Excited to share that I did a talk at the 2nd Annual OWASP AppSec Days Pacific Northwest Conference. This was a virtual event organized by the OWASP foundation on 11 June 2022. Glad to be back at presenting at Tech conferences after a break of almost 3 years. My last (public) talk was at OWASP Global AppSec DC 2019 on WebAuthn, and I barely presented/blogged about my adventures after that. Probably I should do more of these. Let's see how it goes :)

Title: Common Vulnerabilities in Modern Auth Implementations

Abstract

Enterprises often leverage the modern authentication protocols - OpenId Connect and OAuth - to secure their cloud-based web apps and web APIs. Most enterprises rely on established cloud-based identity providers and their respective authentication libraries to abstract protocol-level complexities and promote secure defaults. However, certain unintentional/less obvious implementation mistakes made by developers result in vulnerabilities that can be exploited with ease.

This session showcases a few common vulnerabilities we’ve found during some of our AppSec pentests across Microsoft. These are all real exploitable, fixed vulnerabilities that have been anonymized. We have also found similar antipatterns exhibited in external blogs and discussion forums. The demos used in this session leverage Azure Active Directory as the identity provider and ASP.NET as the relying party. However, the key takeaways are generic and are applicable to broader tech stacks.

Slides

Recording

Here is a recording of my full talk. I'm super happy that the talk went smooth and I finished on time (Thanks to my peers at work for bearing with my dry runs and sharing feedback). The best part is, the Demo Gods were with me and all the 5 live demos went exactly as planned :)

Shout out to volunteers & speakers!

Needless to say, a lot of effort was put by the volunteers to make the event an astounding success. Huge shout out to the volunteers for all the pre and post conference efforts, and also to my fellow speakers for the absolutely high quality content. Please do watch all the amazing talks of the event at the AppSec PNW Youtube Channel.

A token better than NFT!

I was pleasantly surprised to receive a token of appreciation from the planning committee. In the world of NFTs and digital gifts, a physical tumbler (Yeti Rambler) and a handwritten "Thank You" note is worth more than an NFT to me (oh wow, I sound so old school!). Probably it's more than 2 decades ago that I received a handwritten note from someone (my grandfather used to post me handwritten letters when I was a kid). Thanks for the wonderful gesture @AppSecPnw!

Twitter Love :)

I am hoping that the concepts and the demos covered in the talk will be of use to the security community - for both pentesters as well as developers. Hopefully, I will be able to share some more useful content in another event. Until next time, have fun exploring the fast-moving tech. Thanks for reading!

Azure Active Directory (AAD) has a wonderful Business-to-Business (B2B) collaboration feature which allows an enterprise to share its applications with external users. The users become 'Guests accounts' in AAD and can securely access the enterprise applications. If proper restrictions are not imposed on applications, the guest accounts could access content which is not intended for them. This blog post outlines some of the restrictions that can be put in place to prevent over-sharing of content with guest accounts. Target audience - Primarily developers.

AAD B2B Invite and Guest Accounts

AAD B2B Invite is a fantastic feature which promotes secure sharing of content without the need for sharing authentication material (e.g., passwords) with external users (guest users). The guest users can login with their existing organizational/personal email credentials and get access to the enterprise content.

Office 365 External Sharing

While the AAD B2B Invite is one way of inviting guest users, probably the most popular (but the least obvious) way is to use Office 365 external sharing. In other words, when you share a document in One Drive/Sharepoint Online or other O365 apps to external users, behind the scenes the AAD B2B invitation/authentication process is triggered (there are a few differences in the workflow between direct B2B invite and O365 sharing though). So if you wondered how a large number of guest accounts ended up in your corp AAD tenant, now you know why :)

The hidden problem

Now let's switch the story to a development team which builds an enterprise web application and intends to restrict access only to it's enterprise users (by implementing AAD authentication). What is not obvious immediately to the developers is that the application can also be accessed by guest users in the directory. Let us understand this through a demo.

For fun, I have registered the domain Identt.dev (pronounce "Identt" as "Identity") and added it as a custom domain in AAD. So Identt.Dev is my demo enterprise and my users get @identt.dev alias.

Firstly, let us login to the enterprise application as an enterprise user and check.

Looks good! Next, let us invite a guest user, 1337.guest@protonmail.com, to the Identt.dev enterprise. You will see that the "User type" column for the external user shows as "Guest"

Now let us try logging in to the application as the guest user.

ta-da! And guests can access apps which are meant to be internal-only (employees only). Let's blame the devs - who would just add authentication and forget about authorization? Well, if you look at the docs and code samples, they mainly focus on adding authentication layer to apps. They leave authorization aspects to developers, and very few articles talk about the guest account problem. Developers do take care of business-related authorization checks if required by the application, but they do not expect guest accounts and hence the surprise.

Restricting access to guest accounts

Broadly, the guest accounts problem can be solved in two ways:

• Using AAD groups and user assignment (the config way)
• Using AAD App roles and groups claims (the code way)

Using AAD Groups and User Assignment

The idea here is to add users to security groups, and add the groups to the AAD app's service principal. The end result is that AAD throws an unauthorized exception if a user who is not in the service principal's group attempts to login. The biggest benefit of this approach is that there are no code changes required in the application.

When an app is registered in an AAD tenant, an Application Object is created. It has configurable properties such as redirect URIs, API permissions and scopes which are required to make a successful authentication. Every Application Object has at least one Service Principal object (one per tenant) which enables functionalities such as configuring permissions for users in the tenant. Properties of a Service Principal can be modified in Enterprise Applications section of AAD pane. Check this article for a differences between Application Objects and Service Principals.

Before looking at some of the caveats of using AAD groups, let us quickly see how this would look like through screenshots from the demo tenant. For the sake of the demo, I have created a nested group called "Employees-only-assigned-group". This group has two users "Kris" and "Jarvis" and a child group "Interns", which has the user "Peter Parker". In the enterprise application, I have added the nested group and in the properties I have set "User assignment enabled" property to "Yes".

So essentially with the above changes, I am ensuring that the guest account "1337.guest@protonmail.com" will not be able to login to the web application. Let us see what happens when the guest user logs in.

This is perfect! This is exactly what is required to solve the guest accounts problem. However, there is a caveat here. Let us login as the intern and see what happens.

This is unexpected! The intern is unable to login since permissions based on nested group membership is not supported. This is a common mistake which development teams make and they end up blocking access to genuine users.

In the previous screenshot for enterprise groups, I have not shown what type of group "Employees-only-assigned-group" is (well, the name has the group type). Broadly, AAD (premium) supports 2 membership types - Assigned (Static) groups and Dynamic groups.

We have seen the drawbacks of Assigned groups earlier. Dynamic groups have a flat hierarchy and their membership is controlled by attributed-based rules. E.g., I have created a dynamic rule which adds members only if "userType" attribute is "member". For a guest account, this attribute's value would be "guest" and hence the rule prevents guest users from being added to this dynamic group. The below screenshots depict this.

With this, the employees of the Identt.dev enterprise (including interns) can now login to enterprise applications, while guests are denied access. This is the perfect zero-code solution to the guest accounts problem.

The following points must be kept in mind before choosing AAD groups & user assignment:

• Group membership is supported only in Azure AD Premium P1 and P2
• As discussed earlier, permissions based on nested groups are not supported
• Only global administrators of a tenant can create a dynamic group.

So while dynamic groups work great, it is not always feasible to use them either due to licensing issues or inconvenience to developers in getting them created. This calls for the next option - App Roles and Group claims

Using AAD App roles and groups claims

AAD App Roles

The idea of AAD App roles is to declare roles specific to an AAD app (in AAD App's manifest), and assign users/groups to those roles. The owner of the AAD app, a developer in most cases, will always be in control of the roles. These roles show up as claims in a logged-in user's ID token.

The application consuming the ID Token can inspect the "roles" claim, retrieve it's value and make authorization decisions accordingly. This article and this GitHub sample explain in detail how this can be implemented in ASP.NET Core. The best part of App Roles is that it is not dependent on AAD pricing tiers and it can help refine fine-grained RBAC.

AAD Group Claims

The idea of group claims is similar to that of App Roles - Configure AAD apps to emit security groups of the logged-in user into the user's ID token. The relying party application can then make authorization decisions based on the groups. The following screenshots demonstrate how this looks like.

One of the downsides of relying on group claims is that AAD can emit a maximum of 200 group claims. In large organizations, users being a part of more than 200 groups is common. So if group claims have to be relied upon for authorization decisions, the application has to make explicit graph API calls in it's backend to take care of the above limitation. It should be noted that App Roles and Group claims can co-exist (groups can be assigned roles which are defined in App Roles).

Resources

I have linked various articles throughout this blog post. They point to official docs/code samples which provide detailed guidance. For a quick dose on implementing authorization in AAD-based applications, I would strongly encourage to check out this Microsoft Identity Platform community call.

Summary

Guest accounts pose significant security risks if enterprises do not enforce appropriate restrictions. There are several ways to mitigate this problem- using assigned security groups, dynamic security groups (preferred), App Roles (and/or) Group Claims. The traditional way of enforcing authorization checks through an external data store (database) works too.

Keep looking for uninvited guests who might visit your application!

Stay safe and stay secure!

One of my resolutions for the New Year is to upgrade my personal online security and the top priority is to improve my password management strategy. Being a security professional, I am totally aware of the risks of weak/reused passwords and I am super paranoid about my online security. I have been using KeePass as my password manager for quite sometime, but now I have moved to 1Password. This blog post summarizes my personal opinions/experiences in the process.

Who needs a Password Manager anyways?

I think this question is best answered by Troy Hunt's blog post - The only secure password is the one you can’t remember. I would strongly suggest you to read the blog post to answer the above question.

In summary, If:

• You use a unique password per website (say you have accounts in at least 20 different websites)
• Each password is "strong" (say, at least 15 characters long, non guessable, has a combination of upper case, lower case, numbers, special characters)

Then there is no way you can remember all of them.

How about some intelligent password schemes?

You can use some intelligent schemes to create hard-to-guess but probably easy-to-remember passwords e.g., Bruce Schneier has come up with this scheme. I have tried this for some time. This works only if you have, say, half-a-dozen passwords which you care about. This does not scale for sure. In fact, Bruce Schneier himself created a password manager - Password Safe - which is awesome by the way.

So yeah, if you have tens of passwords, you will need a password manager.

Why did I move away from KeePass ?

I've been using KeePass since a couple of years ago and it clearly meets its promises, so no complaints. The equation changed due to two main reasons:

• Increased personal devices: I need my credentials on my personal laptop (Windows), mobile phone (iOS) and occasionally my tablet (android-based). The official KeePass installer is windows-only, but there are several unofficial installers for other platforms. Frankly, I am not comfortable using unofficial versions of a password manager whatsoever (my friend, who will most likely read this blog, uses an unofficial version of KeePass for his iPhone and I keep scaring him for fun :p). They may be secure., but I wouldn't use them. May be the issue is with my paranoia. Also, syncing across devices is still a pain.

• Sharing accounts with family: I need to share some of my accounts (say online shopping, streaming etc.) with my spouse. I tried enforcing KeePass, but when clubbed with the above problem my family's convenience took priority over my paranoia and things were sub-optimal. I am pretty sure this is a common problem in every modern household.

So time has come to switch to a web-based password manager which solves the above two problems for me.

Which web-based password manager is better?

I have explored some of the popular web-based password managers and they are all very competitive. Most of the popular password managers have many good features in common with 1Password E.g., they have published security design and security audit reports, active bug bounty programs, password security reports and breach notifications, support MFA, cross-platform compatibility, good tech support etc. One of my friends uses Dashlane and it is pretty impressive. In fact, I was also considering Dashlane as an option,  but went with 1Password due to the following reasons:

• Shared vault: This allows sharing accounts between family members - members login to 1Password with their respective master passwords. This solves one of the major problems I have today.
• HaveIBeenPwned (HIBP) integration: I have been following HIBP's updates since its inception and its integration into 1Password definitely means something for me.
• Detailed security design: I guess the detailed security design whitepaper of 1Password (pdf) greatly influenced my decision to go with 1Password (yes, I am a little old school - I will be relatively easily sold if someone documents something that makes sense in good detail)

If not for the above reasons, I would have flipped a coin to decide between Dashlane and 1Password ;) But you will not go wrong if you choose one over the other.

What if 1Password gets compromised?

There are a bunch of conditions the attackers must meet to get away with my passwords and that includes compromising 2 things that 1Password does not have (my master secret and secret key). Instead of me writing a long story about it, I would simply refer to 1Password's security design whitepaper, which starts exactly with this assumption.

However, two things can happen (well, this applies to any password manager):

• Design vs implementation gaps: 1Password's implementation may or may not match 100% with what they documented in the design. Being an Application Security Engineer myself, I have seen this in many reputed software services. But given that 1Password has been around for 13 years, the chances of this being prevalent are very low.
• Bugs:  Even if the implementation matches the design, it doesn't mean the software will not have bugs. Every software will have bugs. But given the reputed support structure they have and the critical business they are in, I'm sure patches will be rolled out super quick.

If you are still paranoid and if you are in IT consulting space, just switch places and think how your customers feel when you sell your cloud offering to them :)

MFA and Hardware security keys!

Even if things go absolutely haywire and my 1Password account is somehow gone, I still have MFA to my rescue. I have configured MFA on all the sites that support them, so that gives me additional assurance which is totally under my control. Check out this amazing blog post - Your Pa$$word doesn't matter by Alex Weinert which highlights the importans of MFA.

To make things stronger, I use my physical hardware security key (Yubico's Yubikey 5 NFC) as my second factor and I have disabled SMS based 2FA altogether. If you are following password security related research you would know why this is super important. Nevertheless, check this scary blog post - The Most Expensive Lesson Of My Life: Details of SIM port hack

As a side note, check the following sites:

• TwoFactorAuth.org - List of websites which support 2FA
• Dongleauth.info - List of websites which support hardware security keys
• Yubikey catalog - List of websites which work with Yubikey

Immediate Benefits!

Thanks to the WatchTower feature of 1Password - This is what I was warned as soon as I migrated my passwords from KeePass to 1Password:

To be fair to KeePass, the problem isn't with its generation. Some of the passwords that I had in KeePass are probably more than an year old. I didn't generate them with KeePass, but created them by myself. I never knew about them as I always pasted them from KeePass and assumed they are strong/unique. Also, I did not enable MFA for 3 accounts  and 1Password alerted me!

So I had an immediate win migrating to 1Password and this is totally worth it!

Frustrations with resetting passwords

While I was regenerating a bunch of passwords through 1Password and resetting them, I had a series of frustrations:

• Few websites did not allow passwords greater than a certain length, say 16 characters
• Few websites allowed only certain special characters, so I had to tweak my auto-generated passwords a little to satisfy the websites
• Few websites disable pasting in password/confirm password fields. Imaging the pain involved in typing a 24 character auto-generated password!

If you are a web developer, make sure you design login forms keeping password managers into consideration.

Why did I write this post?

Well, I am pretty sure someone would go through the same dilemma I was in if they are considering a web-based password manager. So I thought I could spare them some time and peace of mind by sharing my opinions/experiences.

Happy New Year everyone! Wish you a year of improved online security :)

Stay Hungry, Stay Foolish, and Stay Secure!!

So it is that time of the year when I take some time to revisit my personal tech stuff. One of the things in my To Do list is to update my blogging platform. The last update was almost an year ago, where I updated my Ghost 0.x blog to 2.x. That was a painful story. There were no major releases of Ghost till recently and I didn't have time to care about my blog as well. Recently Ghost announced a major update - Ghost 3.0 - and I was excited about the new features - especially the integrations.

"Deploy to Azure" button please?

I was searching if someone has already tried out deploying Ghost 3.0 on Azure and has a ready-made "Deploy to Azure" button. The last thing I want to do is manually deploy ghost on my Azure subscription. Given that Ghost 3.0 is only 3 months old, I wasn't too hopeful. Thankfully, I came across a few blogs which tried it already.

Thanks to my old blog post about Ghost 2.x migration which made the search easier this time (see, I told you a year ago that this would be handy! Always document your efforts!). Following the cues from my old blog, I checked the Radoslav Gatev's blog to see if he updated it to Ghost 3.x. Unfortunately he didn't, but then I came across Yannick Reekmans' repo which he apparently cloned from Radoslav and updated it. It has "Deploy to Azure" button. I forked Yannick's repo and it works!

The pain of redeploying a web app!

My last deployment didn't rely on CI/CD (so does the current deployment) as I was not sure if the Radoslav's repo will receive newer updates . So what happens when you don't have a CI/CD pipeline setup and you have to redeploy a web app using "Deploy to Azure" button? Well, you will end up deleting the web app (after taking a backup of course), create a new web app, do a fresh deployment, map custom domain in DNS settings, reconfigure TLS cert & binding. Phew! Mapping a custom domain doesn't take much time, but I was worried about re-configuring TLS as my last year's deployment wasn't that hassle-free.

Informing Ghost about your custom domain

While the deployment to Azure and configuring custom domain was smooth, the site's URL at various locations was still pointing to my Azure App Service domain (novogeek.azurewebsites.net) instead of my custom domain (blog.novogeek.com). Since Ghost was deployed on a new Azure app service (even before mapping a custom domain), it does not know anything about the custom domain. You can verify this by clicking on the blog's logo in the top navigation and it would point to the Azure App Service and not the custom domain. You can also verify the same under Ghost Admin section (Settings -> General -> Site Meta Settings -> Search Engine Result Preview). Turns out that to inform Ghost about your custom domain, you need to do the following: Navigate to Azure App Service -> Configuration -> Application Settings and set a new application setting called url pointing to your custom domain. Restart the website and Ghost automatically honors the custom domain everywhere!

App Service Managed Certificates!

Azure App Service recently launched App Service Managed Certificates (in preview). It lets you secure custom domains on your Windows and Linux apps at no additional charge (it is available only on Basic and above app service plans). In just 3-4 clicks you can get a new standard certificate (not wild card one). The certificate is valid for 6 months but the best part is, it will be automatically renewed by Azure App Service about a month before expiry. So if you are procrastinating about enabling TLS coz it is a time consuming thing, think no more!

Ghost Integrations - Disqus, Formspree

The thing I missed the most after switching to Ghost is comments system. Ghost does not come with an integrated comments system  and it wasn't easy to integrate one. Ghost 3.0 comes with a bunch of integrations - some are available by default while some can be configured with minimal code changes to the template files. I have configured Disqus for comments (you can see this at the bottom of every blog post) and Formspree for contact form (you can see this on the Contact link in the top navigation bar). I have an Office 365 subscription which I used to setup a dedicated email account for my blog and used it for Formspree contact form. So yeah, now more power with my Ghost blog!

Future updates

Lack of CI/CD slows the deployment of future updates of Ghost platform. However, given the stability of the current version and the ease of new manual deployments, I think it is more of a trade-off between effort spent on setting up CI/CD vs manual updates. I don't have immediate CI/CD plans, but Chris Tjoumas' blog may serve as a handy reference if someone wants to setup.

Why did I blog about this?

Citing the section from my last year's blog post :)

Firstly, the references in this post will serve as a quick start when I plan for future upgrades. More importantly, like all the good blog posts that helped me setup this blog, this post might help someone who is facing similar challenges in upgrading Ghost on Azure. Always good to give it back to the community!

Excited to share that my colleague Murali and I gave a talk at the "OWASP Global AppSec DC 2019" security conference. The event was organized by the OWASP foundation and was held at Washington, D.C. between 9th-13th September.

Talk Title

Building Secure Password-less Web Applications using WebAuthn

Abstract

According to the 2017 Verizon Data Breach Investigation Report, 81% of breaches were caused by weak, stolen or reused passwords. But what if you NEVER had to deal with passwords in the first place? For the past several years, security experts across the industry have been working on a robust authentication protocol that does not involve passwords. The result is a specification called WebAuthn, which is now an official W3C web standard. With WebAuthn, developers can build secure web applications that enable users to experience password-less logins. In this session, we will explain how WebAuthn works and show how developers can leverage it.

Slides

Below are the slides of the talk

Demos

Below are 2 videos which capture 4 demos. We demonstrated these live during the talk

• Video 1: A custom ASP.NET core web app which leverages WebAuthn for registration & login. The web app uses FIDO2 .NET WebAuthn Library built by Anders Åberg and several community contributors. There are 3 demos in this video:
  • Demo 1: Registration & Login
  • Demo 2: User Verification
  • Demo 3: Defense against Phishing

• Video 2: A custom ASP.NET core web app which integrates with Azure Active Directory (AAD). In this case AAD handles WebAuthn implementation details while the web app just federates with AAD for for authentication

Demos source code

The entire source code of the demos is available on GitHub. Check this repo.

Tweets

A few favorite tweets around the talk :)

Two years back I have blogged about migrating from BlogEngine to Ghost. In short, I have archived my old blog and started this blog afresh. I have used this Ghost-Azure repository as my source to do a one-click deploy to Azure. I had my ghost blog up and running and it appeared that all my blogging platform issues have been sorted out.

Two years passed by, I was blogging intermittently about my talks and I barely focused on updating my blog. Since I have setup a sync between my Azure website and my source repo using Azure app service deployment center, I was assuming that my blogging platform will be updated with the latest ghost releases. I was correct technically, except that the source Ghost-Azure repo stopped receiving updates and my ghost version was stuck at 0.11.11. Nevertheless, I thought it is just a  matter of upgrading to the latest version, exporting older posts and importing them back to the latest deployment.

A painful migration from Ghost 0.x to 2.0

I thought of attempting a manual deployment of Ghost on Azure to avoid future upgrade problems, but my hectic work schedule didn't encourage me much. I did a quick search to find out what the community is doing and I came across Radoslav Gatev's Ghost-Azure repository with a true one-click deployment of Ghost 2.0 on Azure. If you are starting a new blog and want to deploy on Azure, you should perhaps start here.

My excitement of finding a new and latest one-click deployment was short-lived though, as I quickly found that I was unable to import my blog posts from Ghost 0.11.11 to Ghost 2.0. As per Ghost's official documentation and discussions in forums, I should:

1. Upgrade Ghost from 0.x to 1.0
2. Import the 0.x posts to Ghost 1.0 and export them from 1.0
3. Upgrade Ghost from 1.0 to 2.0
4. Import the 1.0 posts to Ghost 2.0.

Phew! While I can understand that breaking changes are common across versions, it would have definitely been a great help had Ghost team released a 0.x to 2.0 content migration utility. Given the exciting features in Ghost 2.0, it seemed that it is totally worth taking the pain in migrating to Ghost 2.0 instead of switching to another blogging platform.

So to start my migration process, I  have deployed Ghost 1.0 following Corey Smith's blog post, except that I have used Radoslav Gatev's repo as my Ghost source. I have cloned the source from the tag 1.16.0, used it as a local git repository and pushed it to Azure. I had to use Kudu console to trigger npm install and node db.js to get dependencies and database setup right. Once I have deployed Ghost 1.x, I have imported my posts from Ghost 0.x and it was smooth. Now I exported the posts from 1.x and saved locally. To install Ghost 2.0 on Azure, I used the latest code from Gatev's repo (branch Azure, tag 2.1.0) and the one-click deployment was super smooth. I then imported all my posts that I saved previously from 1.x and all my posts are back in Ghost 2.0!

Lets Encrypt!

Let me be honest, every time I shared my blog post on Twitter, I always had a feeling of guilt as the blog is served on plain HTTP. Moving to HTTPS using LetsEncrypt was always in my TODO list but I kept procrastinating.

To all those wondering why a static site requires HTTPS, read "Here's Why Your Static Website Needs HTTPS" by Troy Hunt.

My site's homepage (novogeek.com) was on http and very recently it automatically got HTTPS love without my effort! It is hosted on Github pages as a sub domain, and recently Github subdomains gained HTTPS support. However, this blog's sub domain (blog.novogeek.com) does not inherit the HTTPS love and I have to explicitly configure HTTPS on this subdomain. Given that this blog is hosted on Azure, first I had to migrate from Shared plan to Basic plan (Shared plan only supports custom domains but does not support enabling TLS for custom domains).

To configure Lets Encrypt on Azure App Service, the process is really, really simple. To all the Azure App Service consumers out there procrastinating to move to HTTPS, delay no further and just install Lets Encrypt Site Extension. There are several blog posts detailing all the steps. I followed CodeHollow's blog post and I had HTTPS configured in less than 20 minutes! Finally, no more guilt!

Future upgrades

Well, this will be a continuous process, but hopefully less painful in the future. I liked the upgrading plan outlined by OnCodeDesign. I have forked Gatev's Ghost-Azure repo on Github and deployed this blog from my forked repo. The plan for now is to sync the fork periodically and keep updating this blog. This will work as long as Gatev's repo gets the latest updates (I trust the community!). If this doesn't work in the long term, may be I will deploy Ghost on my Azure App service manually, as outlined in "Hosting Ghost on Azure — The Definitive Guide".

Why did I blog about this?

Firstly, the references in this post will serve as a quick start when I plan for future upgrades. More importantly, like all the good blog posts that helped me setup this blog, this post might help someone who is facing similar challenges in upgrading Ghost on Azure. Always good to give it back to the community!

NULL Hyderabad held its October month's security meetup at Service Now, Hyderabad. I have presented on the topic "Gaining lateral movement in cloud solutions by leveraging bad API impersonation designs".

I could have titled the talk as "What might have possibly gone wrong in Facebook's View As feature that affected 50 million accounts", but I didn't want to point fingers at the Facebook issue. Instead, I wanted to generalize it so that the learning can be used in a wider sense.

Abstract:

Software systems which require a user impersonating another user's identity often involve security challenges. It becomes all the more challenging when the system is a modern web platform comprising of web apps and APIs talking to each other by leveraging identity federation. While protocols such as OpenId Connect and OAuth 2.0 provide a way of securely authenticating and authorizing users & applications, they do not specify how impersonation can be implemented, so development teams are on their own. If not designed and implemented meticulously, the impersonation feature could lead to horizontal or vertical privilege escalations. Even worse, it could potentially lead to lateral movement, where an adversary can catch hold of one account and harvest details of several other accounts of the system. The recent Facebook vulnerability in "View As" feature, which affected 50 million users, is arguably an example of this. In this demo-driven talk, we will look at the perils of bad impersonation implementation and see how it can be designed & implemented securely in an API-driven system.

Slides:

Below are the slides of the talk.

Demo Source Code:

The entire source code of the demo is available on GitHub. Check this repo. The demo is built using ASP.NET Core 2.1.

Demo Video:

Here is a quick screen recording of the demo:

Selected Tweets:

My rant which drove me to do this talk

The twitter thread has more details..

Confirms the theory I long believed in.. a vast majority of developers and pentesters do not understand modern Identity protocols & design. May be they still think that Federation, Impersonation, Delegation are for Infra folks, who themselves dont fully understand modern identity

— Krishna Chaitanya T (@novogeek) October 12, 2018

Bug or design flaw?

I don’t think we have full details yet, but from what i think is know so far it’s a (design) flaw, not a bug - a side-effect of an intended feature, not a feature working incorrectly.

— Mike Andrews (@ma) September 28, 2018

Code demos a week in advance..check

Now this is why I do talks. I get to set a deadline and code.

And the demo for my talk "Gaining lateral movement in cloud solutions by leveraging bad API impersonation designs" is ready! Stretched a lot and learnt a lot in the last 1 week while doing the demo. This is why I love to present at @nullhyd @null0x00 #nullhyd

— Krishna Chaitanya T (@novogeek) October 23, 2018

Last minute slides preparation..check

For some reason, this is the norm and I cannot fix this :)

My @nullhyd talk is about to start in an hour and as usual I am preparing my slides sitting in the last row. @0xmahesh is like.. can you do the intro talk.. I am like.. my slides are.. hmm.. sure.. https://t.co/TL8wDLNOCG

— Krishna Chaitanya T (@novogeek) October 27, 2018

Here's how I got the title of the talk

Thanks to TalBe'erySec :)

Thanks! Please feel free to use it. Would love to see your slides if you publish them

— Tal Be'ery (@TalBeerySec) October 19, 2018

The audience

Glad that around 60+ folks turned up. The hall is too big to fit in one pic.

How bad #api design can lead to breach data by ⁦@novogeek⁩ . #security #learning in #weekend ⁦@nullhyd⁩ #nullhyd ⁦@doy143in⁩ ⁦#cloudsecurity ⁦@secfigo⁩ ⁦@vhssunny1⁩ ⁦@pavanw3b⁩ ⁦@0xmahesh⁩ pic.twitter.com/YJtxuAeZRY

— Sanjeev Jaiswal (@jassics) October 27, 2018

Disclaimer:

The demo that I built does not necessarily depict the exact technical details behind Facebook's "View As" vulnerability. I am not particularly sure what exactly is Facebook's "View As" impersonation design/implementation. I haven't come across any documentation. So I made up a few things just to show the impact of bad impersonation design and drive a point - E.g., I built my toy IDP just for fun and it is not a standard implementation of OIDC/OAuth 2.0. Finally, this talk and demo has nothing to do with my employer - it is just a fun exploration by a passionate security enthusiast :)

Microsoft User Group Hyderabad (MUGH) is back with yet another full-day event on cutting edge Microsoft Technologies! Global Azure Boot Camp 2018 was held on 21st April 2018 and it has covered several latest technical topics.
Here is our gang!

Gang of passionate people met together to host Global Azure Bootcamp 2018 in Hyderabad. Excited to see how we are evolving with industry trends #AI #Bot #DevOps #OSS #gabc2018 #mugh @AbhijitJana @techieshravan @a_pranav @novogeek https://t.co/ScnumMLs6s

— Subhendu De (@dotnetartisan) April 22, 2018

I have presented on Azure Data Encryption Techniques.

@novogeek on Azure Encryption Techniques #GlobaAzure #Hyderabad #gabc2018 pic.twitter.com/VFxMo2S9xh

— Pranav Ainavolu (@a_pranav) April 21, 2018

Below are the slides.

NULL Hyderabad held its September month's security meetup at CA Technologies, Hyderabad. I had the opportunity to present in this meet and I chose to continue with April month's topic - practical crypto pitfalls.

As always, for me presentation means demos first and slides last. This time I have spent exactly a week on the demos and as usual didn't prepare slides till the last hour :)

All set for tomorrow's talk-Practical Crypto Pitfalls at @nullhyd. Have been working since last week on the demos. Should I make slides? ;)

— Krishna Chaitanya T (@novogeek) September 22, 2017

Topic: Regarding the topic, I have presented on Padding Oracle attacks. This is one topic I really struggled to grasp the low-level details. I thought presenting this topic in NULL meet is an opportunity for me to study this properly. So I have spent a week trying to understand the math behind it as well as coming up with a demo.

Slides: Below are the slides. They only contain screenshots of my hand-written notes and screenshots of Crypto Explorer utility. Thankfully, there are several fantastic blog posts which serve as great reference materials. No point re-creating slides or writing in length about the topic. Check the references slide in the ppt for the pointers. I have also listed them at the end of this article.

Demo Source Code:
There are two parts to the demo:

1. A web application, built in ASP.NET, which is vulnerable to Padding Oracle attack. Check my PaddingOracleWebApp github repo for the source.
2. A client which launches the attack on the vulnerable web app. Check my Crypto Explorer utility for this. I have added "Padding oracle" tab.

Demo Video:
Here is a quick video recording of the padding oracle attack:

References:

• Udacity - Cipher Block Chaining Mode -
  Fundamentals of how CBC mode of AES encryption works.
• Padding oracle attacks: in depth - Strongly recommend to go through this post for understanding the math part of the attack.
• Automated Padding Oracle Attacks with PadBuster - Strongly recommend to go through this post for a pictorial understanding of the attack. Beautifully captured!
• Martani's implementation of Padding Oracle Attack in C# - My demo is based out of this. Check this out for C# implementation of the attack.
• Erlend Oftedal's web app demonstrating padding oracle - A fantastic JavaScript based visualization of the attack.

NULL Hyderabad held its April month's security meetup at J.P Morgan Chase, Hyderabad. This time, there was a turn out of about 150 people! Glad to see that security enthusiasts in Hyderabad are increasing :) This time, I have presented on "Learning a few Crypto pitfalls, practically".

Whenever I commit for giving a talk, I always visualize (may be fantasize is the right word :p) about my demos first, and start writing code. I usually end up preparing slides on the day of the talk. Apparently, I am quite consistent at this, as evident from this old tweet :p

Spent the last couple of days on demos for today's talk at @nullhyd. Realized that I don't have a ppt yet! 1 hr to go. This doesn't change!

— Krishna Chaitanya T (@novogeek) October 15, 2016

Coming to the topic, I wasn't sure what to propose and I led myself into a trap this time ;) Primarily I work on securing apps developed using Microsoft technologies (ASP.NET Core, Azure PaaS etc.). Since I know that almost 99% of my audience are from non-Microsoft-tech background, I'm sure it would sound like Astro-Physics if I go into the nuances of what I work on. So I thought of choosing a generic topic and thought about covering the basics of Crypto. Touching Crypto without going into the basic Math of it is hard, and doing a talk on it without demos is sin! It is easy to do basic demos, but I wanted to tinker and expand my learning.

.@nullhyd The learning I had in the last few days is amazing! Well, I thought to do an intro session, but I now think it may go beyond intro ;)

— Krishna Chaitanya T (@novogeek) April 21, 2017

Precisely for this, I have changed the title of my talk from "Practical Crypto 101" to "Learning a few Crypto pitfalls, practically". Though a part of the content was more than absolute basics for some, I am sure it was useful.

Though the talk was for about 1.5 hrs, I spent more than 30 hours building the demos. Most of the time went into understanding the theoretical side of it. I have built a simple utility, Crypto Explorer, to graphically demonstrate certain weaknesses in poor Cryptography implementations. Specifically, it demonstrates the weakness in Stream Cipher key stream reuse, and Block cipher ECB mode. You can find the source code of the utility at this Github repo. I have built it in WPF and C#.

For me, demos give a plan of how I should organize the content and slides only help me set the flow. Typically, I polish the slides post my talk so that I can expand the technicalities as per the discussion in the talk. So here are the (polished) slides of my talk:

Here is a quick demo of Crypto Explorer. I really enjoyed building this :)

There were several interesting challenges in building this. E.g., If you thought that encrypting an image is same as encrypting a file (simply run it through an encryption algorithm), you are wrong! The demo requires the image to be rendered on screen. So if you encrypt the image totally, you will be encrypting the image headers as well, thereby corrupting the image. I tried to manually split the headers/content of the image but it wasn't trivial. I ended up looking at a few Steganography projects to get an idea of how it is done. Essentially you need to read the rendered pixels, convert to byte array and encrypt it. One catch is, the same logic doesn't apply for decryption as the approach is error prone (you may not get the same encrypted byte array when you read the rendered pixels of an encrypted image). So the encrypted byte array has to be stored in memory and decryption has to be done on it instead of reading encrypted pixels from screen. It took some time to figure out library support for this, but thankfully MSDN had good pointers.

On top of these implementation challenges, the learning I had in exploring the crypto side of things is amazing. The references slide has some of the sources that I explored. I couldn't cover Padding Oracle in detail in the talk, but hope I can cover it some other time. If you are looking for a good crypto programming challenge, implement a tool to automate padding oracle attack on your own (check Padbuster). You will need to have a detailed understanding of Block ciphers :-)

Thanks to NULL, I had an extremely fruitful week. Want to discuss more about this? Drop by at the next NULL Hyderabad meet :-)

NULL Hyderabad chapter's October security meet was hosted at Progress Software, Hyderabad on 15th October. I was given the opportunity to present on a topic of my choice. After a lot of deliberation, I have decided to present on Securing Single Page Applications (SPA). Of late SPAs have been on the rise and I have been reviewing some of them at work as well. Thought of sharing my learning with the community. Hopefully, it could be of some use to devs/pentesters around.

Frankly, I hate giving a talk without a practical demonstration of what I want to present. I believe All gyan and no demo makes Jack a dull audience ;) Thanks to my mentors (former Technical Evangelists at Microsoft) for inculcating this habit. When I have to give talks on a short notice (<=2 days), I select a topic for which I can create a quick demo. I don't get time to prepare slides and in fact I prepare them when my previous speakers are on stage. This time, I was informed about a week in advance but I was tied up with office work. I have spent whatever time I had on preparing demos and on the day of the meet nothing has changed :)

Spent the last couple of days on demos for today's talk at @nullhyd. Realized that I don't have a ppt yet! 1 hr to go. This doesn't change!

— Krishna Chaitanya T (@novogeek) October 15, 2016

Nevertheless, I have managed to put some slides and polished them post my talk so that they make sense for those who could not attend. Here you go:

Even before my talk, we had security news bytes covered by Hemanth. As always, this time too it was an interactive discussion on the latest security threats. Post that, there was WiFi security session by Hruday Charan. This guy is a 17 year old college student and he already has deep hands-on knowledge on his topic. The next session too was given by a college student Prashanth on OAuth security. I seriously envy this generation kids. They have the resources to learn, amazing determination to grow and also a stage like NULL community to showcase their talent. I am sure these guys will reach great heights in their careers, given that they continue the perseverance & passion.

On the whole, it was a great meetup with good learning and networking with security geeks. Hope to continue the tech fun in the next meet. If you are in and around Hyderabad, stay tuned to @nullhyd for updates on the next meet.

Microsoft User Group Hyderabad (MUGH) is back with yet another full-day event on cutting edge Microsoft Technologies! Hyderabad DotNetConf 2016 was held on 27th August 2016 and it has covered the latest tech presentations on ASP.NET Core, Windows 10 Anniversary update and Dev APIs, Deploying ASP.Net Core Apps on Docker, Building Roslyn Analyzers, Xamarin Forms and Universal Windows Platform (UWP)

I have presented on Building Roslyn Analyzers for Fun and Profit. Below are the slides. The session was primarily demo-driven and the slides only give a brief intro. Strongly recommend to go through the references to do a deep-dive into Roslyn.

And yours truly below :)

As usual, I had the challenge of taking the post-lunch session and glad that I had attentive audience :)

Here are the speakers of the event:

Glad that the effort spent by organizing team and the speakers got the returns. i.e., happy and satisfied audience :)

And finally,

NULL Hyderabad monthly security meet is back! I had to give a talk on a short notice and I didn't have enough time to prepare for a good demo-driven technical topic. While it is easy for me to do any basic topic, I wanted to take this as a challenge and THINK on what best I can give in the limited time I have. I wanted to be creative (read crazy :D).

Yeah, I wanted to connect two seemingly unrelated dots, both of which I had decent exposure to - Security and the game of 64 squares, Chess. If you see, both have several intersection points - Threats, Weaknesses, Attackers, Defenders, Traps, Mitigations (Defenses), Strategies, Tactics and the list goes on. What else can give me better analogies to explain about Secure Design? Surprising that I never got this thought till now. At times, you tend to think better when you have a strong force demanding excellence, and you love the force. Isn't it :)

Here are the slides of my talk:

If you know basic Chess moves, I would recommend to go through the positions. They are damn interesting! Particularly, you should not miss the game-The Opera House Massacre. In the slides, you will also see a blindfold Chess trainer. I have created it in 2009 just to practice blindfolded chess, but I have never used it. However, I gave the link to a couple of Chess academies so that they can use it to train their students. While I have built it for fun, little did I realize that it is going to help several hundreds of students. Came to know from a Chess coach (my friend) that several young kids use it in their daily practice. You can find the source code of tool at this Github repo.

While I am not sure if the audience got the Chess related intricacies in the slides, I think I could bring out the analogies and bring out the message. At least, the audience stayed glued till the end of the talk, though it was lunch time (1.30 PM already). So I would take the benefit of doubt ;)

NULL Hyd team has started covering OWASP Top 10 as a series. This time it was on A2-Broken Authentication and Session Management and Mahesh Bheema has done a decent job in explaining it from ground up! Also, we had security news bytes by Vamsi and attacking OAuth by Prashanth.

We had a surprise visitor in this meet - Bharadwaj Machiraju. The OWTF guy was in full swing and explained how he is attempting to make machines do the job for him (Machine Learning that is!)

Bharadwaj has always been an inquisitive and energetic guy and glad that he is aiming to do amazing things in security. Watch out this guy! On the whole, we had yet another fantastic meet. We are growing!

I am a Chess enthusiast and fortunately got trained by brilliant professional Chess coaches during my Engineering days (2003-07). I have played in a few district, inter-zonal tournaments and participated in All India Inter University championship in 2006. I am not a FIDE rated player and gave up participating in tournaments after I got into IT profession. Chess is addiction - Once you learn it properly, you cannot get rid of it. While I don't do serious practice anymore, I enjoy playing blitz almost every day. Check out my Chess blog for some of my little adventures

Just a week after Global Azure Boot Camp, we had Null Hyderabad security meet and I was supposed to give a talk. I planned to repeat the Modern web authentication scenarios talk which I have presented at the Azure boot camp. But to satisfy my technical side, here is what I have done:

I have presented this last week at #mughazure using @azuread. For fun I'm rebuilding the demos using @IdentityServer ;) @nullhyd @mughtwits

— Krishna Chaitanya T (@novogeek) April 21, 2016

Here are the slides of my talk:

I have hinted Null Hyderabad core team that I would take longer that the usual time and here is how it ended up :)

Enjoyed presenting at @nullhyd meet today. Touched the basics of OAuth 2.0 & OpenIdConnect. Good audience..it went for 2.5 hrs!

— Krishna Chaitanya T (@novogeek) April 23, 2016

One of the highlights of the meet was a talk by a 10+1 student! See how smart the next gen kids are turning out to be! I haven't switched on a computer till I was in the 2nd year of my Bachelor's degree and today we have a student doing a security talk in an open security community. I hope this will be an inspiration not only to rest of the college kids but also to working professionals who while away their time.

A 10+1 student is presenting at null hyd.. His dad accompanied him to meet. @nullhyd @null0x00 pic.twitter.com/A3Wdr3CLd5

— Hari (@vhssunny1) April 23, 2016

On another note, Raghunath, one of the co-founders of NULL Hyderabad and the backbone of the community since its inception, was leaving Hyderabad. While we are happy that he is moving abroad for a much bigger goal, we are sad that we will miss his contributions to the community.

Thank you @raghunath24 for your relentless contributions to @nullhyd and @null0x00. We will miss you. Good luck! pic.twitter.com/YqPQj1TsDj

— NULL Hyderabad (@nullhyd) April 23, 2016

Glad to say that I had the opportunity to present at Global Azure Boot Camp 2016, Hyderabad. It was a full day event organized by Microsoft User Group Hyderabad, covering deep dive sessions on Azure for Developers, Architects and IT Pro's. Similar to its previous editions, this event was held simultaneously at several hundreds of locations across the globe - The power of Microsoft's community contributors!
The best part is, the event organized at Hyderabad turned out to be the largest Global Azure Bootcamp with 350+ techies as its audience!

Record attendance ..350 developers, 10 star speakers, 8 hours...at @mughtwits #GlobalAzure #mughazure pic.twitter.com/sN1WbXuTAQ

— DoDo Coder (@sudhakr) April 16, 2016

The highlight of the day was the keynote by Mr. Janakiram MSV, the renowned Cloud/IoT expert! Janakiram has mesmerized the crowd with his amazing demos around IoT. Also, his talk was very motivating and brought good energy

Glowing #IoT at GABC 2016 #globalazure #mughazure #mughazure16 pic.twitter.com/etrJtnr3us

— MS User Group Hyd (@mughtwits) April 16, 2016

The event was well planned and the sessions were very interesting till the end.

It is 6pm and folks are still glued.. Still running full house #mughazure #mughazure16 #globalazure @mughtwits pic.twitter.com/SbC57ilWF3

— Krishna Chaitanya T (@novogeek) April 16, 2016

I have presented on Modern Authentication for web apps with Azure Active Directory. Here are the slides:

Check out the pics from the event at MUGH's Facebook page . While the MUGH Core team has put tremendous efforts in organizing the event flawlessly, the silent hero behind this event (in fact, for almost every MUGH event) was Mr. Shravan Kumar Kasagoni. This guy can plan and organize a tech event of any scale almost single-handed! Not to forget, he is a Microsoft MVP and has been a core community contributor for Hyderabad since the past 5+ years. Kudos Shravan!