Glenn
@botSKF_gitlab
@Spyros (northdpole) Description for XSS injection is: Every time the application gets user input, whether this is showing it on screen or processing this data in the application background, these parameters should be escaped for malicious code in order to prevent cross-site scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. Although templating engines (razor, twig, jinja, etc.) and context-aware applications (Angular, React, etc.) do a lot of auto escaping for you, these frameworks should always be validated for effectiveness. (8:47:26 PM)
Spyros
@northdpole
hey @blabla1337 is there any documentation on deploying the skf bot? also, does it have slack bindings?
Riccardo ten Cate
@RiieCco
@northdpole yeah, the skf bot is a Hubot so that works with Slack also 😄
Spyros
@northdpole
awesome, is there any documentation on how to add it to slack?
Daniel Murphy
@DanHatesNumbers
Hi, I'm looking at deploying SKF at my workplace for our engineering teams. I'm planning on doing an AOT build of the Angular site to stick in S3 for static hosting, and deploying the Flask app as an HA container setup. I was wondering if there would be any appetite for a PR that gives users the option of using an external DB
as well as the SQLite DB
Spyros
@northdpole
You can use an external db already, gimme a sec
https://github.com/blabla1337/skf-flask/blob/master/skf/settings.py#L21 <-- set the environment variable SKF_DB_URL to point to the DB string you want to use
works great with containers, less great with servers
scrissti
@scrissti
I tried using an external db using the SKF_DB_URL environment variable, see my above comments. It didn't work; if you can help me with how to troubleshoot, I'd appreciate it. My requests to the api just fail with error 500
Spyros
@northdpole
gimme a sec
which image are you using?
Daniel Murphy
@DanHatesNumbers
@northdpole I was looking at the 2.0.1 tag, which looked like it wouldn't play nicely with another DB
scrissti
@scrissti
docker pull blabla1337/skf-flask
Daniel Murphy
@DanHatesNumbers
I take it that's not the case in master?
scrissti
@scrissti
docker run -e "ORIGIN=localhost" -e "JWT_SECRET=change_this_super_secret_random_string" -e "HTTPS=false" -e "SKF_DB_URL=postgresql://user:pwd@host:443/db" -ti -p 127.0.0.1:80:80 blabla1337/skf-flask:latest
Spyros
@northdpole
@DanHatesNumbers you're right, I had to add the optional ENV var for kubernetes deployments, whenever @blabla1337 releases the next version you'll get the option
scrissti
@scrissti
I don't know where to look for the exact error raised. the nginx/error.log is empty
Daniel Murphy
@DanHatesNumbers
@northdpole ah brilliant, that simplifies the work involved in getting everything up and running a bunch. Cheers!
scrissti
@scrissti
so what is the fix for me?
Spyros
@northdpole
gimme a sec
which runs a wrapper script which launches the api part as python3.7 skf/app.py
scrissti
@scrissti
i made also a local repo and i can make a new build, but what do I need to change ?
Spyros
@northdpole
there are no errors on stdout?
let me try something
scrissti
@scrissti
No errors on docker console
Spyros
@northdpole
you could just set it and rebuild the images, i'm testing if it works
scrissti
@scrissti
No, I don't have this version, master is using the env
Spyros
@northdpole
hmm, let me check some things
Spyros
@northdpole
so @scrissti I've got good news and bad news. Good news: you can use skf-api and skf-angular from the same dockerhub repo to get the functionality you want. They need some more env variables, which you can find here: https://github.com/blabla1337/skf-flask/blob/master/Docker/alpine-cloud/k8s/configmaps.yaml (skf-back is the api and front is the angular). Bad news is that the functionality you're looking for seems to be on the dev branch and not stable enough yet. You can try building your own containers and using the dev version as per documentation. An alternative would be to work with kubernetes if you're familiar with it, but if you're not it's a decent learning curve and if you're time constrained perhaps not a good avenue
I think I've prodded Glenn enough to work on this for now :p
scrissti
@scrissti
Thanks, I'll look into it
Glenn ten Cate
@blabla1337
@DanHatesNumbers @scrissti Hi guys, sorry, let me make a new image and push it to the docker hub
so then you can use the way mentioned by @northdpole as well, using the all-in-one docker image
or the other solution: use the api docker and the flask docker, as those already have these ENV settings enabled
@northdpole For the chatbot we have 2 docker images available to be able to deploy it, with documentation, for Slack and Gitter
tdimbs
@tdimbs
@botSKF_gitlab what is XSS?
Glenn
@botSKF_gitlab
@tdimbs Description for XSS injection is: Every time the application gets user input, whether this is showing it on screen or processing this data in the application background, these parameters should be escaped for malicious code in order to prevent cross-site scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. Although templating engines (razor, twig, jinja, etc.) and context-aware applications (Angular, React, etc.) do a lot of auto escaping for you, these frameworks should always be validated for effectiveness. (8:49:41 AM)
tdimbs
@tdimbs
@botSKF_gitlab how to fix XSS?
Glenn
@botSKF_gitlab
@tdimbs Solution for XSS injection is: In order to prevent XSS injections, all user input should be escaped or encoded. You could start by sanitizing user input as soon as it is inserted into the application, by preference using a so-called whitelisting method. This means you should not check for malicious content like the tags or anything, but only allow the expected input. Every input which is outside of the intended operation of the application should immediately be detected and login rejected. Do not try to help use the input in any way, because that could introduce a new type of attack by converting characters. The second step would be encoding all the parameters or user input before putting this in your HTML, with encoding libraries specially designed for this purpose. You should take into consideration that there are several contexts for encoding user input for escaping XSS injections. These contexts are, amongst others: HTML encoding, which is for whenever your user input is displayed directly in your HTML; HTML attribute encoding, which is the type of encoding/escaping that should be applied whenever your user input is displayed in the attribute of your HTML tags; HTML URL encoding, which should be applied whenever you are using user input in an HREF tag; JavaScript encoding, which should be used whenever parameters are rendered via JavaScript. Your application will detect normal injections in the first instance, but it still remains vulnerable to JavaScript encoding, which will not be detected by the normal encoding/escaping methods. (8:50:05 AM)
Daniel Murphy
@DanHatesNumbers
@blabla1337 cheers!
Glenn ten Cate
@blabla1337
Hi guys, there is now a latest label on docker hub
and a skf-flask-3.0.0
this includes the ENV variable stuff @northdpole was mentioning
or you go with the angular docker image and the api docker image
2 flavours :)
Ravi Mahankali
@ravi-mrk
@botSKF_gitlab what is CSRF?
Glenn
@botSKF_gitlab
@Ravi Mahankali (ravi-mrk) Description for CSRF on REST is: Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission, etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed. (2:37:25 PM)