Thursday, June 25, 2015

A short introduction to cryptography

In my current assignment I work a lot with security issues. Recently I've had some work involving cryptography. As I have no experience with this from the past it was kinda hard getting started, but this book really gave me a good introduction on the subject.


It walks you through the basics of the history, block ciphers, stream ciphers and public key cryptography. It also has some chapter about the problem with public keys and Public Key Infrastructure. On some of the parts it goes a little deeper but mostly its a on the surface of things. It gives really good real world examples and is in a small format so you can bring it on the buss or the train.

Bottom line. Great book. Cheap book. Buy it if you want to get an intro to  cryptography.

Protecting against CSRF

CSRF is a quite common and dangerous attack that many websites are not protected against. The attack can be used to perform actions on website with a logged in user.
To do the attack the attacker need to no what should be sent in a POST request and to URL to post, to perform an action. An action being for example. Creating a new user account.

Lets say the following is posted from a form to create a new account.

Name             Value
name              Carl
telephone        54865123
password        123456

The password is an example of commonly used passwords =)

The form is posted to a to the path http://www.mysite.com/users/createAccount

The attack can be done as follows.


  1. The attacker creates a page on his website like this.
  2. <html>
    <head>
    <title>My evil page</title>
    </head>
    
    <body onload="javascript:postForm()">
    <script language="JavaScript">
    
    function postForm()
    {
            document.form.submit();
    }
       
    </script>
    <form method="POST" name="form" action="http://www.mysite.com/users/createAccount">
    <input type="text" name="name " value="Carl"/>
    <input type="text" name="telephone" value="54865123"/>
    <input type="password" name="password" value="password"/>
    </form>
    
    </body>
    </html>
    
  3. The a link to a page is then be sent to the victims email. When the victim clicks, the form is posted and the action is excecuted.


Some of you might think that this wont work because your site has a login. But it the victim is logged in when the link is clicked the form will be posted using the authenticated session. Thus bypassing all login.

So you can see this is a problem. With a little knowledge of the internals of the site, an attacker can make a victim make whatever actions. And because the action is done with the victims session it can be hard to track the attack.

The way to protect against this is by putting a hidden input in the form, containing an unpredictable value stored at the server. For example a random number. Every session should have a unique value. The best is to let every request have unique value

<input type="hidden" name="CSRFToken" value="<?= $token ?>"/>

Because the attacker can't know the value in the response, all you need to do on the server is to control that the value you get in the post request is the same as the one stored on the server.

For more information, tools and tips have a look at OWASPs page for CSRF http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

I would also recommend the OWASP top 10 publication. Witch describes the top 10 security threats to web applications and how to protect against them.

Adding Java formated code to your blogger blog

[Update] This one is much better

http://heisencoder.net/2009/01/adding-syntax-highlighting-to-blogger.html 


For all you new on blogger, as I was, here is a simple recipe on how to use syntax highlighting or code formating in your blog post.

In blogger goto the tab Design -> Edit HTML

Add the following in end of <head>

<link href='http://alexgorbatchev.com/pub/sh/current/styles/shCore.css' rel='stylesheet' type='text/css'/> 
<link href='http://alexgorbatchev.com/pub/sh/current/styles/shThemeDefault.css' rel='stylesheet' type='text/css'/> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shCore.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCpp.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCSharp.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCss.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushJava.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushJScript.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushPhp.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushPython.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushRuby.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushSql.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushVb.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushXml.js' type='text/javascript'></script> 
<script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js' type='text/javascript'></script> 
<script language='javascript'> 
SyntaxHighlighter.config.bloggerMode = true;
SyntaxHighlighter.config.clipboardSwf = 'http://alexgorbatchev.com/pub/sh/current/scripts/clipboard.swf';
SyntaxHighlighter.all();
</script>

To then add java formated code to a blog use the following tag



Here is an example. The following...



... will render as

int x = 4;
int y = 3;
int sum = x + y; // 7


If anyone has another solution, maybe a tip on how to get the clipboard util up in the right to work, please comment this post and tell me.

Implicit CSRF protection of ajax requests

Protecting form against CSRF is easy but what about ajax requests, here something more must be done.
It pretty straight forward to just  add the token to the data every time you make a ajax request, but what if you have a framework on top making the ajax request by it self. With frameworks using JQuery, in my case primefaces, this can be solved quite easy.

Primefaces uses the JQuery.ajax method when making ajax requests for many of its components, for example autocomplete. The easies way to do this would then offcourse be to change the underlaying function. Thanks to the way JQuery is built the core methods is very easy to override.

To override a core method in JQuery you just assign the function a new function... =/ like this.

JQuery.ajax = function(settings) {
...
}

The assign function should take the same arguments as the original function. In this case a key/value pair.

Now you just have to put something in the function to append the CSRF token. In my case:

//IPR Ergogroup AS
jQuery.ajax = function(settings) {
if (!settings.dataType)
settings.dataType = 'html';
if (typeof (settings.data) == typeof ('')) {
settings.data += '$CSRFToken=' + CSRFToken;
} else {
settings.data['CSRFToken'] = CSRFToken;
}
orginalMethod(settings);
}

To be able to invoke the original method after doing my stuff I save it to a variable berofe overiding it.
For further reading I recommend the OWASP top 10 publication. Which describes the top 10 security threats to web applications and how to protect against them.

Todays useful linux commands

Some useful commands I use now and then.


What files at taking all my space?

du / -h | grep ^[0-9\\.]*G

Showing all folders/files with a size of 1G and up


What logs changed the last minutes?

find / -mmin 5 | grep log

Showing all files changed in the last five minutes. Greps on log

Monitoring heap space on local JMVs in Java 5

In the last couple of days I have been helping a colleague with a problem. The problem is that they have a couple  of java processes running on a server. These processes go out of memory every no and then and it is important that they can get a notice when this is about to happen.

First I had a look at some monitoring applications.

  • jConsole - Had no email functions. It looks like you could install a MBean with mail funtions but I think that has to be done from inside each process and I'm not allowed to change the code.
  • Nagios - Is a big infrastructure monitoring utility which have a JMX pluging, but it seemed to overkill.
  • Munin - Appears to have some notification ability, but seems hard to set up. 

The solution was to write my own little notification and monitoring program. Often not the best solution but I also saw some value in learning more about JMX monitoring.

I think everybody can agree, it better to fix the memory problem then to just restart the servers when they are running out of memory, but no time for that right now.

Enough of problem, now to the solution =)

To get the memory used by the processes, I needed to summarize the memory used y each process.
As I were going to monitor all the JVMs running om the machine I have to somehow connect to the JMX of every process.

I first stumbled on to the Attach API in java 6 which have a lot of functionality for listing and working with the VMs on the machine. Problem is I was going to build the program for java 5. So I soon dropped this.

Second I tried to find out how jConsole lists the VMs in its startup dialog. Finally I found the class  sun.jvmstat.monitor.MonitoredHost used by the jvmstat program. As Oracle states it's not recommended to use sun.* classes because they are not guaranteed to work in future releases and all platforms.   http://www.oracle.com/technetwork/java/faq-sun-packages-142232.html. But because this is a simple utility meant for use on one server I decided to use them anyway.

So I could use the method activeVms to get a list of all process ID of the active vms.

MonitoredHost.getMonitoredHost("localhost").activeVms();

But how to connect to the JMX of a process only using a PID. Google gave me very many unhelpful suggestions about the Attach API. But finally I found another helpful class in the sun.* classes. sun.management.ConnectorAddressLink

Using the method importFrom I got the JMX address for the JVM process and the hard part was over.

ConnectorAddressLink.importFrom(pid);

Then it was just the simple task of getting the max and used heapspace from the Memory MX Bean.

jmxConnector = JMXConnectorFactory.connect(serviceUrl, null);
  MBeanServerConnection con = jmxConnector.getMBeanServerConnection();
  MemoryMXBean memBean = ManagementFactory.newPlatformMXBeanProxy(con, ManagementFactory.MEMORY_MXBEAN_NAME, MemoryMXBean.class);
memBean.getHeapMemoryUsage().getUsed();
memBean.getHeapMemoryUsage().getMax();

So to the whole process for calculating used heap space on the machine would look something like this

long usedHeapSpace = 0;
for (Object OPid : MonitoredHost.getMonitoredHost("localhost").activeVms()) {
 int dpid = Integer.parseInt(OPid.toString());
 String address = ConnectorAddressLink.importFrom(dpid);
 JMXServiceURL serviceUrl = new JMXServiceURL(address);
 JMXConnector jmxConnector = JMXConnectorFactory.connect(serviceUrl, null);
 MBeanServerConnection con = jmxConnector.getMBeanServerConnection();
 MemoryMXBean memBean = ManagementFactory.newPlatformMXBeanProxy(con
   , ManagementFactory.MEMORY_MXBEAN_NAME
   , MemoryMXBean.class);

 usedHeapSpace += memBean.getHeapMemoryUsage().getUsed();
 jmxConnector.close();
}

Note that all java processes must use the -Dcom.sun.management.jmxremote for the JMX to be enabled.
If there are processes without this flag the resulting calculation will be incorrect.

So to summarize, bad lessons learned, there is a lot of fun stuff in sun.* classes =)

Syncing Active Directory with OpenAM datastore using LSC

Lately I have been tasked to set up an OpenAM server that should authenticate user against an existing AD server.


I have found three usual approaches to this problem.

  • Use the AD as a OpenAM user store 
  • The AD authentication module can be used to authenticate user against AD. 
  • Use some kind tool could be used to synchronize AD and OpenAM user store.

The problem with the first one is that it require some changes to the AD which I am not allowed to implement.


The second one works fine if all you want to do is authenticate the user, as far as I've seen there aren’t any good ways to get more information about the user for example email address and phone number. The module can be configured to populate the default user store in OpenAM with user attributes from AD, but this will only happen on the first login. If the user changes email or phone number in the future the changes won't be reflected in OpenAM.


I ended up using both AD authentication module and synchronization. The authentication module for authentication directly against AD and synchronization for getting the attributes. For synchronization I used LSC.


In the next section I will describe the LSC configuration. This is not a beginners guide to LCS so if you are new to it, I recommend you checking out some of the tutorials here http://lsc-project.org/wiki/documentation/2.0/start


LSC configuration
In my OpenAM configuration different groups have different authorization so I want to sync both users and groups. 


This is accomplished by defining two tasks.


lsc.tasks = ADuser, ADgroup

Syncing users
First the properties for the srcService

lsc.tasks.ADuser.srcService = org.lsc.jndi.SimpleJndiSrcService

lsc.tasks.ADuser.srcService.baseDn = cn=Users

# Filter to list all entries to synchronize
lsc.tasks.ADuser.srcService.filterAll = (&(sAMAccountName=*)(objectClass=user)(memberOf=CN=OpenAMUsers,CN=Users,DC=capra,DC=no))

# Attributes to read from all entries used to match objects between source and destination
lsc.tasks.ADuser.srcService.pivotAttrs = sAMAccountName

# Filter to read one entry to synchronize, based on pivotAttrs above
# This filter may contain one or several pivotAttrs defined above, like "{attributeName}"
lsc.tasks.ADuser.srcService.filterId = (&(objectClass=user)(|(sAMAccountName={sAMAccountName})(sAMAccountName={uid})))

# Attributes to read from each entry used to read and write data
lsc.tasks.ADuser.srcService.attrs = mail cn sAMAccountName sn givenName

Short description. The filterAll attribute is used to pick out all users of interest. In this case I'm specifying objectType users and they should have an sAMAccountName. I have also placed all the users to be synced in a group called OpenAMUsers as the users to be synced is only a subset of the user base. 


The name to look at when matching users is the sAMAccountName and is specified in pivotAttrs. The filterId is a bit tricky In order to understand how to define this, I recommend reading  http://lsc-project.org/user-guide/#matching-up-entries. The attr is the attributes I would like to read from the source.

The dstService
lsc.tasks.ADuser.dstService = org.lsc.jndi.SimpleJndiDstService
lsc.tasks.ADuser.dstService.baseDn = ou=People

# Filter to list all entries to synchronize
lsc.tasks.ADuser.dstService.filterAll = (&(uid=*)(objectClass=inetOrgPerson))

# Attributes to read from all entries used to match objects between source and destination
lsc.tasks.ADuser.dstService.pivotAttrs = uid 

# Filter to read one entry to synchronize, based on pivotAttrs above
# This filter may contain one or several pivotAttrs defined above, like "{attributeName}"
lsc.tasks.ADuser.dstService.filterId = (&(objectClass=inetOrgPerson)(|(uid={sAMAccountName})(uid={uid})))

# Attributes to read from each entry used to read and write data
lsc.tasks.ADuser.dstService.attrs = mail cn uid objectClass sn givenName inetUserStatus

On the destination(OpenAM) all users lies under ou=People so base dn is ou=People.
FilterId sepecifies user of interest in the destination. The attrs in this case is the attributes I would like to update.


lsc.tasks.ADuser.dn = "uid=" + srcBean.getAttributeValueById("sAMAccountName") + ",ou=People"

In OpenAM the users are by default identified with the uid attribute. I thought it wise to keep this so the DN is concatenated with the account name and the user base dn.

Sync options specify how to update the info in destination.


# syncoption for the uid attribute: At creation the uid is set to sAMAccountName from src
lsc.syncoptions.ADuser.uid.action = K
lsc.syncoptions.ADuser.uid.objectClass.create_value = srcBean.getAttributeValueById("sAMAccountName")

#Insert objectClass
lsc.syncoptions.ADuser.objectClass.action = K
lsc.syncoptions.ADuser.objectClass.create_value = "iplanet-am-auth-configuration-service";"sunIdentityServerLibertyPPService";"sunAMAuthAccountLockout";"sunFederationManagerDataStore";"iplanet-am-managed-person";"iPlanetPreferences";"sunFMSAML2NameIdentifier";"person";"inetorgperson";"organizationalperson";"inetuser";"iplanet-am-user-service";"top"

#Set defualt sn
lsc.syncoptions.ADuser.sn.action = F
lsc.syncoptions.ADuser.sn.default_value = "noSN"

#Setting active user
lsc.syncoptions.ADuser.inetUserStatus.action = K
lsc.syncoptions.ADuser.inetUserStatus.default_value = "Active"

Pretty much straight forward, the uid is set to sAMAccountName, this is set to only update at creation time. This is the attribute to match users and it is not changed. 


The objectClass is updated at creation time with the classes users use in OpenAM. This is needed for OpenAM to recognize the users. 


For some reason the OpenAM data store schema demands SN to be set, so if it is not set in AD it is set to noSN. 


User status is set to Active. 


All attributes specified in the attrs settings with the same name in source and destination is automatically updated if nothing else is configured in sync options. In this case givenName, mail, cn.


Syncing groups
# Base DN for searches in the directory
lsc.tasks.ADgroup.srcService.baseDn = cn=Users

# Filter to list all entries to synchronize
lsc.tasks.ADgroup.srcService.filterAll = (&(cn=*)(objectClass=group)(memberOf=CN=OpenAMGroups,CN=Users,DC=capra,DC=no))

# Attributes to read from all entries used to match objects between source and destination
lsc.tasks.ADgroup.srcService.pivotAttrs = cn

# Filter to read one entry to synchronize, based on pivotAttrs above
# This filter may contain one or several pivotAttrs defined above, like "{attributeName}"
lsc.tasks.ADgroup.srcService.filterId = (&(objectClass=group)(cn={cn}))

# Attributes to read from each entry used to read and write data
lsc.tasks.ADgroup.srcService.attrs = cn member

As with the users, to make it easier to find the groups I want to sync, I have added the groups to a group, OpenAMGroups. As you can see in the filterAll property, only the groups in OpenAMGroups are synced.

The expression in the filterId becomes a lot easier to understand if the identifying attributes have the same name at source and destination. Again have a look at http://lsc-project.org/user-guide/#matching-up-entries for more information on filterId.


# Base DN for searches in the directory
lsc.tasks.ADgroup.dstService.baseDn = ou=groups

# Filter to list all entries to synchronize
lsc.tasks.ADgroup.dstService.filterAll = (cn=*)

# Attributes to read from all entries used to match objects between source and destination
lsc.tasks.ADgroup.dstService.pivotAttrs = cn

# Filter to read one entry to synchronize, based on pivotAttrs above
# This filter may contain one or several pivotAttrs defined above, like "{attributeName}"
lsc.tasks.ADgroup.dstService.filterId = (cn={cn})

# Attributes to read from each entry used to read and write data
lsc.tasks.ADgroup.dstService.attrs = cn uniqueMember objectClass

The attributes cn, uniqueMember and objectClass. UniqueMember is OpenAMs attribute for members and the object class needs to be set in order for the groups to be recognized by OpenAM.

lsc.tasks.ADgroup.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=groups"

New DN is concatenated.

# Set default delimiter for multiple values for an attribute.
# This is normally a semi-colon (;) but can be problematic when writing complex JavaScript
lsc.syncoptions.ADgroup.default.delimiter = $

The delimiter is set to be $ as semicolon is used in the more complex javascript expression below.

#Insert objectClass
lsc.syncoptions.ADgroup.objectClass.action = K
lsc.syncoptions.ADgroup.objectClass.create_value = "groupofuniquenames";"top"

Object class is set to standard values.

#members syncing
lsc.syncoptions.ADgroup.uniqueMember.action = F
lsc.syncoptions.ADgroup.uniqueMember.force_value = var uniqueMember = new Array();\
var members = srcBean.getAttributeValuesById("member").toArray();\
for (var i = 0; i < members.length; i++) {\
        var member = members[i];\
        member.replace(",CN=Users,DC=capra,DC=no", ",ou=people,dc=opensso,dc=java,dc=net").replace("CN", "uid");\
        uniqueMember.push(member);\
}\
members

Here is the best part, it shows some of the power in LSC.
What we need to do here is to take all the member attribute entries and change the dn before syncing.  


Every property value can be a javascript expression so we simply get the attributes, run them through a loop, do some string manipulation and return the new list.

This is the configuration I used. It works fine on OpenAM 10.0.0 and Windows Server 2008 R2.

If there are any questions or problems, feel free to post a comment.