTML or a JS script without any validation or encoding.

File: src/main/resources/templates/views/profile.html

This can be a potential XSS, as the id is used directly in a dynamic URL.

File: src/main/resources/templates/views/tasks.html

In lines 55, 56, 60 and 61

File: src/main/resources/templates/views/users.html

There are many XSS issues.

Cross-Site Request Forgery (CSRF):

File: src/main/java/pl/rengreen/taskmanager/configuration/SecurityConfiguration.java

CSRF protection is disabled in this file.

The application is therefore vulnerable to CSRF.
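The following is an added illustration of the finding, not code from the project: the weak line beside the corrected configuration, written for the Spring Security 5 / Spring Boot 2 line that the pom's dependencies point to. The package name mirrors the file reviewed above; the matcher paths and the `/tasks/delete/{id}` route in the comment are assumptions.

```java
package pl.rengreen.taskmanager.configuration; // assumed: same package as the reviewed file

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // WEAK (the finding above): with this line present, a form on any
            // other site can POST to a state-changing URL such as
            // /tasks/delete/{id} (assumed route) and the browser attaches the
            // victim's session cookie, so the request is accepted.
            // .csrf().disable()

            // FIXED: leave CSRF protection on. It is on by default; the explicit
            // call records the decision so the next reviewer does not have to
            // guess. Spring Security then rejects every state-changing request
            // that does not carry a valid _csrf token bound to the session.
            .csrf(Customizer.withDefaults())

            // Public pages per the overview: welcome and login, plus static assets.
            .authorizeRequests(auth -> auth
                .antMatchers("/", "/login", "/webjars/**", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .permitAll())
            .logout(logout -> logout.permitAll());
    }
}
```

With thymeleaf-extras-springsecurity5 on the classpath, any form written with `th:action` gets the hidden `_csrf` input injected automatically, so enabling the protection does not require touching each template; only hand-written `action="..."` forms and jQuery AJAX calls need the token added explicitly. A quick check after the change: submit a task-delete form with the `_csrf` field removed and confirm the server answers 403.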

Authentication and Authorization Risks:

Authentication mechanism: Form login

Brute force attack:

Rate limiting of user login: NO
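The review records no rate limiting on the login form. As an added example, not code from the project, here is one defender-side pattern for Spring Security: count failed logins per account through the authentication events Spring already publishes for form login, and refuse further attempts for a cooling-off window. The package name, the limits and the class name are assumptions.

```java
package pl.rengreen.taskmanager.security; // assumed package; class and limits are illustrative

import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Counts failed logins per account from Spring Security's authentication events.
// Spring publishes these for every form-login attempt, so the login flow itself
// does not change. State is in-memory; a multi-node deployment would keep it in
// a shared store.
@Component
public class LoginAttemptService {
    static final int MAX_FAILURES = 5;                        // assumed threshold
    static final Duration LOCK_WINDOW = Duration.ofMinutes(15); // assumed window

    private static final class Attempts {
        int failures;
        Instant lastFailure;
    }

    private final Map<String, Attempts> byAccount = new ConcurrentHashMap<>();

    @EventListener
    public void onFailure(AuthenticationFailureBadCredentialsEvent event) {
        recordFailure(event.getAuthentication().getName());
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        // A successful login resets the counter for that account.
        byAccount.remove(event.getAuthentication().getName());
    }

    void recordFailure(String account) {
        Instant now = Instant.now();
        byAccount.compute(account, (k, a) -> {
            // Start a fresh window when the previous one has expired.
            if (a == null || now.isAfter(a.lastFailure.plus(LOCK_WINDOW))) {
                a = new Attempts();
            }
            a.failures++;
            a.lastFailure = now;
            return a;
        });
    }

    /** True while the account has reached MAX_FAILURES inside LOCK_WINDOW. */
    public boolean isBlocked(String account) {
        Attempts a = byAccount.get(account);
        return a != null
            && a.failures >= MAX_FAILURES
            && Instant.now().isBefore(a.lastFailure.plus(LOCK_WINDOW));
    }
}
```

To enforce it, the project's `UserDetailsService.loadUserByUsername` consults `isBlocked(username)` first and throws `org.springframework.security.authentication.LockedException` when it returns true; Spring then reports the attempt as a failed login and publishes a lockout event that belongs in the audit log, since a burst of lockouts is itself a detection signal. One caveat a reviewer would raise: a counter keyed only by account lets anyone lock a victim out by failing on purpose, so pair it with a per-source-address limit or an increasing delay instead of a hard lock.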

Authorization issue:

File: src/main/java/pl/rengreen/taskmanager/controller/TaskController.java

A user can delete or edit other users' tasks.

The function does not compare the current user's id with the task owner's id.

This may allow a user to view, edit and delete other users' tasks.

It also makes the CSRF attack above more damaging.

A user can assign a task to another user; user validation is not in place.

Granular authorization checks (per page / directory / action) are not implemented.
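The missing check in TaskController (this section) and the unchecked userId in AssigmentController (noted earlier) are the same defect: a record id taken from the URL is never bound to the caller. As an added example, not the project's code, here is how Spring Security method security expresses that binding. The package, the `Task` and `TaskRepository` stand-ins, the `ownerEmail` field and the `ROLE_ADMIN` authority are all assumptions about the project's model.

```java
package pl.rengreen.taskmanager.service; // assumed package; all names below are illustrative

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

import java.util.Optional;

// Turns @PreAuthorize on; without this the annotations below are silently ignored.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {}

// Minimal stand-ins for the project's entity and Spring Data repository.
class Task {
    Long id;
    String ownerEmail;   // assumed: login name of the user responsible for the task
    String description;
    boolean completed;
}

interface TaskRepository {
    Optional<Task> findById(Long id);
    void deleteById(Long id);
    Task save(Task task);
}

// Bean referenced by name (@taskSecurity) from the SpEL expressions below.
@Service("taskSecurity")
class TaskSecurity {
    private final TaskRepository repo;
    TaskSecurity(TaskRepository repo) { this.repo = repo; }

    // True only when the task exists and the authenticated principal is
    // responsible for it. An unknown id yields false, so an id that does not
    // exist is refused the same way as one that belongs to someone else.
    public boolean isOwner(Long taskId, Authentication auth) {
        return repo.findById(taskId)
                   .map(t -> t.ownerEmail.equals(auth.getName()))
                   .orElse(false);
    }
}

@Service
public class TaskService {
    private final TaskRepository repo;
    public TaskService(TaskRepository repo) { this.repo = repo; }

    // FIXED: the id from the path is bound to the caller before anything happens.
    // The finding above is the absence of exactly this check.
    @PreAuthorize("hasRole('ADMIN') or @taskSecurity.isOwner(#taskId, authentication)")
    public void deleteTask(Long taskId) {
        repo.deleteById(taskId);
    }

    @PreAuthorize("hasRole('ADMIN') or @taskSecurity.isOwner(#taskId, authentication)")
    public Task setCompleted(Long taskId, boolean completed) {
        Task t = repo.findById(taskId)
                     .orElseThrow(() -> new IllegalArgumentException("no such task"));
        t.completed = completed;
        return repo.save(t);
    }

    // Per the README, only the manager may assign work to someone else; an
    // employee may create tasks only for himself. The same rule covers the
    // unchecked userId in AssigmentController.
    @PreAuthorize("hasRole('ADMIN') or #ownerEmail == authentication.name")
    public Task createTask(String description, String ownerEmail) {
        Task t = new Task();
        t.description = description;
        t.ownerEmail = ownerEmail;
        return repo.save(t);
    }
}
```

Putting the rule on the service rather than in each controller means every path that reaches the data (web form, future REST endpoint, scheduled job) is covered by the same check, and a denied call surfaces as `AccessDeniedException`, which Spring maps to 403. To verify the fix, log in as ann@mail.com and request the delete URL of a task owned by mark@mail.com; the expected result is 403, not a deleted task.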

Session Management Issues:

Session management is not implemented. Basic authentication is used.

The application does not invalidate the previous session, even after logout. If someone knows or receives the session ID, they can perform all actions on behalf of the user.
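As an added example (not code from the project), here are the Spring Security settings that address the two session findings above: a fresh session id at login and a session that is really destroyed on logout, together with the cookie attributes from the checklist. The package name follows the reviewed configuration file; the class name, logout URLs and timeout value are assumptions.

```java
package pl.rengreen.taskmanager.configuration; // assumed: package of the reviewed config file

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Cookie attributes from the checklist are set in
// src/main/resources/application.properties (same-site needs Spring Boot 2.6+):
//
//   server.servlet.session.cookie.http-only=true
//   server.servlet.session.cookie.secure=true
//   server.servlet.session.cookie.same-site=strict
//   server.servlet.session.timeout=30m
@Configuration
@EnableWebSecurity
public class SessionHardeningConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement(session -> session
                // A new session id is issued when the user authenticates, so an
                // id obtained before login (session fixation) never becomes an
                // authenticated session.
                .sessionFixation().migrateSession())
            .logout(logout -> logout
                .logoutUrl("/logout")                 // POST only while CSRF is on
                .invalidateHttpSession(true)          // server-side session destroyed
                .deleteCookies("JSESSIONID")          // browser copy of the id cleared
                .logoutSuccessUrl("/login?logout"));
    }
}
```

These calls belong in the project's single `configure(HttpSecurity)` alongside the rest of its rules; a second `WebSecurityConfigurerAdapter` without a distinct `@Order` fails at startup. The check that closes the finding: capture the JSESSIONID value before and after logout, then replay the old one against a protected page and confirm it redirects to the login form instead of serving content.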

All checklist items are done.

There are also some hardcoded secrets for the default admin.

Now I am going to read the code at random in case something was missed.
