- Docker Desktop
- Go 1.13
Please download the releases before continuing with the instructions below. If you would like to compile the code, please follow the instructions here for macOS and Linux.
Open a bash shell and run the following:
$ docker run --rm -it -p 2525:1025 -p 8080:1080 djfarrelly/maildev --incoming-user=test --incoming-pass=test
After that, run the binary as follows:
$ ./zendesk-product_security_challenge
The following list are the web endpoints you should visit to interact with the site:
- https://localhost - Website
- http://127.0.0.1:8080 - Mail
Open a terminal and run the following:
> docker run --rm -it -p 2525:1025 -p 8080:1080 djfarrelly/maildev --incoming-user=test --incoming-pass=test
After that, run the binary as follows:
> ./zendesk-product_security_challenge.exe
The following list are the web endpoints you should visit to interact with the site:
- https://localhost - Website
- http://127.0.0.1:8080 - Mail
Clone the repository, and run the following commands. Commands to download the compromised password list
is optional, as the release build.companion.zip
contains the common-passwords.db
.
$ go mod download
$ make run
# Compromised password list
$ make import-passwords
$ make setup-passwords
# Generate the releases
$ make pkg
The web application has the following features:
- Brand new look (Bootstrap)
- Input sanitization and validation
- Password hashed
- bcrypt
- Prevention of timing attacks
- Rate-limiting for all requests to the site
- Maximum failed attempts on login
- Temporary ban when maximum failed attempts threshold reached
- Logging
- Logging all DB (optional)
- Logging all requests
- CSRF prevention
- Multi factor authentication
- MFA through emails
- Password reset / forget password mechanism
- Password reset through emails
- Account lockout
- Temporary ban by IP & Browser
- User account is not locked when temporary ban is placed on offending client
- Cookie
- Secure, HttpOnly
- HTTPS
- Self-signed certificates
- Known password check
- zxcvbn by Dropbox for client-side password advice
- Valve fingerprintjs2 for browser fingerprinting
- CrackStation's password cracking dictionary for matching against well-known passwords.
The application starts with an empty database. Please sign up as a user before trying out the features.
- Test coverage
- OAuth2
Hello friend,
We are super excited that you want to be part of the Product Security team at Zendesk.
To get started, you need to fork this repository to your own Github profile and work off that copy.
In this repository, there are the following files:
- README.md - this file
- project/ - the folder containing all the files that you require to get started
- project/index.html - the main HTML file containing the login form
- project/assets/ - the folder containing supporting assets such as images, JavaScript files, Cascading Style Sheets, etc. You shouldn’t need to make any changes to these but you are free to do so if you feel it might help your submission
As part of the challenge, you need to implement an authentication mechanism with as many of the following features as possible. It is a non exhaustive list, so feel free to add or remove any of it as deemed necessary.
- Input sanitization and validation
- Password hashed
- Prevention of timing attacks
- Logging
- CSRF prevention
- Multi factor authentication
- Password reset / forget password mechanism
- Account lockout
- Cookie
- HTTPS
- Known password check
You will have to create a simple binary (platform of your choice) to provide any server side functionality you may require. Please document steps to run the application. Your submission should be a link to your Github repository which you've already forked earlier together with the source code and binaries.
Thank you!