brothercorvo
commented
5 months ago @naman108 please verify if that is still the case in the current version
Open Securitybits-io opened 2 years ago
brothercorvo
commented
5 months ago @naman108 please verify if that is still the case in the current version
naman108
commented
4 months ago This is definitely still an issue
naman108
commented
2 months ago I think this issue can be reasonably decomposed into three parts:
IMO, this is probably the most relevant factor for the security conscious user as the other two pertain mostly to cases where an attacker already has access to the UI. To address this issue we would need two main changes:
I think we could reasonably address this by enabling API tokens for use in the web sockets that way every user has a uniquely identifying access token for FTS which can be revoked.
In general, we expect that the authenticated user knows their API token however clearly this is an issue over HTTP as anyone listening could get access to the API token. This would bring us back to issue 1, where we should provide the user with an easy mechanism to enable HTTPS.
naman108
commented
2 months ago @brothercorvo @Securitybits-io what are your thought's on this?
The WebUI leaks the RestAPI and Websocket tokens in the javascript source code! These should not be reflected back to the user as that can lead to unintended requests through for example XSS.
API Bearer Token
Websocket Token