Security review for login-service & survey-web-app -- App Engine, Python, Javascript

진행 현황: Closed
상금: $1000
응모작 접수(건수): 5
수상자: newsoftwaresolu

Winner

콘테스트 개요

GOAL
I have a prototype login-system, similar to open-ID, for authenticating voters. Also I have a survey web-app using the login-system.

This is a contest to find the most important security problem, both in the login site and in the survey app.

Describe the vulnerability, with:
* Endpoint affected
* Example exploit / input
* Estimate of severity / potential bad effects
* Suggested fix

SYSTEM
The system runs in Python on Google App Engine, with client webpages using Javascript.

The code is here:
https://github.com/chadbrower0/openVoterId3
https://github.com/chadbrower0/proCon3

EXAMPLE DATA
Survey web-app example pages:
* You may need to copy & paste these links, because freelancer.com breaks these URLs.
* Feel free to create more example pages.
* https://www.choosewithreason.com/procon#page=proposal&link=9DxVVGWcWlmPQLofuJ2vuCP1yAQ7gsOczmkbmB2TIXVlKOZij7
* https://www.choosewithreason.com/procon#page=request&link=ydef4LAXNkHnOOQoyDp8cvuFu3s4h6YnwRAy1ZGHqtmOkM5IWy
* https://www.choosewithreason.com/autocomplete#page=question&link=soGqnBjwQMm2koXVbV4KgaOMD5wv4FpdeX8PPIznHfc1oi9iuc
* https://www.choosewithreason.com/autocomplete#page=question&link=07CPZ6KFprXg9QSl5MEZXaQ1wgh6Az0oOY1kHymXyj5aavHsi2

Example voter information is attached separately.

고용주 피드백

“@newsoftwaresolu won the contest on 22 June 2020”

chadbrower, United States.

이 콘테스트의 최상위 응모작

newsoftwaresolu Tunisia

0
newsoftwaresolu Tunisia

0
webzonebd99 Bangladesh

0
dsamanmishra3 India

0
Shyam247 India

0

다른 응모작

공개 설명 게시판

newsoftwaresolu
- 3 년 전
please find attached our proposition
- 3 년 전
1. 콘테스트 주최자
  - 3 년 전
  Thanks! This is the first real security finding submitted so far.
  - 3 년 전
2. newsoftwaresolu
  - 3 년 전
  Thanks ! I'm very happy to work with you.
  - 3 년 전
mt7871
- 3 년 전
Not able to login using voter information provided.
- 3 년 전
1. 콘테스트 주최자
  - 3 년 전
  You would have to crack in.
  
  The only login-verification currently allowed, is the "mailed code", which is not provided. (I should not have provided the fake phone/birthdate/email in the sample voters file, attached.)
  - 3 년 전
2. 콘테스트 주최자
  - 3 년 전
  I've replaced the fake-voter information attachment with a version that does not contain the unneeded phone/birthdate/email.
  - 3 년 전
콘테스트 주최자
- 3 년 전
The contest-system auto-selected file-types for graphics (GIF, JPEG), but I assume most entries will be PDF. It's also fine to submit graphics with description in the comments / chat section.
- 3 년 전