I just changed my accounts mail address to another address and it was stored without the need to re-confirm the new mail address.

Please take a look at BLA DB

select agb, active, count(active)
from users
group by agb, active

No one accepted our AGB?

Recurring scans laufen derzeit offenbar nicht

Webserver für jeden Scanner

Siehe Slack

Business Layer muß dem Core einen callback mitgeben, den Core nach Abschluß eines Scans aufruft.

In der Callback Routine muß Business Layer, sofern es sich nicht um einen freescan gehandelt hat, das Siegel erzeugen und an geeigneter Stelle (wie im Meeting besprochen Google Storage Cloud?) ablegen.

Please check http(S)://www.tom123.de It reaches just 99% because of one hidden scan result. Hidden tests shouldn't have any negative impact we were told.

   {
      "scoreType" : "hidden",
      "name" : "PROTOCOLVERSION_TLS13",
      "score" : 0,
      "errorMessage" : null,
      "hasError" : false,
      "testDetails" : null
   },

Activation mail says

Diese Email wurde automatisch vom SIWECOS System zur Überprüfung Ihrer Domain generiert.

But it's not the DOMAIN, it's the mail address.

Instead of fixing, please tell us how to fix ourselfs.

Please do not send out notifications for low score more often than once a week.

Plase check whether or not a low score is due to a timeout and do not send to the user.

Idea: Inform the (yet to define) admin mail address. This should be configurable as long as we do not have proper monitoring for timeouts, I think this feature would be helpful.

Rough sketch:

env has to contain

ADMIN=(list-of-)admin-mail-address(es)
ADMIN_NOTIFY=list-of-events

where the "list-of-events" will be a comma separated list of possible events (like TIMEOUT).

Just a small mail to env('ADMIN') if env('ADMIN_NOTIFY') matches /\bTIMEOUT\b/.
Subject would be "%EVENT% for %DOMAIN% found at %TIME%".

For the mail body I'm not sure. Maybe url, scan_id, and scan_results.id?

PLEASE NOTICE:
This feature could be used for the mail notifications as well. If "ADMIN_NOTIFY" matches /\bLOWSCORE\b/, mails about low score should go to the admin mail address(es) instead of to the user.

Please make the Overall Scan Score and the last scan result be visible without having to open the detailed results.

According to https://github.com/SIWECOS/InfoLeak-Scanner/blob/master/doc/InfoLeak_Placeholders.txt it seems {something} is the expected notation for testdetails.

Unfortunately they are not replaced.

So I receive

Verwendete CMS {cms} detektiert.

instead of the expected

Verwendete CMS Wordpress detektiert.

Ist sinnfrei, Token sollte reichen, gehört zu SIWECOS/webapp#12

Muss hier raus:
https://github.com/SIWECOS/siwecos-business-layer/blob/master/app/Http/Controllers/SiwecosUserController.php#L309

I noticed that there is an issue in freescan's logic.

The freescan only allows us to see Scan results with danger level 0, so that people do not get all for free.

When a domain is registered and has a seal on their website, their visitors will be able to click the seal and view the score - nothing more

But what if the visitor starts a freescan for that domain?

He will suddenly see ALL scanresults, because no new scan is started, but the existing results are shown. Even those of DL10.

I think this is an issue and the freescan results of existing scans have to be filtered.

At the moment this seems impossible as we do not know the dangerlevel of scanner tests in the scan results.

We think it might be a good idea to have additional accounts for a domain. Maybe with restricted access (just view, not starting scans or registring/deleting domains).

Reasoning: When a user wants his service provider to fix the issues found by siwecos, it would be good the service provider could actually see what siwecos reports. As we do not have PDF (yet), it might be a good option to allow the service provider to log in and check without having to give them the user's credentals.

If this is too much overhead another idea could be to allow domain owners to give other registered users read access.

That way a service provider can register one account and will be able to see each domain he was granted access for.

Advantage would be: A Service Provider just needs to have one account and can manage multiple customers. Idea is similar to "public key autentication" in ssh: The domain owner simply ads one (or more) account names into a list of allowed viewers per domain.

CRON einrichten auf den Scheduler (5min)

There is no option to reset/recover a lost password.

Folgendes Anpassen:

Weiterer Parameter:
https://github.com/SIWECOS/siwecos-business-layer/blob/develop/app/Http/Controllers/SiwecosScanController.php#L193

Sprache Aktualisieren:
https://github.com/SIWECOS/siwecos-business-layer/blob/develop/app/Http/Controllers/SiwecosScanController.php#L203-L205

Unsortierte Schlagworte:

• Infrastruktur
• Troubleshooting
• Housekeeping
• Monitoring
• Performance Analyse
• Credentials

Seems there are no user notifications in case new issues were found, yet.

A registered user should receive a mail in case there were (new) issues found on one of his domains.

Try to scan https://sdfsdfsdfghdfkgksdfgf and SIWECOS will happily try to do so without telling the user that the domain does not exist.

/app/Http/Controllers/SiwecosScanController.php Line 239

   if ($item['has_error']) {
                $errorRaw           = $item['complete_request']['errorMessage'];
                $error              = array();
                $error['report']    = html_entity_decode(__('siwecos.' . $errorRaw['placeholder']));
                $error['has_error'] = true;
                $error['score']     = 0;
                if (array_key_exists('values', $errorRaw)) { // <- HERE

When error is set but the message is missing this gives an exception.

While a scanner should not provide hasError:true but no message, BLA should still be able to cope with this.

See SIWECOS/HSHS-DOMXSS-Scanner#51

Moin, sollten der report endpoint nicht besser in die routes/api.php hinter die usertoken middleware? Dann können wir das Token aus der eigentlich URL rausnehmen. Oder hab ich da den Usecase falsche verstanden?

There seems to be no way to ask for a resend of the activation mail. (Could be an SPA issue as well)

Background: I tested the password reset functionality with an account I (accidently) did not activate.

I could reset the password, but I could not log in as I didn't activate the account.

As I also "lost" my activation mail, there is no way for me to reactivate the account.

Proposals:

• either give the possibility to ask for a resend of the activation mail
• or count the password reset as an activation - after all the user did receive the reset mail
• or (least preferred) allow activation only within 24 hours so that a non-activated account gets cleaned up after 24h

According to the changes with SIWECOS/HSHS-DOMXSS-Scanner#40 the test names changed as follows:

HAS_SOURCES to SOURCES
HAS_SINKS to SINKS

There are two new placeholders:

Please include them in the language files so that SIWECOS/HSHS-DOMXSS-Scanner#40 can go to staging/production.

See also #2.

it would be best that a free scan:

1. Does not show cached results from registered scans thus avoiding the issues mentioned here.
2. Should have a delay between reruns of the same domain, avoiding the risk of overloading the target domain. Maybe a minute between each run?

When a user tries to register but the mail is already registered the error message is wrong, telling the user to use a valid mail address.

There should be Scan results mails (initial, under 50%, etc)

See also #20

HTML Datei als Link anzeigen @webapp

Momentan wird lediglich geprüft, ob ein Nutzer registriert ist:

Es besteht die Möglichkeit, dass ein Nutzer einen Report von einem anderen Nutzer, einer anderen Domain, anfragen kann ohne dafür authorisiert zu sein.

Daher notwendig:
Abfrage, ob der Scan auch zu einer Domain gehört, die zu dem jeweiligen Nutzer gehört.

Problem: Keine Testbarkeit, siehe: #83

Caused by my work at SIWECOS/HSHS-DOMXSS-Scanner#24 two new placeholders are included in the readme:

Please include them in the language files.

How can we troubleshoot the reason for

"Fehler beim Starten des Scans, bitte versuchen Sie es später erneut"

which appears from time to time when trying to start a new scan.

When clicking the button to start a new scan, the network analyzer in FF shows a 403 forbidden

Date: Mon, 12 Mar 2018 08:10:54 GMT
Server: Apache
Cache-Control: no-cache, private
Access-Control-Allow-Origin: https://staging2.siwecos.de
Vary: Origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json
Content-Language: en

I clicked on

https://bla.staging2.siwecos.de/api/v1/users/activate/4t4DsmAjcwZpmZrKOyz71tY9Gt4MmtelYPA97gI738Zxk3dcjv39qvZ2hUorE00FU68JSC5zm6V5L48r2wBfHAz94k5FzMg1

and was presented with JSON code. Nothing else.

Tested with Thunderbird and Safari on macOS.

We already had 2 occurences of customers having issues with the user agent string we use.

Problem is: They might not be aware that their website is blocking certain strings.

Solution could be that a user is allowed to define the user agent string he wants.

While this might not help the users at once, it could improve the situation as

a) Our support could tell them what they need to change in SIWECOS so that scanning is accepted by their website
b) The poweruser could define an agent string he easily can recognize in his logs in order to filter them out

Derzeit gibt es offenbar keine ausgehenden Mails?

Please add the domain to the subject of PDF Notifications.

I already tried but misssing a service to retrieve the domain when I just have the scan_id

Additionally name the attachment according to the domain. So not "scanreport.pdf" but something like "siwecosreport %PROTOCOL% %DOMAIN% %ISODATE%.pdf" (e.g. "siwecosreport https byte5.de 2018-05-30.pdf")

Currently it's not possible to generate a PDF report.

This should be part of the SPA, as the SPA already has all the necessary parts implemented for creating nice looking reports. After all the current "Sicherheitsbericht" already is a report, let alone not an easily printed one and not yet complete with all the tips and details a user might require to fix his domain's issues.

OTOH, according to @SniperSister "PDFs in JS aren’t that much fun, I would prefer if we have that implemented in the BLA".

After discussion with Peter: Every account will receive up to 50 free credits per day.

So when an account has 10 validated domains, he will be down to 40 after the automatic scans. But there should be an automatism to update the credits to 50 once per day.

Question remains what to do once we allow users to pay for credits.

My proposal is:

1. accounts having below 50 credits will be set to 50 once per day
2. account having more than 50 credits will receive one free credit per validated domain once per day.

The second adjustment is required so that the automatic, daily scans are not reducing the payed amount of credits.

It's unclear to me where this automatism has to be implements. Currently it's said that we have an automatic scan done every night at 01:00 (but I cannot see that in the database) and maybe it's a good idea to implement the logic at the same place.

The tests are missing placeholder values.

Additionally we are missing a means to provide them

• DOMXSS
  ** NO_SINKS_FOUND
  ** NO_SOURCES_FOUND
  ** SINKS_FOUND
  ** SOURCES_FOUND
• HEADER
  ** CSP_CORRECT
  ** CSP_NO_UNSAFE_INCLUDED
  ** CSP_UNSAFE_INCLUDED
  ** CT_CORRECT
  ** CT_HEADER_WITHOUT_CHARSET
  ** CT_META_TAG_SET
  ** CT_META_TAG_SET_CORRECT
  ** HSTS_LESS_6
  ** HSTS_MORE_6
  ** HSTS_PRELOAD
  ** INCLUDE_SUBDOMAINS
  ** XCTO_CORRECT
  ** XFO_CORRECT
  ** XXSS_BLOCK
  ** XXSS_CORRECT
• INFOLEAK
  ** CMS_ONLY
  ** CMS_VERSION
  ** CMS_VERSION_VULN
  ** EMAIL_FOUND
  ** JS_LIB_ONLY
  ** JS_LIB_VERSION
  ** JS_LIB_VULN_VERSION
  ** NUMBER_FOUND
  ** PLUGIN_ONLY
• WS_TLS
  ** RC4_SUITES

I already tried to insert into siwecos.php (as a test):

'CT_META_TAG_SET_CORRECT' => 'alles roger',

to no avail. Still CT_META_TAG_SET_CORRECT appears in the output.

Vermutlich verwandt mit SIWECOS/siwecos-core-api#162 und Ursache von SIWECOS/webapp#9

Try this:

1. register http://your.do.main
2. run a scan
3. run a freescan for https://your.do.main
4. check http://bla.staging2.siwecos.de/api/v1/domainscan?domain=your.do.main

That call is used for the seal. Unfortunately you'll get the result from the freescan as the domainscan first checks https and only http if https was not found.

This could lead to support calls when we are live. So domainscan should only return results for registered, validated domains.

According to https://en.wikipedia.org/wiki/Gettext#Implementations it should be possible to use gettext file (.mo) in php.

As I already implemented a script for converting our current translations directory into a .pot file, which we will use for translations, it might be a good thing to make use of them as well in BLA. Please check whether or not this is feasable.

Please note that due to the fact that some "msgid"s (i.e. untranslated texts) are identical for different contexts, I used the placeholder as a (msgctxt) message context. This might be an issue.

It also might be an issue, that the …_SOLUTION_TIPS placeholders should be able to contain wikitext links.

If it's not feasable we will have to create a script to convert .po files into siwecos.php files.

Bitte ein README, das zum Projekt passt.

Migration für die Userdatenbank
Check der Flags im Reportprocessing

Die Registrierung in der Staging funktioniert nicht, bekomme nen 422

{"g-recaptcha-response":["validation.captcha"]}

ich vermute dass der Recaptcha Key in der Env nicht stimmt, der müsste identisch mit der live sein.

@Weegy checkst du das?

/cc @Lednerb

We are especially interested in placeholders for the user's name, salutation and email address.

But every other placeholder which can be used would be good to know as well.