
Integrate interaction server as active service into SCB

malexmave opened this issue 3 years ago (status: Open, 5 comments)

New feature implementation request

Integrate an interaction server like interactsh into the SCB

Is your feature request related to a problem?

Some scanners (e.g., Nuclei) require an interaction server to validate their findings. As a user, I may not want to use an external interaction service, as this will disclose my vulnerabilities to the operator of that server.

Describe the solution you'd like

Integrate an interaction server like interactsh into the secureCodeBox, which can be run as a service alongside the scans.

Describe alternatives you've considered

Not having an interaction service and relying on people running it themselves :(

Additional context

Considerations for a deployment which may inform the design:

  • Ideally, we'd probably want a single interaction service per operator, not one per namespace, as I think each interaction server needs a domain to itself
  • Consider what happens if kubernetes network policies are in place to separate namespaces.

malexmave, Feb 22 '22 16:02

Clarification: When I say "integrate it into the SCB", I mean integration on the level of a scanner, not that it should be integrated into the operator. But the exact implementation is of course up to the developer taking up this task.

malexmave, Feb 22 '22 17:02

The clarification made it more confusing to me 😅 What do you mean when you say "integration on the level of a scanner"?

Also, would it be "enough" for this ticket to add detailed documentation on how to configure a scan (like Nuclei) to use a self-hosted OOB service? And maybe some short guidance on how one could set one up, though that may be best left to the docs of the actual OOB service.

J12934, Feb 23 '22 09:02
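As an added illustration of the "self-hosted OOB service" setup discussed above (this is example configuration written for this page, not code from the secureCodeBox project or from anyone in this thread), the following manifests run an interactsh server in its own namespace, restrict access to it with a NetworkPolicy, and point a secureCodeBox Nuclei scan at it. The namespace names, the `securecodebox.io/oob-access` namespace label, the container image, the domain, the token and the target URL are all assumptions or placeholders; the interactsh-server and Nuclei flags used here are the ones documented by those tools, but check them against the versions you deploy.

```yaml
# Added example, not part of the secureCodeBox project. All names below are placeholders.
# Assumes namespaces "oob-infra" (for the interactsh server) and "my-scans" (for scans) exist,
# and that "my-scans" carries the hypothetical label securecodebox.io/oob-access: "true".
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: interactsh-server
  namespace: oob-infra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: interactsh-server
  template:
    metadata:
      labels:
        app: interactsh-server
    spec:
      containers:
        - name: interactsh-server
          image: projectdiscovery/interactsh-server:latest   # assumed image name; pin a digest in practice
          args:
            - "-domain"
            - "oob.example.invalid"          # placeholder: a domain delegated to this server's public IP
            - "-token"
            - "$(INTERACTSH_TOKEN)"          # require a token so only your scanners can poll interactions
          env:
            - name: INTERACTSH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: interactsh-token     # assumed Secret holding the token
                  key: token
          ports:
            - { name: dns, containerPort: 53, protocol: UDP }
            - { name: http, containerPort: 80, protocol: TCP }
            - { name: https, containerPort: 443, protocol: TCP }
---
apiVersion: v1
kind: Service
metadata:
  name: interactsh-server
  namespace: oob-infra
spec:
  type: LoadBalancer                          # callbacks from scan targets arrive from outside the cluster
  selector:
    app: interactsh-server
  ports:
    - { name: dns, port: 53, targetPort: 53, protocol: UDP }
    - { name: http, port: 80, targetPort: 80, protocol: TCP }
    - { name: https, port: 443, targetPort: 443, protocol: TCP }
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-scanner-namespaces-to-poll
  namespace: oob-infra
spec:
  podSelector:
    matchLabels:
      app: interactsh-server
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              securecodebox.io/oob-access: "true"   # hypothetical label on namespaces allowed to poll
      ports:
        - { port: 443, protocol: TCP }
---
apiVersion: execution.securecodebox.io/v1
kind: Scan
metadata:
  name: nuclei-private-oob
  namespace: my-scans
spec:
  scanType: nuclei
  parameters:
    - "-u"
    - "https://target.example.invalid"        # placeholder target
    - "-iserver"                              # Nuclei: use this interactsh server instead of the public one
    - "https://interactsh-server.oob-infra.svc.cluster.local"
    - "-itoken"
    - "REPLACE_WITH_TOKEN"                    # placeholder; prefer injecting via a Secret-backed env var
```

Two points follow from the thread's own considerations: the scanner pod only needs in-cluster access to the server's polling endpoint (which is what the NetworkPolicy admits), whereas the scanned target must be able to resolve and reach the delegated domain from outside, which is why the server is exposed with a LoadBalancer and why one instance per operator, with its own domain, is the natural unit. Setting a token on the server keeps other tenants from reading the recorded interactions.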

If I'm getting it right, there is currently no Helm chart which a user can use to start an OOB service along with the SCB infrastructure. It would be nice to have some kickstart here for SCB users.

rseedorff, Feb 23 '22 09:02

Yes - the idea was to be able to configure and run an OOB service using the secureCodeBox, so that it can be installed and configured the same way we would install and configure a hook, scanner, ...

This "something in the backend that runs permanently" model would be a new* paradigm in the secureCodeBox, which may require some larger engineering if we want to do it "properly" - but it would also allow us to provide something like a trivy rule server as well.

*It's not actually new, as we already have a Nuclei rule downloader that can run permanently in the background, I think? This could also be migrated to the new approach, if we want to really support something like a "permanently running service" as a type of SCB component. But we can also just give guidance on how to set these things up using K8s methods, without supporting it as a "first-class citizen" in SCB.

malexmave, Feb 23 '22 09:02

IMO this is a documentation task: how to set up my own interact.sh in my SCB setup.

Weltraumschaf, Jul 27 '23 09:07