
Commit 90f4dcc

update challenges
1 parent 8fd891d commit 90f4dcc

1 file changed

Lines changed: 41 additions & 4 deletions

File tree

nodejs/node-api/Challenges.md

@@ -6,10 +6,47 @@
66
* Use the walk-through: walkthroughs/*
77

88
---------------------------
9-
1) Fix the getItemsByCriteria to prevent Uncontrolled Resource Consumption
9+
## Uncontrolled Resource Consumption
10+
11+
CWE 400
12+
13+
Attackers trigger excessive use of CPU, memory, disk, or bandwidth—leading to DoS.
1014

11-
2) Create the /create-with-file endpoint to add an item with a picture uploaded from the user’s machine
15+
Fix the getItemsByCriteria to prevent Uncontrolled Resource Consumption
1216

13-
3) Fix the SSRF vulnerability in the create method
1417

15-
4) Fix the Race Condtion in coupon redemption
18+
---------------------------
19+
20+
## Unrestricted File Upload
21+
22+
CWE 434
23+
24+
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
25+
26+
Create the /create-with-file endpoint to add an item with a picture uploaded from the user’s machine
27+
28+
29+
---------------------------
30+
31+
## SSRF
32+
33+
CWE 918
34+
35+
* An attacker manipulates a server to make unintended or unauthorized HTTP requests.
36+
* These requests are initiated from the vulnerable server, and the attacker can often control the target of the request (e.g., a URL or IP address)
37+
* SSRF exploits the trust a server has in its internal network or other external systems
38+
39+
Fix the SSRF vulnerability in the create method
40+
41+
----------------------------
42+
43+
## Race Condition
44+
45+
"The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state."
46+
47+
CWE 367
48+
49+
The API allows users to apply a coupon code but it fails to properly handle concurrent requests. The logic checks if the coupon is unused, then applies the it— but these steps are not atomic.
50+
As a result, a malicious user can send multiple parallel requests using the same coupon.
51+
52+
Fix the Race Condtion in coupon redemption
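Review bot: the "Condtion" typo from the removed line "4) Fix the Race Condtion in coupon redemption" is carried over unchanged into the new "Fix the Race Condtion in coupon redemption", and the new explanatory text reads "then applies the it— but these steps are not atomic"; suggest "Fix the Race Condition in coupon redemption" and "then applies it, but these steps are not atomic". In the same section the quoted definition ("The product checks the state of a resource before using that resource ...") is given without saying where it comes from, and the "CWE 367" label sits below the quote while the other three sections place the CWE number directly under the heading; moving "CWE 367" up to match and naming the source of the quote would keep the file consistent. The rewrite also drops the "1)" to "4)" numbering from the task lines, so if anything under walkthroughs/* (referenced at the top of the file) identifies challenges by number it will no longer line up; consider keeping the numbers on the four task lines. Finally, "Fix the getItemsByCriteria to prevent Uncontrolled Resource Consumption" could say what getItemsByCriteria is (a method, as the SSRF task does with "the create method").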
