Connecting to REST server w/ digest auth using postman

Im having a hard time with a CTF, i managed to exploit a path traversal vulnerability that lead me to read a configuration file in php that indicates:

define('rest_auth', 'digest'); define('rest_username', 'webservices'); define('rest_password', 'thepassword');  define ("REST_SERVER_1", serialize (                                     array(                                           'server' => 'http://10.10.10.28/web_services/',                                           'http_user' => rest_username,                                           'http_pass' => rest_password,                                           'http_auth' => rest_auth                                         )                                     ) ); 

The site is accessible by port 80 and its a login page, i tried using the credentials

define(‘rest_username’, ‘webservices‘); define(‘rest_password’, ‘thepassword‘);

but getting incorrect username and password.

I tried using postman to login to the REST server using a GET Request but it only responds with the source code of the login page. How can i access the data inside the REST server using postman and the credentials i have?

//EDIT How do i craft the URL request to show the data inside the REST server?

**

curl query to regular url: basic auth

I’m currently experimenting with the Toggl API https://github.com/toggl/toggl_api_docs/blob/master/chapters/workspaces.md#get-workspace-users

For example, the page states

curl -v -u 1971800d4d82861d8f2c1651fea4d212:api_token -X GET https://www.toggl.com/api/v8/time_entries/current 

If i enter this in my console (using my api token, not the example token of course) it works and I’m getting back the requested JSON.

If I try to get the json however directly in a browser by restatting the query as

https://1971800d4d82861d8f2c1651fea4d212:api_token@www.toggl.com/api/v8/time_entries/current 

I’m getting

Access to www.toggl.com was denied You don't have authorization to view this page. HTTP ERROR 403 

what am I doing wrong? I thought that user:pw@domain would be the same as curl -u user:pw -X GET domain

In memory JWT for API auth with HTTP-only cookie for sessions?

I’ve spent a while reading about this, and I know it’s a common topic, but I was hoping to get some feedback on my authentication approach.

I have an SPA. It needs to authenticate to 1) my application backend and 2) some APIs on AWS. I’m using cognito to authenticate user credentials.

My idea on approaching this is as follows:

  1. User authenticates via AWS Cognito API
  2. Receives JWT
  3. Keeps JWT in memory only (no local storage — XSS)
  4. Passes JWT to application backend
  5. Backend sets HTTP-only secure cookie on the client, STORING the JWT inside this cookie.
  6. Cookie is used to maintain sessions with the app backend
  7. In-memory JWT is used to authenticate with AWS APIs

This is fine-and-dandy, but when the user closes browser or switches tabs, they won’t have the JWT in memory. However, they’ll still have the session cookie. So my thought is that it will ask the application server for the JWT (inside the cookie) before hitting the AWS APIs.

In this fashion, I have a secure HTTP-only cookie that maintains sessions with my app server, and I also have the JWT to authenticate with the AWS APIs. If the user has a valid session cookie, it means they should allowed to have the JWT contained within it.

My only concern with this is that it seems a little circular. JWT authenticates to receive cookie, which authenticates in the future to receive a refreshed JWT. Otherwise, I think it seems pretty solid.

Thoughts?

Is it safe to create a session from an auth token?

My server is using Django Rest Framework. My mobile app logs in using token authentication. However, I also have a webview in the mobile app where I need to log in. I can’t inject the auth token on every request in the webview, so I use the auth token for authenticating this endpoint and then create a session from it. This is the code:

class CreateSessionView(APIView):     authentication_classes = [TokenAuthentication]     permission_classes = (permissions.IsAuthenticated,)     throttle_classes = [ScopedRateThrottle]     throttle_scope = 'auth_token_verify'      def get(self, request, format=None):         login(request, request.user, backend='django.contrib.auth.backends.ModelBackend')         return redirect(reverse('home')) 

My questions are:

  1. Is there a vulnerability here? If so, how can I secure it?

  2. Do I need CSRF?

Any book/resource on ssl, client auth using cert, server auth pgp, keys, etc [closed]

Is there any book which can cover security from certs point of view in detail. I want topics like

  1. SSL certs for webservers/ sites
  2. Security certs for authenticating clients rather username/password
  3. PGP keys, ssh keys anything realted
  4. CA cert chain, bundle , database certs
  5. diff types of formats of certs , keys
  6. Security at diff layers of OSI Model /protocols

Can I bypass basic auth to fingerprint a web server with Httprint or netcat?

There is a web server I’d like to recon using httprint.

But that web server has a basic auth protection on 443. Port 80 is not responding When I lauch httpint, it says “Unspecified Error”

The same thing happens with netcat. It fails because of Basic Auth (ie “Connection Refused”) When basic auth is disabled, both netcat and httprint work well.

How can I bypass basic auth for fingerprinting a web sever ?

API Key via Basic Auth: Send it as a username or as a password?

In APIs that authenticates with a single API key (eg a long random string) via Basic Auth, I have seen that most (eg Stripe, Unbounce) sends the API key as the username, leaving the password field blank. The only service I have seen that sends the API key in the password field is Bing.

Is there any reason to choose to send the API key as the username field or the password field?

I know that both usernames and passwords are concatenated and encoded, so both are equivalent in the transmission. I am looking for reasons such as (for example):

  • Well known client X expects non-empty usernames, so the API key has to go in the username

  • Well known client Y logs usernames and not passwords, so the API key has to go in the password

Security of a web app with AzureAD auth

I have a question. The company I work for is about to publish a custom web app (hosted in a AWS) that authenticates through AzureAD. That way, when someone goes to https://www.mywebap.com it is redirected to AzureAd and, if successfully authenticated, access is granted. My question is. What are the security risks here? Is this a recommended practice? As “mywebapp” will be public it can be theoretically attacked. All comments and thoughts will be appreciated.

Thanks!

Eric.

Microservice security: How to perform authorization + services also need auth checks individually?

I have the following architecture for accessing a REST service that requires authentication:

enter image description here

  • Oidc token flow managed at the client
  • Access token verified at the server in the auth service (proxied by the api gateway), exchanged for a jwt that contains authorisation information about the user.
  • The resource is accessed

In the current model, every request needs to verify the access token (which is normal), but also needs to retrieve the authorization information on every request, which I don’t feel is ok.
The jwt used in this model is only for internal use at the server cluster, as there really is no need to send it back tot the client. Also generating a jwt on every request doesn’t feel quite right.

Storing the jwt in a server store (cache / database) is something I don’t feel is right with this model, because this makes the system stateful again (in case of multiple api gateways, there is need again for sticky sessions, synchronisation etc). Hence this doesn’t offer a solution.

One possible solution would be that authorization is not checked upfront along with the authentication (i.e. verification) process, but only depending on the requested route / action. I don’t particularly like this, as this requires back and forth messaging when a protected resource is accessed. It doesn’t smell like clean architecture.

What is the advised way to go about this?
Related, I wondered if it is enough to perform authentication in the api gateway. These microservices work independently, and I feel a bit uncomfortable that the api gateway grants all access while keeping the underlying services ‘dumb’. Is this a misplaced sense of paranoia?

Are the trade offs for putting an auth token in an http-only cookie for an SPA worth it?

I’ve been building a web app (rails api + react SPA) for learning / fun and have been researching authentication. The most commonly recommended approach for authenticating SPAs that I have read is to put the auth token (such as a JWT) in a secure HTTP-only cookie to protect from XSS. This seems to have a couple of consequences:

  • We now have to handle CSRF since we are using cookie authentication
  • Since it’s an SPA we can’t protect against CSRF until the user is logged in, which means we are vulnerable to a login phishing attach (https://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks)

But what is the real downside to just storing the auth token in browser storage (i.e. session storage)? XSS becomes slightly more convenient for the attacker? Even with an HTTP-only cookie the attacker can still use the auth token by making requests directly from the site, because if there’s a XSS vulnerability then they don’t need to be able to read the token to use it.

It seems that the popular recommendation just makes things more complicated to protect against CSRF just to make things a little more difficult for the attacker in the case of XSS. Due to the amount of resources making these recommendations I feel like I am missing something and would appreciate any feedback or clarifications!

Here is a couple of sources I’ve been reading that have been quite adamant against browser storage for auth tokens:

  • https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html
  • https://jwt.io/introduction/
  • https://auth0.com/docs/security/store-tokens