
Security

Pablo Santiago edited this page Mar 7, 2023 · 2 revisions

Users management

Authentication

Rekono supports different types of authentication:

  • JSON Web Token: used for user authentication from the frontend. An access_token and a refresh_token are obtained after the user logs in with basic credentials.

  • API Token: a static, long token that can be used in API requests via the header Authorization: Token <API token value>. This API token can be obtained from the user profile page:

[Image: apitoken]

  • Telegram Bot: a specific authentication flow is used for the Rekono Bot.

User creation

Rekono users can't be created directly; new users must first be invited by an administrator:

[Image: invitation]

This is done in the users page; after that, the new user receives a temporary link to create their account.

Authorization

The Rekono authorization is mainly based on RBAC (Role Based Access Control) with three different roles:

  • Administrator: they can do everything in the platform.
  • Auditor: they can execute tasks and manage hacking resources like processes, wordlists, targets and findings.
  • Reader: they can only see the execution results.

In addition to the roles, Rekono also has authorization based on project membership: only the members of a project can see or use its resources. This restriction also applies to administrators, so only the administrators included in the project members can administrate the project. Project members can be managed in the members tab of each project page:

[Image: members]

Moreover, shared resources like processes and wordlists can only be modified or removed by an administrator or by the Rekono user who created them.

Allowed hosts

Access to the Rekono backend can be restricted by origin host. This can be configured using the environment variable RKN_ALLOWED_HOSTS or the security.allowed-hosts property (see Configuration).

Maximum upload file size

Rekono has a file upload feature to create custom wordlists. This kind of feature is very sensitive, so Rekono includes some countermeasures to prevent different types of attacks. One of them is a restriction on the maximum allowed file size, which can be configured in the settings page:

[Image: filesize]

By default, the limit is 512 MB.

Rate limit

Rekono includes some rate limits by default to prevent brute force attacks or any other inappropriate usage of the platform:

  • 100 requests/minute for anonymous users
  • 300 requests/minute for authenticated users
  • 30 requests/minute for login attempts
  • 30 requests/minute for refresh token attempts
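The following is an added illustration of how these four limits combine, not Rekono's own rate limiting code: a fixed-window counter per minute, where an anonymous request is keyed by client IP, an authenticated request by user id, and login or refresh attempts additionally count against their own stricter per-IP budget. The `action` values `"login"` and `"refresh"` and the keying choices are assumptions for the example.

```python
import time
from collections import defaultdict

# Limits stated on this page, in requests per minute (illustration only).
LIMITS = {
    "anon": 100,     # anonymous users, keyed by client IP
    "user": 300,     # authenticated users, keyed by user id
    "login": 30,     # login attempts, keyed by client IP
    "refresh": 30,   # refresh token attempts, keyed by client IP
}
WINDOW = 60  # seconds per fixed window


class RateLimiter:
    """Fixed-window counter: one bucket per (scope, key, minute)."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits = limits
        self.window = window
        self.buckets = defaultdict(int)

    def allow(self, scope, key, now=None):
        """Count one request in the scope; False once the limit is reached."""
        now = time.time() if now is None else now
        bucket = (scope, key, int(now // self.window))
        if self.buckets[bucket] >= self.limits[scope]:
            return False
        self.buckets[bucket] += 1
        return True


def check_request(limiter, client_ip, user_id=None, action=None, now=None):
    """A request must pass every scope it falls into.

    All scopes are evaluated (no short-circuit) so a rejected attempt is
    still counted against the general budget.
    """
    scopes = [("user", user_id)] if user_id is not None else [("anon", client_ip)]
    if action in ("login", "refresh"):  # assumed action names
        scopes.append((action, client_ip))
    decisions = [limiter.allow(scope, key, now) for scope, key in scopes]
    return all(decisions)


def allowed_in_burst(n, client_ip, user_id=None, action=None):
    """How many of n back-to-back requests inside one window get through."""
    limiter = RateLimiter()
    return sum(check_request(limiter, client_ip, user_id, action, now=0.0)
               for _ in range(n))
```

Note that the login budget of 30 is exhausted well before the anonymous budget of 100, which is the intended brute-force protection; the general counter keeps counting the rejected attempts.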