Auth Problems from Parsing, Slack’s Password Hashes, Twitter’s Info Breach – ASW #207

A sign-in flow accepted a comma-separated list of email addresses, but treated the list as a single string when applying security checks to it. It's another lesson that generalizes well beyond the specific JavaScript library flaw -- normalize data before making a security decision with it or before passing it through a security boundary.

We have one standard for parsing URLs, RFC 3986, but many implementations thereof. And, as with all one-to-many mappings of standard-to-implementations, there will be discrepancies. This article shows how a mishandled (i.e., ignored) parsing error due to a semicolon leads to security flaws. It also falls into the recurring theme that while memory-safe languages solve one important class of vulnerabilities, they don't absolve programmers from the responsibility for secure code. Using Go is still a good choice; parsers are notorious for memory-safety issues. This kind of flaw should be an ideal case for fuzzers to identify and help programmers harden their code. Check out the researcher's article at https://www.oxeye.io/blog/golang-parameter-smuggling-attack You can find RFC 3986 at https://datatracker.ietf.org/doc/html/rfc3986#section-3

Path traversal strikes again! These types of flaws are ideal for discussing the importance of normalizing data before applying security checks. Then, once you've handled the complexity of file paths, it's an opportunity to talk about restricting file access. Then, once you've managed to sandbox your filesystem, it's an opportunity to talk about whether that was a good design pattern in the first place. (Ok, probably better to have had this step in the conversation up front.) After all, a cloud datastore like S3 or a local one like sqlite might solve the same feature and be prone to fewer security mistakes.

Why can a system access password hashes in the first place? Why are we still stuck with authentication based on comparing password hashes? Why are we still sending plaintext passwords so they can be hashed and then compared? Why do we still have passwords!? Slack's disclosure about the event is at https://slack.com/blog/news/notice-about-slack-password-resets WebAuthn is one alternative, http://webauthn.io/. Another is OPAQUE, which avoids having to share a plaintext password with servers in the first place. Check out a good article on it at https://blog.cloudflare.com/opaque-oblivious-passwords/ And, if you want to brush up on digital identities and a reminder why regular password rotation should be a thing of the past, check out NIST-SP800-63 at https://www.nist.gov/identity-access-management/nist-special-publication-800-63-digital-identity-guidelines.

A major theme of this episode is classes of flaws. We have a handful on normalization, password handling, and now oracles -- features that leak information about a system or users. These types of flaws become more interesting and more important when you include context about abuse and misuse into their threat models.

This article plus one related to malicious projects posted to GitHub* are a chance to revisit why I care less about the identity of actors when creating threat models. Plus, if these were exercises in learning or demonstrating impacts for bug bounties, there surely must be better ways of accomplishing these goals. * https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/

Cryptocurrency bridges are intended to enable the transfer of tokens between different blockchains. In practice, they're self-funding bug bounties that transfer wealth from insecure code to observant hackers. Fortunately, they occasionally provide useful appsec lessons. In this case, it's about initializing values to zero (usually good), roots of trust (also good), and what happens when those situations come together without proper testing (oops). You can find another article on this at https://nakedsecurity.sophos.com/2022/08/02/cryptocoin-token-swapper-nomad-loses-200-million-in-coding-blunder/

I haven't had a chance to watch them all and pick out some favorites. Plus, we'll have a slew of presentations coming out of Vegas from DEF CON, BlackHat, and BSidesLV. What favorite presentations have you watched in the past year? What additional resources should we highlight?

(h/t hackaday)

Very interesting thread on why (mostly) non-security people think security is Hard