Sunday, 28 November 2010

Session management in an X-Header

Hi,

I recently stumbled upon a solution for session management where I'm searching hard for the weak points but have failed so far.

There is this web 2.0 application which uses neither a cookie nor the URL to transport the session ID. The devs decided to transport the session ID in a custom X- HTTP header field which they send along with each (XHR) request. This seems smart from a range of perspectives:
  1. They do not have to care about CSRF protection, because no session identifier is sent without explicit intent.
  2. They do not have to care about cached or otherwise leaked session IDs, since the ID is held in RAM only and the user never sees it (and thus cannot share it accidentally).
  3. They fully control the transport of the session ID (they do not need a "secure" flag for a cookie, as the ID is only sent to the desired hosts over the desired transport protocol).
  4. The session is invalidated as soon as the user navigates to another site.
  5. No crossdomain.xml hassle: as far as I know a Flash movie cannot access in-memory variables of a JavaScript instance.
So, these are the advantages, but hey: where there is light, there must be shadow :).
Here are the drawbacks I have identified so far:
  1. The X- header prefix isn't specified in RFC 2616, only in RFC 2045ff.
    I'm not sure how this affects the approach: are there any proxies etc. out there which strip X- headers?
  2. No "HttpOnly" flag, but hey, it's a web 2.0 application. Even if a cookie were set, this couldn't be done for such an application anyway.
I'm not happy with so few drawbacks :). Is this solution for web 2.0 session management really so simple and smart that there are no big drawbacks? What am I missing here?

comments appreciated...

wlet

Wednesday, 17 November 2010

DVD to iPad - free and easy

Hey there,

I won an iPad at a conference booth and use it mainly for watching movies on my train ride to work in the morning and in the evening. Besides stuff I record myself on my VDR, I recently got some DVDs from a colleague to watch. Now I had the problem that I have to re-encode those movies to H.264 and had no clue how to do it in a smart (and cheap, preferably no-cost) way.

I've had good experiences with Handbrake, but on its own it is not enough to re-encode CSS-protected DVDs. To mount the DVDs in a way that Handbrake can read them you need Fairmount.

The next steps are pretty simple:

  1. Start Fairmount.
  2. Put in your DVD; you should see something like this:
    Don't pay attention to the wrong size which may be displayed in the "Data Read" column.
  3. Start Handbrake and choose the "VIDEO_TS" folder on the now mounted DVD.
  4. To encode it for the iPad the preset "AppleTV" fits perfectly. You can choose it by clicking "Toggle Presets" on the icon bar.
  5. You may want to change some values for the desired audio tracks etc. You can do that in the "Audio" tab.
  6. You do not have to make any changes to the video settings.
If you start the encoding process you'll get an H.264-encoded file with the main title and the chapters set as on the DVD. Just copy it to your iPad and watch it with the preinstalled "Video" app.

Done!

cheers,

wlet

Monday, 31 May 2010

a lot of work to do...

I'm on vacation in the Netherlands and had a quite odd situation... We found some vouchers on the internet with a discount for Madame Tussauds in Amsterdam. Usually I don't carry a printer in my backpack, so we had the problem of printing these vouchers. The local library was closed and the tourist information was also not on duty. So we went to the camping site reception and asked them to print them out. I reached for my pen drive with the PDF vouchers on it, but surprisingly the receptionist declined to put it into the desk's computer for security reasons.
The next sentence was: "Just send that file via e-mail, then we can print it for you".

I'm happy that they finally printed my vouchers, but even on vacation I saw that there is a huge pile of work to be done...

wlet

Wednesday, 26 May 2010

self-signed certificates, Android and HttpsURLConnection

Hi,

I'm a proud "copy&paste" programmer, and often I only write PoCs and stuff that doesn't go into live production environments. The reason is that I work as a security engineer (accordingly I would call myself a "security practitioner") and most of the time you have to verify that a vuln exists and is practically exploitable. For this task one does not need extensive programming skills. Most of the stuff you need is already out there and only has to be glued together.

This time I tried to glue my first Android app together. My task was to send a simple POST request to a web server "secured" with a self-signed certificate. Pretty simple, heh?
Of course it is; the problem here is the "self-signed" cert. With command-line tools like curl this is only one parameter you have to set to ignore the errors it causes. I would expect that one only has to set a parameter for HttpsURLConnection. But not in Java: from my perspective it's a real PITA (if you're also a "copy & paste programmer"; for a skilled Java geek this might be an intuitive way to handle it...)

PLEASE NOTE: This code is bad code! Really bad code! It disables certificate chain validation entirely and leaves you open to man-in-the-middle attacks. You should NEVER, EVER use this in a production environment!

Here is the code, ready for copy & paste:

package meinpack.wlanpost;

import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import android.app.Activity;
import android.os.Bundle;
import android.widget.TextView;

public class WlanPost extends Activity {

    @Override
    public void onCreate(Bundle icicle) {
        super.onCreate(icicle);
        TextView tv = new TextView(this);
        tv.setText("Sending User and PW....\n\n");
        String urlParameters = "username=blubb&pwd=googog";
        // Blocking network I/O on the UI thread; later Android versions
        // reject this with a NetworkOnMainThreadException.
        String response = executePost("https://www.example.com/blubb.php", urlParameters);
        tv.setText(response);
        tv.append("\n\n");
        setContentView(tv);
    }

    public static String executePost(String targetURL, String urlParameters) {
        URL url;
        HttpsURLConnection connection = null;

        // Create a trust manager that does not validate certificate chains.
        // This is the "bad code" part: any certificate, including one presented
        // by a man-in-the-middle, is accepted. Only the hostname check that
        // HttpsURLConnection performs on its own still happens.
        TrustManager[] trustAllCerts = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() {
                    // An empty array rather than null: some implementations
                    // dereference the result and crash on null.
                    return new X509Certificate[0];
                }
                public void checkClientTrusted(X509Certificate[] certs, String authType) {
                }
                public void checkServerTrusted(X509Certificate[] certs, String authType) {
                }
            }
        };

        // Install the all-trusting trust manager as the process-wide default
        try {
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(null, trustAllCerts, new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        } catch (Exception e) {
            return "exception " + e.toString();
        }

        try {
            // Create connection
            url = new URL(targetURL);
            connection = (HttpsURLConnection) url.openConnection();
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            connection.setRequestProperty("Content-Length",
                    Integer.toString(urlParameters.getBytes().length));
            connection.setRequestProperty("Content-Language", "en-US");

            connection.setUseCaches(false);
            connection.setDoInput(true);
            connection.setDoOutput(true);

            // Send request
            DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
            wr.writeBytes(urlParameters);
            wr.flush();
            wr.close();

            // Get response
            InputStream is = connection.getInputStream();
            BufferedReader rd = new BufferedReader(new InputStreamReader(is));
            String line;
            StringBuilder response = new StringBuilder();
            while ((line = rd.readLine()) != null) {
                response.append(line);
                response.append('\r');
            }
            rd.close();
            return response.toString();
        } catch (Exception e) {
            return e.toString();
        } finally {
            if (connection != null) {
                connection.disconnect();
            }
        }
    }
}

glued together from this: http://www.exampledepot.com/egs/javax.net.ssl/trustall.html
and this: http://www.xyzws.com/Javafaq/how-to-use-httpurlconnection-post-data-to-web-server/139
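For contrast, the version that is not bad code: instead of trusting every certificate, trust exactly the one self-signed certificate the server presents, by building a TrustManagerFactory from a key store that contains only that certificate. This is an added example, not code from the original post; the file name server.pem, the host and the openssl command in the comment are assumptions. Hostname verification still applies, so the self-signed certificate's CN or SAN has to match the host you connect to.

```java
// Added example (not from the original post): trust one self-signed
// certificate instead of every certificate. server.pem, the host and the
// openssl command are assumptions. On Android, ship the certificate in
// res/raw and open it with getResources().openRawResource(...) instead of
// a FileInputStream.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTrust {

    /** Socket factory whose only trust anchor is the certificate read from pemCert. */
    public static SSLSocketFactory socketFactoryFor(InputStream pemCert) throws Exception {
        // X.509 factory accepts both PEM and DER encoded certificates
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate serverCert = cf.generateCertificate(pemCert);

        // Empty in-memory key store holding just our single anchor
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("self-signed-server", serverCert);

        // A real trust manager: chain validation runs, but against this
        // store only, so the platform CAs are neither trusted nor needed.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Assumed file: the server's own certificate, exported once with
        //   openssl s_client -connect www.example.com:443 </dev/null | openssl x509 > server.pem
        InputStream pem = new FileInputStream("server.pem");
        try {
            HttpsURLConnection conn = (HttpsURLConnection)
                    new URL("https://www.example.com/blubb.php").openConnection();
            // Per-connection, not the process-wide default, so every other
            // HTTPS connection in the process keeps the platform trust store.
            conn.setSSLSocketFactory(socketFactoryFor(pem));
            System.out.println("HTTP " + conn.getResponseCode());
        } finally {
            pem.close();
        }
    }
}
```

Setting the factory on the connection rather than through HttpsURLConnection.setDefaultSSLSocketFactory keeps the pinned trust scoped to the one host that needs it; the trust-all code above changes the default for the whole process, which is part of why it is so dangerous.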