Security best practices

edit
  • XSS

    • Check for usages of dangerouslySetInnerHtml, Element.innerHTML, Element.outerHTML
    • Ensure all user input is properly escaped.
    • Ensure any input in $.html, $.append, $.appendTo, latexmath:[$.prepend`, $].prependTo`is escaped. Instead use$.text`, or don’t use jQuery at all.
  • CSRF

    • Ensure all APIs are running inside the Kibana HTTP service.
  • RCE

    • Ensure no usages of eval
    • Ensure no usages of dynamic requires
    • Check for template injection
    • Check for usages of templating libraries, including _.template, and ensure that user provided input isn’t influencing the template and is only used as data for rendering the template.
    • Check for possible prototype pollution.
  • Prototype Pollution

    • Check for instances of anObject[a][b] = c where a, b, and c are user defined. This includes code paths where the following logical code steps could be performed in separate files by completely different operations, or recursively using dynamic operations.
    • Validate any user input, including API url-parameters/query-parameters/payloads, preferable against a schema which only allows specific keys/values. At a very minimum, black-list __proto__ and prototype.constructor for use within keys
    • When calling APIs which spawn new processes or potentially perform code generation from strings, defensively protect against Prototype Pollution by checking Object.hasOwnProperty if the arguments to the APIs originate from an Object. An example is the Code app’s spawnProcess.

      • Common Node.js offenders: child_process.spawn, child_process.exec, eval, Function('some string'), vm.runIn*Context(x)
      • Common Client-side offenders: eval, Function('some string'), setTimeout('some string', num), setInterval('some string', num)
  • Check for accidental reveal of sensitive information

    • The biggest culprit is errors which contain stack traces or other sensitive information which end up in the HTTP Response
  • Checked for Mishandled API requests

    • Ensure no sensitive cookies are forwarded to external resources.
    • Ensure that all user controllable variables that are used in constructing a URL are escaped properly. This is relevant when using transport.request with the Elasticsearch client as no automatic escaping is performed.
  • Reverse tabnabbing - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#tabnabbing

    • When there are user controllable links or hard-coded links to third-party domains that specify target="_blank" or target="_window", the a tag should have the rel="noreferrer noopener" attribute specified. Allowing users to input markdown is a common culprit, a custom link renderer should be used
  • SSRF - https://www.owasp.org/index.php/Server_Side_Request_Forgery All network requests made from the Kibana server should use an explicit configuration or white-list specified in the kibana.yml