Skip to content
This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

set up a sandbox for security researchers #561

Closed
chadwhitacre opened this issue Apr 7, 2016 · 5 comments
Closed

set up a sandbox for security researchers #561

chadwhitacre opened this issue Apr 7, 2016 · 5 comments
Labels
Security

Comments

@chadwhitacre
Copy link
Contributor

This could help alleviate the accumulation of ~user and Team accounts we're seeing, e.g.

h/t https://hackerone.com/reports/128844#activity-893086:

Have you thought about a test enviorment such as what has been done by https://duo.money/hackers ? They avoid most of the tests against production that way.

Looks like duo.money's setup is pretty advanced. I was thinking we could at least set up a staging instance.
@chadwhitacre chadwhitacre mentioned this issue Jun 7, 2016
Closed
@ghost
Copy link

ghost commented Jul 13, 2016
edited by ghost
Loading

Definitely the right answer to gratipay/gratipay.com#3925.

It should avoid the spam of fake teams and fake users, giving more details about the real usage of gratipay (I guess the statistics are somehow wrong due to theses trials). In addition, it should protect us against "wrong moves" ("Ooops, corrupted the database because of [some tool]"), DoS (it's out of scope but the report 123697 is a proof that some researchers are trying anyway)…

Here are my thoughts about this:

  • We need to create a specific subdomain (bounty.gratipay.com, hackerone.gratipay.com?).
  • Always display a message (position: fixed & top: 0) to tell it's a staging instance (if one user was tricked to use this website or whatever).
  • Change the scope to this new domain. Announce that we are no more accepting reports related to the original domain.
  • This will introduce a new issue for us: the web server configuration will have to be the same than the production one, and we'll have to backport it when we're changing something (it's not often and always for mild reports). Maybe we should have the same approach than gratipay/grtp.co, by putting the nginx configuration file inside the repository (note that service nginx reload does not cause any downtime).
  • Automatically accept the teams after X hours. It'll give the researcher enough time to try to find vulnerabilities related to the validation process and we won't have handle their review tickets.
  • Maybe automate the build of the Docker image, so the researchers can have their own local instance more easily.
  • … profit!

What am I missing?

@chadwhitacre
Copy link
Contributor Author

We need to create a specific subdomain (bounty.gratipay.com, hackerone.gratipay.com?).

Let's use a different domain entirely (to solidly avoid any potential cookie leaks), and not one with gratipay in it (to help avoid essentially spoofing ourselves). Maybe yapitarg.exposed?

Always display a message

Let's change the logo and banner, as well, for good measure, and also have a modal on first visit saying "Go away!" (suppressed for the next hour, maybe).

the nginx configuration file

Gratipay.com is hosted on Heroku, where most of the relevant configuration is in the environment. One consideration is that, if we reproduce our production environment exactly, then it will double our hosting costs ($7/mo for one dyno, $20/mo for SSL, $50/mo for database). It's also possible that we may be able to implement this using Heroku's Pipelines feature.

@ghost
Copy link

ghost commented Jul 13, 2016

Let's use a different domain entirely (to solidly avoid any potential cookie leaks), and not one with gratipay in it (to help avoid essentially spoofing ourselves). Maybe yapitarg.exposed?

This is not supposed to happen but this article proves that it may still leak across subdomains, you're right. Don't take any risk and let's go for a yapitarg.exposed-like domain.

Let's change the logo and banner, as well, for good measure, and also have a modal on first visit saying "Go away!" (suppressed for the next hour, maybe).

👍

Gratipay.com is hosted on Heroku, where most of the relevant configuration is in the environment. One consideration is that, if we reproduce our production environment exactly, then it will double our hosting costs ($7/mo for one dyno, $20/mo for SSL, $50/mo for database). It's also possible that we may be able to implement this using Heroku's Pipelines feature.

Yep, my brain mixed the infrastructure of grtp.co and gratipay.com.
Doubling the hosting costs just for this usage is absolutely not desirable. Do you think that a $5 droplet on Digital Ocean may be enough? (or AWS/Scaleway/…)

If we want to provide SSL (so we won't have reports about missing HTTPS) for this instance, we can take a look at Let's encrypt. We can automate the renewal so we'll never have to care about it.

Are Heroku's Pipelines introducing new costs for the review instances? I guess that yes :^)

@chadwhitacre
Copy link
Contributor Author

Do you think that a $5 droplet on Digital Ocean may be enough?

That seems fine for most security testing. SSL and DoS testing won't be entirely accurate.

Seems like the next step here would be PRs for the UI and team review changes. Eh?

@chadwhitacre chadwhitacre changed the title set up a staging instance for security researchers set up a sandbox for security researchers Jul 22, 2016
@chadwhitacre
Copy link
Contributor Author

+1 https://hackerone.com/reports/123697

@nobodxbodon nobodxbodon mentioned this issue Jan 8, 2017
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@chadwhitacre