Archive for the ‘security’ Category

IE and Facebook iFrame app session cookies problem

Sunday, February 10th, 2013

I wrote a Facebook app that uses sessions. It worked fine on my machine, where I mostly use Firefox and Chrome. Then I discovered that after resetting the security settings to medium in IE 9 the app suddenly did not work anymore.

Each time I refreshed, a new session key was created because the requests did not send the cookies. Apparently IE decided to delete the cookies when my Facebook app was running as a page tab inside an iFrame. Fortunately I had seen this before and immediately recognized the problem when I saw the session key changing on each request. The cause is the P3P header, a privacy-policy mechanism that someone invented long ago and later understood to be useless; IE, however, still drops the third-party cookies set from inside the iFrame unless the response carries one.

To fix it you need to add the following line to your PHP code (like any other header, it must be sent before any output).

header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');

If you use Laravel or another framework, add the line above to a Before filter so that it is sent with every response.

See http://www.admon.org/how-to-implement-p3p-http-headers-for-cross-site-cookies/ for other languages.


Facebook signed_request missing

Saturday, February 9th, 2013

I have a Facebook app as a page tab and sometimes it did not get the signed_request.

I saw with Firebug that the POST to my app is made and signed_request is in it, but that this call was redirected to a GET instead. This was always reproducible with one Facebook account, but with another account it worked just fine. I use the Laravel framework and tried adding debugging code to index.php, which all requests are routed through, and also created a separate index.php so that .htaccess would be bypassed. It turned out that the POST request was not reaching the code at all.

What I found out is that even though I run all the services over HTTPS and in the Facebook app config I have only HTTPS links, Facebook still forces the app to be loaded over HTTP. My apache2 virtual host configuration redirects all HTTP requests to HTTPS, and such a redirect loses all the POST data (a browser follows a 301/302 redirect with a GET that carries no body), which is why the guaranteed signed_request never reached my app.

I resolved it by allowing HTTP for that request; any further navigation inside the website is switched to HTTPS again.

How to download a CA certificate chain

Thursday, January 10th, 2013

It might happen that a machine is missing the CA chain certificates and you get an error like this:

OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.

If accessing the specific URL in a browser works without a warning, then you can export and download the CA certificate chain from there.

In Firefox right-click > View Page Info > Security > View Certificate > Details. There you see the certificate hierarchy and can export each certificate in the chain individually. Depending on the OS you need to add these certificates in PEM format to /etc/pki/tls/cert.pem or a similar file.
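On a machine without a browser the same chain can be pulled straight from the TLS handshake with openssl. This is an added example, not code from the original post: it fetches the chain the server presents, splits it into one PEM file per certificate and lists subject and issuer so you can see which CA is missing locally. The host name in the usage line is a placeholder; it assumes openssl and awk are installed.

```shell
#!/bin/sh
# Added example (not from the original post): fetch a server's certificate
# chain with openssl, split it into one PEM file per certificate and show the
# hierarchy, as an alternative to exporting each certificate from Firefox.

# Read concatenated PEM text on stdin, write each certificate to
# <prefix>.0.pem, <prefix>.1.pem, ... and print how many were found.
split_pem_chain() {
    awk -v p="$1" '
        BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = p "." n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }'
}

# Fetch the chain a live server presents (needs network). Only import what
# this returns if the same host already validates cleanly in a browser, as the
# post requires: otherwise you may be adding an attacker's CA to your trust
# store. -servername makes SNI-only hosts return the right certificate.
fetch_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts \
        </dev/null 2>/dev/null
}

# Show the hierarchy: each certificate's subject and who issued it. The file
# whose issuer is not found as a subject in the set is the one the server did
# not send and the one to look for in your CA bundle.
describe_chain() {
    for f in "$1".*.pem; do
        printf '%s\n' "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# Usage (placeholder host):
#   fetch_chain www.example.com | split_pem_chain /tmp/chain
#   describe_chain /tmp/chain
```

Rather than appending to cert.pem by hand, drop the issuing CA files into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust on RHEL-family systems, or copy them as .crt into /usr/local/share/ca-certificates/ and run update-ca-certificates on Debian/Ubuntu, so package updates do not overwrite them.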

See more useful tricks about SSL here.

Access VirtualBox shared folders from Ubuntu and fix a ruined Ubuntu installation

Sunday, August 19th, 2012

If you are running Ubuntu as a VirtualBox guest, then you cannot access the shared folder under /media/shared as a regular user. You can fix this by adding your user to the additional group vboxsf.

Important! Make sure you append the additional group so that the other groups are not removed. Run the command below exactly as shown and replace username with your user name. If the permission is not applied immediately, then reboot.

usermod -a -G vboxsf username

In case you forgot the -a flag it is bad, but not hopeless 🙂 (more…)
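The safe habit is to snapshot the group list before running usermod at all. The following is an added example, not part of the original post: it saves a user's supplementary groups, appends a group the way the post recommends, and rebuilds the usermod command that restores the snapshot after a "usermod -G vboxsf username" without -a has replaced sudo, adm and the rest with vboxsf alone. It assumes id(1) and usermod(8) from shadow-utils; the user and group names in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: back up supplementary groups,
# append a group without losing the others, and generate the restore command.

# Write the user's supplementary groups (primary group excluded), one per line.
backup_groups() {
    user=$1; file=$2
    primary=$(id -gn "$user")
    id -Gn "$user" | tr ' ' '\n' \
        | awk -v p="$primary" '$0 != "" && $0 != p' > "$file"
}

# Append one supplementary group (what the post tells you to run).
# Without -a, -G *replaces* the whole supplementary group list.
add_supplementary_group() {
    usermod -a -G "$2" "$1"
}

# Print the command that puts a snapshot back as one comma-separated -G list.
# Run it as root, then log out and in again so the membership is picked up.
restore_command() {
    user=$1; file=$2
    list=$(awk 'NF { printf "%s%s", (n++ ? "," : ""), $0 }' "$file")
    if [ -z "$list" ]; then
        echo "no groups recorded in $file" >&2
        return 1
    fi
    printf 'usermod -G %s %s\n' "$list" "$user"
}

# Usage (constructed names):
#   backup_groups alice /root/alice.groups
#   add_supplementary_group alice vboxsf
#   restore_command alice /root/alice.groups   # only if -a was forgotten
```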

How to hire a freelancer – 10 lessons learnt

Friday, May 11th, 2012

These days everybody is full of ideas but has no time to make them happen. Same here: I have a great business idea every few weeks, but while working full-time at my day job I find it hard to implement them on my own, and all my friends are also very busy.

I decided to try out the www.getacoder.com service to find affordable quality help for my projects, and so far I have not been disappointed while following the steps below.

1. Write down IN DETAIL what you want to be done.

Before posting a job to www.getacoder.com make sure you have as detailed an overview of your requirements as possible. This is called a BRD, a Business Requirement Document. It must list everything: the user must be able to register, the user must be able to log in, and so on. Programmers can take this document and implement every feature step by step. (more…)

Promote a keyword in a website – learn from professionals

Monday, January 2nd, 2012

DISCLAIMER: If you are looking for help against DDOS, look here. This page describes how keywords get promoted in a webpage.

Recently one of my friends had a spam attack on his rather small website. It happened on the 20th of December, and by the 25th, when it was discovered, the Google Webmaster Tools keyword list was full of unwanted sexually oriented words, and one keyword was far above the others.

The best webmasters struggle to promote keywords like that. I analyzed the situation and here is what I can say about the technique that was effective:

  • Simply repeating the keyword after every few words works.
  • The keywords are in sentences that more or less make sense.
  • The keywords are in link titles.

If you worry about your PageRank, then try linking to high-PageRank pages. In the long run this technique does not pay, and it is much more reasonable to write original and useful text that readers expect and are looking for.

This is an example of how promoting the keyword DDOS might look:

(more…)

Multiple ssh keys for logging to different sites

Thursday, November 24th, 2011

It is secure and easy to log in to servers with OpenSSH using public/private key client authentication. You only need to generate keys with ssh-keygen, and these keys are used automatically.

The challenge starts when you don't want to use the same key everywhere but prefer, or have to, use different keys for different sites.

First, let's create a few keys. Add meaningful comments right away; they help you remember which key was for what. ssh-keygen asks you which file name you want for each key.

$ ssh-keygen -C "my work key"
$ ssh-keygen -C "personal stuff"

Now copy the public key to the remote server's ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2 file.

Change the ssh configuration, either system-wide in /etc/ssh/ssh_config or per account in ~/.ssh/config. Write into this file where your private keys are and which hosts they apply to.

Host server.atwork.com
  IdentityFile ~/.ssh/id_rsa.work
Host personal.webserver.com
  IdentityFile ~/.ssh/id_rsa.personal
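The same setup can be scripted so each key lands in a file named for its purpose and the config stays consistent. This is an added example, not the post's own commands: it uses "ssh-keygen -f" instead of answering the file-name prompt, switches to ed25519 keys (the post's config uses id_rsa.* names), and adds "IdentitiesOnly yes" so that ssh offers only the configured key for a host rather than every key the agent holds, which otherwise can hit "Too many authentication failures" on servers with a low MaxAuthTries. Host and key names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: generate purpose-named keys
# and write ~/.ssh/config entries that pin exactly one key to each host.

# Generate an ed25519 key pair at path $1 with comment $2. -N '' gives an
# empty passphrase for unattended use; for real keys drop it and set one.
gen_key() {
    ssh-keygen -t ed25519 -f "$1" -C "$2" -N '' -q
}

# Append a Host block to config file $1 for host $2 using private key $3 and
# an optional login name $4. Refuses to add a host that is already present,
# because ssh takes the first matching Host block and silently ignores later ones.
add_host_entry() {
    config=$1; host=$2; key=$3; user=${4:-}
    if [ -f "$config" ] && grep -q "^Host $host\$" "$config"; then
        echo "$host is already configured in $config" >&2
        return 1
    fi
    {
        echo "Host $host"
        if [ -n "$user" ]; then echo "  User $user"; fi
        echo "  IdentityFile $key"
        echo "  IdentitiesOnly yes"
        echo
    } >> "$config"
    chmod 600 "$config"   # ssh refuses configs that other users can write
}

# Ask ssh which key it would actually use for host $2 with config $1
# (ssh -G prints the effective configuration; OpenSSH 6.8 or newer).
key_for_host() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2 }'
}

# Usage (constructed names):
#   gen_key ~/.ssh/id_ed25519_work "my work key"
#   add_host_entry ~/.ssh/config server.atwork.com ~/.ssh/id_ed25519_work
#   ssh-copy-id -i ~/.ssh/id_ed25519_work.pub server.atwork.com
#   key_for_host ~/.ssh/config server.atwork.com
```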

See also Setting up public key authentication


Observations on Roboo usability and effectiveness against DDOS

Thursday, October 20th, 2011

Before taking Roboo into use for protection against DDOS, it is necessary to look at its pros and cons.

First, nothing comes without drawbacks and side effects. Here are some that you need to consider.

  • Search engine crawlers have trouble indexing the site. You never want that.
  • Web service clients have issues: API calls might break, and an SVN server over HTTPS does not work well.
  • The developers' own website, http://www.ecl-labs.org, does not itself use Roboo.

A good whitelisting plan must be developed to handle valid non-browser interactions.

I did some quick brute-force performance analysis with 3 virtual machines on VMware. The target was the simple vulnerable web application WackoPicko (used to test web application vulnerability scanners) on 1 core and 1 GB RAM. The Roboo machine was Ubuntu Server with 1 core and 1 GB RAM. The third was a more powerful server where httperf was run. All of these machines ran inside one physical server on VMware ESXi.

Here are the testing results: (more…)

Install Roboo on Ubuntu for DDOS protection

Sunday, September 25th, 2011

I was fortunate enough to take part in Black Hat 2011 EU, where the first public presentation of Roboo, the HTTP mitigator, was given: http://www.ecl-labs.org/2011/03/17/roboo-http-mitigator.html. What is less fortunate is that it can be a pain to install, mostly because of its dependency on Perl modules. I have tried it a few times and present my experience here.

Get Roboo, which comes as an nginx module written in Perl, and also get the example nginx configuration. The newest versions are available on GitHub at https://github.com/yuri-gushin/Roboo. Place the files in these locations:

/etc/nginx/nginx.conf
/opt/local/share/nginx/Roboo.pm

To avoid the problem below, modify the first line of nginx.conf and change the user from nobody to www-data, for example:

Starting nginx: [emerg]: getgrnam("nobody") failed in /etc/nginx/nginx.conf:1
configuration file /etc/nginx/nginx.conf test failed

It is tempting to install nginx from the repository, but you will get the following error, because that build lacks the Perl module Roboo needs.

Starting nginx: [emerg]: unknown directive "perl_modules" in /etc/nginx/nginx.conf:10
configuration file /etc/nginx/nginx.conf test failed

(more…)