Security #4
Comments
@periodic1236 @epelz @dkong1796 @alphaz99 @Timeroot @ootks @ChingYunH @RobertEng
About SQL injection:
About XSS:
About authentication:
Also if you want more about SQL injection, see this:
I talked to RuthAnne this morning about enabling HTTPS. She said it should be fairly easy and emailed me these instructions from the website. Here are some instructions from the wiki our sysadmins use (obviously
Create the server key either with or without a passphrase:

with passphrase

```
openssl genrsa -des3 -out server.key 2048
```

without passphrase

```
openssl genrsa -out server.key 2048
```

Create the Certificate Signing Request

Now create the Certificate Signing Request:

```
openssl req -new -key server.key > server.csr
Country Name (2 letter code) [GB]:US
```

Get your CSR signed by the Globalsign (or other) certificate authority

E-mail your CSR to [email protected], along with the PTA you want the fee to be [email protected] will mail you back a signed certificate.

Discussion

If you use the certificate for your HTTP/SMTP server: reload httpd/restart postfix after installing the certificate file.

If you created a key which has a passphrase, remember the passphrase; you'll need it. You'll need a decrypted PEM version of your RSA private key to use with Apache:

```
openssl rsa -in server.key -out server.key.unsecure
```

Once you have the cert.crt and cert.key files, you get the corresponding cert.pem
Yeah, that's the same thing I did to set up https for Ruddock. Couple things to note:
From the Ruddock documentation:
Let's use this as a place to discuss security issues and how we plan on addressing them.
Also if you note any security hole you can comment here and link to the code or whatever.
I'm actually working on authentication and security for my SURF (in Django), so I'm trying to think about the best way to do things, so I'd like to hear other people's opinions.
My thoughts:
General Exploits

- SQL Injection: "Add SQL code to input to take over a db"
  - Option 1: Secure queries: built into Flask
  - Option 2: Object relational mapper functions for queries
- XSS: "Input is printed and renders as html, allowing for javascript to be run"
  - Sanitize user input, escape
- CSRF: "A website uses your browser's cookies to fill out forms for you on another site"
  - Django has middleware with CSRF tokens that adds a hidden POST variable.

User Security

- Brute force password search:
- Password Reset:
  - Should we email a "reset key" and then do the reset through a special link?
Feel free to add any other security issues you know about.
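Added illustration of "Option 1" above (parameterized queries, as provided by Python's DB-API drivers and used under the hood by ORMs); this is example code written for this thread, not code from the project. It uses an in-memory SQLite table with constructed sample rows and contrasts a query built by string formatting with one that binds the value as a parameter:

```python
import sqlite3

# Constructed sample data for the demo; not from the project.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    # The input is spliced into the SQL text, so any quote or keyword
    # inside it is parsed as SQL rather than as the value being searched.
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The statement is fixed; the driver passes the value separately,
    # so whatever the user typed can only ever be compared as data.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on a fresh database and return (unsafe, safe) results.

    The unsafe variant reports a parse error as a string instead of raising,
    so the caller can see that an apostrophe in ordinary input already
    breaks the query: the same mechanism an attacker relies on.
    """
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return unsafe, lookup_safe(conn, name)


if __name__ == "__main__":
    for probe in ("alice", "O'Brien", "nobody; DROP TABLE users"):
        print(repr(probe), "->", compare(probe))
```

Note that the "safe" version also avoids the false negative: a legitimate user named O'Brien is found, whereas the formatted query fails to parse at all.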