Welcome to the OWASP-SKF chat room, if you need help or have questions then you are at the right place! https://securityknowledgeframework.org You can also ask our Chatbot questions regarding to security vulnerabilities: @botSKF_gitlab what is xss?
@Glenn ten Cate (blabla1337) 0 Code input validation (12:40:25 PM)
@Glenn ten Cate (blabla1337) 0 Code input validation in php (12:40:41 PM)
@Glenn ten Cate (blabla1337) 2 Code input validation in django (12:40:41 PM)
@Glenn ten Cate (blabla1337) 3 Code input validation in ruby (12:40:41 PM)
@Glenn ten Cate (blabla1337) Code for input validation
Example:
<?php
/*
This function is where you store al your input validation controls.
It makes it easy to maintain whenever you want to apply changes for
certain input validation roles and reduces the chance of mistakes in your regexes.
*/
class validation{
//Our input validation function
public function inputValidation($input, $type, $logMessage, $threatLevel, $countLevel){
//Audit log and user lockdown
$logging = new logging();
switch ($type) {
case "numeric":
$pattern = "/^[09]+$/";
break;
case "alphanumeric":
$pattern = "/^[azAZ09]+$/";
break;
}
if(!preg_match($pattern, $input)){
/*
Set a log for whenever there is unexpected user input with a threat level
See "audit logs" code example for more information:
*/
$logging > setLog($_SESSION[''userID''], $logMessage, "FAIL", date("dmy"),
$_SESSION["privilege"], $threatLevel);
/*
Set counter if counter hits 3 the users session must terminated
After 3 session terminations the user account must be blocked
See "audit logs" code example for more information:
*/
$logging>setCounter($countLevel);
return false;
}else{
//Set a log for whenever there is unexpected userinput with a threat level
$logging>setLog($_SESSION[''userID''],"Valid input validation for regex from ".$type." ",
"SUCCESS", date("dmy"), $_SESSION["privilege"], "NONE");
return true;
}
}
}
?>Code language is php (12:40:51 PM)
how are you
We are good
how are you?
Hope you're fine.
I am following docker installation guide to run it but it doesn't work at first-login when I click "create account". I only see OPTIONS request but PUT.
While running Docker, it also gives following error. Maybe this was the reason.
`
- /wrapper.sh
/wrapper.sh: line 12: /skf-angular.sh: No such file or directory`
My command is like this:
docker run -v /root/skf-db/db.sqlite:/skf-flask/skf/db/db.sqlite -e SKF_FLASK_DEBUG=True -e ORIGIN=MY_IP -e JWT_SECRET=change_this_super_secret_random_string -ti -p 443:443 blabla1337/skf-flaskI gave 777 for db file to see it as working but no luck.
Can you help me to figure out what is wrong?
@enderax we are working on an easier way to start the SKF application
if you want to use it locally I would recommend to use for now the dev branch
git clone -b dev https://github.com/blabla1337/skf-flask.git
go into the skf-flask dir
and run docker-compose up
it will spin all the needed things up
and you can access it on localhost
also remember to enable Kubernetes in your Docker desktop GUI so you can also launch the Labs from SKF
if you want to install it on a server you have 2 options
or use the k8s and deploy it for example on GKE
or you manually install the SKF API and SKF Angular
and use the Nginx config file in the SKF project for the reverse proxy and connecting them
@Glenn ten Cate (blabla1337) Description for XSS injection is : Every time the application gets userinput, whether this showing it on screen or processing this data in the application background, these parameters should be escaped for malicious code in order to prevent crosssite scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. Altough templating engines(razor, twig, jinja, etc) and contextaware applications(Angular, React, etc) do a lot of auto escaping for you. These frameworks should always be validated for effectiveness. (12:39:21 PM)
:P
@Aniket Surwade (asurwade_gitlab) Description for XSS injection is : Every time the application gets userinput, whether this showing it on screen or processing this data in the application background, these parameters should be escaped for malicious code in order to prevent crosssite scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. Altough templating engines(razor, twig, jinja, etc) and contextaware applications(Angular, React, etc) do a lot of auto escaping for you. These frameworks should always be validated for effectiveness. (8:43:18 AM)
what is SSRF?
@botSKF_gitlab Howdo you validate Frameworksk such as Angular or React for effectiveness
@Chasej (ruevaughn) 3 Description change and validate current password (12:38:29 AM)
@Chasej (ruevaughn) 2 Description validate the integrity of all security relevant configurations (12:38:29 AM)
@Chasej (ruevaughn) 1 Description verify that structured data is strongly typed and validated (12:38:29 AM)