Sharons' CS Journey

Finishing winter terms capstone class marks 2/3rds through my capstone project of website application security. I chose it because I’m interested in the intersection between software development and security, and I believe that many vulnerabilities can be prevented already in the development phase. I also like node.js, which is the framework I used to develop the vulnerable application and the attack mechanism. This project gave me a chance to explore using frameworks and technologies which interest me, and to increase my knowledge of security.

One of the largest challenges in this project is how I’ll be hosting it for demonstration purposes, I still haven’t figured that one out. I can’t have it publicly availible, because of how vulnerable the application is. I have to assume that any user is capable of rooting the machine and doing what they want with it, and thus I don’t feel comfortable hosting it on a machine I own or am responsible for. I could have it as a docker image that each user downloads and runs on their machine locally.

I’m very pleased with project progress so far, I’ve thoroughly enjoyed working on this project. I liked developing each vulnerability and exploit, and look forward to adding the secure version of each vulnerable endpoint I’ve created so far. I’ll be adding the documentation and information for each exploit too, which will be interesting because I’ll get to do thorough research on each vulnerability in order to compile this information. I feel like this is a very solid project to present as a portfolio project, and I hope to be able to demonstrate it in interviews. I still need to touch up the code and documentation, but I’m very satisfied with it functionally and I look forward to see the progress I make on this project.

My favorite technology by far is Node.js. It allows javascript, which is a hacked together language that was designed to be run in a web browser, and was also developed in ten days[1], to run a server backend. How it works is that it runs on a v8 JavaScript engine, which allows Javascript to be executed outside of web browser. Node is also incredibly lightweight, making it very commonly used by software developerss if we want to roll out a quick and reliable server. Another advantage of using node is that there are so many libraries that you can add to your node tech stack, like socket.io which allows for socket communication, or express.js, which is a wonderful framework built on node that hosts web servers. It’s also incredibly lightweight, nodejs amounts to just a few megabytes, making it easier to run on machines with small amounts of disk storage.

On top of that, Node has a massive open source community of developers constantly developing tools, modules, and frameworks that help make building relatively complex applications a breeze. The fact that you can develop both the front end and back end of a web app in JS is also rather appealing, it eliminates the need to switch contexts between different languages, and the learning curve for full stack development lessens. These packages that are being constantly developed can be integrated into your project quite easily using the node package manager, it’s a simple command in the command-line to download a package and you’re good to go.

Node is not just efficient and lightweight, but also has very convenient even driven architecture, because it’s based on JS. This makes it well suited for handling concurrent requests without the need for complex threading, unlike traditional server environments. The use of async IO operations means that it can handle a high number of requests with minimal resource usage, making it perfect for scalable applications and microservices which companies and developers tend to use more and more as time goes on.

PS, this is a tangent, but if you’re wondering why I said javascript is hacked together, open a JS console and run this:
console.log(0.99999999999999999===1)
it’s true, even with the ===. To read more about this wackyness and why it happens, here’s a fun github repo full of similar funny javascript tricks. https://github.com/denysdovhan/wtfjs

1. https://www.geeksforgeeks.org/history-of-javascript/
2. https://en.wikipedia.org/wiki/Node.js (yes, wikipedia is a reliable source.)

Prompt: What is one thing from the articles that you would like to start doing (more often), and why? What is one thing you want to avoid doing and why?

I want to start making functions not take too many parameters. According to Chapter 3 of Refactoring: Improving the Design of Existing Code by Martin Fowler, one good way to avoid passing a very long parameter list to a function is to make a class or object to group together the parameters if possible, then pass the object rather than the separate parameters. In the function, the individual object parameters can be accessed, and this saves verbosity in the function call.

One thing I want to avoid doing is having global variables. The reason it’s bad practice to have data that’s globally accessible is that it allows for all functions in the program to modify that data. This creates opportunity for poor code hygiene, where, for example, there is a bug where global data is being modified and it’s unclear which piece of code is responsible for the change. One way to avoid this is by ensuring that data is only modifiable and accessible by whatever piece of code needs access to it.

I hope to employ these coding principles in the capstone project I’m working on currently, they are relevant to my current work in developing web apps with node.js.

Capstone Updates

The capstone is coming along wonderfully. I’ve implemented a nodejs server with express, and I’ve prototyped the attack on path traversal through this web app. Right now, it sends an exploit for path traversal through the clients web browser with a request using fetch, and updates an iframes contents with the output of the path traversal vulnerability. In the next project iteration, I will create an endpoint on the node app, like /request, which will take a string and make the exploit request, and send back the results it gets to the client, because it’s bad practice to demonstrate exploits through client side Javascript code, and ultimately this tool is a demonstrative and educational tool. If this project is being hosted on a server that’s accessible to the web, I can just have the vulnerable machine only whitelist its IP, and this wont be possible if the exploits are coming from random clients IP addresses. Overall, I’m feeling very good about the development we’ve done so far, and I look forward to seeing where this project goes. I really enjoy working with node.js, it’s been a while.

Here’s the Github repo in case you want to check it out:

https://github.com/sharoninator/Website-Security-Tool

Job Updates

Still no offers or interviews, the market seems pretty rough for junior software developers. I’ve branched out to also applying to positions like cloud engineering and DevOps, which is similar to what I do now at the Open Source Lab. I’m optimistic that I’ll find something eventually, with enough grit and applications. I also know a few people in the industry, and they might be able to help me out with getting references. I’ve been grinding leetcode lately to practice for interviews. I find it quite fun, and I can tell I’m getting better at solving problems than I was when I first started. Winter break is coming up, and I’ll be on vacation for part of it, but the other part I’ll probably spend doing leetcode and applying for jobs.

So far our project is going well. We’ve split up the project into vulnerabilities, and I’m in charge of exploiting the following vulnerabilities: Insecure design, path traversal, and security misconfiguration. We also decided that we’ll be implementing the web server with node.js and express, which I have prior experience with from past projects. JavaScript is one of my favorite languages, so I look forward to using this framework in our project. I enjoy developing backend servers, as I’m fascinated by how servers interact. I’m also very interested in computer security, I’ve been to a few security conferences before and am very active in my university’s security club. This project is a mix of some of my biggest fascinations in computer science.

I’ve also been looking for a job on the side, which has been rough because not many companies are looking to hire people in computer science these days, especially not new grads, its super competitive for us. Despite this hardship, I remain optimistic and am preparing for an interview by doing leetcode problems. I’ve been trying to solve at least one problem a day, and also apply for at least one job a day. I went to the career center on campus, and they’ve reviewed my Resume and given me feedback, I’ve improved it greatly. I’ve gone to a few career fairs on campus to network, and I’m asking people I know if they’re aware of any open positions at companies that I might be a good fit for. I really hope I find a job before graduation!

I hope that this capstone project can be something I link on my resume as a portfolio project. I will be careful to make sure the code is high quality, readable, and well commented. I’ll have clear commit messages and make sure to document all the changes I make with good descriptive commit messages. The idea is for an employer to see this project, and know that I’m a skilled developer who produces high quality work.

Hello, my name is Sharon and I’m a Computer Science student in my last year at Oregon State University. In my free time, I read, rock climb, and go down Wikipedia rabbit holes. (Did you know Wikipedia has a home page?)

https://en.wikipedia.org/wiki/Main_Page

I work as a Systems Engineer the Open Source Lab on campus, a lab that services the open source community. My job consists configuring and patching of a lot of Linux environments, and rolling out environments with Chef.

I started programming as a kid, because I was into Minecraft and wanted to make my own plugins for it. I started by learning Java, and from there it really interested me. From there, I learned JavaScript and Python, and got fascinated by networking. I have a few passion projects using Node.js and express.js or socket.io. Programming something that involves computers communicating with eachother is my greatest interest.

I’m taking a senior capstone class, and I can select a project that I work on. I’m looking at finding a project where I can work on a server, preferably with node.js or Python. I also have a strong background in security because I used to work as a Security Engineer at a small company in San Fransisco. I see that in the senior project selection, there’s one called Website Security Research Project, which looks interesting. Here are its requirements:

1. Perform penetration testing on the infrastructure of the web app for many of the top ten attacks (linked below)
2. Learn from each attempt at pentesting, and harden the web app accordingly.
3. Create a writeup for the attack and the solution and add to the GitHub repo how-to.
4. Repeat 1-3 until done 

This project seems interesting because it involves server-side programming, adjusting the web app to be more secure, and I’d also get the chance to pentest the web server.