Re: x509Vnc support

2021-03-04 Thread Nick Couchman
On Thu, Mar 4, 2021 at 19:54 Dave Neeley  wrote:

> There was a pull request two years ago that would have added support for
> the x509Vnc protocol in guacd. There was some discussion about storing the
> certificates on disk on the guacd server rather than in-memory, and the
> code was pulled.
>
> GUACAMOLE-514: Implement additional VNC authentication support by
> necouchman · Pull Request #232 · apache/guacamole-server (github.com)
>
Oops, looks like I missed some documentation for those parameters...

> I would have assumed the certificates most definitely had to be stored on
> disk _somewhere_, is that not correct? Say the guacamole web client was
> running in one docker container, and guacd was running in a second
> container. How would certificates be passed in-memory between these two?
>

Yes, the parameters referenced in the pull request would, most likely,
point to the location of a file, accessible by guacd, that contains the
certificate, key, CA, and crl data, respectively. So, even though the
parameters are configured client-side, the client itself (both browser and
client container for the Java code) need not have any access to or
knowledge of the contents of the files.


> Has anyone found a way to implement x509Vnc support?
>

To be clear, support is implemented, already. Whether it works consistently
or not, or behaves as you expect it to, is another story. For example, if
you’re looking for an implementation where the user can have a certificate
and key pair locally available to their browser that then gets passed
through transparently to guacd to use for the VNC connection, that
definitely will not work as currently implemented, and would take some
(significant) additional work to make happen.

-Nick


x509Vnc support

2021-03-04 Thread Dave Neeley
There was a pull request two years ago that would have added support for
the x509Vnc protocol in guacd. There was some discussion about storing the
certificates on disk on the guacd server rather than in-memory, and the
code was pulled.

GUACAMOLE-514: Implement additional VNC authentication support by
necouchman · Pull Request #232 · apache/guacamole-server (github.com)


I would have assumed the certificates most definitely had to be stored on
disk _somewhere_, is that not correct? Say the guacamole web client was
running in one docker container, and guacd was running in a second
container. How would certificates be passed in-memory between these two?

Has anyone found a way to implement x509Vnc support?

-dave


Re: DOM based XSS protections

2021-03-04 Thread Mike Jumper
On Thu, Mar 4, 2021 at 8:43 AM hveke...@caci.co.uk 
wrote:

> Hello,
>
> Might be a slightly obscure topic but I've not been able to figure out
> whether Apache Guacamole has any built in features or protections to
> prevent DOM based XSS attacks.
>
> We've had a security questionnaire come through which includes this as a
> topic, I've included an OWASP link below. Are you able to provide any info
> on whether there's something in place for this?
>
> "Some XSS vulnerabilities work exclusively on the client side, in an
> application's scripting code. This kind of XSS is commonly referred to as
> DOM-based XSS. Because server-side escaping of user input does not protect
> against DOM-based XSS, you need a strategy for dealing with client-side
> scripting code that handles user input, as well as parts of the DOM that
> may contain user input (such as document.location)"
>
> https://owasp.org/www-community/attacks/DOM_Based_XSS


In Guacamole's case, all escaping is client-side:

   - There are no server-generated dynamic documents outside the static
   contents of the webapp and additional static contents provided by
   extensions.
   - Dynamic data comes to the client side only in the form of JSON
   responses to REST API requests, none of which are expected to be
   pre-escaped.
   - Neither data retrieved from the server (REST API) nor data obtained
   purely client-side (things like search filters) are ever simply
   concatenated into a document. Such data is only included using AngularJS'
   data binding, which is automatically escaped.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc.
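An added illustration of the distinction drawn above, written for this digest and not code from Guacamole or from the message. The location fragment, the `renderConcatenated` and `renderBound` functions and the `containsInjectedTag` check are constructed for the example, and a plain HTML-escaping function stands in for what a data-binding framework (AngularJS `{{ }}` / `ng-bind`, or `textContent`) does with a bound value.

```javascript
// Constructed stand-in for an attacker-influenced document.location.hash.
// Sample value only; not taken from any real site.
const SAMPLE_HASH = '#<img src=x onerror=alert(1)>';

// Vulnerable sink: the fragment is concatenated straight into markup. A
// browser parsing this string would create the <img> element and run its
// handler. This is the DOM-based XSS pattern the OWASP text describes.
function renderConcatenated(hash) {
  const filter = decodeURIComponent(hash.slice(1));
  return '<div class="filter">Filter: ' + filter + '</div>';
}

// Minimal HTML escaping, equivalent in effect to framework data binding:
// the value is emitted as text and can never open a tag or attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe sink: same data, bound as text instead of spliced into markup.
// This is the behaviour the reply attributes to AngularJS data binding.
function renderBound(hash) {
  const filter = decodeURIComponent(hash.slice(1));
  return '<div class="filter">Filter: ' + escapeHtml(filter) + '</div>';
}

// Review check: does the rendered output contain any element other than
// the ones the template itself emits? Returns true when something was
// injected, false when the only tags present are the template's own.
function containsInjectedTag(html, allowed = ['div']) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Stand-alone run: the concatenated version carries an injected <img>,
// the bound version does not.
console.log('concatenated injected:', containsInjectedTag(renderConcatenated(SAMPLE_HASH)));
console.log('bound injected:       ', containsInjectedTag(renderBound(SAMPLE_HASH)));
```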


DOM based XSS protections

2021-03-04 Thread hveke...@caci.co.uk
Hello,

Might be a slightly obscure topic but I've not been able to figure out
whether Apache Guacamole has any built in features or protections to prevent
DOM based XSS attacks.

We've had a security questionnaire come through which includes this as a
topic, I've included an OWASP link below. Are you able to provide any info
on whether there's something in place for this?

"Some XSS vulnerabilities work exclusively on the client side, in an
application's scripting code. This kind of XSS is commonly referred to as
DOM-based XSS. Because server-side escaping of user input does not protect
against DOM-based XSS, you need a strategy for dealing with client-side
scripting code that handles user input, as well as parts of the DOM that may
contain user input (such as document.location)"

https://owasp.org/www-community/attacks/DOM_Based_XSS 

Thanks

Himat



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: RDP: Issue with security-mode nego & NLA

2021-03-04 Thread guacatoine
Hi Guacamolers,

Well, then I'm gonna phrase my question differently:

Is a Connection **security-mode** = **any** supposed to work with NLA as
well?

Looking forward to an answer! :]
Antoine


