pavanw3b / sh00t

Security Testing is not as simple as right click > Scan. It's messy, a tough game. What if you had missed to test just that one thing and had to regret later? Sh00t is a highly customizable, intelligent platform that understands the life of bug hunters and emphasizes on manual security testing.
Apache License 2.0

Web resources get 404ed when not in debug mode #4

Closed lam0r closed 6 years ago

lam0r commented 6 years ago

Hi,

first of all thanks a lot for that great tool 👍

I am experiencing strange behaviour when not running in debug mode: when I set DEBUG = True in sh00t/config.py everything runs fine, but when I set that flag to False all of the design-supporting files get 404ed:

DEBUG = True

[04/Oct/2018 18:37:03] "GET /static/css/plugins/morris.css HTTP/1.1" 200 433
[04/Oct/2018 18:37:03] "GET / HTTP/1.1" 200 62593
[04/Oct/2018 18:37:03] "GET /static/font-awesome/css/font-awesome.min.css HTTP/1.1" 200 21984
[04/Oct/2018 18:37:03] "GET /static/css/bootstrap.min.css HTTP/1.1" 200 121200
[04/Oct/2018 18:37:03] "GET /static/js/jquery.cookie.js HTTP/1.1" 200 3121
[04/Oct/2018 18:37:03] "GET /static/images/sh00t-logo.png HTTP/1.1" 200 72623
[04/Oct/2018 18:37:03] "GET /static/js/bootstrap.min.js HTTP/1.1" 200 37045
[04/Oct/2018 18:37:03] "GET /static/js/side-menu.js HTTP/1.1" 200 790
[04/Oct/2018 18:37:03] "GET /static/js/jquery.js HTTP/1.1" 200 95785
[04/Oct/2018 18:37:03] "GET /static/font-awesome/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.1" 200 65452
[04/Oct/2018 18:41:59] "GET /app/sh0ts/new/ HTTP/1.1" 200 9231

DEBUG = False

[04/Oct/2018 18:36:36] "GET /static/css/plugins/morris.css HTTP/1.1" 404 103
[04/Oct/2018 18:36:36] "GET /static/font-awesome/css/font-awesome.min.css HTTP/1.1" 404 118
[04/Oct/2018 18:36:36] "GET /static/images/sh00t-logo.png HTTP/1.1" 404 102
[04/Oct/2018 18:36:36] "GET /static/js/jquery.js HTTP/1.1" 404 93
[04/Oct/2018 18:36:36] "GET /static/js/jquery.cookie.js HTTP/1.1" 404 100
[04/Oct/2018 18:36:36] "GET /static/js/bootstrap.min.js HTTP/1.1" 404 100
[04/Oct/2018 18:36:36] "GET /static/js/side-menu.js HTTP/1.1" 404 96
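As an added check that is not part of the report, the two runserver log excerpts above can be diffed automatically: parse each request line, keep the `/static/` paths, and list the assets that went from 200 in one run to 404 in the other. The log format and the sample lines are the ones pasted in the issue; the function names are mine.

```python
import re

# Django runserver access-log line, in the format pasted in this issue.
LOG_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

def parse_line(line):
    """Return (path-without-query, status) for one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop cache-busting query strings like ?v=4.2.0
    return path, int(m.group("status"))

def static_statuses(lines, static_prefix="/static/"):
    """Map each static asset path to the status code it last returned."""
    statuses = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0].startswith(static_prefix):
            statuses[parsed[0]] = parsed[1]
    return statuses

def regressed_assets(before_lines, after_lines, static_prefix="/static/"):
    """Static paths served (200) in the first run but 404 in the second.

    Run this after flipping DEBUG to False: an empty list means static files are
    still being served by something (web server, WhiteNoise, a serve() route)."""
    before = static_statuses(before_lines, static_prefix)
    after = static_statuses(after_lines, static_prefix)
    return sorted(p for p, s in after.items() if s == 404 and before.get(p) == 200)

# Constructed sample: a shortened copy of the two runs pasted above.
DEBUG_TRUE_LOG = [
    '[04/Oct/2018 18:37:03] "GET /static/css/plugins/morris.css HTTP/1.1" 200 433',
    '[04/Oct/2018 18:37:03] "GET / HTTP/1.1" 200 62593',
    '[04/Oct/2018 18:37:03] "GET /static/js/jquery.js HTTP/1.1" 200 95785',
    '[04/Oct/2018 18:37:03] "GET /static/font-awesome/fonts/fontawesome-webfont.woff?v=4.2.0 HTTP/1.1" 200 65452',
]
DEBUG_FALSE_LOG = [
    '[04/Oct/2018 18:36:36] "GET /static/css/plugins/morris.css HTTP/1.1" 404 103',
    '[04/Oct/2018 18:36:36] "GET /static/js/jquery.js HTTP/1.1" 404 93',
    '[04/Oct/2018 18:36:36] "GET /static/images/sh00t-logo.png HTTP/1.1" 404 102',
]

if __name__ == "__main__":
    for path in regressed_assets(DEBUG_TRUE_LOG, DEBUG_FALSE_LOG):
        print("static asset regressed to 404:", path)
```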
pavanw3b commented 6 years ago

Hey @lam0r, thanks for reporting. I'll look into this and get back by tomorrow.

praveenskumar commented 6 years ago

I know about this. I will contribute to it, if that is fine, pavan.


pavanw3b commented 6 years ago

Hey @praveenskumar, awesome, please go ahead!

praveenskumar commented 6 years ago

sh00t/settings.py

```python
# set if production (for static files)
LIVE = False

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = ['localhost']
```

sh00t/urls.py

```python
############## sh00t/urls.py ##############
from django.contrib import admin
from django.conf.urls import include, url
from django.conf import settings
from django.views.static import serve  # Django's built-in (development-only) static file view
from django.urls import re_path
from app import views

urlpatterns = [
    re_path(r'^app/', include('app.urls')),
    re_path(r'^api/', include('api.urls')),
    re_path(r'^logout/$', views.logout_user),
    re_path(r'^admin/', admin.site.urls),
    re_path(r'^$', views.index),
]

# When not behind a real web server, let Django serve the collected static files itself.
# serve() requires the URL kwarg to be named "path", hence the (?P<path>...) group.
if not settings.LIVE:
    urlpatterns += [url(r'^static/(?P<path>.*)$', serve, {'document_root': settings.STATIC_ROOT})]

# Print banner on the console when the server starts
print(settings.BANNER)

# Custom Admin Site Header
admin.site.site_header = settings.NAME
#################################################################
```

Just add the above changes... It is not recommended for the production level, as all the static files should be served by web servers like Apache or Nginx.

The above code is just a hack to work when DEBUG is False. You should set LIVE=True for production.

When you set DEBUG=False and LIVE=False in production, it serves static files.

pavanw3b commented 6 years ago

Hey @praveenskumar, trying your suggestion. What's `serve` in your code?

What do you say about libraries like Cling, WhiteNoise?

pavanw3b commented 6 years ago

Hey @lam0r, we're working on this. Could you allow a few days while we evaluate the best possible solution?

lam0r commented 6 years ago

No worries, take your time. I guess it is also a bit of a user error, as I did not know that the ideal deployment should be in combination with a real web server. So thank you for building a workaround for that.

Maybe it is also enough to mention that in the readme. That would be the easiest fix, I guess ;-)

praveenskumar commented 6 years ago

Hey @pavanw3b,

WhiteNoise is best for production; even the Cling GitHub repository mentions only WhiteNoise. It requires more configuration compared to Cling, but WhiteNoise is best if you are going to use any CDNs.

I would suggest you go with WhiteNoise.

pavanw3b commented 6 years ago

Hey @lam0r, @praveenskumar helped us fix that. I tested and it looks perfect. Please pull the latest codebase. Let me know if you hit any bugs.

Also, please share how you find Sh00t so far.

lam0r commented 6 years ago

@praveenskumar @pavanw3b works like a charm. Thanks a lot for the effort and the fast responses.