Features added:
- Demo User Functions
- Error Page Middleware
- Admin & Root (Maintenance) User Navigation Bars
- Role Based Access Controls
  - Roles used in Mirai access-based controls
  - Role Based Access Control configuration
- Data Masking & Detection
  - Data masking of sensitive information sent as text
  - Sensitive data detection from image uploads using Optical Character Recognition
  - Sensitive data detection of passports using machine learning & Optical Character Recognition
- Logging & Console
- Admin Pages
  - Admin Dashboard
  - Admin Ban System
  - Admin Report Dashboard
  - User Lists
- Root Account Pages & Functionalities
  - Root Account Dashboard
  - Admin Lists
  - Admin Lock Accounts System
  - Maintenance Mode
  - Admin Create Accounts
- Error Middleware
  - Shows Locked Account page
  - Shows Banned Account page
- Separate Database Servers
- Admin Honeypot page
- Cloudflare Configuration

Features removed:
- N/A
Demo User Functions
A demo function for internal testing of the web application:
- Create users (Users, Mirai+ accounts, Admin, Root)
- Create users through the OAuth 2.0 login system
- Create reports (to showcase reporting in Mirai)
- Delete users and reports
- Create banned accounts and ban logs
Error Page Middleware
A middleware that handles errors raised in the Mirai social media application:
- Custom error pages and handling of web application errors such as 404, 403 and 500
- Redirects to the home page
- Requests for admin pages are answered with a 404 so that the admin pages are not revealed
Admin & Root (Maintenance) User Navigation Bars
Navigation bars for the Maintenance and Administrator accounts:
- Integrated with the common UI template
- If the user is an admin or root account, the navigation bar for their respective role is shown
Roles used in Mirai Access Based Controls Overview
- Guest: cannot use the web application; can only see public posts & comments
- User: can use Mirai features such as posts, comments and chats
- Mirai Plus: a subscription role that gives the user extra perks and improvements
- Admin (moderator): a privileged account that can ban users and view the reports made
- Root Account (Maintenance): the root account, which can set the site to maintenance mode, lock inactive admin accounts and create administrators
Role Based Access Controls Configuration
- Separation of duties & least privilege:
  a. The Maintenance account cannot perform admin roles, i.e. ban users
  b. Admins cannot perform user roles, i.e. use the Mirai social media app
- Every role has its own router, which only lets users of that role visit their authorised pages
- Further checks are in place, such as session checks, to ensure only authorised users can access pages
- Authorisation is done by whitelist
Data Masking of sensitive information sent as text
Integrated with the Posts, Profile Picture, Comments and Chat functionalities. Detects the following information:
- Singapore street addresses
- American Social Security Numbers
- Credit card numbers
If a user sends any of the above sensitive information as text, the sensitive data is detected and masked as ****.
Sensitive Data Detection from image uploads using Optical Character Recognition
Integrated with the Posts, Profile Picture, Comments and Chat functionalities. Detects sensitive data such as:
- Singapore street addresses
- American Social Security Numbers
- Credit card numbers
- If a user sends an image that contains any of the above sensitive information, the image is not sent and the user is prompted that it contains sensitive information which cannot be sent or posted
- Credit card numbers are validated for lengths of 13 to 19 digits
- Credit card numbers are validated with the Luhn algorithm to prevent false positives
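An added example (not Mirai's own code) of the text-masking and image-rejection logic described in the two sections above: the SSN, credit card and Singapore address patterns are simplified constructed assumptions, card hits must be 13 to 19 digits and pass Luhn, and the same detector serves both the text path (mask as ****) and the OCR path (refuse the upload).

```python
import re

# Constructed patterns (assumptions, not Mirai's own detectors).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified Singapore street address: optional block, street + road word, optional unit and postal code
SG_ADDR_RE = re.compile(
    r"\b(?:Blk|Block)?\s*\d{1,4}[A-Z]?\s+[A-Za-z][A-Za-z ]{1,40}?"
    r"\s(?:Street|St|Road|Rd|Avenue|Ave|Drive|Dr|Lane|Crescent|Cres)\b"
    r"(?:\s+\d{1,3})?(?:\s+#\d{1,2}-\d{1,4})?(?:,?\s+Singapore\s+\d{6})?",
    re.IGNORECASE,
)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str):
    """Return (kind, (start, end)) for every detection; card hits must pass Luhn."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("credit_card", m.span()))
    findings += [("ssn", m.span()) for m in SSN_RE.finditer(text)]
    findings += [("sg_address", m.span()) for m in SG_ADDR_RE.finditer(text)]
    return findings

def mask_sensitive(text: str):
    """Text path: replace each detected span with ****; returns (masked, kinds)."""
    findings = find_sensitive(text)
    limit = len(text)
    # work right to left so earlier offsets stay valid; skip overlapping spans
    for kind, (start, end) in sorted(findings, key=lambda f: f[1][0], reverse=True):
        if end <= limit:
            text = text[:start] + "****" + text[end:]
            limit = start
    return text, sorted(kind for kind, _ in findings)

def reject_image(ocr_text: str) -> bool:
    """Image path: the upload is refused if the OCR output contains any sensitive data."""
    return bool(find_sensitive(ocr_text))
```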
Sensitive Data Detection of Passport using Machine Learning & Optical Character Recognition
Integrated with the Posts, Profile Picture, Comments and Chat functionalities.
- Detects passports
- Passport detection is done through OCR, and passport recognition through machine learning using the Python Eye module
- Uses Google Tesseract OCR installed in a Docker container
- The function runs in the cloud to save resources
- Any detected passport is logged
- Detected passports are cached for faster detection of similar passports
- If a user sends an image that contains sensitive information, the image is analysed
- If a passport is detected, the image is not sent and the user is prompted that it contains sensitive information which cannot be sent or posted
- Detects whether the image contains particular information found in a passport
- Is able to detect type 1 to type 3 Machine Readable Zones
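An added example (not Mirai's own detector) of the MRZ step: given the text lines that OCR produced, it looks for a type 1, 2 or 3 Machine Readable Zone by line count and width, then confirms the hit with the ICAO 7-3-1 check digits so that stray uppercase text is not mistaken for a passport. The sample zone is the public ICAO Doc 9303 specimen, embedded here as constructed input.

```python
import re

# ICAO 9303 layouts: (lines, characters per line). Assumption: OCR has already
# produced the text lines; this is an illustration, not Mirai's own code.
MRZ_LAYOUTS = {"TD1": (3, 30), "TD2": (2, 36), "TD3": (2, 44)}
MRZ_CHARS = re.compile(r"^[A-Z0-9<]+$")

def mrz_char_value(ch: str) -> int:
    """Filler '<' = 0, digits as themselves, letters A..Z = 10..35."""
    if ch == "<":
        return 0
    return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10

def check_digit(field: str) -> str:
    """ICAO 7-3-1 weighted check digit, used for the document number and dates."""
    weights = (7, 3, 1)
    return str(sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10)

def _parse(mrz_type: str, block: list) -> dict:
    # Field offsets differ between the 3-line TD1 layout and the 2-line TD2/TD3 layouts
    if mrz_type == "TD1":
        doc, doc_cd = block[0][5:14], block[0][14]
        dob, dob_cd = block[1][0:6], block[1][6]
        exp, exp_cd = block[1][8:14], block[1][14]
    else:
        doc, doc_cd = block[1][0:9], block[1][9]
        dob, dob_cd = block[1][13:19], block[1][19]
        exp, exp_cd = block[1][21:27], block[1][27]
    ok = (check_digit(doc) == doc_cd and check_digit(dob) == dob_cd
          and check_digit(exp) == exp_cd)
    return {"type": mrz_type, "document_number": doc.replace("<", ""),
            "birth_date": dob, "expiry_date": exp, "checks_ok": ok}

def detect_mrz(ocr_lines: list):
    """Return parsed MRZ fields if the OCR text holds a TD1/TD2/TD3 zone, else None."""
    # OCR output is noisy: drop whitespace, upper-case, keep only MRZ-alphabet lines
    lines = [re.sub(r"\s+", "", l).upper() for l in ocr_lines]
    lines = [l for l in lines if l and MRZ_CHARS.match(l)]
    for start in range(len(lines)):
        for mrz_type, (count, width) in MRZ_LAYOUTS.items():
            block = lines[start:start + count]
            if len(block) == count and all(len(l) == width for l in block):
                return _parse(mrz_type, block)
    return None

# ICAO Doc 9303 specimen TD3 passport zone (public sample data, not a real person)
SAMPLE_TD3 = [
    "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<"),
    "L898902C36UTO7408122F1204159ZE184226B<<<<<10",
]
```

A result with checks_ok false is worth logging too: it usually means OCR misread a character rather than that the image is harmless.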
Logging & Console
Features:
- Logging of admin & root account pages viewed
- Logging of all actions done by the admin and root accounts, such as banning
- Logging of sign-ins and sign-outs of the admin and root accounts
- Logging of detected passports
- Logging of failed attempts at the admin honeypot page
- Integrated logging using Python logging, uploaded to the cloud
- Uses Google Cloud Logging
Admin Dashboard
Dashboard showing useful information for the administrator:
- Displays relevant dynamic information on the admin dashboard
- Number of ban logs, total users, banned users, reports in the system and open reports
Admin Ban System
Ban system of Mirai:
- When a user is banned, they are shown a banned page along with the reasons
- A banned user's posts, comments and profile are hidden from other viewers
Admin Report Dashboard
- Retrieves the reports made by users in the Mirai web application
- Shows open and closed cases
User Lists
User list of all the users in Mirai:
- Pagination to support data availability
- Allows admins to ban or unban users in Mirai
- Allows admins to ban misbehaving or suspicious users
- Bans are logged to the cloud
Root Account Dashboard
Shows the relevant dynamic information on the maintenance account page:
- Information shown: total admins, locked admins, maintenance mode and lock log counts
Admin Lists
Retrieves the admin list:
- Allows the root account to lock inactive admins or unlock admins
- When an admin account is locked or unlocked, a reason is required
- The lock or unlock action is logged
- Implemented pagination to support data availability
Admin Lock Accounts System
Mirai locked admins system:
- Locked admins are blocked from accessing the Mirai website
- Locked admins are shown a locked page stating the reason why they are locked
Maintenance Mode
Allows the website to be set in maintenance mode:
- Requires the root to input their username to confirm the action of setting the website to maintenance mode
- This action is logged
- Implemented reCAPTCHA Enterprise validation to prevent bot attempts at setting the site to maintenance mode
- The page dynamically changes to enable or disable maintenance mode depending on the current site mode
- When the site is in maintenance mode, users who are not admins or the root account are redirected to the maintenance page
Admin Create Accounts
Allows the creation of admins on the Mirai website:
- Admin emails must end with @miraisocial.live to be valid for creation
- Checks whether the admin already exists
- Admins may only log in via the OAuth 2.0 feature
- The creation of admin accounts is logged
- Implemented reCAPTCHA Enterprise validation to deter bot creation of admins
Error Middleware
Custom error exception handlers:
- A Lock exception is raised when an admin's locked status is set to true
- A Banned exception is raised when a user's banned status is set to true
- When either exception is raised, the user is redirected to the respective page
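An added, framework-free example (not Mirai's own code) that ties the Role Based Access Control configuration to the error middleware above: a whitelist decorator gives each handler its own allowed-role list (so the root account cannot reach admin handlers and admins cannot reach user handlers), session checks raise the Lock and Banned exceptions, and the dispatcher maps each exception to the page the user lands on. The session dict, handler names and page labels are assumptions.

```python
from enum import Enum
from functools import wraps

class Role(str, Enum):
    GUEST = "guest"
    USER = "user"
    MIRAI_PLUS = "mirai_plus"
    ADMIN = "admin"
    ROOT = "root"

class NotAuthorised(Exception): pass
class LockedAccount(Exception): pass
class BannedAccount(Exception): pass

def require_roles(*allowed: Role):
    """Whitelist decorator: only the listed roles reach the handler; all others are refused."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(session: dict, *args, **kwargs):
            # session checks run first: locked admins and banned users are stopped everywhere
            if session.get("banned"):
                raise BannedAccount(session.get("ban_reason", ""))
            if session.get("locked"):
                raise LockedAccount(session.get("lock_reason", ""))
            if session.get("role", Role.GUEST) not in allowed:
                raise NotAuthorised(handler.__name__)
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator

# One "router" per role: each handler lists exactly the roles allowed to use it
@require_roles(Role.USER, Role.MIRAI_PLUS)
def create_post(session, text):
    return f"post by {session['uid']}: {text}"

@require_roles(Role.ADMIN)
def ban_user(session, target, reason):
    return f"{target} banned by {session['uid']}: {reason}"

def dispatch(handler, session: dict, *args):
    """Error middleware: map each exception to the page the user is sent to."""
    try:
        return "200", handler(session, *args)
    except BannedAccount as e:
        return "banned", str(e)
    except LockedAccount as e:
        return "locked", str(e)
    except NotAuthorised:
        return "404", ""  # privileged pages answer 404 so they are not revealed
```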
Separate Database Servers
Two separate databases, a decentralised system:
- Implemented mirai as the user database server for all services of the Mirai web application
- Implemented mirai_admin as the database server for all services of the Mirai admin pages
- Failsafe: in the event of one database server being compromised, the other is isolated and separated from the attack
- Requires greater effort in integration and checks
Mirai Database Server
- For the daily operations of Mirai
- E.g. Posts database, Chat database, Users database
Mirai Admin Database
- For the admin & root account operations of Mirai
- E.g. Reports database, Ban database, Admin database
Admin Honeypot page
Fake admin page located at /admin/login:
- Serves as a test for attackers probing the website
- If an attacker inputs a username and password, the attempt is logged with:
  - the IP address of the attacker
  - the credentials used
- Administrators can be alerted by logs that show repeated access from a specific IP address, so that they can blacklist it or be warned of a possible attack
- Enabled reCAPTCHA to deter bot attacks
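An added example (not Mirai's own code) of the alerting side of the honeypot: it parses the logged attempts and flags any IP address with repeated hits inside a sliding time window, which is the signal an administrator would act on. The log line format, the documentation-range IP addresses and the sample lines are constructed assumptions; only the username is echoed, never the submitted password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not Mirai's real format). Only the username is
# echoed in alerts; the submitted password stays in the protected log store.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) WARNING honeypot login attempt "
    r"ip=(?P<ip>\S+) user=(?P<user>\S*)"
)

# Constructed sample log: one address hammering the page, one stray hit, one slow prober
SAMPLE_LOG = """\
2024-05-01 10:00:00 WARNING honeypot login attempt ip=203.0.113.5 user=admin
2024-05-01 10:00:30 INFO admin dashboard viewed by adm1
2024-05-01 10:01:10 WARNING honeypot login attempt ip=203.0.113.5 user=administrator
2024-05-01 10:02:05 WARNING honeypot login attempt ip=203.0.113.5 user=root
2024-05-01 10:03:40 WARNING honeypot login attempt ip=203.0.113.5 user=admin
2024-05-01 10:05:00 WARNING honeypot login attempt ip=198.51.100.7 user=test
2024-05-01 10:00:00 WARNING honeypot login attempt ip=203.0.113.9 user=admin
2024-05-01 10:30:00 WARNING honeypot login attempt ip=203.0.113.9 user=admin
2024-05-01 11:00:00 WARNING honeypot login attempt ip=203.0.113.9 user=admin
""".splitlines()

def parse_attempts(lines):
    """Yield (timestamp, ip, username) for each honeypot attempt; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def repeated_offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """IPs with at least `threshold` attempts inside any `window`, with their peak count."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_attempts(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Widening the window (for example to an hour) also catches the slow prober in the sample, which is the trade-off to tune against false alarms.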
Cloudflare Configuration
Configured Cloudflare security settings:
- Enabled cache controls on Cloudflare, setting the caching time to 3 hours
- Ensured strict query controls are in place
- Enabled HSTS on Cloudflare
- Enabled strict mode for the TLS/SSL configuration
- Used Titan to create the email accounts used on Mirai as OAuth accounts
I have explored Role Based Access Control & the feasibility of it. For users I will be further implementing Relationship Based Access Control, as it is better and allows finer-tuned controls between users. Each user can define how much control the other users can see.
I have also explored data masking for street names. My friend has offered to help teach me how to train data models, using existing data models online curated by Singaporeans.
References:
- ReBAC
- OWASP Authorization
- Data Masking Dataset
- AI PyTorch