OWASP Top 10#

List with Mitigations#

Authentication
- Authentication is done by PyLTI1p3. When a LTI launch was successful the user is being logged in with a Django session.
Authorization
- Roles given by LTI are respected. This means an Instructor or Administrator has staff privileges. This give the ability to use the statistics api and to use a blank admin page. Staff user data also is not deleted automatically.
CSRF
- CSRF token for every insecure HTTP method except for lti-register, OIDC-login and lti-launch because they are secured by OpenID and LMSs could not use the CSRF token.

HTTP Strict Transport Security
- Enabled
- For 1 year inactivity the browser will only use HTTPS.
- We also allow browsers to put sql-train on the preload list.
TLS
- We used the recommended settings for nginx from Mozilla https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1k&guideline=5.6
Secrets Management
- Secrets are manually added via environment variables.
- Great care was done to check that no secrets come to Github.
Key Management
- As pointed out in technical depts the private keys are unencrypted saved in the application database which comes from our PyLTI1p3 library but we cannot use them because this feature is by default disabled at the LMS.
Pinning Cheat Sheet
- TODO

SQL Injections
- A principle inherited from the repDB integrated in SQL-Train is that students work on their on database. So our Tool only provides a way of interacting with it. This means all students can do with their database is not the problem of SQL-Train.
- In respect for our application database (DjangoDB) we only use the Django ORM to interact with our database so we should be safe on that end.
OS Command Injection Defense
- No manual interaction with the OS
REST Injection
- Handled by NinjaAPI
Cross Site Scripting
- React:
  
  Much of the work mitigating XSS vulnerabilities is done by the use of modern web framework as React.
- Reflected XSS
  
  The only input SQL-Train get through the URL is the topic short the exercise number. These parameters are validate via regular expression to only contain numbers or slugs. For the REST API we use the CSRF token.
- Stored XSS
  
  User created content coming from the server is all generated by the same user. So other user cannot be attackted.
- DOM Based XSS
  
  DOM based XSS Prevention Cheat Sheet is being folowed stricly.
  
  React is forbidding or sanitizing most vulnerable operations.
Content Security Policy
- We try to keep our CSP as tight as possible. So all our our ‘src’s are set to ‘self’ exempt ‘style-src’. We have to use ‘unsafe-line’ because of emotion and codemirror.

We strictly followed the configuration documentation from Django
We use a minimal platform without any unnecessary features, components, documentation, and samples.