From a6364b08020348a17b3e3c8063db52b6cc18146a Mon Sep 17 00:00:00 2001 From: Frank Tovar Date: Sun, 8 Feb 2026 18:21:34 +0100 Subject: [PATCH] Add categorized webapp security audit tasks --- TASKS.md | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 TASKS.md diff --git a/TASKS.md b/TASKS.md new file mode 100644 index 0000000..02e2ebd --- /dev/null +++ b/TASKS.md @@ -0,0 +1,73 @@ +# Security Audit Tasks + +Audit date: 2026-02-08 +Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployment docs/config + +## Critical + +- None identified in this pass. + +## High + +- [ ] Fix stored XSS in confirmation modal flows. + Evidence: `wwwroot/js/modals-ui.js:41`, `wwwroot/js/modals-ui.js:43`, `wwwroot/js/modals-ui.js:47`, `wwwroot/js/suggestions-ui.js:481`, `wwwroot/js/data.js:44`, `wwwroot/js/data.js:57`, `wwwroot/js/admin-ui.js:48`. + Risk: user-controlled names are injected into HTML and can execute script in other users' sessions (including admin interactions). + Tasks: + 1. Remove dynamic `innerHTML` for confirm modal title/body and render untrusted text with `textContent`. + 2. Stop interpolating untrusted values into HTML attributes (for example `data-name`); assign with DOM APIs. + 3. Add regression coverage for XSS payloads in suggestion names and player names. + +## Medium + +- [ ] Add request-throttling and brute-force protection for authentication/admin-sensitive routes. + Evidence: `Endpoints/AuthEndpoints.cs:16`, `Endpoints/AuthEndpoints.cs:62`, `Program.cs:49`, `Program.cs:64` (no `AddRateLimiter` / `UseRateLimiter` configured). + Risk: password guessing and admin-key guessing are not rate-limited. + Tasks: + 1. Configure ASP.NET Core rate limiting policies for `/api/auth/*` and privileged admin routes. + 2. Add lockout/backoff telemetry and alerts for repeated failed auth attempts. + +- [ ] Harden screenshot URL validation against SSRF bypass techniques. + Evidence: `Endpoints/SuggestionValidator.cs:13`, `Endpoints/EndpointHelpers.cs:143`, `Endpoints/EndpointHelpers.cs:233`, `Endpoints/EndpointHelpers.cs:262`. + Risk: DNS rebinding and incomplete private/reserved IP filtering can allow internal network probing via server-side HTTP fetches. + Tasks: + 1. Expand blocked address ranges (IPv4 reserved ranges, IPv6 ULA `fc00::/7`, etc.). + 2. Ensure the request is pinned to validated IPs (or use a safe egress proxy/allowlist). + 3. Add tests for loopback/private/reserved host bypass attempts. + +- [ ] Add baseline HTTP security headers and enforce HTTPS policy. + Evidence: `Program.cs:68`, `Program.cs:77`, `Program.cs:90` (no app-level CSP/HSTS/`X-Content-Type-Options`/`X-Frame-Options`/`Referrer-Policy` middleware). + Risk: weaker browser-side mitigation for XSS/clickjacking/content-type sniffing and transport downgrade mistakes. + Tasks: + 1. Add explicit security headers in app middleware or IIS config. + 2. Enable HSTS in production and verify HTTPS redirection/termination settings. + 3. Add deployment checklist validation in `IIS.md`. + +- [ ] Restrict accepted host headers. + Evidence: `appsettings.json:8`. + Risk: wildcard `AllowedHosts` can increase exposure to host-header abuse patterns. + Tasks: + 1. Replace `AllowedHosts: "*"` with explicit production hostnames. + 2. Add environment-specific config guidance for IIS deployments. + +## Low + +- [ ] Strengthen credential policy and password hashing parameters. + Evidence: `Endpoints/AuthValidator.cs:24`, `Infrastructure/PasswordHasher.cs:9`. + Risk: weak user-selected passwords remain possible; PBKDF2 cost may become insufficient over time. + Tasks: + 1. Enforce minimum password length/quality checks. + 2. Review and periodically raise PBKDF2 iteration cost (or migrate to a stronger password hashing scheme). + +- [ ] Reassess long-lived session defaults. + Evidence: `Program.cs:56`. + Risk: 30-day sliding cookie increases exposure window for stolen session cookies. + Tasks: + 1. Reduce expiration window for privileged sessions or apply step-up auth for destructive admin actions. + 2. Consider explicit idle timeout + absolute lifetime policy. + +- [ ] Reevaluate permanent bootstrap-admin key behavior. + Evidence: `Endpoints/AuthEndpoints.cs:26`, `Endpoints/AuthEndpoints.cs:30`, `Endpoints/AuthEndpoints.cs:34`. + Risk: a leaked `ADMIN_PASSWORD` can be reused indefinitely to create new admin accounts. + Tasks: + 1. Limit bootstrap-admin creation to first-run or an explicit admin-only operation. + 2. Add audit logs for admin account creation attempts and successes.