Post AQAPaFT5ybH3Tx112u by jeff@federated.fun
 (DIR) Post #AQ9bzcYyFhkKdmfW2i by ericazelic@infosec.exchange
       2022-12-01T06:07:30Z
       
       0 likes, 0 repeats
       
       HTTP Basic authentication, lacking 2FA, internet facing, providing access to multiple clients' confidential data once logged in. Severity? (plz boost my toot?) #infosec #cybersecurity #authentication #http #pentesting #pentest
       
 (DIR) Post #AQ9bzd5aIRpmGvvYsS by jeff@federated.fun
       2022-12-01T06:15:24.925639Z
       
       2 likes, 0 repeats
       
       @ericazelic jfc, people who voted "critical" need to learn what threat modeling is and why there is so, so much worse to find in an audit.
       
 (DIR) Post #AQ9cLccKjOtvBCjSee by ericazelic@infosec.exchange
       2022-12-01T06:17:57Z
       
       0 likes, 0 repeats
       
       @jeff I think it depends on how you read the circumstances, but appreciate your input nonetheless
       
 (DIR) Post #AQ9cLdB4eEgquwzCnw by jeff@federated.fun
       2022-12-01T06:19:28.859921Z
       
       1 likes, 0 repeats
       
       @ericazelic consider the following, it could have NO auth.
       
 (DIR) Post #AQ9cThMixf6IDsHZNg by ericazelic@infosec.exchange
       2022-12-01T06:20:12Z
       
       0 likes, 0 repeats
       
       @jeff good point. In that case it would be considered a data breach.
       
 (DIR) Post #AQ9cThsd32cZopD36u by jeff@federated.fun
       2022-12-01T06:20:56.242110Z
       
       1 likes, 0 repeats
       
       @ericazelic and likely has a google dork for it lying about.
       
 (DIR) Post #AQAK3jayRbW5anNS1w by mav@hackers.town
       2022-12-01T07:08:40Z
       
       1 likes, 0 repeats
       
       @jeff @ericazelic do you really typically find things that are worse than passwords being passed in plaintext, and if so, what the hell are they?
       
 (DIR) Post #AQAKM8kfeUEepHgo3U by jeff@federated.fun
       2022-12-01T14:32:35.903661Z
       
       3 likes, 0 repeats
       
       @mav @ericazelic not typically, you just need to keep in mind that thinking about security isn't always in the dev process, especially when you are the one doing a code audit.
       
 (DIR) Post #AQAKqDHlMOGJZhVYQK by andreashappe@infosec.exchange
       2022-12-01T07:12:23Z
       
       0 likes, 0 repeats
       
       @mav @jeff @ericazelic is https being used? if so, this is common behaviour (as there seems to be a slow uptake of PAKE). I'd go with medium, maybe high, but not due to the confidentiality of the data (which must be given by TLS anyway) but because of the (highly probable) lack of session management (no logout, etc.)
       
 (DIR) Post #AQAKqDxaqrirfR4xcm by Freyja@eldritch.cafe
       2022-12-01T08:07:41Z
       
       1 likes, 0 repeats
       
       @andreashappe @mav @jeff @ericazelic basic auth is common over https but is a bad habit. There are so many things that can break https (to begin with your company proxy, your phone provider's proxy, your VPN provider, the tor exit node, your anti-virus provider, your state and so on). People tend to think they are protected when they use https; even if it's better than http, it's only a layer of security, and it's not bulletproof at all.
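
Two points made in the last two posts, that a Basic credential is only base64-encoded and so rests entirely on TLS for confidentiality, and that anything able to read the request (a proxy, an interception device, a cleartext hop) reads the password, can be shown concretely. The following is an added example written for this page, not code from anyone in the thread; it uses the RFC 7617 example credential, a constructed forward-proxy log format (timestamp, method, URL, authentication scheme seen) and made-up `example.test` hostnames, and shows the check a defender would run over such a log to find credentials crossing the wire without TLS.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BasicCredential:
    username: str
    password: str


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization value a client sends for HTTP Basic (RFC 7617).

    The credential is re-sent on every request; there is no session to log out of.
    """
    if ":" in username:
        raise ValueError("RFC 7617 forbids a colon in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value: str) -> Optional[BasicCredential]:
    """Decode an Authorization header; None if it is not a valid Basic credential.

    base64 is an encoding, not encryption: whoever can read the request
    reads the password, which is why the scheme depends on the transport.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")  # RFC 7617 allows either; UTF-8 is preferred
    # user-id may not contain a colon, so everything after the first one is the password
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return BasicCredential(username, password)


# Constructed forward-proxy log (not from any real system), one request per line:
# <timestamp> <method> <url> auth=<Authorization scheme seen, or ->
SAMPLE_PROXY_LOG = """\
2022-12-01T06:07:30Z GET http://portal.example.test/clients/42 auth=Basic
2022-12-01T06:07:31Z GET https://portal.example.test/clients/42 auth=Basic
2022-12-01T06:07:32Z GET https://portal.example.test/static/app.js auth=-
2022-12-01T06:07:33Z POST http://legacy.example.test/api/export auth=Basic
2022-12-01T06:07:34Z GET https://sso.example.test/login auth=Bearer
"""


def cleartext_basic_requests(log_text: str) -> List[str]:
    """URLs where a Basic credential crossed the wire without TLS: the finding to escalate."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at them
        url, auth_field = parts[2], parts[3]
        _, _, auth_scheme = auth_field.partition("=")
        if auth_scheme.lower() == "basic" and url.lower().startswith("http://"):
            hits.append(url)
    return hits


if __name__ == "__main__":
    header = encode_basic("Aladdin", "open sesame")  # RFC 7617's own example credential
    print(header, "->", parse_basic_authorization(header))
    for url in cleartext_basic_requests(SAMPLE_PROXY_LOG):
        print("Basic credential sent in cleartext to", url)
```

Basic over a working TLS connection is the "common behaviour" case; the same credential over `http://`, or through any hop that terminates TLS, is the breach case, and the log check above is where the two are told apart.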
       
 (DIR) Post #AQAKqEVyn1EDO5AQDo by jeff@federated.fun
       2022-12-01T14:38:00.173134Z
       
       0 likes, 0 repeats
       
       @Freyja @andreashappe @mav @ericazelic do note that if you pin server certs that are self-signed you are already putting the user into alert mode when the browser complains about the lack of CA-certified TLS. this can be a better way just from how distinct the UX is vs their other things. kinda wish you could set custom errors in the browser to pin fingerprints TOFU-style
       
 (DIR) Post #AQANLOruXoo6NtPlzs by andreashappe@infosec.exchange
       2022-12-01T14:50:45Z
       
       0 likes, 0 repeats
       
       @jeff @Freyja @mav @ericazelic not sure I am getting you right, with pin you mean HSTS or an application pinning the cert?
       
 (DIR) Post #AQANLPJCuKdpkYBZXk by jeff@federated.fun
       2022-12-01T15:06:04.597864Z
       
       0 likes, 0 repeats
       
       @andreashappe @Freyja @mav @ericazelic ssh-style TLS cert fingerprint TOFU, in the browser with customizable error pages for the blue team to put in as needed, like a page that says to file an IT ticket if you get this page with error code (insert number used to sound alarms to sec here)
       
 (DIR) Post #AQANbBGAuPKIoMHxb6 by Freyja@eldritch.cafe
       2022-12-01T14:50:38Z
       
       0 likes, 0 repeats
       
       @jeff @mav @andreashappe @ericazelic pinning is a good thing but I've seen issues with High Availability :/ One thing to note, your corporation can inject an authority in your certificate store and magically all certs are trusted (even expired or self-signed ones if the device intercepting the traffic is nasty). The worst I've seen is a VPN provider (nord vpn, to not mention them) injected an authority without user knowledge so they can inspect traffic for "antivirus purposes".
       
 (DIR) Post #AQANbBkJ6NQgJoO1Z2 by jeff@federated.fun
       2022-12-01T15:08:55.070498Z
       
       1 likes, 0 repeats
       
       @Freyja @mav @andreashappe @ericazelic entry level infosec tend to not notice the user is the first line of defense. giving them the ability to report sec related issues is better than anything money can buy
       
 (DIR) Post #AQAOnLCbruWf4nz2P2 by andreashappe@infosec.exchange
       2022-12-01T15:14:28Z
       
       0 likes, 0 repeats
       
       @jeff @Freyja @mav @ericazelic how (or from where) do you get the custom error page? you wouldn't want to trust the web server (with the invalid TLS certificate)? can you roll out something like this company-wide? i think i am still missing some piece of the puzzle
       
 (DIR) Post #AQAOnLm3k6skqkZLeq by jeff@federated.fun
       2022-12-01T15:22:19.764048Z
       
       0 likes, 0 repeats
       
       @andreashappe @Freyja @mav @ericazelic IT sets up pinned certs on all mid/high-sec user-agents for the core infra your users talk with that is internal; if something gets fucky the user-agents can automatically report an issue, this creates a dragnet of "sigint minutemen". you really want to fold users into the process of sec if you can, they will be more receptive to reporting potential early warning signs. you want to add something to THEIR ux that can keep them in the loop, and make them feel like they can contribute to the security process. just spitballing here tbh, there is a lot more you'd have to.
       
 (DIR) Post #AQAOy7huNqTYPJlSvg by Freyja@eldritch.cafe
       2022-12-01T15:15:37Z
       
       0 likes, 0 repeats
       
       @andreashappe @jeff @mav @ericazelic I don't get it either. If your browser doesn't trust the cert, NO page can be shown, and no redirect to an error one hosted by the company
       
 (DIR) Post #AQAOy89uhisRoArpa4 by jeff@federated.fun
       2022-12-01T15:24:16.373608Z
       
       0 likes, 0 repeats
       
       @Freyja @andreashappe @mav @ericazelic additional corporate CA creates green lock blindness and Let's Encrypt exists.
       
 (DIR) Post #AQAP4aqGyQQwVNlJ8i by jeff@federated.fun
       2022-12-01T15:25:27.434716Z
       
       0 likes, 0 repeats
       
       @Freyja @andreashappe @mav @ericazelic i want a distinct ui/ux for "this is internal and authenticated" not just the green lock of tls ca snakeoil
       
 (DIR) Post #AQAPFPAIjEYZTWHlNQ by jeff@federated.fun
       2022-12-01T15:27:19.015538Z
       
       0 likes, 0 repeats
       
       @Freyja @mav @andreashappe @ericazelic if i could have the browser give me some hooks as IT that i can mark "this page is internal and authenticated" that is visually distinct, in both success and failure modes, that would be great tbh. kills phishing too.
       
 (DIR) Post #AQAPQcrEA2qn7uiMHA by SecurityWriter@infosec.exchange
       2022-12-01T08:09:27Z
       
       1 likes, 0 repeats
       
       @ericazelic @ladyparabellum depending on other factors this ranges from benign to high, because you could *technically* secure this quite well, if you reaaaaaly wanted to. Both CVSS and EPSS would likely categorise this as low severity, but it is stupid design.
       
 (DIR) Post #AQAPaEP9vkX0BSAMGu by andreashappe@infosec.exchange
       2022-12-01T08:15:54Z
       
       0 likes, 0 repeats
       
       @Freyja @mav @jeff @ericazelic fully agree, and I have marked HTTP BASIC in all pen-test reports that I've written over the years (and participated in writing national (small) standards that explicitly forbid usage of HTTP BASIC). But again, I find the ranking of BASIC AUTH as being critical more than a bit overblown.
       
 (DIR) Post #AQAPaF0jg2aa3zkMqG by Freyja@eldritch.cafe
       2022-12-01T08:36:04Z
       
       0 likes, 0 repeats
       
       @andreashappe @mav @jeff @ericazelic You're right, it should be Medium or High. It really depends on your business, the sensitivity of the data and against whom you want to be protected.
       
 (DIR) Post #AQAPaFT5ybH3Tx112u by jeff@federated.fun
       2022-12-01T15:31:08.914734Z
       
       0 likes, 0 repeats
       
       @Freyja @andreashappe @mav @ericazelic i think that the level of granularity here is a bit too simple. i wish there was a way to have a "for this class of threat model/data it is low, for this it is mid, for the remaining critical" or something like that as it adds the nuance back into it.
       
 (DIR) Post #AQAPrgtjFNtDTan38i by Freyja@eldritch.cafe
       2022-12-01T14:53:01Z
       
       0 likes, 0 repeats
       
       @andreashappe @jeff @mav @ericazelic pinning is HTTP Public Key Pinning (HPKP) and is not considered such a great idea by certificate companies because of side effects. https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning
       
 (DIR) Post #AQAPrhOZOiYl1FDgDA by Freyja@eldritch.cafe
       2022-12-01T14:59:07Z
       
       0 likes, 0 repeats
       
       @andreashappe @jeff @mav @ericazelic it can become a nightmare, very, very fast... HSTS is useful but also needs to be carefully configured :/
       
 (DIR) Post #AQAPrhonpBXkKbUd6G by ericazelic@infosec.exchange
       2022-12-01T15:32:56Z
       
       0 likes, 0 repeats
       
       @Freyja @andreashappe @jeff @mav I was going to suggest this but the server version is not compatible with HSTS. Glad you brought up this point.
       
 (DIR) Post #AQAPriDyJbfzafGjKa by jeff@federated.fun
       2022-12-01T15:34:17.947230Z
       
       0 likes, 0 repeats
       
       @ericazelic @Freyja @andreashappe @mav user agent security tooling is very underexplored in sec rn and it makes me sad
       
 (DIR) Post #AQAQRECLQglStHRWVc by Freyja@eldritch.cafe
       2022-12-01T15:36:19Z
       
       0 likes, 0 repeats
       
       @jeff @mav @andreashappe @ericazelic I'm using user-agent to open specific doors on my personal website :D But still it can be caught by proxies or URL sniffing (IF https is not in use, but you can always trick a browser to send some reply unprotected)
       
 (DIR) Post #AQAQRElnIt7YfE1plQ by jeff@federated.fun
       2022-12-01T15:40:44.093848Z
       
       0 likes, 0 repeats
       
       @Freyja @mav @andreashappe @ericazelic the user-agent header in http just identifies the claimed user-agent, i wish there was a more rigorous way than that too that isn't invasive fingerprinting.
       
 (DIR) Post #AQARlIA8V2CMvpXbSS by staticnoisexyz@infosec.exchange
       2022-12-01T15:51:23Z
       
       0 likes, 0 repeats
       
       @Freyja @mav @jeff @ericazelic @andreashappe Don’t CVSS environmental and temporal metrics do exactly that?
       
 (DIR) Post #AQARlIm4E0XWpTHta4 by ericazelic@infosec.exchange
       2022-12-01T15:55:24Z
       
       1 likes, 0 repeats
       
       @staticnoisexyz @Freyja @mav @jeff @andreashappe yes, it may be the best model for that. I guess if there was a better way to apply the leaked password policy and naming convention for authentication and critical finding behind the door, I wouldn't struggle with this as much.
       
 (DIR) Post #AQAS2hStg7KQKTcK0G by andreashappe@infosec.exchange
       2022-12-01T15:56:16Z
       
       0 likes, 0 repeats
       
       @ericazelic @Freyja @jeff @mav HSTS is executed by the client. as long as you can add an HTTP server header, you should be able to enable it, no special server support needed
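
Two claims in the thread, that HSTS is enforced by the client and needs nothing from the server beyond one response header, and that it still has to be configured carefully, can both be checked mechanically on the header value itself. The following is an added example written for this page, not code from anyone in the thread; it parses a `Strict-Transport-Security` value according to RFC 6797 and returns the findings a reviewer would raise. The sample header values are constructed, and the one-year floor is the current hstspreload.org requirement for the `preload` directive, used here as the production minimum as well.

```python
from dataclasses import dataclass
from typing import List, Optional

# hstspreload.org currently requires at least one year; also a sensible production floor
ONE_YEAR_SECONDS = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns None where a browser would ignore the header: missing or
    non-numeric max-age, or a directive given twice. Unknown directives are
    ignored, as the RFC requires; directive names are case-insensitive.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    seen = set()
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # values may be quoted-strings
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def review_hsts(header_value: Optional[str]) -> List[str]:
    """Findings for one response's Strict-Transport-Security header (None = header absent).

    An empty list means the policy is complete: one year or more, covering subdomains.
    """
    if header_value is None:
        return ["missing: no Strict-Transport-Security header"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["invalid: header does not parse, browsers will ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("disabled: max-age=0 tells browsers to drop the policy")
    elif policy.max_age < ONE_YEAR_SECONDS:
        findings.append(f"weak: max-age={policy.max_age} is under one year")
    if not policy.include_subdomains:
        findings.append("partial: no includeSubDomains, subdomains stay reachable over http")
    if policy.preload and (policy.max_age < ONE_YEAR_SECONDS or not policy.include_subdomains):
        findings.append("preload: directive set but policy does not meet the preload-list requirements")
    return findings


# Constructed header values for illustration; none observed on a real host.
SAMPLE_HEADERS = {
    "complete": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "switched off": "max-age=0; includeSubDomains",
    "typo": "max_age=31536000",
    "absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:12} {value!r}: {review_hsts(value) or ['ok']}")
```

Two caveats worth keeping next to this: browsers only honour the header when it arrives over HTTPS with a certificate they accept, so it cannot rescue a site whose TLS is already broken, and any server that can emit a static response header (IIS's `web.config` `customHeaders` included) is enough to set it, which is the point made in the post above.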
       
 (DIR) Post #AQAS2i5XMSEkGJhBEO by ericazelic@infosec.exchange
       2022-12-01T15:57:06Z
       
       0 likes, 0 repeats
       
       @andreashappe @Freyja @jeff @mav Hmm, this wasn't what Microsoft docs said but let me check again in case I misread.
       
 (DIR) Post #AQAS2ieHHI1g03wvNg by Freyja@eldritch.cafe
       2022-12-01T15:58:09Z
       
       0 likes, 0 repeats
       
       @ericazelic @andreashappe @jeff @mav IIS :/
       
 (DIR) Post #AQAS2jBxG4xrgVhosC by jeff@federated.fun
       2022-12-01T15:58:41.872333Z
       
       0 likes, 0 repeats
       
       @Freyja @ericazelic @andreashappe @mav the .dev gTLD is on the Google Chrome HSTS whitelist which is probably what they are referring to