Skip to content

Instantly share code, notes, and snippets.

@davidvandusen

davidvandusen/README.md

Last active August 29, 2015 14:17
Show Gist options
  • Save davidvandusen/29d393560b58a91704dd to your computer and use it in GitHub Desktop.
Save davidvandusen/29d393560b58a91704dd to your computer and use it in GitHub Desktop.
Download ZIP
W8D1 - Lecture Notes - February 2015
Raw
README.md

Auth and WebSec

Today we looked at 3rd party authentication and web security.

We built a simple Express.js web app that uses Passport to allow users to sign in with Google.

After that we used Wireshark to snoop on network trafic to that web app to get an authenticated user's session id to make HTTP requests to the app as them.

We tried to inject a script in the URL, but Chrome blocked it. However, we then put a script in the "database" and it was successfully executed in the browser.

We took a look at a cross-site request forgery. We made a malicious web page with a form that submits to our app and saw that the app cookies were sent along with the request from our malicious site.

We telneted into our app to see that an HTTP request can be hand-crafted including the Referer header, which is supposed to say where the request originated, but is easily spoofed.

GET / HTTP/1.1
Host: 127.0.0.1
Referer: http://this-isnt-the-website-youre-looking-for.com/index.html

We saw what happens when your app redirects the user to a path that was provided by the user. We saw that user info is not trustable and that if a redirect url is provided in user content (the query string, user content in the database, etc.) it must be validated before issuing a redirect.

We went over and talked about each of the OWASP Top 10 security issues.

https://www.owasp.org/index.php/Top_10_2013-Top_10

There is a developer cheat sheet here:

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

Raw
app.js
var database = {
news: [{
content: '<script>window.location="http://example.com/"</script>'
}]
};
var express = require('express');
var expressSession = require('express-session');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var passport = require('passport');
var GoogleStrategy = require('passport-google').Strategy;
passport.serializeUser(function (user, done) {
done(null, user);
});
passport.deserializeUser(function (user, done) {
done(null, user);
});
passport.use(new GoogleStrategy({
returnURL: 'http://127.0.0.1:3001/auth/google/return',
realm: 'http://127.0.0.1:3001/'
}, function (identifier, profile, done) {
done(null, {
identifier: identifier,
profile: profile
});
}));
var app = express();
app.use(cookieParser());
app.use(bodyParser.urlencoded());
app.use(expressSession({
resave: false,
saveUninitialized: false,
secret: 'secret'
}));
app.use(passport.initialize());
app.use(passport.session());
app.get('/', function (req, res) {
if (req.isAuthenticated()) {
if (req.query.redirectUrl) {
res.redirect(req.query.redirectUrl);
} else {
var html = '<h1>Hello, ' + req.user.profile.name.givenName + '</h1><pre>' + JSON.stringify(req.user, null, ' ') + '</pre><p><a href="/signout">Sign out</a></p>';
res.send(html);
}
} else {
res.send('<h1>Hello</h1><p><a href="/auth/google">Sign in with Google</a></p>');
}
});
app.post('/', function (req, res) {
if (req.isAuthenticated()) {
var html = '<h1>Hello, ' + req.user.profile.name.givenName + '</h1><pre>' + JSON.stringify(req.user, null, ' ') + '</pre><p><a href="/signout">Sign out</a></p>';
if (req.body.account && req.body.amount) {
html += '<h1><big>TRANSFERRED SUCCESSFULLY</big></h1>';
}
res.send(html);
} else {
res.send('<h1>Hello</h1><p><a href="/auth/google">Sign in with Google</a></p>');
}
});
app.get('/auth/google', passport.authenticate('google'));
app.get('/auth/google/return', passport.authenticate('google', {
successRedirect: '/',
failureRedirect: '/?authFailed=1'
}));
app.get('/news', function (req, res) {
var html = '<h1>News</h1>';
database.news.forEach(function (article) {
html += '<p>'+article.content+'</p>';
});
res.send(html);
});
app.get('/signout', function (req, res) {
req.logout();
res.redirect('/');
});
app.listen(3001);
Raw
malicious.html
<form action="http://127.0.0.1:3001/" method="post">
Account: <input name="account" />
Amount: <input name="amount" />
<button>Transfer</button>
</form>
Raw
package.json
{
"name": "auth-lecture",
"version": "1.0.0",
"private": true,
"dependencies": {
"body-parser": "^1.12.2",
"cookie-parser": "^1.3.4",
"express": "^4.12.3",
"express-session": "^1.10.4",
"passport": "^0.2.1",
"passport-google": "^0.3.0"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment