[ Solution to the Task 1: GPN_Task-1.pdf ]
[ Solution to the Task 2: GPN_Task-2.pdf ]
[ Solution to the Task 3: GPN_Task-3_Rules ]
Brief overviews: Task 1 | Task 2 | Task 3
My solution to the tasks given within the Gazprom Neft Hackathon of the year 2023.
The task was to review the code in the provided files (each file represents an independent web application) and to create a report on the vulnerabilities found during the analysis.
| Case № | Technologies | Findings |
|---|---|---|
| 1 | Python, Flask | [Relative Path Traversal] [CWE-23] |
| 2 | JS, PHP | [Cross-Site Scripting] [CWE-159] |
| 3 | JS | [Cross-Site Scripting] [CWE-159] [CWE-360] |
| 4 | Go | [Broken Authentication] [CWE-287] |
| 5 | C | [Buffer Overflow] [CWE-120] |
| 6 | NodeJS | [CORS Misconfiguration] [CWE-942] |
| 7 | PHP | [Absolute Path Traversal] [CWE-36] [Server-Side Request Forgery] [CWE-918] |
| 8 | JS | [OpenRedirect] [CWE-601] [Cross-Site Scripting] [CWE-83] |
| 9 | Python, Flask | [Server-Side Template Injection] [Command Injection] [CWE-1336] |
The task was to examine the provided web application and to create a report regarding vulnerabilities found during the analysis.
I have separately conducted both White-box and Black-box testing of the provided web application to evaluate security from the point of view of both the developer and the potential attacker.
| Method of software testing | Findings |
|---|---|
| White-box | [Weak credentials] [CWE-1391] |
| White-box | [Hard-coded plaintext credentials] [CWE-798] |
| White-box | [Hard-coded plaintext secret key] [CWE-321] |
| Black-box, White-box | [Debug mode on] [CWE-489] |
| Black-box, White-box | [SQL Injection] [CWE-89] [CVE-2022-34265] |
The task was to write Semgrep rules that find the bugs leading to the vulnerabilities listed above in the overviews of Task 1 and Task 2.
- Have a look at the resulting rules: GPN_Task-3_Rules
- And have a look at the resulting Semgrep report: GPN_Task-3_Report.txt
