SecMark - Posts

Basics of Reporting Vulnerabilities incl. Report Template

by Markus on 22-02-2025

When I first started bug hunting, it was still fairly unclear what you should include in your vulnerability reports, especially if you don't have a reporting platform with required fields.

I've been doing this on and off for some time now, and I decided to create a template for reports that end up being filed via email.

 

First things first: most companies have public-facing email addresses (PR, press, contact, etc.) and contact forms that are useful for initiating first contact. Before you fall back on those, check for a published disclosure policy or a security.txt file (https://example.com/.well-known/security.txt, per RFC 9116), which names the security contact directly when it exists.
Don't send the report itself through the generic channels unless you know it will reach the right people; in some cases they are staffed by a third-party customer support team somewhere down the supply chain, with no direct line to the security team of the company you are reporting to. Instead, let them know that you have found a vulnerability with severity rating X and that you would like a contact for, or to be contacted by, the information security team.
Getting through these channels can take days to weeks (usually just days); patience is a virtue.

 

When you have the right person on the line, send the report. But do note: if you have a critical RCE or SQLi vulnerability that may expose a large amount of personal data, it is also worth considering end-to-end encryption of the email (for example PGP, using the public key the security contact publishes) to protect the communication. I will not cover that here.

 

Please remove the example details from the template below before using it 😅

 

TEMPLATE:
Vulnerability Type(s):

[List the vulnerability class(es) involved in this single finding; this can be anything from a misconfiguration or an open redirect to an RCE. A CWE ID helps the receiving team triage.]

Open Redirect (CWE-601: URL Redirection to Untrusted Site)

 

Vulnerable Assets:

[List the affected assets here; this list could contain anything from individual URLs to the installed server components affected.]

https://example.com/webshop/checkout-cancel?redirect=

 

Description:

[Explain the vulnerabilities and their impact in DETAIL, and explain the path you took to reach the vulnerability. This section can be long and should stay centered on the problem(s) found. Include the exact request(s) you sent and the relevant part of the response (for an open redirect, the Location header) so the reader can reproduce the issue without guessing.]

I was shopping on your website and was about to check out when I remembered another product I still needed to add to my cart, so I cancelled the process. While doing so, I noticed that the cancel button performs a redirect.

I tested putting arbitrary URLs in the redirect parameter, and it appears to allow redirection to any URL.

 

POC Exploit:

[If an exploit is available, ask how the customer prefers it to be delivered; attaching a zip or a script file to an email may just end up in quarantine.]

I will not be providing an exploit for this vulnerability, as it is easy for you to reproduce; instead, I'll describe an example attack scenario:

  1. The domain exampie.com is currently free and can be used to typosquat your domain (social engineering)
  2. Set up email records for this domain and generate a rewards email from your webshop's template, telling recipients they have been rewarded product X; I can take the template and the product details directly from your previous marketing campaign emails from date xx.xx.xxxx (social engineering)
  3. Set up a copy of your login page to harvest users' credentials (phishing)
  4. After login, forward them to a form for shipping details (phishing)
  5. After the shipping details, forward them to a postage page asking for credit card details (phishing)

 

The attacker walks away with: username, password, home address, credit card.

The open redirect is what makes this scenario work: the phishing link starts with your legitimate domain, which lends it credibility with users and gets it past filters that judge links by their domain.


Recommended Remediation Options:

[Add X number of examples of how this should and could be fixed, detailing possible dependencies or affected components if known.]

It is recommended that redirect functions only accept targets from an allow list of known destinations (or relative paths on your own site) that fulfils your operational needs, and replace anything else with a safe default. [If you have identified their web framework, link its documentation on safe redirects here.]
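To make the remediation concrete, an added example (not part of the original post or the template): the vulnerable pattern beside an allow-list check, written with the Python standard library only so it runs anywhere. The hosts, base URL and fallback path are assumptions for the example, and the checks are ordered so that the parser-differential cases (protocol-relative targets, backslashes, userinfo, look-alike hosts) are rejected before anything is resolved.

```python
from urllib.parse import urljoin, urlsplit

# Assumptions for this example: the shop is served from these hosts and the
# safe fallback is the cart page. Load both from configuration in real code.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SITE_BASE = "https://example.com"
SAFE_DEFAULT = "/webshop/cart"


def vulnerable_redirect_target(redirect_param):
    """The pattern behind the finding: the value of ?redirect= is handed to the
    HTTP redirect untouched, so any URL the attacker chooses becomes the target."""
    return redirect_param


def safe_redirect_target(redirect_param):
    """Return an absolute URL on an allow-listed host, or SAFE_DEFAULT.

    String checks run before parsing because browsers and urlsplit() disagree on
    edge cases: '///evil.example' and '/\\evil.example' are a new authority to a
    browser but a plain path to urlsplit(), and urljoin() would then keep the
    original host and make the target look safe.
    """
    if not redirect_param:
        return SAFE_DEFAULT
    # Whitespace, control characters and backslashes have no business in a
    # redirect target; they are the raw material for parser-differential bypasses.
    if not redirect_param.isprintable() or any(ch in redirect_param for ch in " \\"):
        return SAFE_DEFAULT
    # Protocol-relative ('//evil.example') and multi-slash forms, rejected as text.
    if redirect_param.startswith("//"):
        return SAFE_DEFAULT

    try:
        parts = urlsplit(redirect_param)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return SAFE_DEFAULT

    if parts.scheme or parts.netloc:
        # Absolute URL: https only, no userinfo ('https://example.com@evil.example'),
        # default port only, and the exact host must be on the allow list, which also
        # rejects look-alikes such as 'https://example.com.evil.example'.
        if (
            parts.scheme != "https"
            or parts.username is not None
            or parts.password is not None
            or port not in (None, 443)
            or parts.hostname not in ALLOWED_HOSTS
        ):
            return SAFE_DEFAULT
        return redirect_param

    # Relative target: exactly one leading slash, resolved against our own base.
    if not parts.path.startswith("/"):
        return SAFE_DEFAULT
    return urljoin(SITE_BASE, redirect_param)
```

In the shop's cancel handler the change is to pass the parameter through safe_redirect_target() before handing it to the framework's redirect call. A short allow list is usually enough; if the business needs more destinations, keep the list in configuration and review additions rather than loosening the check.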

 

[Additional Notes]

 

Hope to hear from you in the near future 😊

 

[Signature]




Azure Web App: Handling Files with SSH

by Markus on 09-02-2025

As I was deploying this application, my only concern was how to actually handle deployment of patches, as my database lives inside the application container itself, which you cannot access via Kudu, and any further deployment would just overwrite all database contents.

1) Open Azure Cloud Shell in the Windows Terminal application; it is a built-in component, so there is nothing to install.


2) Authenticate to your tenant using device login and select your tenant by entering the desired tenant number.


3) When the shell opens, run the following command (the trailing & keeps the tunnel running in the background of the same shell):
az webapp create-remote-connection --subscription [SubscriptionID] --resource-group [ResourcegroupName] -n [AppName] &


4) This opens a tunneled SSH connection to the web app resource. Once the command reports that the tunnel is ready (it prints the local port it is listening on), you can use the same shell to ssh to root@127.0.0.1 on that port.


5) During the SSH negotiation you may run into a MAC error ("no matching MAC found"); the error lists the MAC the server offers, so just pass that MAC explicitly in the ssh command (with -m or -o MACs=). After this you'll be prompted for the root password, which is "Docker!". That fixed password is the documented one for App Service's built-in SSH; it is acceptable only because the container's sshd is not exposed to the internet and is reachable solely through this Azure-authenticated tunnel (or the portal's web SSH).


You now have a shell inside the container, in your website's actual working directory; you can confirm this by running "ls".


To make a copy of your database, just run "cp database.db /home/" and the file is copied to your Kudu home (/home is the persistent storage share mounted into the container), which you can then access directly in your browser through the Kudu file manager on your default domain name:
https://[AppName].scm.[Region].azurewebsites.net/newui/fileManager
Ex: https://examplewebapp.scm.westeurope-01.azurewebsites.net/newui/fileManager
Note that anything you park in /home persists across deployments and is readable by anyone with Kudu (SCM) access, so delete the copy once you have downloaded it.

 

Now you can download the copy into your dev environment and proceed with whatever update or patch you are running.
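The steps above as a script, added here as an example that is not part of the original post: it pins the tunnel to a fixed local port with the command's -p option so nothing has to be read off the output, waits until the port actually accepts connections, passes the MAC explicitly, and adds a way to stream the database out over the tunnel with cat instead of parking a copy in /home. The MAC name (hmac-sha1), the local port (2222) and the remote path are assumptions; substitute what the ssh error message and "pwd" inside the container show you.

```python
import shlex
import socket
import subprocess
import sys
import time

# Assumptions for this example: App Service's sshd offers hmac-sha1 (take the name
# from the "Their offer:" part of the error if yours differs), and a fixed local
# port is used for the tunnel so nothing has to be read off the command's output.
DEFAULT_MAC = "hmac-sha1"
LOCAL_PORT = 2222


def az_tunnel_command(subscription, resource_group, app_name, local_port=LOCAL_PORT):
    """The tunnel command from step 3, with -p pinning the local listening port."""
    return ["az", "webapp", "create-remote-connection",
            "--subscription", subscription, "--resource-group", resource_group,
            "-n", app_name, "-p", str(local_port)]


def wait_for_port(port, timeout=60.0):
    """Poll until something accepts connections on 127.0.0.1:port (the tunnel is up)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def ssh_command(local_port, remote_command=None, mac=DEFAULT_MAC):
    """ssh to the loopback end of the tunnel (step 5). Host-key checks are turned off
    because the peer is 127.0.0.1 on a port az opened after authenticating you to
    Azure, and each App Service instance has its own host key, which would otherwise
    trigger "host identification has changed" errors on every new instance."""
    cmd = ["ssh", "-o", f"MACs={mac}",
           "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no",
           "-p", str(local_port), "root@127.0.0.1"]
    if remote_command:
        cmd.append(remote_command)
    return cmd


def pull_file_command(local_port, remote_path, local_path, mac=DEFAULT_MAC):
    """Shell line that streams a file out of the container with cat over ssh, so no
    copy has to be parked in /home where it would persist and be readable via Kudu."""
    ssh = ssh_command(local_port, "cat " + shlex.quote(remote_path), mac)
    return " ".join(shlex.quote(part) for part in ssh) + " > " + shlex.quote(local_path)


def kudu_file_manager_url(app_name, region_suffix=None):
    """Kudu file manager URL from the post; newer apps carry a region label such as
    'westeurope-01' in the default hostname, older ones do not."""
    host = (f"{app_name}.scm.{region_suffix}.azurewebsites.net" if region_suffix
            else f"{app_name}.scm.azurewebsites.net")
    return f"https://{host}/newui/fileManager"


if __name__ == "__main__":
    # Usage: python appservice_ssh.py <SubscriptionID> <ResourcegroupName> <AppName>
    # Opens the tunnel in the background, waits for it, then drops you into the
    # interactive session (root password: Docker!). Exiting ssh tears the tunnel down.
    subscription, resource_group, app_name = sys.argv[1:4]
    tunnel = subprocess.Popen(az_tunnel_command(subscription, resource_group, app_name))
    try:
        if not wait_for_port(LOCAL_PORT):
            sys.exit(f"tunnel did not come up on 127.0.0.1:{LOCAL_PORT}")
        subprocess.call(ssh_command(LOCAL_PORT))
    finally:
        tunnel.terminate()
```

To fetch the database without the /home detour, run the line returned by pull_file_command(2222, "<absolute path shown by pwd in the container>/database.db", "database.db") in the same Cloud Shell while the tunnel is up; you get the same password prompt. Whichever way you copy it, a SQLite file copied while the app is writing to it can be inconsistent, so stop the app (or at least pick a quiet moment) before taking the copy, and delete any copy you left under /home once it is downloaded.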

 

Hope this helped!




Finally Got This Site Hosted!

by Markus on 19-01-2025

Hello World! (sorry)

It was approximately 8 months ago that I started coding this website, and after a couple of weeks of hitting my face against a wall with CSS, I was done and ready to move on to TESTing. I went digging through my PC graveyard and found a decent one for a testing server, something along the lines of an Athlon X4 with 4 GB of DDR2.

 


The Framework and DEV

 

Although I've been programming here and there for years, it has been limited to Python, so I was pretty much left with two options: Django or Flask.
I had built a Django site for a job interview close to 9 years ago, and between struggling with the lack of documentation back then and knowing the scale of the website I was planning to build, I naturally leaned towards Flask.

 

Knowing it had been close to a decade since the last one, I decided to start by looking for a suitable tutorial, fortunately Flask themselves provided one:
https://flask.palletsprojects.com/en/stable/tutorial/
Following this tutorial, I got to a point where I could actually start altering the code to my individual needs: expanding and adjusting the database, including other modules, improving the functions for stability, and creating new ones to implement additional functionality. Pretty much recreating the entire thing block by block.

 

After this began my couple-day struggle with CSS... we don't talk about that, please don't look.
And we were done with DEV.

 


The TEST struggle.

 

This being my first time pushing a website to prod, I struggled a lot; I ended up spending several hours just reading documentation on the different options to evaluate what I should actually go with.
I ended up going with an nginx -> Gunicorn reverse proxy setup.
https://flask.palletsprojects.com/en/stable/deploying/

 

Installing the servers and migrating the data was the easy part; then came the struggle of actual debugging. Due to the immense amount of bad write-ups and outdated documentation, actually configuring the servers took hours. I really got sick and tired of pointing IPs and ports around, configuring domain names, hand-writing cfg files, and making uneducated judgements based on outdated documentation about how the implementation should actually be done in my environment, etc. I truly hope I don't have to do this again for a really long time.

 

But after a while I was actually able to get my server up and running in the internet.

 


How to PROD?

 

Actually getting here took those 8 months or so; ignoring the obvious procrastination, it took me some consideration as to what the approach would be. Of course I could host this at home, but at what price? Considering that my wife and I both work from home with sensitive materials, I would need to properly segregate the networks, and the price tag of additional non-EOL network hardware on top of my existing consumer-level setup would be in the four digits, not even counting the electricity and other implicit costs of hardware maintenance.
Picture of my home network for reference so you get the gist:

Here comes the procrastination: having just struggled with the TEST deployment, I was expecting as much when it came to cloud deployments, but after several months I finally decided to start looking at deploying. Being already familiar with Microsoft Azure, I didn't really even evaluate other options.
After watching a few videos of how people had deployed Flask to Azure, a few concerns immediately came to mind, primarily about the project structure. My structure at the time was something like this (obviously a rough example):
Flask Project Root> tree
.
├── venv
├── DB
│   └── database
├── Appfiles
│   ├── Static
│   │   └── site.css
│   ├── Sitehtml
│   │   └── index.html
│   ├── BackendCodeX.py
│   ├── BackendCodeY.py
│   ├── BackendCodeZ.py
│   └── schema
├── requirements.txt
└── x.toml

What these videos had in common was that all the files required for the application deployment resided in the same structure, in comparison to mine, where some of the required directories were in the project root.
Even with this in mind, I decided to just set up the App Service web app and deploy via VS Code, and immediately ran into an error with the "--no-dev" parameter; the first search for the error took me to Microsoft's GitHub issues section https://github.com/microsoft/Oryx/issues/2557 :
"Update: The rollout is progressing smoothly, and if everything continues on track, we should be able to complete it across all regions and clouds by early January 21st."
In my case this was actually fixed by properly building the requirements.txt file, which I had accidentally forgotten.

 

The second deployment attempt was all green, but for some reason the azurewebsites URL still took me to the default page. Something weird was going on; after reading through the logs I found "No framework detected; using default app from /opt/defaultsite", which led me on a long Googling rampage, and I eventually found that the most common reason is a missing "gunicorn" in requirements.txt. This is of course even "mentioned" in the Flask deployment link above ("You'll probably need to Tell Flask it is Behind a Proxy when using most hosting platforms."), which of course I hadn't even visited before starting to write this article.

Yet I was still getting the same "No framework detected;" error; I tried random deployments in different orders and structures until I eventually just stopped to breathe, read, and analyze the documentation.

 

 

THE FIX


I made a totally new folder and cloned the Microsoft's sample site and deployed it: https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart
Everything worked great, and the deployment logs showed that the Flask framework was detected.

 

 

THE ROOT CAUSE (suspected)


if __name__ == '__main__':
   app.run()

After analysing the code side by side, the only difference was that I didn't have this kind of standard run statement; during earlier debugging I had even read that someone had to remove this because Microsoft was doing it automatically and it was causing errors in their code.
My code basically just returned the app from __init__.py, never calling run.

 

So I ended up scrapping the Microsoft sample's files, leaving only the main app file, and carefully replacing its contents with the contents of my __init__ file while ensuring that the app object could still be called by the app.run() method.
After this I decided to do a test deployment, knowing that the code itself wouldn't work, just to ensure that the framework detection still worked, and it was all green!
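A preflight check for the two failure modes in this post (no requirements.txt or no gunicorn in it, and no entry file App Service recognises), added here as an example; it is not code from the post or from Microsoft's sample. It encodes the rule from the App Service Python docs: the default startup looks for app.py or application.py at the project root exposing a module-level Flask object named app and runs gunicorn against it (Django is recognised via wsgi.py). A project that only provides the tutorial's create_app() factory in a package __init__.py is exactly what the default startup cannot find, and for that case the check prints the gunicorn startup command that would run the factory without restructuring the project. The file names and contents in the test are constructed.

```python
import re
from pathlib import Path

# Per the App Service "Configure a Linux Python app" docs: the default startup
# looks for app.py or application.py exposing a Flask object named `app` and runs
# gunicorn against it. Finding nothing produces the "No framework detected; using
# default app from /opt/defaultsite" message seen in the post.
FLASK_ENTRYPOINTS = ("app.py", "application.py")
SKIP_DIRS = {"venv", ".venv", ".git", "__pycache__", "node_modules"}
TEXT_SUFFIXES = {".py", ".txt", ".toml", ".cfg", ".ini"}


def load_project(root):
    """Read a project tree into {relative posix path: text}, skipping venvs and .git."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if path.is_dir() or SKIP_DIRS.intersection(rel.parts) or path.suffix not in TEXT_SUFFIXES:
            continue
        files[rel.as_posix()] = path.read_text(encoding="utf-8", errors="replace")
    return files


def requirement_names(text):
    """Package names from a requirements.txt, ignoring versions, extras, markers, comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.add(m.group(0).lower().replace("_", "-"))
    return names


def module_name(relpath):
    """'flaskr/__init__.py' -> 'flaskr', 'app.py' -> 'app', 'pkg/web.py' -> 'pkg.web'."""
    parts = list(Path(relpath).with_suffix("").parts)
    if parts[-1] == "__init__":
        parts.pop()
    return ".".join(parts)


def preflight(files):
    """Return the problems that would make App Service ignore the app and serve the default site."""
    problems = []
    req = files.get("requirements.txt")
    if req is None:
        problems.append("no requirements.txt at the project root: the build will not treat this as a Python app")
    else:
        names = requirement_names(req)
        if "gunicorn" not in names:
            problems.append("requirements.txt does not list gunicorn, which the default startup command runs")
        if "flask" not in names:
            problems.append("requirements.txt does not list flask")
    entry = next((f for f in FLASK_ENTRYPOINTS if f in files), None)
    if entry is None:
        factories = [f for f, src in files.items() if re.search(r"^def create_app\(", src, re.M)]
        hint = ""
        if factories:
            hint = (f"; {factories[0]} defines create_app(), so either expose a module-level app "
                    f"or set the startup command to: gunicorn --bind=0.0.0.0 --timeout 600 "
                    f"'{module_name(factories[0])}:create_app()'")
        problems.append("no app.py or application.py at the project root" + hint)
    elif not re.search(r"^app\s*=", files[entry], re.M):
        problems.append(f"{entry} does not define a module-level object named app")
    return problems


if __name__ == "__main__":
    # Usage: run from the project root before deploying; exit status 1 on problems.
    found = preflight(load_project("."))
    print("\n".join(found) if found else "ok: App Service should detect this Flask app")
    raise SystemExit(1 if found else 0)
```

For the factory case, the printed gunicorn command is what goes into the web app's startup command (az webapp config set --startup-file "..."), which is the alternative to moving the code into an app.py. The check says nothing about app.run(); App Service never calls it, since gunicorn imports the module and serves the app object directly.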

 

Next I spent a good amount of time just reading through all the project files and fixing module calls and directory references to the logical paths where they would reside after deployment.
And after a few failed deployments and errors caused by the DB connections or paths, I finally saw the site deployed! WOOP WOOP!

 

Now the hard part was done!

 

The only thing I still had issues with was the SSL certificate for the custom domain: because I do DEV on Windows I didn't have easy access to openssl and had to install extra tooling to convert the private key and certificate file into a PFX for Azure, and then I was in business!

 

Now the only thing I need to worry about is that within these 8 months I've done some updates directly on TEST, while I did the deployment from the DEV code; well, I guess I'll run into something eventually if that's the case :D

 

If you got this far, thank you for reading! If you have any questions please hit me up in Bluesky or via email and I'll happily answer.
 




Credits:

User-interface icons created by Rizki Ahmad Fauzi - Flaticon