Security
Rekono supports different types of authentication:

- JSON Web Token: used for user authentication from the frontend. An `access_token` and a `refresh_token` are obtained after the user logs in with basic credentials.
- API Token: a static, long-lived token that can be used in API requests via the header `Authorization: Token <API token value>`. This API token can be obtained from the user profile page.
- Telegram Bot: a specific authentication flow is created for the Rekono Bot.
Rekono users can't be created directly; new users must first be invited by an administrator. This is done from the users page, after which the new user receives a temporary link to create their account.
Rekono authorization is mainly based on RBAC (Role-Based Access Control) with three different roles:

- Administrator: they can do everything in the platform.
- Auditor: they can execute tasks and manage hacking resources like processes, wordlists, targets and findings.
- Reader: they can only see the execution results.
In addition to the roles, Rekono also has authorization based on project membership: only the members of a project can see or use its resources. This restriction also applies to administrators, so only the administrators included in the project members can administrate that project. Project members can be managed in the members tab of each project page.
Moreover, shared resources like processes and wordlists can only be modified or removed by an administrator or by the Rekono user that created them.
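The following is an added example (not Rekono's own code) that models the authorization rules just described: role checks, the project-membership restriction that also binds administrators, and the creator-or-administrator rule for shared resources. The class and function names and the sample users are assumptions made for the illustration.

```python
# Added illustration of Rekono's documented authorization rules; class and
# function names are assumptions, not Rekono's implementation.
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ADMIN = "Administrator"
    AUDITOR = "Auditor"
    READER = "Reader"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass(frozen=True)
class Project:
    name: str
    members: frozenset  # names of users that belong to the project


@dataclass(frozen=True)
class SharedResource:
    """A process or wordlist: shared across projects, owned by its creator."""
    name: str
    created_by: str


def can_view_project(user: User, project: Project) -> bool:
    # Membership is enforced for every role, administrators included.
    return user.name in project.members


def can_run_tasks(user: User, project: Project) -> bool:
    # Readers only see results; auditors and administrators can execute tasks.
    return can_view_project(user, project) and user.role in (Role.ADMIN, Role.AUDITOR)


def can_manage_members(user: User, project: Project) -> bool:
    # Only administrators that are themselves members administrate the project.
    return can_view_project(user, project) and user.role is Role.ADMIN


def can_modify_shared(user: User, resource: SharedResource) -> bool:
    # Shared processes/wordlists: any administrator, or the user that created it.
    return user.role is Role.ADMIN or user.name == resource.created_by
```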
Access to the Rekono backend can be restricted by origin host. This can be configured using the environment variable `RKN_ALLOWED_HOSTS` or the `security.allowed-hosts` property (see Configuration).
Rekono has a file upload feature to create custom wordlists. This kind of feature is very sensitive, so Rekono includes some countermeasures to prevent different types of attacks. One of them is a restriction on the maximum allowed file size, which can be configured in the settings page. By default, the limit is 512 MB.
Rekono includes some rate limits by default to prevent brute force attacks or any other inadequate usage of the platform:

- 100 requests/minute for anonymous users
- 300 requests/minute for authenticated users
- 30 requests/minute for login attempts
- 30 requests/minute for refresh token attempts