huanld/tailscale-custom
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases 2 Wiki Activity
Files
2fb067ecbf44484cd240ce4a4ab187eca537b746
tailscale-custom/.agent/skills/api-patterns/security-testing.md
T
huanld 2fb067ecbf
checklocks / checklocks (push) Has been cancelled
Details
CodeQL / Analyze (go) (push) Has been cancelled
Details
natlab-integrationtest / natlab-integrationtest (push) Has been cancelled
Details
CI / gomod-cache (push) Has been cancelled
Details
CI / race-root-integration (1/4) (push) Has been cancelled
Details
CI / race-root-integration (2/4) (push) Has been cancelled
Details
CI / race-root-integration (3/4) (push) Has been cancelled
Details
CI / race-root-integration (4/4) (push) Has been cancelled
Details
CI / test (-race, amd64, 1/3) (push) Has been cancelled
Details
CI / test (-race, amd64, 2/3) (push) Has been cancelled
Details
CI / test (-race, amd64, 3/3) (push) Has been cancelled
Details
CI / test (386) (push) Has been cancelled
Details
CI / test (amd64) (push) Has been cancelled
Details
CI / Windows (benchmarks) (push) Has been cancelled
Details
CI / Windows (1/2) (push) Has been cancelled
Details
CI / Windows (2/2) (push) Has been cancelled
Details
CI / macos (push) Has been cancelled
Details
CI / privileged (push) Has been cancelled
Details
CI / vm (push) Has been cancelled
Details
CI / cross (386, linux) (push) Has been cancelled
Details
CI / cross (amd64, darwin) (push) Has been cancelled
Details
CI / cross (amd64, freebsd) (push) Has been cancelled
Details
CI / cross (amd64, openbsd) (push) Has been cancelled
Details
CI / cross (amd64, windows) (push) Has been cancelled
Details
CI / cross (arm, 5, linux) (push) Has been cancelled
Details
CI / cross (arm, 7, linux) (push) Has been cancelled
Details
CI / cross (arm64, darwin) (push) Has been cancelled
Details
CI / cross (arm64, linux) (push) Has been cancelled
Details
CI / cross (arm64, windows) (push) Has been cancelled
Details
CI / cross (loong64, linux) (push) Has been cancelled
Details
CI / ios (push) Has been cancelled
Details
CI / crossmin (amd64, illumos) (push) Has been cancelled
Details
CI / crossmin (amd64, plan9) (push) Has been cancelled
Details
CI / crossmin (amd64, solaris) (push) Has been cancelled
Details
CI / crossmin (ppc64, aix) (push) Has been cancelled
Details
CI / android (push) Has been cancelled
Details
CI / wasm (push) Has been cancelled
Details
CI / tailscale_go (push) Has been cancelled
Details
CI / fuzz (push) Has been cancelled
Details
CI / depaware (push) Has been cancelled
Details
CI / go_generate (push) Has been cancelled
Details
CI / make_tidy (push) Has been cancelled
Details
CI / licenses (push) Has been cancelled
Details
CI / staticcheck (macOS) (push) Has been cancelled
Details
CI / staticcheck (Linux) (push) Has been cancelled
Details
CI / staticcheck (Windows) (push) Has been cancelled
Details
CI / staticcheck (Portable (1/4)) (push) Has been cancelled
Details
CI / staticcheck (Portable (2/4)) (push) Has been cancelled
Details
CI / staticcheck (Portable (3/4)) (push) Has been cancelled
Details
CI / staticcheck (Portable (4/4)) (push) Has been cancelled
Details
CI / notify_slack (push) Has been cancelled
Details
CI / merge_blocker (push) Has been cancelled
Details
CI / check_mergeability_strict (push) Has been cancelled
Details
CI / check_mergeability (push) Has been cancelled
Details
Dockerfile build / deploy (push) Has been cancelled
Details
test installer.sh / test (curl, alpine:3.21) (push) Has been cancelled
Details
test installer.sh / test (curl, alpine:edge) (push) Has been cancelled
Details
test installer.sh / test (curl, alpine:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, amazonlinux:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, archlinux:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:oldstable-slim) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:sid-slim) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:stable-slim, 1.80.0) (push) Has been cancelled
Details
test installer.sh / test (curl, debian:testing-slim) (push) Has been cancelled
Details
test installer.sh / test (curl, elementary/docker:stable) (push) Has been cancelled
Details
test installer.sh / test (curl, elementary/docker:unstable) (push) Has been cancelled
Details
test installer.sh / test (curl, fedora:latest, 1.80.0) (push) Has been cancelled
Details
test installer.sh / test (curl, kalilinux/kali-dev) (push) Has been cancelled
Details
test installer.sh / test (curl, kalilinux/kali-rolling) (push) Has been cancelled
Details
test installer.sh / test (curl, opensuse/leap:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, opensuse/tumbleweed:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, oraclelinux:8) (push) Has been cancelled
Details
test installer.sh / test (curl, oraclelinux:9) (push) Has been cancelled
Details
test installer.sh / test (curl, parrotsec/core:latest) (push) Has been cancelled
Details
test installer.sh / test (curl, rockylinux:8.7) (push) Has been cancelled
Details
test installer.sh / test (curl, rockylinux:9) (push) Has been cancelled
Details
test installer.sh / test (curl, ubuntu:20.04) (push) Has been cancelled
Details
test installer.sh / test (curl, ubuntu:22.04) (push) Has been cancelled
Details
test installer.sh / test (curl, ubuntu:24.04, 1.80.0) (push) Has been cancelled
Details
test installer.sh / test (wget, debian:oldstable-slim) (push) Has been cancelled
Details
test installer.sh / test (wget, debian:sid-slim) (push) Has been cancelled
Details
update-flake / update-flake (push) Has been cancelled
Details
tailscale.com/cmd/vet / vet (push) Has been cancelled
Details
test installer.sh / notify-slack (push) Has been cancelled
Details
feat: security hardening, production roadmap, admin panel v1 
Client security fixes (cmd/tailscale-tray/main.go):
- SSRF protection in Add Server dialog (validateControlURL): reject
  private/loopback/link-local/cloud-metadata IPs via DNS resolution
- RCE gate on AuthURL/BrowseToURL exec paths (validateAuthURL)
- Sanitized URL logging (sanitizeURLForLog drops query auth tokens)
- Error handling on exec.Command with user-facing showError()

Admin panel security (web-admin):
- Bcrypt password hashing (replaces SHA256)
- Rate limiting: 5 failed logins → 15-min lockout
- Session + login attempt cleanup goroutine (hourly)
- url.QueryEscape / encodeURIComponent for all API params
- Fail-hard startup when no TLS and non-loopback bind
- ADMIN_PASSWORD required (no default), password min 12 chars
- Username regex whitelist

Installer hardening (Setup.wxs):
- util:PermissionEx restricts SCM access: only Administrators +
  SYSTEM can start/stop/reconfigure service. Authenticated Users
  limited to QueryStatus/QueryConfig/Interrogate
- Vital="yes" on ServiceInstall

Docs & roadmap:
- PRODUCTION_ROADMAP.md: 5-milestone plan (security + features +
  distribution + ops) with granular tasks, effort, done-when
- CLIENT_SECURITY_AUDIT.md, SECURITY_FIXES.md, DEPLOYMENT.md
- AI assistant rules (.cursorrules, .antigravityrules, etc.)

Build & distribution:
- build-msi.ps1, deploy-and-sign.ps1, sign-release.ps1
- redeploy.ps1, tray-deploy.ps1, test-msi.ps1
- installer/msi/ alternative WXS setup
- Restored .github/workflows/ removed in mirror cleanup

.gitignore hardened: *.pfx, *.p12, *.key, *.pem, .env*
2026-04-22 15:18:11 +07:00

2.8 KiB
Raw Blame History

API Security Testing

Principles for testing API security. OWASP API Top 10, authentication, authorization testing.

OWASP API Security Top 10

Vulnerability Test Focus
API1: BOLA Access other users' resources
API2: Broken Auth JWT, session, credentials
API3: Property Auth Mass assignment, data exposure
API4: Resource Consumption Rate limiting, DoS
API5: Function Auth Admin endpoints, role bypass
API6: Business Flow Logic abuse, automation
API7: SSRF Internal network access
API8: Misconfiguration Debug endpoints, CORS
API9: Inventory Shadow APIs, old versions
API10: Unsafe Consumption Third-party API trust

Authentication Testing

JWT Testing

Check What to Test
Algorithm None, algorithm confusion
Secret Weak secrets, brute force
Claims Expiration, issuer, audience
Signature Manipulation, key injection

Session Testing

Check What to Test
Generation Predictability
Storage Client-side security
Expiration Timeout enforcement
Invalidation Logout effectiveness

Authorization Testing

Test Type Approach
Horizontal Access peer users' data
Vertical Access higher privilege functions
Context Access outside allowed scope

BOLA/IDOR Testing

  1. Identify resource IDs in requests
  2. Capture request with user A's session
  3. Replay with user B's session
  4. Check for unauthorized access

Input Validation Testing

Injection Type Test Focus
SQL Query manipulation
NoSQL Document queries
Command System commands
LDAP Directory queries

Approach: Test all parameters, try type coercion, test boundaries, check error messages.

Rate Limiting Testing

Aspect Check
Existence Is there any limit?
Bypass Headers, IP rotation
Scope Per-user, per-IP, global

Bypass techniques: X-Forwarded-For, different HTTP methods, case variations, API versioning.

GraphQL Security

Test Focus
Introspection Schema disclosure
Batching Query DoS
Nesting Depth-based DoS
Authorization Field-level access

Security Testing Checklist

Authentication:

  • Test for bypass
  • Check credential strength
  • Verify token security

Authorization:

  • Test BOLA/IDOR
  • Check privilege escalation
  • Verify function access

Input:

  • Test all parameters
  • Check for injection

Config:

  • Check CORS
  • Verify headers
  • Test error handling

Remember: APIs are the backbone of modern apps. Test them like attackers will.

Reference in New Issue View Git Blame Copy Permalink