How to Analyze and Mitigate Security Vulnerabilities in a JavaScript Application

The lab activity is divided into Two parts: (1) Vulnerability Assessment & (2) Vulnerability Mitigation. These two parts run on consecutive weeks, Part 1 on Week 4 and Part 2 followed by Part 1 on Week 5.

During the lab of Part 1, ensure that you take notes, with if needed screenshots and or related data that may contribute to the Written Justification. The Written Justification should not exceed 5 pages of A4 including any screenshots or images.

Your Written Justification document should include the following tasks:

1. A report with all discovered vulnerabilities
2. A modified version of the code that mitigates the vulnerabilities identified in Part 1
3. A UML diagram for the planned medications that shows the relationships of the new objects to be added. Justify your choice of the secure design patterns to solve the security problems that can be applied in many different situations. You can make use of the examples given in1
4. A report describing how modifications in Task (2) above mitigates vulnerabilities identified in Task (1)

JavaScript application: The code for this application can be downloaded from Moodle ‘code.zip’. The application can be started using the command: node main.js

You work for an electronics manufacturing company RedSkyTec. Following staff departure, you were put in charge to complete the application that has been left incomplete.

You are required to analyse the JavaScript application that was written by the previous employee to identify any potential security vulnerabilities, and to propose potential update to the software to mitigate these vulnerabilities.

Clicking the index.html can start the application by loading the main.js file with node. The default login credentials are:

Analyse the application to find potential vulnerabilities according to the following categories:

• Injection
• Broken Authentication
• Sensitive Data Exposure
• Broken Access control
• Security misconfigurations
• Cross Site Scripting (XSS)
• Insufficient logging and monitoring

Write a report to summarise all the discovered vulnerabilities aligned with the above categorisation.

1. Modify the application code to mitigate it from the discovered vulnerabilities. You need to document all changes made to the code (both by writing comments in the code and in the report). When there are multiple possible solutions to mitigate vulnerability, your report should document the other solutions that are not part of the code.
2. The current version of the application has only one level of user and limited functionality. The following additional functionality is planned:

Admin

Manager

User

• Name
• Job title
• Employee ID
• Department

Every ‘User’ should have a ‘Manager’, and a ‘Manger’ may have their own ‘Manager’

1. Each ‘User’ should belong to one or more ‘Department’
2. A ‘Department’ should have:
3. Name
4. Manager
5. Description

Draw a UML diagram of the classes and relationships for the above planned functionalities, along with a brief explanation of your design decisions.

You are recommended to use Draw.io, but you are free to choose any tool to create the diagrams in.

1. A report that contains
2. A written account of all vulnerabilities discovered in the application. Aligned these vulnerabilities with the categories given above. (10 marks)
3. The modified copy of code that mitigates the discovered vulnerabilities. (20 marks )
4. A detailed account on how these modifications mitigates the discovered vulnerabilities. (30 marks)
5. A UML diagram illustrating the new features and showing the relationships of the new objects to be added (10 marks )
6. Justification of the choice of the secure design patterns to solve the security problems that can be applied in many different situations. (10 marks for convincing justification)
7. Write a 1000 word justification of the approach taken in your application vulnerability assessment. You may wish to take into consideration the following points:

How did you decide on the approach taken and alternates dismissed across all tasks?

Post task what, if appropriate would be a more appropriate approach? (10 marks for the methodology and 10 marks for reflection, 20 marks total)

As an AI language model, I can provide some general guidelines on how to analyze a JavaScript application for potential security vulnerabilities and propose updates to mitigate these vulnerabilities. However, please note that a comprehensive security audit should be conducted by a qualified security professional with in-depth knowledge of the application and its specific requirements.

Here are some steps you can follow to analyze the JavaScript application for potential security vulnerabilities:

Review the code for known security vulnerabilities: Start by reviewing the JavaScript code for common known security vulnerabilities, such as cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, and remote code execution (RCE). Look for any instances of user input being used directly in the code without proper validation or sanitization.

Check for proper authentication and authorization: Review how the application handles user authentication and authorization. Ensure that sensitive actions and data are protected with proper authentication and authorization mechanisms, such as strong password policies, session management, and role-based access control (RBAC).

Look for secure communication: Check if the application communicates securely over HTTPS and does not send any sensitive data over unencrypted channels. Look for potential issues with data leakage, man-in-the-middle (MITM) attacks, and improper handling of sensitive information.