Open dqu123 opened 9 years ago
@periodic1236 @epelz @dkong1796 @alphaz99 @Timeroot @ootks @ChingYunH @RobertEng
About SQL injection: the `sqlalchemy.text()` function is parameterized, so the parameters are passed in separately, like this:

```python
import sqlalchemy

# Named placeholders (:fn, :ln) are bound by the driver, never pasted into the SQL string.
query = sqlalchemy.text("SELECT user_id FROM members WHERE first_name=:fn AND last_name=:ln")
db.execute(query, fn="Daniel", ln="Kong")
```
About XSS:
About authentication:
Also if you want more about SQL injection, see this: https://github.com/ASCIT/Donut/issues/100
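As an added illustration of the point above (not code from the Donut project), the same `:fn`/`:ln` named-parameter style run through Python's standard `sqlite3` driver against a constructed in-memory `members` table, beside the string-formatting version it replaces. The table, its rows and the `lookup_*` function names are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for the members table (an assumption for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "Daniel", "Kong"), (2, "Ada", "Lovelace"), (3, "Grace", "Hopper")],
    )
    return conn

def lookup_unsafe(conn, fn, ln):
    # String formatting pastes user text into the SQL grammar itself.
    sql = "SELECT user_id FROM members WHERE first_name='%s' AND last_name='%s'" % (fn, ln)
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, fn, ln):
    # Named parameters, the same style as sqlalchemy.text(): the driver parses the query
    # first and binds the values afterwards, so input can only ever be a value.
    sql = "SELECT user_id FROM members WHERE first_name=:fn AND last_name=:ln"
    return [row[0] for row in conn.execute(sql, {"fn": fn, "ln": ln})]

# Textbook input that turns the WHERE clause into an always-true condition.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_safe(conn, "Daniel", "Kong"))      # [1]
    print(lookup_unsafe(conn, INJECTED, INJECTED))  # [1, 2, 3]: every row leaks
    print(lookup_safe(conn, INJECTED, INJECTED))    # []: treated as a literal name
```

The only difference between the two functions is who assembles the final statement; the parameterized form never has to guess which characters are dangerous.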
I talked to RuthAnne this morning about enabling HTTPS. She said it should be fairly easy and emailed me these instructions from the website.
Here are some instructions from the wiki our sysadmins use (obviously don't use "root@caltech.edu" as the email address...!). --RA
Create the SSL key

Create the server key either with or without a passphrase:

```sh
openssl genrsa -des3 -out server.key 2048
openssl genrsa -out server.key 2048
```

Save the server.key file.
Create the Certificate Signing Request

Now create the Certificate Signing Request:

```sh
openssl req -new -key server.key > server.csr
```

Answer the questions like so:

```
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Pasadena
Organization Name (eg, company) [My Company Ltd]:California Institute of Technology
Organizational Unit Name (eg, section) []: IMSS
Common Name (eg, your name or your server's hostname) []: $fqdn
Email Address []:root@caltech.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "Common Name", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.com/, enter "www.foo.com" there.
Get your CSR signed by the Globalsign (or other) certificate authority
E-mail your CSR to security@caltech.edu, along with the PTA you want the fee to be charged to, the number of years you want the certificate for, and let them know who you want it signed by (CIT-signed, Globalsign signed, or some other CA).
security@caltech.edu will mail you back a signed certificate.
Discussion
If you use the certificate for your HTTP/SMTP server
Reload httpd/restart postfix after installing the certificate file.
If you created a key which has a passphrase
If you created a key which has a passphrase, remember the passphrase; you'll need it in the future when you want to renew the certificate.
You'll need a decrypted PEM version of your RSA private key to use with Apache. Here's how you make one:

```sh
openssl rsa -in server.key -out server.key.unsecure
```

For Apache, use server.key.unsecure for SSLCertificateKeyFile, and the signed certificate from security@caltech.edu as the SSLCertificateFile.

Once you have the cert.crt and cert.key files, you get the corresponding cert.pem (needed for IMAP/POP/SMTP) by doing: `cat cert.key cert.crt > cert.pem`.
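As an added example (not part of the sysadmin wiki text above), the key-and-CSR steps driven from Python with `subprocess`, so the interactive prompts are answered with `-subj` and the script can check afterwards that the Common Name really is the FQDN. It also adds a `subjectAltName` via `-addext` (OpenSSL 1.1.1 or newer), since current browsers match the hostname against the SAN rather than the CN. The hostname, organization and unit values are placeholders, and the `openssl` binary is assumed to be on the PATH.

```python
import os
import re
import shutil
import subprocess

# Placeholder hostname; use the server's real fully qualified domain name.
FQDN = "donut.example.edu"

def run(*args):
    # Run one openssl subcommand and fail loudly on a non-zero exit status.
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)

def make_key_and_csr(workdir, fqdn, org="Example University", unit="IT"):
    key = os.path.join(workdir, "server.key")
    csr = os.path.join(workdir, "server.csr")
    # Unencrypted key (the second genrsa form above): nothing to decrypt later for Apache.
    run("genrsa", "-out", key, "2048")
    os.chmod(key, 0o600)  # the private key should be readable by its owner only
    subject = f"/C=US/ST=California/L=Pasadena/O={org}/OU={unit}/CN={fqdn}"
    # -subj answers the prompts non-interactively; -addext adds the SAN browsers expect.
    run("req", "-new", "-key", key, "-out", csr,
        "-subj", subject, "-addext", f"subjectAltName=DNS:{fqdn}")
    return key, csr

def csr_common_name(csr):
    # -verify checks the CSR's own signature; -subject prints the subject line.
    out = run("req", "-in", csr, "-noout", "-verify", "-subject").stdout
    match = re.search(r"CN\s*=\s*([^,/\n]+)", out)
    return match.group(1).strip() if match else None

def csr_has_san(csr, fqdn):
    # The text dump lists the requested extensions, including the SAN.
    text = run("req", "-in", csr, "-noout", "-text").stdout
    return f"DNS:{fqdn}" in text

def generate_and_check(workdir, fqdn):
    """Generate a key and CSR; return (common_name, has_san), or None if openssl is missing."""
    if shutil.which("openssl") is None:
        return None
    _, csr = make_key_and_csr(workdir, fqdn)
    return csr_common_name(csr), csr_has_san(csr, fqdn)

if __name__ == "__main__":
    import tempfile
    print(generate_and_check(tempfile.mkdtemp(), FQDN))  # ('donut.example.edu', True)
```

Mailing the resulting server.csr to the CA then proceeds exactly as described above; the private key never leaves the server.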
Yeah, that's the same thing I did to set up https for Ruddock. Couple things to note:
From the Ruddock documentation: https://docs.google.com/document/d/1pudZaGvmd5_mBVLMS4HkB5WoW_yXWhD9VyUPPn5_12Q/edit?usp=sharing
Let's use this as a place to discuss security issues and how we plan on addressing them. Also if you note any security hole you can comment here and link to the code or whatever. I'm actually working on authentication and security for my SURF (in Django), so I'm trying to think about the best way to do things, so I'd like to hear other people's opinions.
My thoughts:
General Exploits
SQL Injection: "Add SQL code to input to take over a db"
Option 1: Secure queries, built into Flask
Option 2: Object relational mapper functions for queries
XSS: "Input is printed and renders as html, allowing for javascript to be run"
Sanitize user input, escape
CSRF: "A website uses your browser's cookies to fill out forms for you on another site"
Django has middleware with CSRF tokens that adds a hidden POST variable.
User Security
Brute force password search:
Password Reset:
Should we email a "reset key" and then do the reset through a special link?
Feel free to add any other security issues you know about.
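To make the CSRF, brute-force and password-reset items above concrete, here is an added example (my own sketch, not Donut code) of the three server-side mechanisms in framework-free Python: a per-session CSRF token embedded as a hidden POST field and compared in constant time, a per-account failed-login counter with a lockout window, and an e-mailed reset key of which only the hash is stored, with an expiry and single use. The `session`, `failures` and `store` dictionaries stand in for whatever the app keeps server-side; the limits are assumed values.

```python
import hashlib
import hmac
import secrets
import time

# --- CSRF: random token in the session, copied into the form, compared on POST ---

def issue_csrf_token(session):
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def hidden_field(token):
    # The hidden POST variable the form carries (what Django's middleware emits for you).
    return '<input type="hidden" name="csrf_token" value="%s">' % token

def check_csrf(session, submitted):
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time compare so timing does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)

# --- Brute force: count recent failures per account, lock out past a threshold ---

MAX_FAILURES = 5      # assumed threshold
LOCKOUT = 900         # assumed window, seconds

def _recent(failures, username, now):
    return [t for t in failures.get(username, []) if now - t < LOCKOUT]

def record_login_attempt(failures, username, success, now=None):
    """Record one attempt; return True when the account is now locked out."""
    now = time.time() if now is None else now
    if success:
        failures.pop(username, None)
        return False
    recent = _recent(failures, username, now) + [now]
    failures[username] = recent
    return len(recent) >= MAX_FAILURES

def is_locked_out(failures, username, now=None):
    now = time.time() if now is None else now
    return len(_recent(failures, username, now)) >= MAX_FAILURES

# --- Password reset: e-mail a random key, store only its hash, expire and burn it ---

RESET_TTL = 3600      # assumed lifetime, seconds

def _key_hash(key):
    return hashlib.sha256(key.encode()).hexdigest()

def create_reset_key(store, user_id, now=None):
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    # Only the hash is kept, so a leaked table does not yield usable reset links.
    store[_key_hash(key)] = (user_id, now + RESET_TTL)
    return key  # this is what goes into the e-mailed link

def redeem_reset_key(store, key, now=None):
    """Return the user_id the key belongs to, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    entry = store.pop(_key_hash(key), None)  # pop: a key works exactly once
    if entry is None:
        return None
    user_id, expires = entry
    return user_id if now <= expires else None

if __name__ == "__main__":
    session, failures, store = {}, {}, {}
    tok = issue_csrf_token(session)
    print(hidden_field(tok), check_csrf(session, tok))
    for _ in range(MAX_FAILURES):
        locked = record_login_attempt(failures, "alice", success=False)
    print("locked out:", locked)
    key = create_reset_key(store, 42)
    print(redeem_reset_key(store, key), redeem_reset_key(store, key))  # 42 None
```

Hashing the reset key before lookup means the dictionary comparison never touches the secret itself, so the constant-time compare is only needed where the raw token is compared, as in `check_csrf`.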