🚀 Feature: Web Security Scanners #5055
Comments
@zdanl, it makes sense to build file scanning into Appwrite because there is logic in Appwrite to scan files right when they're uploaded. From my experience, web security scanners are typically separate from the application itself and it would probably be best to decouple them.
@stnguyen90, @abnegate has been doing some research on this area. @abnegate it might be a good idea to add the following suggestions to your lists.
I'm nowhere near fully understanding the security model exposed to the user as to API keys and AppWrite's own security standing as to dealing with fraudulent input, thus, my suggestions are limited to - but I would like to firmly reiterate on that - I was suggesting externally scanning the web application run with Appwrite with advanced tools such as:
If there is anything we can do to sharpen the permissions of API keys with a wizard rather than granularity settings, which in my understanding, per default, allow to broadly operate in the context of the Backend, that would be very good. Pointing out the understanding of JavaScript from a security perspective, as opposed to for example Nessus, as a key feature, given the SDK and the valuable semantics of AppWrite calls exposed in the Frontend ready for Parsing. If parsing in this case is too abstract, I would infer OpenAI ChatGPT for example, which can make assumptions on AppWrite SDK statements in the browsers, and neatly fully comprehend the implementation of those API calls if provided with the source code. This may be going too far, but where else to leave such thoughts if not in this ticket.
Hi @stnguyen90 I just explored this and I found it amazing. Would you please assign this issue to me?
🔖 Feature description
Since you are already running an Antivirus, here is another suggestion: Web security scanners. Like skipfish. Like w3af. Like dictionary / word list attacks. Like Nexpose of Rapid7. Those could be scheduled or manually run web application security audits.
🎤 Pitch
This is the least pressing idea, since we assume the Appwrite code to be well audited after review, and consideration of the salted hashing algorithm, but nonetheless, the API key privileges and DB docs protection might yield a lot of unwanted leaks, that are automatically detectable by these scanners.
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?
Originally posted by @zdanl in #5053