habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: add hardening advice and link directly to Cure53 results (#9670)

Browse Source 
docs: add hardening advice and link directly to Cure53 results

Signed-off-by: Fletcher Heisler <fheisler@users.noreply.github.com>
This commit is contained in:
Fletcher Heisler
2024-05-10 09:07:19 -04:00
committed by GitHub
parent cb33f0d1e2
commit 09cacbd76b
1 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
website/docs/security/2023-06-cure53.md
View File

@ -1,6 +1,6 @@
# 2023-06 Cure53 Code audit
In May/June of 2023, we've had a Pentest conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues.
In May/June of 2023, we had a pentest conducted by [Cure53](https://cure53.de). The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues.
From the [complete report](https://cure53.de/pentest-report_authentik.pdf), these are the points we're addressing with this update:
@ -44,23 +44,24 @@ Related to ATH-01-003, it was possible to insert unintended diagrams into genera
## Additional info
In addition to the points above, several of the findings are classified as intended features (such as the expression policies), however these are points where we do also see room for improvement that we will address in the future.
In addition to the points above, several of the findings are classified as intended features (such as the expression policies). However, we have published additional [hardening documentation](./security-hardening.md) to provide guidance for further measures that can be taken to limit any possible risks associated with these features.
### ATH-01-002: Stored XSS in help text of prompt module (Medium)
Prompt help texts can use HTML to add markup, which also includes the option to include JavaScript. This is only possible to configure for superusers, and in the future we're planning to add an additional toggle to limit this.
Prompt help texts can use HTML to add markup, which also includes the option to include JavaScript. This is only possible to configure for superusers. To mitigate the risk of a rogue superuser creating a stage with a malicious script, requests to the `/api/v3/stages/captcha*` and `/api/v3/managed/blueprints*` endpoints can be blocked. With these restrictions in place, Captcha stages can only be edited using Blueprints on the file system. It is also recommended to use the RBAC system to restrict which users can edit these objects.
### ATH-01-006: Arbitrary code execution via expressions (Critical)
This is the intended function of expression policies/property mappings, which also requires superuser permissions to edit. We're planning to also add a toggle to limit the functions that can be executed to the ones provided by authentik, and prevent the importing of modules.
This is the intended function of expression policies/property mappings, which also requires superuser permissions to edit. To mitigate the risk of a rogue superuser creating a malicious expression, requests to the `/api/v3/policies/expression*`, `/api/v3/propertymappings*`, and ` /api/v3/managed/blueprints*` endpoints can be blocked. With these restrictions in place, expression can only be edited using Blueprints on the file system. It is also recommended to use the RBAC system to restrict which users can edit these objects.
### ATH-01-007: SSRF via blueprints feature for fetching manifests (Medium)
Blueprints can be fetched via OCI registries, which could be potentially used for server-side request forgery. This can only be accessed by superusers, and we're planning to add an option to limit the resolved IP ranges this functionality can connect to.
Superusers can fetch blueprints via OCI registries, which could be potentially used for server-side request forgery. To mitigate the risk of a rogue superuser sending malicious requests, requests to the `/api/v3/managed/blueprints*` endpoint can be blocked. With these restrictions in
place, blueprints can only be edited using YAML files on the file system. It is also recommended to use the RBAC system to restrict which users can edit these objects.
### ATH-01-013: XSS via CAPTCHA JavaScript URL (Medium)
Similar to ATH-01-002, any arbitrary JavaScript can be loaded using the Captcha stage. This is also limited to superusers.
Similar to ATH-01-002, any arbitrary JavaScript can be loaded using the Captcha stage. This is also limited to superusers. In order to prevent potential exploitation, it is recommended to limit the setting to allow-listed JavaScript URLs only.
### ATH-01-011: Weak default configs in logout/change password flows (Info)