The Snyk Code room hosted by TryHackMe walks through securing code with Snyk – a junior application security engineer’s journey. More details can be found here: https://tryhackme.com/r/room/snykcode
For readability, I do not include the room’s informational texts for each task.
Introduction
Let’s say hi to Jessica, who will help us!
Answer: none
Jessica is back!
Ready? Let’s get going!
Answer: none
Understanding Code Security Risks
How many dependencies do we have for this new feature?
Answer: 3
Getting Started With Snyk Code
How many vulnerabilities are flagged on the search-feature.js file?
Answer: 4
How many high-severity vulnerabilities are flagged on the search-feature.js file?
Answer: 2
What are the two medium-severity vulnerabilities flagged on the search-feature.js file? (in alphabetical order)
Answer: Cross-Site Request Forgery, Information Exposure
Diving Deeper Into Vulnerabilities
What is the CWE for Cross-site Scripting?
Answer: CWE-79
What is the CWE for SQL injection?
Answer: CWE-89
What is the unsanitised user input in the chat-controller.js file?
Answer: searchTerm
Remediating Vulnerabilities
What is the new vulnerability introduced with the XSS fix?
Answer: Allocation of resources without limits or throttling
Which Express method is used to fix the XSS vulnerability in the code snippet?
Answer: res.render
What is the updated code in the code snippet using to fix the SQL injection?
Answer: parameterised queries
CI/CD Pipelines Automation & Continuous Monitoring
Establishing sensible alert thresholds in continuous monitoring practices involves considering the severity, frequency, and rate of change of vulnerabilities. (y/n)
Answer: y
Establishing Best Practices
Which OWASP framework serves as a guide to strengthen the relationship between development teams and information security teams?
Answer: OWASP Security Champion Playbook
Well done Jessica, she did it again!
Answer: none
That concludes this room. I haven’t used Snyk before, and even if I never will professionally, I think it is still very useful to know what it can do!