XSS - all reflected data is loaded using the Mystic library via the Inquisition API. The content-type for all pages and requests is application/json, which should ensure all transmitted data is treated as plain text and escaped, rather than rendered as HTML.
CSRF - no login functionality currently supported
SSRF - no code that executes CLI commands is in use; no attack vector found.
SQLi - all SQL queries, in all modules, utilize parameterized queries in accordance with best practice. Connection configurations in code were set with security in mind.
DDoS - there's no rate-limiting enforced within the API, as this application is meant to be used internally. With that in mind, the ability for programmers to make as many requests as their individual systems/organizations allow is worth more than the anti-DoS protection that rate-limiting would provide.
Sensitive-data Exposure - sensitive configuration fields have been blacklisted as needed (e.g. db passwords, API keys, etc.). The code is also easily modifiable to include any additional fields the user may choose to add.
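Worked example of the blacklist approach described above; this is an added illustration, not the project's own code, and the field names, sample configuration and function names are assumptions.

```python
import copy
import json
import re

# Assumed blacklist of configuration field names whose values must never be
# returned by the API. Extend this set, or pass your own, to cover more fields.
SENSITIVE_FIELDS = {"password", "passwd", "api_key", "apikey", "secret", "token"}

# Substring match (case-insensitive) so "db_password" and "slack_api_key"
# are caught, not just exact key names.
_SENSITIVE_RE = re.compile("|".join(sorted(SENSITIVE_FIELDS)), re.IGNORECASE)
REDACTED = "[REDACTED]"


def is_sensitive_field(name, sensitive=None):
    """Return True if a config key should be redacted (custom blacklist optional)."""
    if sensitive is None:
        return bool(_SENSITIVE_RE.search(name))
    return any(s.lower() in name.lower() for s in sensitive)


def redact_config(cfg, sensitive=None):
    """Return a deep copy of cfg with sensitive values replaced.

    Walks nested dicts and lists so a secret in cfg["log_db"]["password"]
    is caught, not only top-level keys. The original object is not modified.
    """
    if isinstance(cfg, dict):
        return {k: REDACTED if is_sensitive_field(str(k), sensitive)
                else redact_config(v, sensitive) for k, v in cfg.items()}
    if isinstance(cfg, list):
        return [redact_config(item, sensitive) for item in cfg]
    return copy.deepcopy(cfg)


def collect_secrets(cfg, sensitive=None):
    """Gather every value stored under a blacklisted key, for a post-redaction check."""
    found = []
    if isinstance(cfg, dict):
        for k, v in cfg.items():
            if is_sensitive_field(str(k), sensitive):
                found.append(str(v))
            else:
                found.extend(collect_secrets(v, sensitive))
    elif isinstance(cfg, list):
        for item in cfg:
            found.extend(collect_secrets(item, sensitive))
    return found


def leaked_secrets(original, redacted, sensitive=None):
    """Return secret values from original that still appear in the JSON the API would send."""
    blob = json.dumps(redacted)
    return [s for s in collect_secrets(original, sensitive) if s and s in blob]


# Constructed sample configuration; the values are placeholders.
SAMPLE_CONFIG = {
    "general": {"log_level": "INFO", "workers": 4},
    "log_db": {"host": "127.0.0.1", "port": 3306, "user": "inquisition", "password": "s3cr3t-db"},
    "integrations": [{"name": "threat_feed", "url": "https://feed.example.invalid", "api_key": "AKIAEXAMPLE"}],
}
```

Running `leaked_secrets` against the redacted output before every config response is a cheap regression check that a newly added field was not missed.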
Deserialization - no deserialization of objects is performed within the application.
Once Issue #94 has been completed, security testing of all aspects of the application should be performed, especially Celestial.
This includes: