EuroDomenii 0 Report post Posted April 8 I don’t dispute that Blesta isn’t secured by design ( “But Blesta seems to be more secure and a nice and clean software”. http://www.webhostingtalk.com/showthread.php?t=1544179) But every application, with authenticated users, could be vulnerable, at some point, to a Cross-Site Request Forgery (CSRF) or Cross-site Scripting (XSS). The main idea of the workaround is to not store the full passwords of the modules ( registrar modules, hosting modules -Proxmox, Vultr etc), but instead store it into a third party proxy api gateway, https://konghq.com/, setup on your own server. The proxy api gateway will transform only the initial request for an authenticated token, then all the request will be forwarded unchanged. How is this different from an attacker grabbing the full password from blesta module? We can implement rate limiting at proxy level, and validate only allowed api calls ( for example deny delete requests). We’ve posted a more detailed explanation here https://forum.proxmox.com/threads/securing-third-party-application-proxmox-integration-with-proxy-api-gateway.47091/ Thank you! Quote Share this post Link to post Share on other sites
domaingood 54 Report post Posted April 8 From the source docs, you may be able to use this for client login http://source-docs.blesta.com/class-ClientLogin.html API docs https://docs.blesta.com/display/dev/API Take a look at Users::auth. Thank you Quote Share this post Link to post Share on other sites
