74 lines
4.0 KiB
Markdown
74 lines
4.0 KiB
Markdown
# Security Audit Tasks
|
|
|
|
Audit date: 2026-02-08
|
|
Scope: `Program.cs`, `Endpoints/*`, `Infrastructure/*`, `wwwroot/js/*`, deployment docs/config
|
|
|
|
## Critical
|
|
|
|
- None identified in this pass.
|
|
|
|
## High
|
|
|
|
- [ ] Fix stored XSS in confirmation modal flows.
|
|
Evidence: `wwwroot/js/modals-ui.js:41`, `wwwroot/js/modals-ui.js:43`, `wwwroot/js/modals-ui.js:47`, `wwwroot/js/suggestions-ui.js:481`, `wwwroot/js/data.js:44`, `wwwroot/js/data.js:57`, `wwwroot/js/admin-ui.js:48`.
|
|
Risk: user-controlled names are injected into HTML and can execute script in other users' sessions (including admin interactions).
|
|
Tasks:
|
|
1. Remove dynamic `innerHTML` for confirm modal title/body and render untrusted text with `textContent`.
|
|
2. Stop interpolating untrusted values into HTML attributes (for example `data-name`); assign with DOM APIs.
|
|
3. Add regression coverage for XSS payloads in suggestion names and player names.
|
|
|
|
## Medium
|
|
|
|
- [ ] Add request-throttling and brute-force protection for authentication/admin-sensitive routes.
|
|
Evidence: `Endpoints/AuthEndpoints.cs:16`, `Endpoints/AuthEndpoints.cs:62`, `Program.cs:49`, `Program.cs:64` (no `AddRateLimiter` / `UseRateLimiter` configured).
|
|
Risk: password guessing and admin-key guessing are not rate-limited.
|
|
Tasks:
|
|
1. Configure ASP.NET Core rate limiting policies for `/api/auth/*` and privileged admin routes.
|
|
2. Add lockout/backoff telemetry and alerts for repeated failed auth attempts.
|
|
|
|
- [ ] Harden screenshot URL validation against SSRF bypass techniques.
|
|
Evidence: `Endpoints/SuggestionValidator.cs:13`, `Endpoints/EndpointHelpers.cs:143`, `Endpoints/EndpointHelpers.cs:233`, `Endpoints/EndpointHelpers.cs:262`.
|
|
Risk: DNS rebinding and incomplete private/reserved IP filtering can allow internal network probing via server-side HTTP fetches.
|
|
Tasks:
|
|
1. Expand blocked address ranges (IPv4 reserved ranges, IPv6 ULA `fc00::/7`, etc.).
|
|
2. Ensure the request is pinned to validated IPs (or use a safe egress proxy/allowlist).
|
|
3. Add tests for loopback/private/reserved host bypass attempts.
|
|
|
|
- [ ] Add baseline HTTP security headers and enforce HTTPS policy.
|
|
Evidence: `Program.cs:68`, `Program.cs:77`, `Program.cs:90` (no app-level CSP/HSTS/`X-Content-Type-Options`/`X-Frame-Options`/`Referrer-Policy` middleware).
|
|
Risk: weaker browser-side mitigation for XSS/clickjacking/content-type sniffing and transport downgrade mistakes.
|
|
Tasks:
|
|
1. Add explicit security headers in app middleware or IIS config.
|
|
2. Enable HSTS in production and verify HTTPS redirection/termination settings.
|
|
3. Add deployment checklist validation in `IIS.md`.
|
|
|
|
- [ ] Restrict accepted host headers.
|
|
Evidence: `appsettings.json:8`.
|
|
Risk: wildcard `AllowedHosts` can increase exposure to host-header abuse patterns.
|
|
Tasks:
|
|
1. Replace `AllowedHosts: "*"` with explicit production hostnames.
|
|
2. Add environment-specific config guidance for IIS deployments.
|
|
|
|
## Low
|
|
|
|
- [ ] Strengthen credential policy and password hashing parameters.
|
|
Evidence: `Endpoints/AuthValidator.cs:24`, `Infrastructure/PasswordHasher.cs:9`.
|
|
Risk: weak user-selected passwords remain possible; PBKDF2 cost may become insufficient over time.
|
|
Tasks:
|
|
1. Enforce minimum password length/quality checks.
|
|
2. Review and periodically raise PBKDF2 iteration cost (or migrate to a stronger password hashing scheme).
|
|
|
|
- [ ] Reassess long-lived session defaults.
|
|
Evidence: `Program.cs:56`.
|
|
Risk: 30-day sliding cookie increases exposure window for stolen session cookies.
|
|
Tasks:
|
|
1. Reduce expiration window for privileged sessions or apply step-up auth for destructive admin actions.
|
|
2. Consider explicit idle timeout + absolute lifetime policy.
|
|
|
|
- [ ] Reevaluate permanent bootstrap-admin key behavior.
|
|
Evidence: `Endpoints/AuthEndpoints.cs:26`, `Endpoints/AuthEndpoints.cs:30`, `Endpoints/AuthEndpoints.cs:34`.
|
|
Risk: a leaked `ADMIN_PASSWORD` can be reused indefinitely to create new admin accounts.
|
|
Tasks:
|
|
1. Limit bootstrap-admin creation to first-run or an explicit admin-only operation.
|
|
2. Add audit logs for admin account creation attempts and successes.
|