Restructure, Analysis V3.1 V3.2

Signed-off-by: Tiago Garcia <tiago.rgarcia@ua.pt>

delivery3/Makefile

@@ -0,0 +1,11 @@
+.PHONY: html
+
+ASCIIDOCTOR := $(shell which asciidoctor > /dev/null 2>&1 && which asciidoctor)
+
+ifeq ($(ASCIIDOCTOR),)
+	ASCIIDOCTOR := $(shell ruby -r rubygems -e 'puts Gem.bin_path("asciidoctor", "asciidoctor")')
+endif
+
+html:
+	@echo "Building HTML"
+	@$(ASCIIDOCTOR) -b html -o report.html main.adoc

delivery3/analysis.adoc

@@ -0,0 +1,98 @@
+== Analysis
+
+For the analysis section, the project will be evaluated under the scope of the V3 (Session Management) chapter of the OWASP ASVS, using version v4.0.3. This will include an assessment of the session management mechanisms implemented, as well as any vulnerabilities identified and possible mitigations.
+
+=== Session Management
+
+==== Fundamental Session Management Security
+
+[cols="^1,10,^1,^1", options="header", source]
+|===
+| Requirement | Description | Applicable | Implemented
+
+| 3.1.1
+| Verify the application never reveals session tokens in URL parameters.
+| ✔
+| ✔
+
+|===
+
+===== 3.1.1
+
+The current implementation meets the requirement, as the session tokens are not exposed in the URL parameters but instead are sent in the Authorization header.
+
+==== Session Binding
+
+[cols="^1,10,^1,^1", options="header", source]
+|===
+| Requirement | Description | Applicable | Implemented
+
+| 3.2.1
+| Verify the application generates a new session token on user authentication.
+| ✔
+| ✔
+
+| 3.2.2
+| Verify that session tokens possess at least 64 bits of entropy.
+| ✔
+| ✔
+
+| 3.2.3
+| Verify the application only stores session tokens in the browser using secure methods such as appropriately secured cookies (see section 3.4) or HTML 5 session storage.
+| ✗
+| ✗
+
+| 3.2.4
+| Verify that session tokens are generated using approved cryptographic algorithms.
+| ✔
+| ✔
+|===
+
+===== 3.2.1, 3.2.2, 3.2.4
+
+The application generates a new session token on session creation when a user logs in.
+
+This token is generated using the `secrets.token_hex(128)`
+function, which generates a 256-character hexadecimal string, providing more than 64 bits of entropy. This function has been certified as secure by OWASP in their https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation[cheat sheet series].
+
+This generation is implemented in the code as follows:
+
+[source,python]
+----
+include::create_session.py[]
+----
+
+==== Session Termination
+
+[cols="^1,10,^1,^1", options="header", source]
+|===
+| Requirement | Description | Applicable | Implemented
+
+| 3.3.1
+| Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties.
+| ✔
+| ✔
+
+| 3.3.2
+| If authenticators permit users to remain logged in, verify that re-authentication occurs periodically both when actively used or after an idle period.
+| ✔
+| ✗
+
+| 3.3.3
+| Verify that the application gives the option to terminate all other active sessions after a successful password change (including change via password reset/recovery), and that this is effective across the application, federated login (if present), and any relying parties.
+| ✗
+| ✗
+
+| 3.3.4
+| Verify that users are able to view and (having re-entered login credentials) log out of any or all currently active sessions and devices.
+| ✔
+| ✔
+|===
+
+==== Cookie-based Session Management
+
+==== Token-based Session Management
+
+==== Federated Re-authentication
+
+==== Defenses Against Session Management Exploits

delivery3/create_session.py

@@ -0,0 +1,13 @@
+def create_session(user: User, org: Organization) -> Session:
+    session = Session(
+        user_id=user.id,
+        org_id=org.id,
+        token=secrets.token_hex(128),
+        roles=[],
+        challenge=secrets.token_hex(128),
+        verified=False
+    )
+    db.add(session)
+    db.commit()
+    db.refresh(session)
+    return session

delivery3/decisions.adoc

@@ -0,0 +1,3 @@
+== Decisions
+
+The methodology section will delineate the steps undertaken to achieve the project objectives, including the tools and technologies utilized, as well as any challenges encountered and the strategies employed to address them.

delivery3/features.adoc

@@ -1,25 +1,3 @@
-= SIO Project Report
-Authors: Rúben Gomes (113435), João Bastos (113470), Tiago Garcia (114184) | 30/12/2024
-
-:toc: macro
-:toclevels: 3
-:doctype: article
-:source-highlighter: highlightjs
-:icons: font
-:sectnums:
-:sectlinks:
-:!last-update-label:
-
-<<<
-
-== Introduction
-
-This document serves as the final report for the SIO-2425 project. This project serves as a way to demonstrate the practical application of some of the concepts learned throughout the course (Authentication, Access Control, Session Management and Stored Cryptography). On a analysis perspective, it will be focused on the V2 (Authentication) chapter of the OWASP ASVS.
-
-This report will cover the features implemented, the decisions made as a group, as well as results and conclusions of the project.
-
-<<<
-
 == Features
 
 The features of the project are the ones present in the course project description, but with an extra feature, the possibility to reset the database of the server. This was shown to be useful for testing purposes, but it should be disabled/deleted in a production environment.
@@ -241,31 +219,3 @@ a| * `Authorization: token`
 | ROLE_MOD
 
 |===
-
-== Decisions
-
-The methodology section will delineate the steps undertaken to achieve the project objectives, including the tools and technologies utilized, as well as any challenges encountered and the strategies employed to address them.
-
-== Analysis
-
-For the analysis section, the project will be evaluated under the scope of the V3 (Session Management) chapter of the OWASP ASVS. This will include an assessment of the session management mechanisms implemented, as well as any vulnerabilities identified and possible mitigations.
-
-=== Session Management
-
-==== Fundamental Session Management Security
-
-==== Session Binding
-
-==== Session Termination
-
-==== Cookie-based Session Management
-
-==== Token-based Session Management
-
-==== Federated Re-authentication
-
-==== Defenses Against Session Management Exploits
-
-== Results and Conclusions
-
-This section will present the outcomes of the project, including any data collected, analyses performed, and key findings.

delivery3/main.adoc

@@ -0,0 +1,27 @@
+= SIO Project Report
+Authors: Rúben Gomes (113435), João Bastos (113470), Tiago Garcia (114184) | 30/12/2024
+:toc:
+:toclevels: 3
+:doctype: article
+:source-highlighter: highlightjs
+:icons: font
+:sectnums:
+:sectlinks:
+:!last-update-label:
+
+<<<
+
+== Introduction
+
+This document serves as the final report for the SIO-2425 project. This project serves as a way to demonstrate the practical application of some of the concepts learned throughout the course (Authentication, Access Control, Session Management and Stored Cryptography). On a analysis perspective, it will be focused on the V2 (Authentication) chapter of the OWASP ASVS.
+
+This report will cover the features implemented, the decisions made as a group, as well as results and conclusions of the project.
+
+<<<
+include::features.adoc[]
+<<<
+include::decisions.adoc[]
+<<<
+include::analysis.adoc[]
+<<<
+include::results_conclusions.adoc[]

delivery3/results_conclusions.adoc

@@ -0,0 +1,3 @@
+== Results and Conclusions
+
+This section will present the outcomes of the project, including any data collected, analyses performed, and key findings.