We wrap up our discussion of PagerDuty’s Security Training, while Joe declares this year is already a loss, Michael can’t even, and Allen says doody, err, duty.
The full show notes for this episode are available at https://www.codingblocks.net/episode177.
Sponsors
- Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard.
- Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode’s Linux virtual machines.
- Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management.
Survey Says
News
- Ja Ja Ja Jamuary is complete and there are 46 new games in the world. Go play! (itch.io)
Session Management
- Session management is the ability to identify a user over multiple requests.
- HTTP is stateless, so there needs to be a way to maintain state.
- Cookies are commonly used to store information on the client to be sent back to the server on subsequent requests.
- They usually contain a session token of some sort, which should be a random, unique string.
- Do NOT store sensitive information in the cookie, such as usernames, passwords, etc.
- Besides tampering, it can be difficult to revoke the cookies.
Session Hijacking
- Session hijacking is stealing a user’s session, possibly by:
- Guessing or stealing the session identifiers, or
- Taking over cookies that weren’t properly locked down.
Session Fixation
- Session fixation is when a bad actor creates a session that you will unknowingly take over, thus giving the bad actor access to the data in the user’s session.
- This used to be more of an issue when session tokens were passed around in the URL (remember CFID and CFTOKEN?!).
- Always treat cookies like any other user input, don’t implicitly trust it, because it can be manipulated on the client.
How to Secure / Verify Sessions
- Add extra pieces of data to the session you can verify when requests are made.
- Ensure you actually created the session.
- Make sure it hasn’t expired and ensure you set expirations for sessions.
- All of this just catches the easy stuff.
- Session ID’s should be unique and random.
- Ensure the following when sending cookies to the client:
- The Secure flag is set,
- The httpOnly flag is set, and
- The domain is set on the cookie so it can only be used by your application.
- To avoid the session fixation we mentioned earlier, ALWAYS make sure to send a new session ID when privileges are elevated, i.e. a login.
- Always keep information stored on the server side, not on the client.
- Make sure you have an expiration that is set on the server side session. This should be completely independent of the cookie because the cookie values can be manipulated.
- When a user logs out or the session expires, ensure you fully destroy all session information.
- NEVER TRUST USER INPUT!
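The points above in working code, as an added example (not code from the episode or from PagerDuty's training): a server-side session store whose cookie carries only a random ID, with server-side expiry, ID rotation at login, full destruction at logout, and the recommended cookie flags. The injectable clock and the SameSite attribute are assumptions of the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
class SessionStore:
    """Server-side session store: the cookie carries only a random ID."""
    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock (an assumption, for testing)
        self._sessions = {}  # session_id -> {"data": {...}, "expires": float}

    def create(self, data=None):
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, URL-safe text
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data or {}), "expires": self.now() + self.ttl}
        return sid

    def get(self, sid):
        # Accept only IDs we issued, and enforce the server-side expiry
        # regardless of whatever the client's cookie claims.
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.now() > entry["expires"]:
            self.destroy(sid)
            return None
        return entry["data"]

    def rotate(self, old_sid, **elevated):
        # Fresh ID at privilege elevation (login), so an ID a bad actor
        # fixed in advance never becomes the authenticated one.
        data = dict(self.get(old_sid) or {})
        self.destroy(old_sid)
        data.update(elevated)
        return self.create(data)

    def destroy(self, sid):
        # Logout or expiry: drop the server-side record, not just the cookie
        self._sessions.pop(sid, None)

def session_cookie_header(sid, domain):
    # Secure, HttpOnly and Domain as the notes recommend; SameSite=Strict is
    # an added assumption following the OWASP cheat sheet.
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True
    cookie["sid"]["httponly"] = True
    cookie["sid"]["domain"] = domain
    cookie["sid"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:").strip()
```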
Permissions
- Try to avoid using sudo in any shell scripts if you can.
- If you can’t avoid it, use it with care.
- Use the principle of least privilege, i.e. more restrictive permissions, as in, can you live with read-only perms?
- Revoke permissions you don’t need.
- Create separate users for separate needs.
- If you need to delete files from a storage bucket, have a service account or user set up with just that permission.
- Same for managing compute instances.
- Use the least permissive approach you can as it greatly reduces risks.
Other Classic Vulnerabilities
- Buffer overflow: This is when a piece of data is written to memory it shouldn’t be able to reach.
- From Wikipedia, a buffer overflow _”is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.”_
- Typically these are used to execute malicious code by putting instructions in a piece of memory that is to be executed after a previous statement completes.
- One malicious use of a buffer overflow is using a NOP sled (no-operation sled) to fill up the buffer with a lot of NOPs with your malicious code at the end of the ride.
- Apparently you can use this method to easily get a root shell – article linked in the resources
- Metasploit (YouTube)
- Path Traversal: This is when you “break out” of the web server’s directory and are able to access, or serve up, content from elsewhere on the server.
- Remember, your dependencies may also have vulnerabilities such as this. You need to run scans on your apps, code, and infrastructure.
- Side Channel Attacks: This is when the attacker is using information that’s not necessarily part of a process to get information about that process. Examples include:
- Timing attack: Understanding how long certain processes take can allow you to infer information about the process. For example, multiplication takes longer than addition so you might be able to determine that there’s multiplication happening.
- Power analysis: This is when you can actually figure out what a processor is doing by analyzing the electrical power being consumed. An example of this process is called differential power analysis.
- Acoustic cryptanalysis: This is when the attacker is analyzing sounds to find out what’s going on, such as using a microphone to listen to the sounds of typing a password.
- Data remanence: This is when an attacker gets sensitive data after it was thought to have been deleted.
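For the path traversal item above, an added example (not from the episode or PagerDuty’s training) of the check a web server needs before serving a file: decode the request path, resolve it under the document root, and refuse anything that lands outside. The document root and the request paths are constructed for illustration.

```python
from pathlib import Path
from urllib.parse import unquote

def resolve_under_root(web_root, request_path):
    """Map a request path onto a file under web_root, or return None when the
    path would escape the document root (a path traversal attempt)."""
    root = Path(web_root).resolve()
    # Decode percent-encoding first, so %2e%2e/ is checked as ../ and not
    # waved through as a harmless-looking literal string.
    decoded = unquote(request_path)
    # Join under root (a leading "/" would otherwise replace root entirely)
    # and resolve "..", "." and symlinks before deciding.
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        # Path.relative_to is a real prefix check: "/srv/www/public2" is NOT
        # under "/srv/www/public", which str.startswith would get wrong.
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate

# Constructed sample requests against an assumed document root
WEB_ROOT = "/srv/www/public"
SAMPLE_REQUESTS = [
    "/index.html",                 # served
    "/css/../index.html",          # served, normalises inside the root
    "/../../etc/passwd",           # rejected
    "/%2e%2e/%2e%2e/etc/passwd",   # rejected once decoded
    "/../public2/secret.txt",      # rejected despite the shared prefix
]

def classify(requests, web_root=WEB_ROOT):
    # True = safe to serve, False = would break out of the document root
    return {r: resolve_under_root(web_root, r) is not None for r in requests}
```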
Resources we Like
- For Engineers – PagerDuty Security Training (sudo.PagerDuty.com)
- For Everyone – PagerDuty Security Training (sudo.PagerDuty.com)
- Session Management Cheat Sheet (OWASP.org)
- Channel-Bound Cookies (BrowserAuth.net)
- Origin Cookies (tools.ietf.org)
- Channel Bindings for TLS (tools.ietf.org)
- Firesheep (Wikipedia)
- Buffer overflow (Wikipedia)
- Smashing The Stack For Fun And Profit (phrack.org)
- The Visual Microphone: Passive Recovery of Sound from Video (YouTube)
- NSA’s involvement in the design of the Data Encryption Standard (Wikipedia)
- The Data Encryption Standard (DES) and its strength against attacks by D. Coppersmith (simson.net)
- Differential cryptanalysis (Wikipedia)
- Power analysis (Wikipedia)
- American Cryptology during the Cold War, 1945-1989 (NSA)
- DirecTV attacks hacked smart cards (theregister.co.uk)
- Oh mother… | Family Feud (YouTube)
- Eagle Eye (IMDb)
Tip of the Week
- Did you know you can use your phone as a pro level webcam? Thanks Simon Barker! (reincubate.com)
- From the tip hotline (cb.show/tips) – Mikerg sent us a great site for learning VSCode. Some are free, some require a $3 monthly subscription, but the ones Joe has done have been really good. Not just VSCode either! IntelliJ, Gmail, lots of other stuff! (keycombiner.com)
- How to use Visual Studio Code as the default editor for Git MergeTool (stackoverflow.com)
- Five Easy to Miss PostgreSQL Query Performance Bottlenecks (pawelurbanek.com)