This repository has been archived by the owner on May 17, 2022. It is now read-only.

Inconsistency between tutorial vulnerabilities described and those that exist #46

Open
cewing opened this issue Jan 19, 2016 · 4 comments

@cewing

cewing commented Jan 19, 2016

Greetings,

I'm prepping for teaching a course on Python web development to begin in about 8 weeks. I would like very much to use this repository in a series of assignments about OWASP vulnerabilities. I want to start here by thanking you for making it available.

That being said, I'm noticing some issues that make it hard to use as a teaching tool.

One first example involves the Broken Authentication and Session Management tutorial step. In the text describing the bug the problem is described as an incomplete blacklist for form fields that omits is_superuser. However, that's not actually the problem present in the user registration form which appears instead to be the 'inadvertent' inclusion of the user_permissions field in the form whitelist.

I think the incomplete blacklist problem is a better example, as allowing someone to assign themselves superuser status is a much clearer vulnerability to demonstrate than allowing them to get permissions they should not have. Is it possible to revert to using the blacklist problem instead? If not, can the description of the bug be updated to align correctly with the reality of the app vulnerability?

I'm still looking over other tutorial steps to see if I can find any other such issues. Thanks very much for any attention you can give to this issue. I certainly hope that development is ongoing and that this input is welcomed.
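A stand-alone illustration of the two form configurations this comment contrasts, written for this thread and not taken from the repository: a pure-Python stand-in for Django's ModelForm field selection (the user model, field names and POST data are constructed), showing that an exclude list that forgets is_superuser, and a fields whitelist that inadvertently includes user_permissions, both bind privileged attributes from a tampered registration request, while a tight whitelist binds only the signup fields.

```python
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for django.contrib.auth's User: attribute names only.
USER_MODEL_FIELDS = ("username", "email", "password",
                     "is_staff", "is_superuser", "user_permissions")

def form_fields(exclude: Optional[Iterable[str]] = None,
                fields: Optional[Iterable[str]] = None) -> List[str]:
    """Mimic ModelForm.Meta: `fields` whitelists, otherwise `exclude` blacklists."""
    if fields is not None:
        return [f for f in fields if f in USER_MODEL_FIELDS]
    blocked = set(exclude or ())
    return [f for f in USER_MODEL_FIELDS if f not in blocked]

def bind_registration(post: Dict[str, object],
                      allowed: Iterable[str]) -> Dict[str, object]:
    """Build a new user record from only the form's allowed fields."""
    user: Dict[str, object] = {"is_staff": False, "is_superuser": False,
                               "user_permissions": []}
    for name in allowed:
        if name in post:
            user[name] = post[name]
    return user

# Constructed attacker request: a normal signup plus two privileged extras.
TAMPERED_POST = {"username": "mallory", "email": "m@example.test",
                 "password": "pw", "is_superuser": True,
                 "user_permissions": ["auth.change_user"]}

# Tutorial's vulnerable blacklist: is_superuser is missing from exclude.
INCOMPLETE_EXCLUDE = ("is_staff", "user_permissions")
# The other variant the issue describes: a whitelist that lets user_permissions in.
LEAKY_FIELDS = ("username", "email", "password", "user_permissions")
# Hardened form: only the three attributes a self-registration may set.
SAFE_FIELDS = ("username", "email", "password")

def register_incomplete_blacklist(post):
    return bind_registration(post, form_fields(exclude=INCOMPLETE_EXCLUDE))

def register_leaky_whitelist(post):
    return bind_registration(post, form_fields(fields=LEAKY_FIELDS))

def register_safe_whitelist(post):
    return bind_registration(post, form_fields(fields=SAFE_FIELDS))

if __name__ == "__main__":
    for fn in (register_incomplete_blacklist, register_leaky_whitelist,
               register_safe_whitelist):
        u = fn(TAMPERED_POST)
        print(f"{fn.__name__}: superuser={u['is_superuser']} perms={u['user_permissions']}")
```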

@nafod
Contributor

nafod commented Jan 19, 2016

Hey cewing, definitely agree on blacklist vs. whitelist. I'll take a look at making the necessary changes. And thanks for the kind words :)

@nafod
Contributor

nafod commented Feb 16, 2016

Hey @cewing, the latest commit in master (7875075) should have flipped the example from a whitelist to an incomplete blacklist. We also tidied up the language and formatting in some of the tutorials. If it's all good I'll go ahead and close this issue.

@cewing
Author

cewing commented Feb 16, 2016

@cmalekpour I'll check it out and let you know. Give me a few days?

@nafod
Contributor

nafod commented Feb 16, 2016

Definitely, no rush. Thanks for all the help!
