Computers, Programming, Technology, Music, Literature

Client Side Storage Security and Sensitive Information


Storing ‘Sensitive Information’ on the client side is a very risky idea. The definition of ‘Sensitive Information’ differs from one application, business or context to another.

| | HTML5 localStorage | HTML5 sessionStorage | Cookies |
|---|---|---|---|
| Ideal for storing sensitive information | No | No | No |
| Ideal for storing sensitive information with encryption | Client-side encryption can be highly complex to implement and is not safe enough compared to server-side encryption. Read more in the “Encryption Options” section below. | Client-side encryption can be highly complex to implement and is not safe enough compared to server-side encryption. Read more in the “Encryption Options” section below. | Client-side encryption can be highly complex to implement and is not safe enough compared to server-side encryption. Read more in the “Encryption Options” section below. |
| Persistence | Until the item is explicitly cleared with the localStorage.removeItem API | Until the browser/tab is closed | Based on the date/time set via the expires attribute of the Set-Cookie response header |
| Expiration | No predefined expiration time; the data has to be explicitly cleared with the localStorage.removeItem API. Also when the browser history is cleared (Ctrl + Shift + Delete) | When the browser/tab is closed. Also when the browser history is cleared (Ctrl + Shift + Delete) | When the browser/tab is closed, for session cookies (cookies that do not have the expires attribute set via the Set-Cookie response header). Also when the browser history is cleared (Ctrl + Shift + Delete) |
| Ideal for storing session tokens (session identifiers, OAuth tokens, JWTs) | No (it can be compromised via an XSS attack) | No (it can be compromised via an XSS attack) | Yes, provided the following cookie flags are set: httpOnly, secure, samesite=lax or samesite=strict |
| Sent with every web request for a matching domain? | No | No | Yes |
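The cookie column of the table, as an added example that is not part of the original post: a small Node.js audit of Set-Cookie headers that reports which of the flags required for a session cookie (httpOnly, secure, samesite=lax or samesite=strict) are missing. The response headers below are constructed for the demo.

```javascript
// Added example, not code from the original post: audit Set-Cookie headers for
// the flags the table requires before a cookie may carry a session token.
// Attribute names are matched case-insensitively, as browsers do.
const REQUIRED_SAMESITE = new Set(['lax', 'strict']);

// Split one Set-Cookie header value into the cookie name/value and its attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim(); // flag attrs map to true
  }
  return { name, value, attrs };
}

// Report which of HttpOnly, Secure and SameSite=Lax/Strict a session cookie lacks.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in attrs)) {
    findings.push('missing HttpOnly: document.cookie exposes it to any script on the page (XSS)');
  }
  if (!('secure' in attrs)) {
    findings.push('missing Secure: the browser will also send it over plain HTTP');
  }
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (!REQUIRED_SAMESITE.has(sameSite)) {
    findings.push('SameSite is not Lax or Strict: the cookie is sent on cross-site requests');
  }
  return { name, ok: findings.length === 0, findings };
}

// Audit every Set-Cookie header in a response, given as [name, value] pairs.
function auditResponseCookies(headers) {
  return headers
    .filter(([h]) => h.toLowerCase() === 'set-cookie')
    .map(([, v]) => auditSessionCookie(v));
}

// Constructed sample response: one cookie set correctly, one JWT cookie with no flags.
const sampleHeaders = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'sessionid=3f9c1a; Path=/; HttpOnly; Secure; SameSite=Lax'],
  ['Set-Cookie', 'jwt=eyJhbGciOi...; Path=/'],
];

for (const r of auditResponseCookies(sampleHeaders)) {
  console.log(r.name, r.ok ? 'ok' : r.findings.join('; '));
}
```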


Encryption Options:

Encryption requires a key to encrypt and decrypt sensitive information. With a symmetric encryption algorithm like AES, a single key is used for both encryption and decryption. With an asymmetric encryption algorithm like RSA, a public key and a private key are involved in encryption and decryption.

Anybody with the encryption key can easily decrypt the sensitive information back to plain text, so the key needs to be protected. The ideal place to keep the key is on the server side, behind a firewall, where it is not exposed to the internet.

If information is encrypted and decrypted on the client side, the encryption key has to be transferred to the client, where typically a JavaScript module or library performs the encryption and decryption of the sensitive information. Because the key is transmitted to the client, an intermediate to advanced computer user can use that key to decrypt the sensitive information, which defeats the logic of encrypting it and of protecting the key.

There are more advanced schemes that make the encryption key dynamic for every user session, combining a static encryption key with a nonce (a random number used only once); however, the effort involved in implementing such an approach needs to be traded off against simply moving the encryption logic to the server side. Optional reading on the perils of JavaScript cryptography: here.


Written by gmaran23

February 13, 2018 at 10:23 pm

First Software Security Netherlands Meet Up – Delft – 18 May 2017


Written by gmaran23

February 12, 2018 at 8:21 pm

N Different Strategies to Automate OWASP ZAP – OWASP APPSec BUCHAREST – Oct 13 2017


https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks

In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties into an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful API and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP’s API and scripts can be integrated with automated testing frameworks beyond Selenium, continuous integration and continuous delivery pipelines beyond Jenkins, scanning of authenticated parts of the application, options to manage the discovered vulnerabilities, and so on, with real-world case studies and implementation challenges.
This is a demonstration-oriented talk that explains OWASP ZAP automation strategies for security testing by example.


N Different Strategies to Automate OWASP ZAP – Cybersecurity WithTheBest – Oct 15 2017


http://cybersecurity.withthebest.com

In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties into an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful API and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP’s API and scripts can be integrated with automated testing frameworks beyond Selenium, continuous integration and continuous delivery pipelines beyond Jenkins, scanning of authenticated parts of the application, options to manage the discovered vulnerabilities, and so on, with real-world case studies and implementation challenges.


Sitecore security hardening 8.2 Downloadable checklist


One of the developers we were working with, Roel (https://in.linkedin.com/in/roelsnetselaar), came up with this checklist for hardening a Sitecore 8.2 installation. Of course you could also start hardening a Sitecore installation from the official documentation: https://doc.sitecore.net/sitecore_experience_platform/82/setting_up_and_maintaining/security_hardening.

However, almost all deployment scenarios require some sort of checklist to ensure that the steps are executed in sequence and completed before or during deployment. So, rather than going through the Sitecore hardening documentation and making your own checklist of things to be done, download this Sitecore 8.2 security hardening checklist and get started – Sitecore 8.2 security hardening – checklist


Written by gmaran23

February 12, 2018 at 5:22 pm

Posted in security


OWASP ZAP: Global Exclude URL (Beta) – bug and fix


As you proxy your browser traffic through OWASP ZAP, chances are that you are annoyed by noise: by default, browsers these days make a lot of requests to check for version updates, refresh caches, update add-ons and what not. It gets really difficult to focus on the website at hand when other sites clutter your Sites and History tabs.

The Global Exclude URL functionality was supposed to work and it did work partially.

There was a minor bug, and it was fixed. A screen recording of the bug and the bug-fix URL are below:

Global Exclude URL (beta) – after close and reopen does not pick up added regex for excluding URLs #3275


Written by gmaran23

March 22, 2017 at 2:08 am

OWASP ZAP Development – Fixing the Can’t find bundle for base name lang.Messages error


I have been generating the API files for the OWASP ZAP .NET API since its inception. There is the core zaproxy project, which has the DotNetAPIGenerator.java class, and there is the extensions project, including the beta and alpha extensions.


Now, when I tried to generate the ‘non-optional’, i.e. the core, API files for .NET, everything would work fine and the API files would be generated as below.


OWASP ZAP is internationalized, so the source code comes with a bunch of resource bundles with supporting language files.

When you try to generate the API files for the extensions project, you get this wonderful error message.

Exception in thread "main" java.util.MissingResourceException: Can’t find bundle for base name lang.Messages, locale en
    at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1564)
    at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1387)
    at java.util.ResourceBundle.getBundle(ResourceBundle.java:890)
    at org.zaproxy.zap.extension.api.AbstractAPIGenerator.(AbstractAPIGenerator.java:68)
    at org.zaproxy.zap.extension.api.JavaAPIGenerator.(JavaAPIGenerator.java:81)
    at org.zaproxy.zap.extension.ApiGenerator.main(ApiGenerator.java:73)


I had fixed this error before, back in 2015, when I was first trying to generate the API files. Running in debug mode and stepping through showed that the zaproxy core project had the resource files under a directory that was not available to the extensions project.

This error was gruesome.

In the end, all I had to do was copy the contents of the workspaceowaspzap\zaproxy\src\lang directory to workspaceowaspzap\zap-extensions\bin\lang.

That’s it. Do the same thing for the alpha, and beta extensions’ bin directory too.


Cheers. Try the OWASP ZAP DOT NET API available at nuget.org.

Written by gmaran23

March 22, 2017 at 1:46 am

Fixing VMware Player “Cannot write to local file. Cancelling the file copy operation”


PROBLEM: When copying files from VMware Player to the host (a Windows host in this case), you get “Cannot write to local file”.

SOLUTION: Make space. Clear temp and %temp% directories, on your operating system drive.


I was trying to copy 5 GB of files from my VMware Player guest OS (Kali Linux) to my Windows host. VMware Player displays Copying file “part2.rar” from virtual machine and then exits with “Cannot write to local file. Cancelling the file copy operation.”.


This VMware knowledge base article hints at disabling tmpfs in Linux guest operating systems: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2056353

I looked at the temp and %temp% Windows directories and discovered the temp location below, where VMware Player first copies the files from the VM guest and from there copies them to the destination directory on the host OS.


My operating system drive C: was full, and I had to clear the temp directories and free up some space to do the 5 GB copy operation from the VMware Player guest (Kali Linux) to the Windows host.

Written by gmaran23

March 3, 2017 at 6:30 pm

Getting hackazon up and running on Wamp on Nov 2016


Following the steps described here will most likely help in fixing the error messages and issues below:


Of all the vulnerable applications in OWASP’s vulnerable web applications directory, Hackazon is up to date with the latest technology stack and has customizable vulnerabilities. It is a great choice for learning and teaching the ethical hacking of today’s web applications. As of today, although the project on GitHub reports its last update nine months ago, the application still uses web technologies recent enough that we can learn hacking like it is 2016. This article helps you set up hackazon on a Windows machine.


Things to be downloaded before we get started:

1. Hackazon User guide

Download from https://community.rapid7.com/docs/DOC-3452

Direct Download Link https://community.rapid7.com/servlet/JiveServlet/downloadBody/3452-102-3-8267/Hackazon_User%27s_Guide.pdf


Alternative link to the original Hackazon user guide (in case the link above goes dead) – https://renouncedthoughts.files.wordpress.com/2017/02/hackazon_users_guide.pdf


2. Wamp server

http://www.wampserver.com/en/


Here’s the story

I had Wamp installed in Nov 2014 and I tried using that same Wamp server for the hackazon deployment. After following the instructions in the user guide and hitting http://hackazon.lc in a browser, the install page came up, but after entering the credentials for the MySQL user hackazon and hitting the Next Step button, the page would load the same page over and over again. So basically I was stuck at the first step of the wizard, where you supply the administrator credentials. [Bug #5 filed at “Installation – unclickable buttons "next step"” https://github.com/rapid7/hackazon/issues/5]

I tried everything in the Hackazon User Guide (hereafter referred to as the user guide) on a Kali Linux machine; set up went smoothly, just as described in the user guide, and the site was up and running in no time. It was happiness to see the second step of the installation page, where you provide the MySQL database credentials.

Though I can’t technically confirm that the older version of Wamp was the cause of bug #5, my guess was to reinstall Wamp with a recent version on a Windows machine and try the same steps as the user guide. And it indeed helped me get past bug #5.

For Windows, the user guide describes installation on some Wamp 2.x version. However, the current stable release is Wamp 3.0.6 at the time of this writing. Some things in MySQL changed, some things in Apache changed, and hopefully this post will help you fill the gaps between the Hackazon user guide and the recent changes to Wamp.


1. Download Wamp server

http://www.wampserver.com/en/


Please ensure your computer has a recent version of the VC++ runtime. If you want to update the VC++ runtime to a recent version, either have it done via Windows Update or download it from the Microsoft website as recommended by the Wamp server download page (as in the screenshot above). It is so important for Wamp to function properly that they have even updated the installation agreement in the installation wizard to reflect the installation and update of the VC++ runtime. I had to download the VC++ runtime for Visual Studio 2015 from https://www.microsoft.com/en-in/download/details.aspx?id=48145.

Ok. Install Wamp. Pretty straightforward installation; go with the defaults.

This is the current Wamp installation on my computer right now.


2. Download Hackazon source code

https://github.com/rapid7/hackazon

Head over to the hackazon source code download page at github and download a zip of the hackazon source code.


Extract the contents of the zip file to c:\home\hackazon


3. Rename db.sample.php to db.php

Head over to C:\home\hackazon\assets\config and rename the file db.sample.php to db.php


4. Create hackazon db and username in MySQL console

Open ‘MySQL console’ from the Wamp server system tray.


Press Enter at the ‘Enter password’ prompt if you did not create a password for the MySQL root account (the default during installation). If you did create a password for your MySQL installation, authenticate with it.


Enter the below query to create a database named hackazon.

create database hackazon;


Enter the query below to create a user named ‘hackazon’ and give it a password. In the screenshot and the query below, admin123! is the password; feel free to choose your own.

The password you provide here is important as you would need it on the first step of the Hackazon Installation wizard.

GRANT ALL ON hackazon.* TO 'hackazon'@'localhost' IDENTIFIED BY 'admin123!';


After this step, if you are curious (only if you are), head over to phpMyAdmin (from the Wamp server system tray) and log in with your root server credentials to see a database named hackazon and a user named hackazon. Or just trust that, if the two queries above ran fine, a user and a database named hackazon have been created.


Do a restart by selecting Restart All Services from the Wamp server system tray menu.




5. Configuring or Verifying Apache’s default port

Open Apache’s httpd.conf file from the Wamp server system tray: Apache – httpd.conf


Search for the word Listen and ensure Apache listens on port 80. I tried changing it from the default and configuring Apache to run on port 7070, but hackazon kept giving me a 400 Invalid Referrer error message and I couldn’t find out why, so I reverted to the default settings.

Tip: Let’s try to configure Apache on the default port 80.

If you have Skype or IIS running on port 80, reconfigure them, at least for now, so that hackazon gets to run on Apache’s port 80.


Also, search for ServerName and verify that it also says localhost on port 80. I honestly do not know what this is for; read the description and figure it out. For now, all we are trying to do is configure Apache to run on port 80.


6. Configuring the hackazon website set up

Open Apache’s httpd-vhosts.conf file from the Wamp server system tray: Apache – httpd-vhosts.conf


Copy and paste the httpd-vhosts.conf contents below into your own httpd-vhosts.conf file.

# Virtual Hosts
#

<VirtualHost *:80>
ServerName localhost
DocumentRoot c:/wamp64/www
<Directory "c:/wamp64/www/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
Allow from all
</Directory>
</VirtualHost>

#

<VirtualHost *:80>
ServerName hackazon.lc
DocumentRoot "c:/home/hackazon/web"
<Directory "c:/home/hackazon/web/">
Options +Indexes +Includes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
Allow from all
</Directory>
</VirtualHost>


Save the file. The vhost settings above are enough to access http://hackazon.lc even from another machine on the LAN.

7. Edit Windows hosts file to bind hackazon.lc to loopback address

Open C:\Windows\System32\drivers\etc\hosts with administrative privileges and add the entries below:


127.0.0.1 hackazon.lc
::1 hackazon.lc

8. Restart the DNS service from the Wamp server tools (right-click the Wamp server icon in the system tray)


After restarting DNS, Restart All Services from the Wamp server system tray.

This is all that is required to start the hackazon installation wizard. The first time you hit http://hackazon.lc, you will automatically be redirected to the installation wizard.

9. Final tinkering

If you go with this set-up as is and continue with the installation wizard, step 4, the final step of the wizard, will give you an error message as below:


Error 42S02: SQLSTATE[42S02]: Base table or view not found: 1146 Table ‘hackazon.tbl_product_options_values’ doesn’t exist”.


There is also a bug filed for it. [Bug #9 Database problem https://github.com/rapid7/hackazon/issues/9]


After digging and digging, and executing the contents of the db.sql file at C:\home\hackazon\database manually in the phpMyAdmin SQL console, it turned out that the default value given for the timestamp data type is no longer accepted by MySQL unless you turn off zero-date validation for the query execution.


To fix, add the below line at the very top of the db.sql file in C:\home\hackazon\database and save the file.

SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='ALLOW_INVALID_DATES';


Now, for one last time, Restart All Services from the Wamp server system tray.

10. Navigating through the Hackazon installation wizard

Open a browser and hit http://hackazon.lc

1.

You will be redirected to http://hackazon.lc/install

Provide the admin123! password, i.e. the one we typed in the MySQL console. Hit Next Step.


2.

Provide the same password under the Password field, and hit Next Step

admin123!


3.

Leave the defaults, hit Next Step

4.

Leave the defaults, hit Install

In a couple of seconds, you should be automatically redirected to http://hackazon.lc


Basically, that’s it. The hackazon user guide has more information on how to use the vulnerabilities configuration and other things that are specific to the hackazon application itself.

10.1

Just to do a walkthrough, hit http://hackazon.lc/admin and provide admin as the user name and, as the password, the one we entered in the MySQL console (admin123!).

Navigate to Vulnerability Config, and choose account from the drop down. Or simply hit the url – http://hackazon.lc/admin/vulnerability?context=account


to see an error page as below:


To fix, click the Wamp server system tray icon – PHP – php.ini


Go to the very end of the php.ini file and comment out the zend_extension line by adding a semicolon ; in front of it.

Save the file. Restart All Services.


10.2

If you want to access http://hackazon.lc from another computer (let’s say ‘X’) on the same local area network (LAN), open the drivers/etc/hosts file on computer X and add an entry pointing hackazon.lc to the IP address of the machine hosting hackazon.lc.

For every computer on the LAN, modify its Windows hosts file to point hackazon.lc to the Wamp server’s IP address.
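Added example, not code from the Hackazon project or the original post: a Node.js pre-flight check for steps 5, 7 and 9 above. It takes the text of httpd.conf, the Windows hosts file and db.sql as strings (read them with fs.readFileSync on the real machine); the sample file contents below are constructed.

```javascript
// Added example, not from the Hackazon project: verify the three edits the
// set-up above depends on before running the installation wizard.

// Step 9: the line the post prepends to db.sql so the timestamp defaults load.
const SQL_MODE_FIX = "SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='ALLOW_INVALID_DATES';";

// Step 7: both loopback addresses must map hackazon.lc (comment lines ignored).
function hostsMapsHackazon(hostsText, host = 'hackazon.lc') {
  const found = new Set();
  for (const raw of hostsText.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    if (names.includes(host)) found.add(addr);
  }
  return { ipv4: found.has('127.0.0.1'), ipv6: found.has('::1') };
}

// Step 5: Apache must Listen on port 80 (7070 produced the 400 Invalid Referrer).
function apacheListensOn80(httpdConf) {
  const ports = [];
  for (const raw of httpdConf.split(/\r?\n/)) {
    const m = raw.trim().match(/^Listen\s+(?:\S*:)?(\d+)/i);
    if (m) ports.push(Number(m[1]));
  }
  return ports.includes(80);
}

// Step 9: prepend the SQL_MODE line to db.sql once; a second run leaves it alone.
function ensureSqlModeFix(dbSql) {
  if (dbSql.includes(SQL_MODE_FIX)) return dbSql;
  return SQL_MODE_FIX + '\n' + dbSql;
}

// Collect every problem that would make the wizard loop or fail at step 4.
function preflight({ hostsText, httpdConf, dbSql }) {
  const hosts = hostsMapsHackazon(hostsText);
  const problems = [];
  if (!hosts.ipv4) problems.push('hosts: no "127.0.0.1 hackazon.lc" entry');
  if (!hosts.ipv6) problems.push('hosts: no "::1 hackazon.lc" entry');
  if (!apacheListensOn80(httpdConf)) problems.push('httpd.conf: Apache does not Listen on port 80');
  if (!dbSql.includes(SQL_MODE_FIX)) problems.push('db.sql: SQL_MODE fix missing (wizard step 4 fails with 42S02)');
  return problems;
}

// Constructed sample inputs standing in for the real files.
const sampleHosts = '# localhost name resolution\n127.0.0.1 hackazon.lc\n::1       hackazon.lc\n';
const sampleHttpdConf = 'ServerName localhost:80\nListen 0.0.0.0:80\nListen [::0]:80\n';
const sampleDbSql = 'CREATE TABLE tbl_product_options_values (id INT);\n';

console.log(preflight({ hostsText: sampleHosts, httpdConf: sampleHttpdConf, dbSql: sampleDbSql }));
console.log(preflight({ hostsText: sampleHosts, httpdConf: sampleHttpdConf, dbSql: ensureSqlModeFix(sampleDbSql) }));
```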

That’s how I set up hackazon and got it working. Do you have similar experiences?

Written by gmaran23

February 21, 2017 at 11:40 pm

Creating a virtual machine in Schuberg Philis Cosmic Client / Apache CloudStack for the first time


Let’s say you want to create a virtual machine with Apache CloudStack, or with an IaaS provider like Schuberg Philis that has an Apache CloudStack based client called Cosmic Client. Follow the instructions below:

I am not going to explain in words; the pictures below point you to the places you need to click and edit. If any of the settings below don’t work, chances are that you have chosen an incorrect VPC, tier or offering; feel free to reach out to your cloud provider for assistance.


1. Let’s start by adding a VPC, that is, a Virtual Private Cloud.


2. Give it a name, choose a zone, a Super CIDR (the subnet range within the Virtual Private Cloud), and a VPC offering as advised by your cloud provider.


3. Once the VPC is created, click Create network to add a new tier.
Give it a name, choose a network offering, and provide the gateway address and a subnet mask.


4. Once the tier is created, click Virtual Machines to add a new VM.


5. On the next screen, click Add Instance.


6. Select a zone. Choose either ISO or Template. Choose ISO if you would like to use an ISO image as the bootable medium and install the operating system yourself. Choose Template if you would like to pick from preinstalled operating system VM templates.

We are going to choose ISO for this example.


7. Choose an ISO image.


8. Choose the amount of RAM and CPU from the available offerings.


9. Choose the required HDD size.


10.


11. Give an IP address for this machine


12.


13. Give a hostname and hit Launch VM.


14. Once the VM is created, click the View Console icon to access the running VM.


15. Your VM is ready; you can start installing and perform the required work.


In case you get any network errors during the creation of the VPC or tiers, ask your IaaS cloud provider for assistance.

Written by gmaran23

February 21, 2017 at 4:37 pm