
Penetration Testing Lesson On Bubble

I think it would be quite good to have a lesson or a basic resource that is specific to allow us to pen-test our own apps and related privacy settings, as if we were a hacker.

I would like to be able to understand + test the fields that are viewable (or not viewable) with my privacy settings to see how it looks to these hackers to better protect and test the privacy settings within Bubble to ensure that all bases are covered, and I fully understand what can and cannot be seen to others, and how that data is displayed.

The privacy settings are OK but you can only test what is viewable on the live website, not as if you were a hacker skilled in retrieving the data in the fashion that Bubble is hopefully protecting.

4 Likes

Well, one thing you can do is create a page that has a repeating group with a search that returns everything / every field for a given type. Then you can view that page as different users – logged in, logged out, etc., to see what each user can see. To avoid making it too easy for other people to use the page to see the data, you can hide the repeating group until someone enters a password on the page (this doesn’t add real security against a hacker, but it prevents someone casually seeing the data).

We’ll think about making this a built-in feature if people find it worthwhile.

7 Likes

Question: Would the combination of (1) redirect when not logged in, (2) workflow restrictions, and (3) displaying data with constraints (i.e. A repeating group of Post where Post_Creator = Current User) be enough to prevent unrestricted data viewing? Or would we need to implement an additional security layer via the privacy setting?

Thanks in advance!

EDIT: So looking over the documentation and forum, would it be fair to assume that the Privacy Tab helps us set conditions at large and save time for larger applications while individual page/workflow constrictions are good for smaller data manipulation?

I think that more emphasis on security would be a benefit especially for a larger app or a SaaS client.

Clear documentation or a lesson would be very good to have along with the ability to search and display things as or even “preview” the security settings themselves… All it would take is a standard page that calls the Type based on the current Privacy settings set.

1 Like

Privacy settings are necessary to protect data against unauthorized viewing, because (3) only offers protection against non-technical users… a sufficiently technical hacker could run the queries without the restrictions. Privacy settings are a way of applying constraints to every single search that are enforced with no exceptions (we do the enforcement of privacy rules on the web server, not in the web browser).

For workflows, the rule of thumb is that the condition of the workflow is always double-checked on the server, so if you add conditions to your workflows that enforce your access rules, that’s sufficient to prevent someone running the workflow maliciously – no need for additional privacy settings.

3 Likes
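A toy model of the two posts above, added here as an example and not Bubble's own code: a server-side search whose client-supplied constraint (the repeating group's "Post_Creator = Current User" filter) can simply be omitted, run with and without a privacy rule, plus the "view everything as this user" page from the earlier reply. The Post type, the sample users and records, and the rule function are constructed assumptions for illustration.

```python
"""Why a client-side search constraint is not a security boundary while a
server-enforced privacy rule is. Sample data and the Post type are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    email: str

@dataclass
class Post:
    title: str
    creator: str   # email of the creator
    notes: str     # private field: only the creator should ever see it

# Constructed sample records (hypothetical users and posts).
POSTS = [
    Post("Alice's post", "alice@example.com", "alice secret"),
    Post("Bob's post", "bob@example.com", "bob secret"),
    Post("Bob's second post", "bob@example.com", "bob secret 2"),
]

def post_privacy_rule(post, current_user):
    """Stand-in for a Privacy tab rule: (fields the current user may view,
    whether the record is findable in searches)."""
    if current_user is not None and post.creator == current_user.email:
        return {"title", "creator", "notes"}, True   # creator sees every field
    return {"title", "creator"}, True                # everyone else: no notes

def search_posts(current_user, client_constraint=None, enforce_privacy=True):
    """Server-side search. client_constraint mimics a page-level filter that a
    technical user can drop; enforce_privacy applies the rule regardless."""
    results = []
    for post in POSTS:
        if client_constraint is not None and not client_constraint(post):
            continue
        if not enforce_privacy:
            results.append(vars(post).copy())        # full record leaks
            continue
        visible, findable = post_privacy_rule(post, current_user)
        if findable:
            results.append({k: v for k, v in vars(post).items() if k in visible})
    return results

def run_as(current_user):
    """The 'view the data as this user' page: everything that user can see."""
    return search_posts(current_user)

def leaked_notes(current_user, **kwargs):
    """Titles of records whose private notes are visible to a non-creator;
    an empty list is the pass condition for a per-account check."""
    me = current_user.email if current_user else None
    return [r["title"] for r in search_posts(current_user, **kwargs)
            if "notes" in r and r["creator"] != me]
```

Running `leaked_notes` for each account (logged out included) is the per-user check the thread asks for: it only comes back empty when the rule is enforced on the server.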

We’re actually working on a feature to let you view the app as any one of your users, to make it easy to preview various privacy settings.

I agree with “I think that more emphasis on security would be a benefit especially for a larger app or a SaaS client”. We try not to hit new users with too much security info out of the box to keep the learning curve mild, but as people start building more serious apps, it’s important to make them secure. We’re going to be constantly improving our resources here, and if anyone has any questions about whether or not something is secure, please reach out – we’re happy to help!

5 Likes

Yes. Opens me up to big liability if I don’t do something right. Especially considering I’m handling personal information and payment/payout information…

We just deployed the “Run as” feature.

See

3 Likes

You’re fast!!!

FYI, I use a service called Test Anywhere. I create tests for each of those accounts and then can run them automatically to make certain each user accesses what they are supposed to correctly. One of the best features I appreciate is the ability to easily create tests and record videos of whenever a failure occurs. The free plan is pretty robust, allowing for up to 1000 tests per month. Might be worth taking a look at for you.

3 Likes