Open xnl-h4ck3r opened 1 year ago
I'll upload an example soon. We've added several new variables. Also there is no more automatic TLS, we made a number of changes so that we could terminate TLS externally.
Thanks!
Please #define soon.
As of the latest commit (https://github.com/trufflesecurity/xsshunter/commit/b0416990e4db121bfa1c056b023fea5d28b53ca1), the project uses the following environment variables:
BUCKET_NAME
CLIENT_ID
CLIENT_SECRET
CONTROL_PANEL_ENABLED
DATABASE_HOST
EMAIL_FROM
EMAIL_NOTIFICATIONS_ENABLED
HOSTNAME
NODE_ENV
PORT
POSTGRES_DB
POSTGRES_PASSWORD
POSTGRES_USER
SCREENSHOTS_DIR
SENDGRID_API_KEY
SENDGRID_UNSUBSRIBE_GROUP_ID
SENTRY_DSN
SENTRY_ENABLED
SESSION_SECRET_KEY
SSL_CONTACT_EMAIL
USE_CLOUD_STORAGE
VUE_APP_I18N_FALLBACK_LOCALE
VUE_APP_I18N_LOCALE
XSS_HOSTNAME
You can look at this commit to see some of the variables' values: https://github.com/trufflesecurity/xsshunter/commit/7fc28b13a32692b0faf7da591cd4f16e7bb3bfee#diff-e45e45baeda1c1e73482975a664062aa56f20c03dd9d64a827aba57775bed0d3
I listed them using this command:
grep -Eiroh "process.env.([A-Z_0-9]*)" | sort | uniq | cut -d '.' -f 3 | while read line; do echo $line; done
Yes I've seen these and tried creating a dev.env file with these in, and what I think should be the right values based on the docker-compose.yml of the original xsshunter-express, but I can't get it to work. I just keep getting this error repeatedly after doing ./docker-compose-linux-x86_64 up xsshunterexpress:
xsshunter-xsshunterexpress-1 | 2023-02-09T13:19:54: PM2 log: App [server:0] exited with code [1] via signal [SIGINT]
xsshunter-xsshunterexpress-1 | 2023-02-09T13:19:54: PM2 log: App [server:0] starting in -fork mode-
xsshunter-xsshunterexpress-1 | 2023-02-09T13:19:54: PM2 log: App [server:0] online
xsshunter-xsshunterexpress-1 | API key does not start with "SG.".
xsshunter-xsshunterexpress-1 | TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received undefined
xsshunter-xsshunterexpress-1 | at new NodeError (node:internal/errors:387:5)
xsshunter-xsshunterexpress-1 | at validateString (node:internal/validators:162:11)
xsshunter-xsshunterexpress-1 | at Object.resolve (node:path:1098:7)
xsshunter-xsshunterexpress-1 | at Object.<anonymous> (/app/api.js:27:30)
xsshunter-xsshunterexpress-1 | at Module._compile (node:internal/modules/cjs/loader:1165:14)
xsshunter-xsshunterexpress-1 | at Object.Module._extensions..js (node:internal/modules/cjs/loader:1219:10)
xsshunter-xsshunterexpress-1 | at Module.load (node:internal/modules/cjs/loader:1043:32)
xsshunter-xsshunterexpress-1 | at Function.Module._load (node:internal/modules/cjs/loader:878:12)
xsshunter-xsshunterexpress-1 | at Module.require (node:internal/modules/cjs/loader:1067:19)
xsshunter-xsshunterexpress-1 | at Module.Hook._require.Module.require (/usr/local/lib/node_modules/pm2/node_modules/require-in-the-middle/index.js:101:39) {
xsshunter-xsshunterexpress-1 | code: 'ERR_INVALID_ARG_TYPE'
xsshunter-xsshunterexpress-1 | }
Were you able to install a local version successfully? Thanks Xnl
Same same... decided to stick to the original version
TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received undefined
This error is due to the variable SCREENSHOTS_DIR not being initialized. This is my configuration:
BCRYPT_ROUNDS=10
BUCKET_NAME=
CLIENT_ID=89FS4381SGa_3YU82xXT-OVnr_jiEUdM
CLIENT_SECRET=PlVzcF28zdEQqmEk_azLz1yD4PRlfSPh
CONTROL_PANEL_ENABLED=true
DATABASE_HOST=postgresdb
EMAIL_FROM=
EMAIL_NOTIFICATIONS_ENABLED=false
HOSTNAME=admin.example.com
NODE_ENV=development
PORT=8080
POSTGRES_DB=xsshunterexpress
POSTGRES_PASSWORD=xsshunterexpress
POSTGRES_USER=xsshunterexpress
SCREENSHOTS_DIR=/app/payload-fire-images
SENDGRID_API_KEY=
SENDGRID_UNSUBSRIBE_GROUP_ID=
SENTRY_DSN=
SENTRY_ENABLED=false
SESSION_SECRET_KEY=wafrxxOWB9EQAFQqZOYsr1Lo812iti4i9pcXbzDPaYr-NhcVPTacjLa2T-A2h4RTUxXaI6m-v2sABCQoLeuFzsRhMXCpy_yjjJOa2D7iU8UETRKC1s_123
SSL_CONTACT_EMAIL=admin@example.com
USE_CLOUD_STORAGE=false
VUE_APP_I18N_FALLBACK_LOCALE=en-US
VUE_APP_I18N_LOCALE=en-US
XSS_HOSTNAME=xss.example.com
Please note that you have to supply your own Google OAuth client ID and secret, and I disabled Sentry and Google Cloud Storage.
The app also only listens on localhost:8080. So you have to modify the docker configuration or use a reverse proxy (you have to anyway since this fork does not come with SSL by default). I used a self-signed cert here to quickly demonstrate:
Here is my nginx config; this fork won't work without the Host header being passed as-is and the X-Forwarded-For header:
server {
    server_name admin.example.com xss.example.com;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    server_name xss.example.com;
    access_log /var/log/nginx/reverse-access.log;
    error_log /var/log/nginx/reverse-error.log;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 80;
}
Working instance:
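A small pre-flight checker, added here and not part of the xsshunter project, that reads a dev.env in the shape catmandx posted and reports which of the variables listed earlier in the thread are missing or blank, including the unset SCREENSHOTS_DIR behind the path.resolve crash and the SendGrid "SG." prefix complaint from the PM2 log; the sample values and placeholder secrets are constructed.

```javascript
// Added example, not part of the xsshunter project: check a dev.env for the names
// this thread extracted from process.env.* and for the failure modes in the logs.
const REQUIRED = [
  "BUCKET_NAME", "CLIENT_ID", "CLIENT_SECRET", "CONTROL_PANEL_ENABLED",
  "DATABASE_HOST", "EMAIL_FROM", "EMAIL_NOTIFICATIONS_ENABLED", "HOSTNAME",
  "NODE_ENV", "PORT", "POSTGRES_DB", "POSTGRES_PASSWORD", "POSTGRES_USER",
  "SCREENSHOTS_DIR", "SENDGRID_API_KEY", "SENDGRID_UNSUBSRIBE_GROUP_ID",
  "SENTRY_DSN", "SENTRY_ENABLED", "SESSION_SECRET_KEY", "SSL_CONTACT_EMAIL",
  "USE_CLOUD_STORAGE", "VUE_APP_I18N_FALLBACK_LOCALE", "VUE_APP_I18N_LOCALE",
  "XSS_HOSTNAME",
];
// Minimal KEY=VALUE parser: blank lines and # comments ignored, no quoting rules.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

// Returns a list of problems; an empty list means every name the app reads is set.
function checkEnv(env) {
  const problems = REQUIRED.filter((k) => !(k in env)).map((k) => `missing: ${k}`);
  // Unset SCREENSHOTS_DIR reaches path.resolve() as undefined (the ERR_INVALID_ARG_TYPE
  // crash in the PM2 log above); an empty string resolves to the cwd, so flag both.
  if (!env.SCREENSHOTS_DIR) problems.push("SCREENSHOTS_DIR must be a non-empty path");
  // Google OAuth login and session signing need real values, not blanks.
  for (const k of ["CLIENT_ID", "CLIENT_SECRET", "SESSION_SECRET_KEY"]) {
    if (env[k] === "") problems.push(`empty secret: ${k}`);
  }
  // SendGrid rejects keys that do not start with "SG."; only matters when enabled.
  if (env.EMAIL_NOTIFICATIONS_ENABLED === "true" && !/^SG\./.test(env.SENDGRID_API_KEY || "")) {
    problems.push('SENDGRID_API_KEY must start with "SG." when notifications are enabled');
  }
  return problems;
}

// Constructed sample in the shape of the config above, with placeholder secrets;
// notifications, Sentry and cloud storage left off as in that config.
const SAMPLE_VALUES = {
  CLIENT_ID: "PLACEHOLDER_GOOGLE_CLIENT_ID", CLIENT_SECRET: "PLACEHOLDER_GOOGLE_CLIENT_SECRET",
  SESSION_SECRET_KEY: "PLACEHOLDER_SESSION_KEY", SCREENSHOTS_DIR: "/app/payload-fire-images",
  EMAIL_NOTIFICATIONS_ENABLED: "false", SENTRY_ENABLED: "false", USE_CLOUD_STORAGE: "false",
};
const SAMPLE_ENV = REQUIRED.map((k) => `${k}=${SAMPLE_VALUES[k] || ""}`).join("\n");
console.log(checkEnv(parseEnv(SAMPLE_ENV))); // [] for the sample; feed it your own dev.env text
```

To check a real file, replace SAMPLE_ENV with require("fs").readFileSync("dev.env", "utf8").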
Thank you @catmandx !! 🤘
dev.env file still not in the repo.
This repo is essentially abandoned...
Last commit a year ago, no real fixes ;)
Not to mention the readme.md being completely out of date - might as well archive this repo so other forks have a better chance of picking up the torch
agreed, or at least bring on someone to maintain it.
Hi, the docker-compose.yml file refers to dev.env. Is there a template for that? What fields need to be referenced? I tried the same as the original xsshunter environment variables but I couldn't get it to work. Thanks