ZAP proxy URL for remediation? - OWASP

Running OWASP ZAP proxy and I get output like:
WARN-NEW: Cookie Without Secure Flag [10011]
Is there a DB or wiki of remediation approaches that takes the issue ID? I'm looking for a way to humanize the results, with a message like "See http://how_to?issue=10011"
Thanks for any help,
Kevin

I'm guessing that you are using one of the packaged ZAP scans, e.g. the baseline?
If so, rerun your scan using one of the reporting options, e.g. '-r report_html'; this will give you a lot more information.
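As an added example (not from the question, the answer, or the ZAP project): the baseline scan's summary lines, like the one quoted in the question, can be parsed and joined against the JSON report the scan writes with `-J`, so that each issue ID is printed with its solution text, CWE and links to read more. The report field names (`site`, `alerts`, `pluginid`, `solution`, `reference`, `cweid`) are assumed to match ZAP's traditional JSON report, the `zaproxy.org/docs/alerts/<id>/` URL scheme is an assumption, and the sample output lines and report content are constructed:

```python
import json
import re

# Shape of one baseline-scan summary line, e.g. the one quoted in the question:
#   WARN-NEW: Cookie Without Secure Flag [10011] x 3
# The status vocabulary (PASS/IGNORE/INFO/WARN-*/FAIL-*) and the optional
# "x N" instance count follow the baseline's own summary lines.
BASELINE_LINE = re.compile(
    r"^(?P<status>PASS|IGNORE|INFO|WARN-NEW|WARN-INPROG|FAIL-NEW|FAIL-INPROG):\s+"
    r"(?P<name>.+?)\s+\[(?P<plugin_id>\d+)\](?:\s+x\s+(?P<count>\d+))?\s*$"
)

# Assumption: ZAP's per-alert documentation is keyed by plugin id at this path.
DOCS_URL = "https://www.zaproxy.org/docs/alerts/{plugin_id}/"

# Constructed sample of baseline stdout (not real scan output).
SAMPLE_BASELINE = """\
PASS: Vulnerable JS Library [10003]
WARN-NEW: Cookie Without Secure Flag [10011] x 2
FAIL-NEW: Missing Anti-clickjacking Header [10020] x 5
"""

# Constructed sample in the shape of the JSON report written by -J. The field
# names are assumed to match the traditional ZAP JSON report; the text is made up.
SAMPLE_REPORT = json.loads("""
{"site": [{"@name": "https://example.test",
  "alerts": [{"pluginid": "10011",
              "alert": "Cookie Without Secure Flag",
              "riskdesc": "Low (Medium)",
              "solution": "Set the Secure attribute on every cookie sent over HTTPS.",
              "reference": "https://owasp.org/www-community/controls/SecureCookieAttribute",
              "cweid": "614"}]}]}
""")


def parse_baseline(text):
    """Return a record per WARN/FAIL/INFO line; PASS and IGNORE lines are dropped."""
    findings = []
    for line in text.splitlines():
        m = BASELINE_LINE.match(line.strip())
        if not m or m.group("status") in ("PASS", "IGNORE"):
            continue
        findings.append({
            "status": m.group("status"),
            "name": m.group("name"),
            "plugin_id": m.group("plugin_id"),
            "count": int(m.group("count") or 1),
        })
    return findings


def index_report(report):
    """Map plugin id -> first alert entry for it across all sites in the report."""
    by_id = {}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            by_id.setdefault(alert["pluginid"], alert)
    return by_id


def remediation_links(plugin_id, alert):
    """Docs URL for the plugin id, then any http(s) references the report carries."""
    links = [DOCS_URL.format(plugin_id=plugin_id)]
    links += [r for r in alert.get("reference", "").split() if r.startswith("http")]
    return links


def humanize(baseline_text, report):
    """One multi-line message per finding: status, CWE, solution and where to read more."""
    by_id = index_report(report)
    messages = []
    for f in parse_baseline(baseline_text):
        alert = by_id.get(f["plugin_id"], {})
        cwe = alert.get("cweid")
        header = f"{f['status']}: {f['name']} [{f['plugin_id']}] x {f['count']}"
        if cwe and cwe not in ("-1", "0"):   # assumed sentinels for "no CWE mapped"
            header += f" (CWE-{cwe})"
        solution = alert.get("solution", "no solution text in report").strip()
        messages.append(
            f"{header}\n  Solution: {solution}\n  See: "
            + ", ".join(remediation_links(f["plugin_id"], alert))
        )
    return messages


if __name__ == "__main__":
    print("\n".join(humanize(SAMPLE_BASELINE, SAMPLE_REPORT)))
```

Running the block prints the two constructed findings with their links; the finding that has no entry in the report (10020 in the sample) still gets the docs URL derived from its ID, so every line carries at least one place to look for remediation.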

Related

How to use Google Action Builder with my own server

I want to develop an action for Google Assistant. So I read the documentation here https://developers.google.com/assistant/conversational/overview and I followed this tutorial https://www.youtube.com/watch?v=Z1hxvniJ18s
It worked and I was able to develop and test my app in the simulator. The problem is that when it comes to the webhook I don't totally understand how it works. On the webhook icon I get this
The second one allows me to use Google Cloud Functions and Firebase, but I had to add my billing account to make it available. I also get a console where I can code my functions and my responses.
And if I am correct, the first one allows me to connect to my own API. But I can only enter one field, which is the URL address, and nothing else, so how do I code it? Also I see everywhere people using Node.js and I would like to use PHP; is it possible?
To sum up my problem, I would like to know how I could connect my Action Builder to another service (API) than Google's ones. Is it possible to run my server in PHP, and how do I interact with my Google Action? (I think it's by sending JSON back and forth, but I'm not sure how to do it.) Finally I would like to know if it's possible to test it on a local server with MAMP and phpMyAdmin, for example, to test the answer of the server.
I would be very grateful if someone could help me and show me how to set up all this.
But I can only enter one field, which is the URL address, and nothing else, so how do I code it?
When you develop your webhook, you will need to have a single publicly accessible endpoint to connect with. This endpoint will receive an HTTP POST request and you will need to respond with an appropriate response.
Also I see everywhere people using Node.js and I would like to use PHP; is it possible?
Any language that can run on a web server can work. Node.js is one that is used a lot, but PHP can work just as well. You can create an actions.php file and then enter an endpoint address https://example.com/actions.php that will be called. You may need to refer to the Request and Response reference for the expected format.
Is it possible to test it on a local server with MAMP and phpMyAdmin, for example, to test the answer of the server?
It's somewhat possible. You'll need to have some method of sending mock requests to your local server, which might be as easy as using cURL or other tools like Postman.
Unfortunately my personal experience with PHP tools is limited, so I can't necessarily walk through the specifics. But it does seem like you know these tools a bit more and should be familiar enough to be able to get started.

How to configure Big Blue Button for Xirsys TURN server?

I run a self-hosted instance of BigBlueButton and signed up for Xirsys TURN server services because we need to serve clients behind (pretty restrictive) firewalls. Before, I had been running my own instance of coturn, but as this led to problems recently, I thought I would give someone who does this for a living a try.
Now the configuration in BBB is explained here:
https://docs.bigbluebutton.org/2.2/setup-turn-server.html
Yet so far I completely failed to match the parameters I receive from Xirsys with what I have to put into the /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml file in the place of the <turn.example.com> and <secret_value>.
Did anyone ever make this work? I did try and find a tutorial but also failed.
bbb-web is returning the TURN URIs and passwords to the HTML5 client, which the client is using in sip.js,
so you can either get bbb-web to send valid usernames/passwords if the same method is used, or modify the HTML5 client to make a Xirsys API call to get access to the TURN candidates.
Would need to look at the API docs. Twilio has a similar service.
regards,
Stephen
Not the most elegant solution, but the easiest one for me:
modify the final BBB JS bundle to load the STUN/TURN info from a fixed URL, e.g. in
/usr/share/meteor/bundle/programs/web.browser/f30716b2b57e2862c4db2325b7aac63f4622842b.js
The minified part should then look somewhat like:
const r=Meteor.settings.public.media,i='https://<yourbbburl>/html5client/stunturn.json',a=r.cacheStunTurnServers,s=r.fallbackStunServer;
and put either the static credentials or generated ones in a file stunturn.json beside the JS bundle.

How to run OWASP ZAP in a sequential order, and is it possible to do parametrization in OWASP ZAP?

I am using OWASP ZAP and I have 2 URLs, namely A and B, and these URLs should be passed like A,B as the first request and A,B as the second request. If this order goes wrong I get a privilege error, which ultimately fails my test as OWASP ZAP won't be able to deliver the result properly.
Could someone help me on how to execute it sequentially?
I referred to https://zapmultistep.wordpress.com/ but unfortunately it doesn't help. Could anyone help me understand in detail?
Is it possible to do parametrization in OWASP ZAP? If so, could you please explain in detail.

How to make the Uchiwa dashboard URL able to adjust thresholds?

Me again..
I have done all the Sensu-Uchiwa-Graphite setup. And I get a new request :(. Rather than going to change the threshold in the check.json file on the Sensu server, is there any plugin for Uchiwa so that this adjustment can be made from the Uchiwa dashboard? I ask because my application teams may want to change it by themselves without accessing the server.
I think sensu-admin in Enterprise is available, but we need to pay big money per year ;(...
Thanks in advance for the help.
Sumana W.
This is fairly doable if you use a configuration management system like Chef/Ansible/Puppet, especially if you run standalone checks on the sensu-client.
This allows the clients to define their own thresholds, rather than changing the Sensu servers themselves.
See https://sensuapp.org/docs/latest/reference/checks.html#standalone-checks
In this case, the definitions for the checks are sitting on the client servers and they have the choice of their thresholds or configurations. The client itself manages how often to run the check and sends the output back to the server, rather than the server requesting the checks. This helps quite a bit as far as scaling or multitenancy.
The other way to accomplish this, if you are tied to server-side checks, would be to use client attributes (https://sensuapp.org/docs/0.25/reference/checks.html#check-token-substitution).
For example, you can have a CPU check that says something like check-cpu.sh -w :::cpu_warn::: -c :::cpu_critical:::, and these come from cpu_warn and cpu_critical values in the client.json on the client server.
Source: We use Sensu extensively in an enterprise environment across thousands of hosts and have been working through these same issues.
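As an added illustration of the two mechanisms the answer describes (this is not from the question, the answer, or Sensu's own docs): one JSON file dropped into the client's configuration directory (assumed path /etc/sensu/conf.d/cpu.json) that defines a standalone check together with the client attributes its tokens are substituted from. The `:::name|default:::` form supplies a fallback when the client does not set the attribute. The hostname, address, subscription, threshold values and check script name are made up:

```json
{
  "client": {
    "name": "web-01.example",
    "address": "10.0.0.5",
    "subscriptions": ["webserver"],
    "cpu_warn": 80,
    "cpu_critical": 95
  },
  "checks": {
    "cpu": {
      "command": "check-cpu.sh -w :::cpu_warn|70::: -c :::cpu_critical|90:::",
      "standalone": true,
      "interval": 60,
      "handlers": ["default"]
    }
  }
}
```

The client substitutes the tokens from its own "client" attributes before it runs the command, so an application team changes cpu_warn on their host and restarts sensu-client; nothing on the Sensu server has to be edited, and the same token form works if the check is later moved back to a server-side subscription check.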

ColdFusion and REST

According to this blog entry, REST is available in ColdFusion.
However, I have multiple sites, so when I navigate to
localhost/rest/Example/hello
I get "Hello World", but if I go to
http://mysite.com/rest/Example/hello
I get HTTP Error 500.0 - Internal Server Error
Requested URL http://mysite.com:80/jakarta/isapi_redirect.dll
If I go to the IP address, I get "Hello World".
Aaron posted a comment referring to bug 3348765, but I'm not sure that helps me get this first Proof-Of-Concept working.
Q: How do I get REST to work in ColdFusion if I have multiple sites defined in IIS?
Have a look at this: http://blogs.coldfusion.com/post.cfm/rest-support-in-coldfusion-part-i tutorial.
Apparently, mysite.com is a very unlucky domain name, since lots of people try to use it for learning or testing purposes. That's just a website and most likely they don't have a ColdFusion 10 REST web service.
Your problem with localhost seems to be a web-server issue. If you open http://localhost, do you see the same website as http://127.0.0.1? These could easily be two different virtual hosts (websites, in terms of IIS).
The solution would be to check how your ColdFusion is installed with your IIS. An even better solution would be to set up some virtual host for playing with code; for example, I've got virtual local hosts like localhost.coldfusion, localhost.railo, etc.
Hope this helps.