Secure Bits | cyber security
Hacking is fundamentally about data control: controlling the data on a web page, in a database or a cookie, or data sitting on a web server somewhere out there in the cloud.
For a hacker, controlling the data means compromising:
A hacker needs to find avenues to reach the system; these are the avenues through which the hacker gets the system to run and, hopefully, gets it to crash and burn.
The best way to find avenues is through the inputs of the system; these are the doorways the system has to the outside world. Naive systems fail to consider everything that can pass through those doorways: the same door that fits the angel also fits the demon.
It is good practice to decompose a system or sub-system into its doorways (inputs) and analyze the angels (expected input) and demons (hacker input) for each.
Angels are the inputs expected by a system.
Demons are the inputs not considered by naive systems. These inputs can result in the compromise of the system's confidentiality, integrity or availability.
Some hacks are the result of vulnerable software dependencies or developer/implementation bugs such as CVEs; these bugs can open angel-and-demon doorways or lead to other classes of CIA data-control hacks.
On this page, what data should the hacker not be able to read?
If so, what controls that data?
On this page, what data should the hacker not be able to modify?
If so, what controls that data?
On this page, what data should the hacker not be able to destroy?
If so, what controls that data?
List all the doorways on this page with their angels and demons
List exploitable dependency bugs
https://beesbuzz.biz/code/439-Falsehoods-programmers-believe-about-email
It is only a matter of time until your server gets hacked, and when that happens you don't want the users' passwords to be leaked; a leak would allow the attacker to gain access to the users' resources. Some users also reuse the same password across many services, so your web server can be the root cause of a chain of breaches.
A cool way to prevent this type of leak is by obfuscating the users' passwords with a hash function.
There are lots of hash functions that could be used, but most of them are a bad idea here. For example, SHA-256 and other computationally cheap functions (hash functions without a work-factor parameter) are vulnerable to rainbow table attacks. Brute force is also possible if the password length is short or known: ASIC miners can compute 100 terahashes per second.
The server can increase the password's entropy by concatenating it with a random string, aka the salt. Users can also protect themselves by using longer passwords.
The best method against plaintext password leaks and rainbow table attacks is to use a password hash function, which is a hash function specially designed to be slow and expensive to compute even on specialized hardware.
The scrypt hash function uses large amounts of memory when hashing, making it expensive to scale up to the point where a brute-force attack becomes reasonable. Secure against hardware brute-force attacks.
A number of cryptocurrencies use scrypt for proof of work.
Created by Colin Percival of Tarsnap.
The Argon2d function is designed to resist GPU cracking attacks. Secure against hardware brute-force attacks.
It is the winner of the Password Hashing Competition.
Bcrypt is based on the Blowfish cipher.
Vulnerable to hardware brute-force attacks.
PBKDF2 is a key derivation function with a sliding computational cost to slow down brute-force search.
Vulnerable to hardware brute-force attacks.
A cool way to prevent password leaks is by obfuscating them with a password hash function, which offers additional security against brute force from specialized hardware such as ASICs. If password hash functions are used and implemented correctly, even the administrators of the server will not be able to read the users' passwords, especially if the server is open source and the users can audit the code for themselves.
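As an added example (not code from the original page), the Python below puts the unsalted fast hash the notes warn against next to the salted scrypt scheme they recommend, and adds a check for whether a stored record was made with a lower work factor than current policy so it can be re-hashed after a successful login. The scrypt parameters and the `scrypt$N$r$p$salt$key` record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed work-factor settings for this example (not values from the page).
# scrypt memory use is about 128 * N * r bytes: 2**14 * 8 * 128 = 16 MiB per hash,
# which is what makes running thousands of guesses in parallel on ASICs/GPUs costly.
SCRYPT_N = 2 ** 14          # CPU/memory cost, must be a power of two
SCRYPT_R = 8                # block size
SCRYPT_P = 1                # parallelism
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16             # 128-bit random salt, one per stored password


def fast_hash(password: str) -> str:
    """What the notes warn against: an unsalted SHA-256 digest. The same password
    always gives the same digest, so one precomputed table serves every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, stored as 'scrypt$N$r$p$salt_hex$key_hex' so the parameters
    travel with the hash and can be raised later without breaking old records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was made with a weaker algorithm or a lower work factor
    than the current policy (the 'sliding cost' idea): re-hash it after a good login."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return int(parts[1]) < SCRYPT_N or int(parts[2]) < SCRYPT_R


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec, verify_password("correct horse battery staple", rec))
```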
https://www.troyhunt.com/our-password-hashing-has-no-clothes/ https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016 https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
http://www.unixwiz.net/techtips/sql-injection.html https://bobby-tables.com/ https://www.hackingarticles.in/beginner-guide-sql-injection-part-1/
https://brutelogic.com.br/blog/dom-based-xss-the-3-sinks/
https://www.hackerone.com/application-security/how-server-side-request-forgery-ssrf https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/ https://www.rfk.id.au/blog/entry/security-bugs-ssrf-via-request-splitting/
https://nullsweep.com/http-security-headers-a-complete-guide/
TODO see: https://www.guardsquare.com/blog/iOS-SSL-certificate-pinning-bypassing
https://dzone.com/articles/do-you-really-know-cors
https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3 https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ https://cursorblog.com/managing-a-secure-json-web-token-implementation/
https://dzone.com/articles/android-webview-secure-coding-practices
https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc
https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
The Apache HTTP Server (“httpd”) was launched in 1995 and it has been the most popular web server on the Internet since April 1996. It has celebrated its 25th birthday as a project in February 2020.
https://sudo.pagerduty.com/for_engineers/
updated: 2024-11-07