How to become an author
Search
Write a publication
Pull to refresh
396.09
Rating

Website development *

Making the Web Better

Articles Posts News Authors
Show first
Rating limit
Level of difficulty

Hack the JWT Token

Reading time4 min
Views62K
Information Security*Website development*Web services testing*
For Educational Purposes Only! Intended for Hackers Penetration testers.

Co-authored with MariA Karpliuk !

Issue


The algorithm HS256 uses the secret key to sign and verify each message. The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.

If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature. Asymmetric Cipher Algorithm => Symmetric Cipher Algorithm.

Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data.
The backend code uses the RSA public key + HS256 algorithm for signature verification.

Example


Vulnerability appear when client side validation looks like this:

const decoded = jwt.verify(
   token,
   publickRSAKey,
   { algorithms: ['HS256'  , 'RS256'] }          //accepted both algorithms 
)

Lets assume we have initial token like presented below and " => " will explain modification that attacker can make:

//header 
{
alg: 'RS256'                         =>  'HS256'
}
//payload
{
sub: '123',
name: 'Ivan Prychantovskyi',
admin: 'false'                       => 'true'
}

The backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
Read more →
Total votes 12: ↑10 and ↓2+8
Comments0

The most common OAuth 2.0 Hacks

Reading time6 min
Views41K
Information Security*Website development*Web services testing*

OAuth 2 overview


This article assumes that readers are familiar with OAuth 2. However, below a brief description of it is presented below.



  1. The application requests authorization to access service resources from the user. The application needs to provide the client ID, client secret, redirect URI and the required scopes.
  2. If the user authorizes the request, the application receives an authorization grant
  3. The application requests an access token from the authorization server by presenting authentication of its own identity, and the authorization grant
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server issues the access and refresh (if required) token to the application. Authorization is complete.
  5. The application requests the resource from the resource server and presents the access token for authentication
  6. If the access token is valid, the resource server serves the resource to the application

The are some main Pros and Cons in OAuth 2.0


  • OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
  • Wide spread and continuing growing
  • Short lived Tokens
  • Encapsulated Tokens

— No signature (relies solely on SSL/TLS ), Bearer Tokens
— No built-in security
— Can be dangerous if used from not experienced people
— Too many compromises. Working group did not make clear decisions
— Mobile integration (web views)
— Oauth 2.0 spec is not a protocol, it is rather a framework — RFC 6749

Read more →
Total votes 18: ↑17 and ↓1+16
Comments2

Web and Azure Tool Updates in Visual Studio 2019

Reading time2 min
Views882
Microsoft corporate blogWebsite development*Visual Studio*Microsoft Azure*

Hopefully by now you’ve seen that Visual Studio 2019 is now generally available. As you would expect, we’ve added improvements for web and Azure development. As a starting point, Visual Studio 2019 comes with a new experience for getting started with your code and we updated the experience for creating ASP.NET and ASP.NET Core projects to match:



If you are publishing your application to Azure, you can now configure Azure App Service to use Azure Storage and Azure SQL Database instances, right from the publish profile summary page, without leaving Visual Studio. This means that for any existing web application running in App Service, you can add SQL and Storage, it is no longer limited to creation time only.

Read more →
Total votes 11: ↑11 and ↓0+11
Comments0

Web application firewalls

Reading time6 min
Views3.9K
Information Security*Website development*Amazon Web Services*Cyberpunk
From sandbox

Web application firewall


Web application firewalls (WAFs) are a type of intrusion detection and prevention system and might be either a hardware or software solution. It is specifically designed to inspect HTTP(s) and analyse the GET and POST requests using the appalling detection logic explained below. Web application firewall software is generally available as a web server plugin.

WAF has become extremely popular and various companies offer a variety of solutions in different price categories, from small businesses to large corporations. Modern WAF is popular because it has a wide range of covered tasks, so web application developers can rely on it for various security issues, but with the assumption that this solution cannot guarantee absolute protection. A basic WAF workflow is shown below.



Its main function is the detection and blocking of queries in which, according to WAF analysis, there are some anomalies, or an attacking vector is traced. Such an analysis should not make it difficult for legitimate users to interact with a web application, but, at the same time, it must accurately and timely detect any attempted attack. In order to implement this functionality, WAF developers usually use regular expressions, tokens, behavioural analysis, reputation analysis and machine learning, and, often, all these technologies are used together.



In addition, WAF can also provide other functionality: protection from DDoS, blocking of IP-addresses of attackers, tracking of suspicious IP-addresses, adding an HTTP-only flag to the cookie, or adding the functionality of CSRF-tokens. Each WAF is individual and has a unique internal arrangement, but there are some typical methods used for analysis.
Read more →
Total votes 15: ↑13 and ↓2+11
Comments0

How Kiwi test 1'000 Python projects

Reading time5 min
Views1.8K
Конференции Олега Бунина (Онтико) corporate blogWebsite development*Open source*Python*Programming*
For Russian speaking posted translated version here.

This is how Alex Viscreanu’s talk on Moscow Python Conf++ named. Now it's two weeks till before the conference, but of course, I've already heard what Alex will speak about. Find below some spoilers and talk preparing backstage: what kind of an open source Zoo developed in Kiwi, how it tests Python code and what’s the difference between The Zoo and for example mypy.

— Tell us a bit about Kiwi, yourself and what is your work within a company?

Kiwi.com is an online travel agency based in Czech Republic. We aim to make travelling as simple and accessible as possible. The company was founded in 2012 as Skypicker, and since then it has become one of the five biggest online sellers of airline tickets in Europe. It was renamed to Kiwi.com in 2016.

The special feature that we, at Kiwi.com, offer is the virtual interlining, which allows us to connect flights from companies that don’t usually cooperate together, and we are covering the possible connection issues caused by delayed flights.

Some of the numbers that we manage at Kiwi.com include 90 000 000+ daily searches, 25 000 seats sold daily, and a total of 15 000 000 000+ flight combinations available.
Read more →
Total votes 17: ↑15 and ↓2+13
Comments0

Details

Reading time6 min
Views971
Website development*JavaScript*Programming*Computer Animation*
From sandbox
How often do you get to 404 pages? Usually, they are not styled and stay default. Recently I’ve found test.do.am which interactive character attracts attention and livens up the error page.

Probably, there was just a cat picture, then they thought up eyes movement and developer implemented the idea.imageNow user visits the page and checks out the effect. It’s cool and pleasant small feature, it catches, then user discusses it with colleagues or friends and even repeats the feature. It could be this easy, if not:
Total votes 14: ↑13 and ↓1+12
Comments0

SAPUI5 for dummies part 5: A complete step-by-step exercise

Reading time4 min
Views6.6K
Website development*JavaScript*Programming*HTML*
Tutorial


Introduction & Recap


In the previous blog post, we learned how to create a second level of drill-down (detail of detail) and how to interact with OData and ODataModel (v2) in order to delete a database record.


What will be covered on this exercise


With Part 5 of this series of blog posts, we will learn how to create a SimpleForm within a Dialog that will allow us to update the information of a Sales Order Item.


Before updating the database order we have to check that everything typed by the user validates our constraints.


  • ODataModel: we have already used it to display server-side information about our Business Partner, Sales Order, and Sales Order Items. We’ve also used it to delete a database record. We’re now going to use it to update a record thanks to the submitChanges method or remove what we’ve done with the resetChanges method.
  • Expression Binding: an enhancement of the SAPUI5 binding syntax, which allows for providing expressions instead of custom formatter functions
  • SimpleForm: a layout that allows users to create a pixel-perfect form
Read more →
Total votes 11: ↑10 and ↓1+9
Comments0
12 ...
67
8
9

Authors' contribution

Your account

Sections

Information

Services

Support
© 2006–2024, Habr