FixTypo - Fix typo in various lesson documentation
This commit is contained in:
parent
de3c2c8d85
commit
f5e4d4717a
@ -2,7 +2,7 @@
|
||||
|
||||
== Base64 Encoding
|
||||
|
||||
Encoding is not realy cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding.
|
||||
Encoding is not really cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding.
|
||||
|
||||
Base64 encoding is a technique used to transform all kinds of bytes to a specific range of bytes. This specific range is the ASCII readable bytes.
|
||||
This way you can transfer binary data such as secret or private keys more easily. You could even print these out or write them down.
|
||||
|
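Review bot: the "realy" fix is correct, but the same line still ends with the fragment "Especially Base64 encoding."; suggest folding it into the preceding sentence, e.g. "... standards around cryptographic functions, especially Base64 encoding." The unchanged context "This way you can transfer binary data such as secret or private keys more easily" could also use a short caveat that Base64 gives no confidentiality, since the section opens by saying encoding is not cryptography.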
@ -21,8 +21,8 @@ Some certificate authorities that are used to provide you with a server certific
|
||||
|
||||
== Managed keystores in operating system, browser and other applications
|
||||
|
||||
When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorites is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed.
|
||||
Not only the browser maitains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In coporate environments, these are usually maintained by the company and also contain company root certificates.
|
||||
When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorities is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed.
|
||||
Not only the browser maintains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In corporate environments, these are usually maintained by the company and also contain company root certificates.
|
||||
|
||||
== Extra check for website certificates using DNS CAA records
|
||||
|
||||
|
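Review bot: "operation system" in the second changed line survives the typo pass; it should read "operating system". While touching these lines, "CA's" is a plural, not a possessive, so "CAs" is the correct form, and "the operation system does so as well" would then read "the operating system does so as well".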
@ -2,6 +2,6 @@
|
||||
|
||||
== Post quantum cryptography
|
||||
|
||||
Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communicatation using quantum vulnerable cryptoraphy is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for.
|
||||
Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communication using quantum vulnerable cryptography is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for.
|
||||
|
||||
Mathematics has answers for the post quantum era. New cryptography is already available and should be used NOW in order to minimize threats. You can read more on this on Wikipedia: https://en.wikipedia.org/wiki/Post-quantum_cryptography[Post quatum on Wikipedia,window=_blank]
|
||||
|
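Review bot: the link text in the trailing context line, "Post quatum on Wikipedia", still carries a typo ("quatum" for "quantum") that this commit does not fix; suggest including it since the commit is a typo sweep. The rest of the hunk (communication, cryptography) looks right.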
@ -18,7 +18,7 @@ Remember the session cookie should always be defined with http-only flag.
|
||||
Another defense can be to add a custom request header to each call. This will work if all the interactions
|
||||
with the server are performed with JavaScript. On the server side you only need to check the presence of this header
|
||||
if this header is not present deny the request.
|
||||
Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed
|
||||
Some frameworks offer this implementation by default however researcher Alex Infuhr found out that this can be bypassed
|
||||
as well. You can read about: https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html[Adobe Reader PDF - Client Side Request Injection]
|
||||
|
||||
|
||||
|
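Review bot: the context line "On the server side you only need to check the presence of this header if this header is not present deny the request." runs two sentences together; suggest a full stop or semicolon after "header", e.g. "check the presence of this header; if it is not present, deny the request." The changed line also continues into "You can read about:", which is missing its object ("You can read about it here:").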
@ -1,5 +1,5 @@
|
||||
== What is a Gadgets Chain
|
||||
|
||||
It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserializaded, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
|
||||
It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserialized, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain".
|
||||
|
||||
Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code.
|
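Review bot: the changed line fixes "deserializaded" but leaves two grammar slips in the same sentence: "when is deserialized" needs "it" ("when it is deserialized"), and "runs action on other gadget" should be "runs actions on another gadget". In the trailing context, "requires to spend a big amount of time" reads better as "requires spending a large amount of time".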
@ -11,7 +11,7 @@ ObjectInputStream ois = new ObjectInputStream(is);
|
||||
AcmeObject acme = (AcmeObject)ois.readObject();
|
||||
----
|
||||
|
||||
It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting ocurs.
|
||||
It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting occurs.
|
||||
If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to perform those actions.
|
||||
|
||||
=== Class included in ClassPath
|
||||
|
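Review bot: the "occurs" fix is fine; consider also spelling out in that sentence why the cast does not help, namely that `readObject()` has already reconstructed the object graph before the `(AcmeObject)` cast is evaluated, which is the point the surrounding code sample makes. The following context line uses "he could serialize"; "they could serialize" avoids the gendered pronoun.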
@ -1,5 +1,5 @@
|
||||
=== Let's try
|
||||
The following input box receives a serialized object (a string) and it deserialzes it.
|
||||
The following input box receives a serialized object (a string) and it deserializes it.
|
||||
|
||||
```
|
||||
rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l
|
||||
|
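Review bot: the listing opened with a triple-backtick fence in this hunk, while the other lesson files in this same commit use the AsciiDoc `----` delimiter (see the earlier `ObjectInputStream` hunk); suggest switching to `----` so the sample serialized string renders consistently as a code block.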
@ -4,5 +4,5 @@ Older apps may follow different patterns, but RESTful apps (which is what's goin
|
||||
to perform different functions.
|
||||
|
||||
Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile.
|
||||
Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change the
|
||||
Change the role to something lower (since higher privilege roles and users are usually lower numbers). Also change the
|
||||
user's color to 'red'.
|
@ -1,6 +1,6 @@
|
||||
|
||||
|
||||
- Describe how the attack works / should be some outpu
|
||||
- Describe how the attack works / should be some output
|
||||
|
||||
<p><b>Concept / Topic To Teach:</b> </p>
|
||||
This lesson teaches how to perform XML External Entity Attacks.
|
||||
|
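Review bot: the "- Describe how the attack works / should be some output" line reads like a leftover authoring TODO rather than lesson text, and it sits directly above the rendered "Concept / Topic To Teach" heading, so it will be visible to learners; suggest either removing it or moving it into an HTML comment rather than only correcting its spelling. The `<p><b>Concept / Topic To Teach:</b> </p>` context line also has a stray space before `</p>`.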
@ -11,7 +11,7 @@ The token is base64 encoded and consists of three parts:
|
||||
- claims
|
||||
- signature
|
||||
|
||||
Both header and claims consist are respresented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT.
|
||||
Both header and claims consist are represented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT.
|
||||
The claims represent a JSON object whose members are the claims conveyed by the JWT.
|
||||
|
||||
|
||||
|
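Review bot: the changed line still reads "Both header and claims consist are represented by a JSON object"; "consist" is a leftover from an earlier phrasing and should be dropped ("Both header and claims are represented by a JSON object"). For accuracy, the section intro's "base64 encoded" could be "base64url encoded", since JWT segments use the URL-safe alphabet without padding.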
@ -22,7 +22,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3>
|
||||
//return failed(this).feedback("lesson-template.sample-attack.failure-2").build();
|
||||
}
|
||||
|
||||
//overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure'
|
||||
//overly simple example for success. See other existing lessons for ways to detect 'success' or 'failure'
|
||||
if (secretValue.equals(param1)) {
|
||||
return success(this) // <7>
|
||||
.output("Custom Output ...if you want, for success")
|
||||
|
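Review bot: since this file is the template new lessons are copied from, the `secretValue.equals(param1)` comparison in the unchanged context deserves a note or a safer form: `String.equals` short-circuits on the first differing character, so a constant-time comparison such as `MessageDigest.isEqual(secretValue.getBytes(UTF_8), param1.getBytes(UTF_8))` (with a null check on `param1`) is the pattern lessons should inherit. The comment itself already flags the check as "overly simple", so a one-line pointer there would be enough.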
@ -18,7 +18,7 @@ For example: If you send a password reset link to a user via e-mail, do not incl
|
||||
Password reset tokens allow a user to reset a password without inherently safe information about the verification of the user. Hence they should be safe. It should be hard to guess such a token. The token should also be only valid for a short amount of time and should be invalid after the user successfully reset their password.
|
||||
|
||||
=== Logging user actions
|
||||
Logging alone can't prevent any attacks but it can make it easier to determine that an attack happened and how the attacker tried to bypass security. You can also use logs to determine if an account really got hijacked and if it has to be returned the the rightful user. Actions you can log are: How did the security questions get answered? When did the access to the password reset link happen in comparison to the time the e-amil got sent? Were there failed attempts?
|
||||
Logging alone can't prevent any attacks but it can make it easier to determine that an attack happened and how the attacker tried to bypass security. You can also use logs to determine if an account really got hijacked and if it has to be returned the the rightful user. Actions you can log are: How did the security questions get answered? When did the access to the password reset link happen in comparison to the time the e-mail got sent? Were there failed attempts?
|
||||
|
||||
=== Two factor authentication
|
||||
It is always safer to do an authentication process via two or more separate ways on two or more separate devices. If a user wants to reset their password you can ask them to enter verification codes sent to them via SMS, Messenger, or similar. This makes it hard for an attacker to bypass the verification process, because they need physical access to another device.
|
||||
|
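Review bot: the changed line fixes "e-amil" but keeps the doubled article in "returned the the rightful user"; it should be "returned to the rightful user". In the preceding context, "without inherently safe information about the verification of the user" is hard to parse; suggest "without otherwise trustworthy information to verify the user".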
@ -4,7 +4,7 @@ After successfully compromising confidentiality and integrity in the previous le
|
||||
There are many different ways to violate availability.
|
||||
If an account is deleted or its password gets changed, the actual owner cannot access this account anymore.
|
||||
Attackers could also try to delete parts of the database, or even drop the whole database, in order to make the data inaccessible.
|
||||
Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whdle.
|
||||
Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whole.
|
||||
|
||||
=== It is your turn!
|
||||
Now you are the top earner in your company.
|
||||
|