Got this on two Dutch Windows machines, not sure why yet:
Missing information on security certificate retraction
Certificate path is OK
–jeroen
Archive for the ‘Security’ Category
Not sure why: graph.windows.net is missing a security certificate retraction on some Windows machines?
Posted by jpluimers on 2022/02/28
Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, TCP, TLS | Leave a Comment »
Bash functions to encode and decode the ‘Basic’ HTTP Authentication Scheme
Posted by jpluimers on 2022/02/24
IoT devices still often use the ‘Basic’ HTTP Authentication Scheme for authorisation, see [Wayback] RFC7617: The ‘Basic’ HTTP Authentication Scheme (RFC ) and [Wayback] RFC2617: HTTP Authentication: Basic and Digest Access Authentication (RFC ).
Often this authentication is used even over http instead of over https, for instance the Egardia/Woonveilig alarm devices I wrote about yesterday at Egardia/Woonveilig: some notes about logging on a local gateway to see more detailed information on the security system. This is contrary to guidance in:
- RFC7617:
This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external secure system such as TLS (Transport Layer Security, [RFC5246]), as the user-id and password are passed over the network as cleartext.
- RFC2617:
"HTTP/1.0", includes the specification for a Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL [5]), as the user name and password are passed over the network as cleartext.
Fiddling with those alarm devices, I wrote these two little bash functions (with a few notes) that work both on MacOS and in Linux:
# `base64 --decode` is platform neutral (as MacOS uses `-D` and Linux uses `-d`) # `$1` is the encoded username:password function decode_http_Basic_Authorization(){ echo $1 | base64 --decode echo } # `base64` without parameters encodes # `echo -n` does not output a new-line # `$1` is the username; `$2` is the password function encode_http_Basic_Authorization(){ echo $1:$2 | base64 }
The first decodes the <credentials> from a Authorization: Basic <credentials> header into a username:password clean text followed by a newline.
The second one encodes a pair of username and password parameters into such a <credentials> string.
They are based on these initial posts that were not cross platform or explanatory:
- [Wayback] Decode HTTP Basic Access Authentication – Stack Pointer
- [Wayback] Create Authorization Basic Header | MJ’s Web Log
–jeroen
Share this:
Posted in *nix, *nix-tools, Apple, Authentication, bash, bash, Communications Development, Development, HTTP, Internet protocol suite, Linux, Mac OS X / OS X / MacOS, Power User, Scripting, Security, Software Development, TCP, Web Development | Leave a Comment »
Google Open Source Insights (hopefully by now more than just npm/golang/maven)
Posted by jpluimers on 2022/02/02
Interesting project at [Wayback] Open Source Insights
Open Source Insights is an experimental project by Google.
Hopefully by now it is supporting more than just npm/golang/maven and by the time it sunsets, other projects take over.
The introduction was some 9 months ago: [Wayback] Introducing the Open Source Insights Project | Google Open Source Blog
Via:
- [Archive.is] corbosman on Twitter: “At least in the JS/PHP world it’s already pretty common to add all kinds of dependency security checkers to your CI/CD pipeline. And there’s Github Code Scanning. But it’s interesting to visually see the often immense dependency chains.… “
- [Archive.is] annabelle on Twitter: “Finding OSS dependencies is messy, particularly when you start trying to figure out how you inherent a particular vulnerability. Today Google launched deps.dev, a way to visualize and find how you inherent dependencies, and what’s in them: … “
–jeroen
Share this:
Posted in Development, Go (golang), JavaScript/ECMAScript, Node.js, Power User, Scripting, Security, Software Development | Leave a Comment »
Hornbach has some very “special” limitations to “special characters” in passwords. I wonder why.
Posted by jpluimers on 2022/02/01
[Wayback] Jeroen Wiert Pluimers on Twitter: “”Too special” password character password woos at @HORNBACH_NL : [ Het wachtwoord moet minstens acht tekens lang zijn, en minstens een getal en een letter (a-zA-Z) bevatten. De volgende speciale tekens zijn toegestaan: !”#$%&'()*+,.:;?@_|} ] 1/”
I wonder what kind of parser they use, as these printable special ASCII characters are forbidden:
- \-/[\]^`{~
- space (0x20)
- tab (0x9)
- line feed (0xa)
- carriage return (0xb
- vertical tab (0xb)
- form feed (0xc)
Seems no JSON or SQL to me: there I would expect other limitations.
What would break if you use them in other fields or pass them in an HTML POST-request?
I mean: these passwords should be salted and hashed immediately when the HTML-POST request is received, so certainly they would not be stored somewhere or passed many layers into code, right?
Oh, in order to activate an account there, you need to accept some 40+ A4 sized pages of legal stuff. Brave Dutch judge that will put these all in favour of Hornbach.
- [Wayback] Herroepingsrecht bij HORNBACH (no PDF)
- [Wayback] Modelformulier voor herroeping PDF (1 page)
- [Wayback] Privacyverklaring HORNBACH Bouwmarkt (Nederland) B.V. [Wayback] PDF (23 pages)
- [Wayback] Reglement cameratoezicht (only as PDF): 3 pages
–jeroen
Share this:
Posted in Development, LifeHacker, Power User, Security, Software Development, Web Development | Leave a Comment »
Some links on using and updating Let’s Encrypt certificates for internal servers
Posted by jpluimers on 2022/02/01
Sometimes it is easier to have current and public CA signed TLS certificates for internal servers than to setup and maintain an internal CA and register it on all affected browsers (including mobile phones).
One of my reasons to investigate this is that Chrome refuses to save credentials on servers that have no verifiable TLS certificate, see my post Some links on Chrome not prompting to save passwords (when Firefox and Safari do) about a week ago.
Below are some links for my link archive that hopefully will allow me to do this with Let’s Encrypt (msot via [Wayback/Archive] letsencrypt for internal servers – Google Search):
Share this:
Posted in Cloud, Cloudflare, Development, Encryption, ESXi6, ESXi6.5, ESXi6.7, ESXi7, Fritz!, Fritz!Box, Fritz!WLAN, Infrastructure, Internet, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development, Virtualization, VMware, VMware ESXi, Web Development | Leave a Comment »
Some links on Chrome not prompting to save passwords (when Firefox and Safari do)
Posted by jpluimers on 2022/01/20
For quite some time now, Chrome (think years) refuses to prompt for saving passwords whereas Firefox and Safari do prompt and save them, even for site types that it used to save passwords for in the past.
It has been annoying enough for too long now that I tried to do better than the Google searches I used back when I saw this happen first.
Below are some links based on new searches (starting with [Wayback] adding a password in chrome settings – Google Search); hopefully I can try them after I made a list of sites that Chrome does not show the password save prompt for.
Solutions I tried that failed (but maybe useful for others):
- [Wayback] windows 7 – Chrome not asking to remember passwords – Super User: restart your browser
- First answer of [Wayback] How can I manually add a password to Chrome password manager? – Super User : check if “Autofill” a.k.a. “Offer to save passwords” is enabled and the site is not on the “Never Saved” list of sites.
- Second answer of [Wayback] How can I manually add a password to Chrome password manager? – Super User Check if there is a password
inputfield being marked withtype="password", and if not add it.
Solutions still to try:
Share this:
Posted in Chrome, Chrome, Communications Development, Development, Encryption, ESXi6, ESXi6.5, ESXi6.7, Firefox, Fritz!, Fritz!Box, Fritz!WLAN, Google, https, HTTPS/TLS security, Internet, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, routers, Safari, Security, TCP, TLS, Virtualization, VMware, VMware ESXi, Web Browsers, Web Development | Leave a Comment »
Security questions are evil because of social media “games” phishing for them
Posted by jpluimers on 2022/01/11
Via [Archive.is] Jilles Groenendijk on Twitter: “what @AppSecBloke said… “, from:
- [Archive.is] Jeroen Wiert Pluimers on Twitter: “@AltTextCrew please OCR CC @MintheG @BiancaPrins… “
- [Archive.is] V_To_The_K on Twitter: “ESPECIALLY ones that say the Month and Day/Year you were born means you are “X” person/character/animal… “
- [Archive.is] Mike Thompson on Twitter: “Thanks to @robmay70 for this, but it remains an ever present issue, especially on the likes of Facebook and Instagram.… “
I don’t normally do this but here goes:
First job STOP Current job SENDING Dream Job YOUR Favorite food POTENTIAL Favorite dog PASSWORDS Favorite footwear OR Favorite Chocolate bar MEMORABLE Favorite Ice Cream DATA Your Vehicle color TO Favorite Holiday PEOPLE Night owl or earlybird WHO Favorite day of the week COLLECT Tattoos THIS Favourite colour INFORMATION Do you like vegetables FOR Do you wear glasses SOCIAL Favourite season ENGINEERING
Share this:
Posted in Facebook, Instagram, LifeHacker, Pen Testing, Power User, Security, SocialMedia | Leave a Comment »
SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise.
Posted by jpluimers on 2021/12/14
From a while back, so I hope it has been fixed by now on the SVB PGB site.
The Dutch SVB (sociale verzekeringsbank, the [WayBack] organisation that implements social security schemes in The Netherlands) has a web-site to submit declarations for PGB ([Wayback] individualised subsidy for care, or personal care budget).
Authentication for the site goes through DigiD, the identity provider through which government related web-sites can verify the identity of Dutch residents on the internet.
In from somewhere in the mid 2010s until somewhere in 2020, the SVB PGB site would log you out when the 15-minute inactivity count-down in the lower right of the screen would reach zero.
After that, the behaviour changed: you would be logged out 15 minutes after logon, forcing one to login way more often. Each logoff/logon cycle had these effets:
- loosing the data you entered on the current page
- a cost to SVB of about EUR 0.15 excluding VAT for the logon
- loss of time and convenience for the end-user
Note that due to site stability reasons in the years before, I already printed each web-page to PDF before submitting, as there was no way to use the “back” button to see what information you had entered.
That way at least I had the information at hand when re-entering the same information. It also provided me of a “paper” trail of site navigation and entered data.
That’s why I reported it early March 2021:
Share this:
Posted in Authentication, Development, DigiD, Power User, Security, Software Development, Web Development | Leave a Comment »
Jan Schaumann: “The secret language of coders, part N of many. Today: “risk acceptance”… “
Posted by jpluimers on 2021/12/08
From a while back, but more relevant than ever:
[Archive.is] Jan Schaumann on Twitter: “The secret language of coders, part N of many. Today: “risk acceptance”… “
Obligatory video below the fold.
–jeroen
Share this:
Posted in Development, DevOps, Infrastructure, LifeHacker, Power User, Security, Software Development | Leave a Comment »
OWASP top rated security “feature” A01:2021 – Broken Access Control
Posted by jpluimers on 2021/11/24
An important [Wayback/Archive] A01:2021 – Broken Access Control, in German, is a pre-amble for a future post about getting a feel how to counter the vulnerabilities that OWASP tracks and documents.
Basically remember that Broken Access Control is by far the most vulnerable feature in applications:
Broken Access Control war 2017 auf Platz 5 und ist jetzt Problem #1. 94 % der getesteten Anwendungen hatten irgendeine Form von defekter Zugangskontrolle. Der ehemalige #1 Dauerbrenner Injection ist nur noch auf Platz 3.
Basically the top 3 changed dramatically between 2017 and 2021. The new top-3 is below. Please get acquainted with it.
- [Wayback/Archive] A01 Broken Access Control – OWASP Top 10:2021
Moving up from the fifth position, 94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k. Notable Common Weakness Enumerations (CWEs) included are CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, CWE-201: Exposure of Sensitive Information Through Sent Data, and CWE-352: Cross-Site Request Forgery.
- [Wayback/Archive] A02 Cryptographic Failures – OWASP Top 10:2021
Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof). Which often lead to exposure of sensitive data. Notable Common Weakness Enumerations (CWEs) included are CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331 Insufficient Entropy . - [Wayback/Archive] A03 Injection – OWASP Top 10:2021
Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurances. Notable Common Weakness Enumerations (CWEs) included are CWE-79: Cross-site Scripting, CWE-89: SQL Injection, and CWE-73: External Control of File Name or Path.
Via; [Archive] Kristian Köhntopp on Twitter: “Vieles aus diesem Thread ist nun geordneter in … zu finden.… “
Very much related as A01 was the basic cause of GitHub’s commitment to npm ecosystem security | The GitHub Blog – no npm package can historically ben tracked to be authentic.
We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.
–jeroen
Share this:
Posted in Development, Power User, Security, Software Development | Leave a Comment »
The Wiert Corner - irregular stream of stuff 