Where communities thrive

Join over 1.5M+ people
Join over 100K+ communities
Free without limits
Create your own community

Explore more communities

Security Knowledge Framework/Lobby

Welcome to the OWASP-SKF chat room, if you need help or have questions then you are at the right place! https://securityknowledgeframework.org You can also ask our Chatbot questions regarding to security vulnerabilities: @botSKF_gitlab what is xss?

People

Repo info

Activity

Feb 19 22:12

Travis sthagen/skf-flask (master) failed (2)
Feb 19 22:09

Travis sthagen/skf-flask#1 errored (1)
Feb 19 13:33

Travis blabla1337/skf-flask (3.0.4) passed (2689)
Feb 19 12:23

Travis blabla1337/skf-flask (master) passed (2688)
Feb 19 12:18

Travis blabla1337/skf-flask (master) passed (2687)
Feb 17 14:22

Travis blabla1337/skf-flask (master) passed (2686)
Feb 17 13:36

Travis blabla1337/skf-flask (3.0.3) passed (2685)
Feb 17 13:27

Travis blabla1337/skf-flask (master) passed (2684)
Feb 14 12:46

Travis blabla1337/skf-flask (master) passed (2683)
Feb 14 12:40

Travis blabla1337/skf-flask (master) fixed (2682)
Feb 14 12:35

Travis blabla1337/skf-flask (master) errored (2682)
Feb 14 12:33

Travis blabla1337/skf-flask (master) still failing (2681)
Feb 13 13:44

Travis blabla1337/skf-flask#565 still failing (2680)
Feb 13 13:43

Travis blabla1337/skf-flask@7b25d44 (console-cleanup) failed (2679)
Feb 12 16:32

Travis blabla1337/skf-flask (master) broken (2678)
Feb 10 14:53

Travis blabla1337/skf-flask (master) passed (2677)
Feb 10 14:39

Travis blabla1337/skf-flask#564 broken (2676)
Feb 10 14:33

Travis blabla1337/skf-flask (master) passed (2675)
Feb 10 14:30

Travis blabla1337/skf-flask (master) canceled (2674)
Feb 10 14:05

Travis blabla1337/skf-flask#563 broken (2673)

Glenn ten Cate

@blabla1337

@balajiswami14 @danspils_twitter
Just for my information, the updating of any ASVS checklist is not working?

because the message I see is indeed related to the input validation we do

Glenn ten Cate

@blabla1337

Hmm there was a max length as well that disabled the update button as the titels of the security controls where to long

but in my case it was disabled so the update button didnt work

what type of input did you use when you got back the error message?

Validation Error on val_alpha_num_special

So what security control did you try to update

and what did you tried to change?

so I can reproduce it here as well

Glenn ten Cate

@blabla1337

@balajiswami14 about your remarks of the readme.io documentation. This is a bit old dated im afraid, what you see is functionality how SKF was in the past. The in-depth audit functionality with Developr Role and Security role we removed as the feedback we got was that its not used and done in the companies own tracking / vulnerability systems. Also for the manage users part we also removed it as we are now working on to get SAML integration so the whole Manage Users part will be done outside of SKF. Again the companies want that and not the manual creation and managing

So yeah good point we need to update the readme.io site :P

DanspilS 🌍

@danspils_twitter

Here's my steps:

create new checklist called test and give it some alphanumeric (no specials) entries in each box.
go to manage checklist page and click update on the one you created above.
tweak some of the text (still no specials) in the checklist description box and hit update.
watch the console explode! or at least 400 on the PUT.

Glenn ten Cate

@blabla1337

check, I just found it

had to enable persistant logs in developer of firefox...

Glenn ten Cate

@blabla1337

ok I found the problem

foobar @ " ' () ; a-z A-Z 0-9 _ . , - / ! # ^ & +'

is all good

but this one \

is triggering it

should I also add |

for the checklist title I have now these working characters that are allowe

foobar @ " ' () ; a-z A-Z 0-9 _ . , - / ! # ^ & +' \ : |

DanspilS 🌍

@danspils_twitter

(Y)

Glenn ten Cate

@blabla1337

ok let me commit

and roll out version 3.0.4

balajiswami14

@balajiswami14

@blabla1337 Checklist Options -> Manage checklists -> Select any one checklist -> Add checklist items -> Checklist edit options -> Click on any checklist item a.k.a the ASVS control

Say, if you want to choose a different "KB item" for a particular control and you select it, applying the "Update" button doesn't work. Also the checklist title isn't editable as well.

Eg:
Checklist title: "erify that passwords can contain spaces and truncation is not performed. Consecutive multiple spaces MAY optionally be coalesced"

This isnt editable and the "Update" isnt getting commited

Glenn ten Cate

@blabla1337

Check I also noticed that

but it was due to the fact of the max length of the field

I also removed that

for me the update button worked then

plus the special chars like | \

was not allowed and that triggered the 400 response

is also fixed now

Glenn ten Cate

@blabla1337

Ok I have updated the docker images

new versions are available with these fixes

DanspilS 🌍

@danspils_twitter

super support! confirmed part fixed in angular:1.3 and api:1.3. partly fixed because i can now update a checklist unless i use a return character. e.g. if i enter a description of test1 test2 then it works fine but put a return /n between test1 and test2 and I get the same error as before.

balajiswami14

@balajiswami14

Thanks a ton for the quick support!! The edit works like a charm now :)

Agree on the documentation part wrt the User management and the Developer/Security role options. I too am planning to integrate this with our JIRA.

Would be great if you can take a loot at the 3rd item i mentioned.

https://skf.readme.io/docs/post-development-stage
I just set some controls as True & False but that data doesnt appear in the Summary tab - where it is supposed to show the open, closed items etc in Red, Green etc.//

Glenn ten Cate

@blabla1337

@danspils_twitter lets see if we need that in the security control titles \, as for us we never came across that need :P

we can always modify it and add it if its really necessary

@balajiswami14 aah check perfect, yes indeed we made it more basic then we had before

we can make it a bit more fancy in the future again

we are currently busy with the SAML integration

after that we will have a look at those nice UI improvements :)

DanspilS 🌍

@danspils_twitter

Ah this isn't in the title, it's in the Checklist description

Glenn ten Cate

@blabla1337

Ooh crap ^^

Yes that we need to allow indeed