Welcome to the OWASP-SKF chat room, if you need help or have questions then you are at the right place! https://securityknowledgeframework.org You can also ask our Chatbot questions regarding to security vulnerabilities: @botSKF_gitlab what is xss?
@Spyros (northdpole) Description for XSS injection is : Every time the application gets userinput, whether this showing it on screen or processing this data in the application background, these parameters should be escaped for malicious code in order to prevent crosssite scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. Altough templating engines(razor, twig, jinja, etc) and contextaware applications(Angular, React, etc) do a lot of auto escaping for you. These frameworks should always be validated for effectiveness. (8:47:26 PM)
Hi, I'm looking at deploying SKF at my workplace for our engineering teams. I'm planning on doing an AOT build of the Angular site to stick in S3 for static hosting, and deploying the Flask app as a HA container setup. I was wondering if there would be any appetite for a PR that gives users the options of using an external DB
As well as the SQLite DB
https://github.com/blabla1337/skf-flask/blob/master/skf/settings.py#L21 <-- set the environment variable SKF_DB_URL to point to the DB string you want to use
works great with containers, less great with servers
which image are you using?
docker run -e "ORIGIN=localhost" -e "JWT_SECRET=change_this_super_secret_random_string" -e "HTTPS=false" -e "SKF_DB_URL=postgresql://user:pwd@host:443/db" -ti -p 127.0.0.1:80:80 blabla1337/skf-flask:latest
your image is probably built using https://github.com/blabla1337/skf-flask/blob/2.0.1/Docker/alpine/Dockerfile
which runs a wrapper script which launches the api part as python3.7 skf/app.py
let me try something
you could just set it and rebuild the images, i'm testing if it works
so @scrissti i got good news and bad news, good news: you can use skf-api and skf-angular from the same dockerhub repo to get the functionality you want. they need some more env variables which you can find here: https://github.com/blabla1337/skf-flask/blob/master/Docker/alpine-cloud/k8s/configmaps.yaml skf-back is the api and front is the angular. Bad news is that the functionality you're looking for seems to be on the dev branch and not stable enough yet. you can try building your own containers and using the dev version as per documentation. An alternative would be to work with kubernetes if you're familiar with it but if you're not it's a decent learning curve and if you're time constrained perhaps not a good avenue
i think i've prodded Glenn enough to work on this for now :p
so then you can use the way mentioned by @northdpole as well using the all in one docker image
or the other solution use the api docker and the flask docker as those have already this ENV settings enabled
or the other solution use the api docker and the flask docker as those have already this ENV settings enabled
@northdpole For the chatbot we have 2 docker images available to be able to deploy it with documentation, Slack and Gitter
@tdimbs Description for XSS injection is : Every time the application gets userinput, whether this showing it on screen or processing this data in the application background, these parameters should be escaped for malicious code in order to prevent crosssite scripting injections. When an attacker gains the possibility to perform an XSS injection, he is given the opportunity to inject HTML and JavaScript code directly into the application. This could lead to accounts being compromised by stealing session cookies or directly affect the operation of the target application. Altough templating engines(razor, twig, jinja, etc) and contextaware applications(Angular, React, etc) do a lot of auto escaping for you. These frameworks should always be validated for effectiveness. (8:49:41 AM)
@tdimbs Solution for XSS injection is : In order to prevent XSS injections, all userinput should be escaped or encoded. You could start by sanitizing userinput as soon as it is inserted into the application, by preference using a so called whitelisting method. This means you should not check for malicious content like the tags or anything, but only allow the expected input. Every input which is outside of the intended operation of the application should immediately be detected and login rejected. Do not try to help use the input in any way because that could introduce a new type of attack by converting characters. The second step would be encoding all the parameters or userinput before putting this in your html with encoding libraries specially designed for this purpose.You should take into consideration that there are several contexts for encoding userinput for escaping XSS injections. These contexts are amongst others: HTML encoding, is for whenever your userinput is displayed directly into your HTML. HTML attribute encoding, is the type of encoding/escaping that should be applied whenever your user input is displayed into the attribute of your HTML tags. * HTML URL encoding, this type of encoding/escaping should be applied to whenever you are using userinput into a HREF tag.JavaScript encoding should be used whenever parameters are rendered via JavaScript; your application will detect normal injections in the first instant. But your application still remains vulnerable to JavaScript encoding which will not be detected by the normal encoding/escaping methods. (8:50:05 AM)
and a skf-flask-3.0.0
this includes the ENV variable stuff @northdpole was mentioning
or you go with the angular docker image and the api docker image
2 flavours :)
@Ravi Mahankali (ravi-mrk) Description for CSRF on REST is : CrossSite Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a users Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.The impact of a successful crosssite request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the users context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer, form submission etc.) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed. (2:37:25 PM)