Classic ASP Cookie Vulnerability - cookies

I have a simple login page on a classic asp page.
It takes the username field from a form ("un") and the password ("pw") and does the following with them:
<%
un = newstr(request.form("un"))
pw = newstr(request.form("pw"))
SQL = "SELECT * from my_table WHERE un = '"&un&"' AND pw = '"&pw&"'"
set cRS = oConn.Execute(SQL)
if cRS.EOF then
%>
<p>Unable to log you in. Please try logging in again.</p>
<%
elseif NOT cRS.EOF then
Response.Cookies("test") = "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"
Response.Cookies("test").Expires = Date() + 365
response.redirect "main.asp"
end if
end if
%>
Then I have some simple validation at the top of each page whose contain I only want logged in users to be able to see, which does this:
<%
test = Request.Cookies("test")
if test = "" OR test <> "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY" then response.redirect("default.asp")
%>
I wanted to check - is that naively simple?
Could someone easily hack into my site, by e.g. setting a cookie on their computer, called "test" and whose value = "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"?
Or wouldn't it be pretty unlikely someone would guess that string value of "jeQmV4'QG)Eu'N-XSTC;pZeuwqUsjBdVv>Sqr!]ZhzB{dJ'p-#cYSdwY"?
Thanks

First off, someone could break your system by trying to pass in user names like
';DROP TABLE Users
http://xkcd.com/327/
Always, always use parameterized queries.
Never trust the UI for anything related to security. The client can observe all cookies that you set, and return any cookie back to you that it wants to. If this is not HTTPS, someone in the middle could also observe the cookie being sent back and forth.
Don't re-invent security frameworks. They are very hard to get right.

Related

Session variable lost after redirect for feature spec

The session object is cleared after redirect during testing.
First, my test stack. I am running a Rails 4.2.4 app with capybara 2.6.2, capybara-webkit 1.8.0, and rspec 3.3.0. My tests were running without issue until, for no apparent reason whatsoever, they weren't.
Below is my code (condensed to stay on point):
assessment_controller.rb
def create
#assessment_basic = Assessment::Basic.new(params)
if #assessment_basic.valid?
session[:most_recent_zip_code] = #assessment_basic.zip_code
if household.search.present?
update_household_search(#assessment_basic.zip_code)
end
redirect_to dashboard_path
else
render :new
end
end
private
def household
if #household
#household
elsif session[:household_id]
#household = find_household(session[:household_id])
elsif session[:most_recent_zip_code]
#household = Household.create(household_params)
session[:household_id] = #household.id
end
#household
end
As you can see, this is pretty straight-forward. I am receiving a zip code in the params. I store that zip code for later use and use it to create a household object unless one already exists, in which case I return that instance. If a household object is instantiated, I then store its id in the session, return control back to the action and redirect to the dashboard_path having two variables in session. All of this works well, and has worked well for some time now.
However, when I try to access the variables in the dashboard#index action, none of the session variables I stored are present. The feature works, which suggests that my problem is with the bits running my specs. By the way, the spec passes locally. It is when the code is moved to our CI environment that we get the error. We tried three different CI environments (Circle, Semaphore, and Travis) and they all report the same error:
#<NoMethodError: undefined method 'search' for nil:NilClass>
Which basically means, the household could not be recreated and is therefore nil. A closer look shows the reason the household could not be created from session is that the session was cleared.
Can someone help me identify the component(s) involved in ensuring session values persists during tests? Let me know if you need anything else in order to be able to help me.
Hector
it 'a client visits the referrals page with all providers minus the single stop and tax locations from the dashboard page and ' do
user_visits_the_homepage
enter_zip_code('11217', true)
dashboard_page.expect_to_be_on
dashboard_page.click_browse_local_resources
referrals_page.expect_to_be_on
end
def user_visits_the_homepage
visit '/'
expect(page).to have_content t('welcome.where')
end
def enter_zip_code(zip_code = '11217', remain_dashboard = false)
within '.welcome-form:nth-of-type(1)' do
fill_in t('welcome.where'), with: zip_code
click_on t('welcome.get_started')
end
expect(page).to have_content t('header.dashboard')
click_on t('header.your_profile') unless remain_dashboard
expect(page).to have_field t('activerecord.attributes.client_household_member.zip_code'), with: zip_code unless remain_dashboard
end

Rails 4 Dynamically Generate an Extra Public-Facing URL on Create

I have a Rails app that stores stock photos in each project. Upon creating a project, I want the app to not only create the url for the project that we will view internally, which is projects#show,i.e. /projects/4 but I also want it to create another URL that we can show to the client that will be a little different. It will allow the to approve the photos, etc. I want the url to be something like /projects/st53d where the end of the url will be a random number generated with random_string = SecureRandom.urlsafe_base64(5)
This way, I can pass this url to the clients and they can view all the photos in the project and approve the ones they want us to use, but cannot change or view the other internal stuff we have on the standard product show page
Currently, I have added a client_url column to the Project model and I was thinking of generating the random number within the Project#create method and then saving it to the project's client_url column. This way I can loop through all client urls and make sure I did not generate a duplicate. But I cannot figure out how to do the route creation part.
i have yet to do the part where I check if it is random but I know how to do that, just not the route creation.
I was thinking I needed to create a new method which I named show_client and somehow create a route for that in my config/routes.rb file
class ProjectsController < ApplicationController
before_action :authenticate_user!, only: [:show,:index]
def create
#project = Project.create(project_params)
#project.creator = current_user.email
require 'securerandom'
random_string = SecureRandom.urlsafe_base64(5)
#project.client_url = random_string
#project.save
redirect_to #project
end
def show_client
#project = Project.find(params[:id])
#photos = #project.photos
end
This seems like more of a roles issue. You could check out something like CanCanCan. If you only need two kinds of users, you could also just add a boolean column for admin to your user table. The url extension doesn't seem to matter in the scope of your problem. If you want to use a different view for the visiting the user show page, something in the show action like:
unless current_user.admin?
redirect_to client_show(current_user.id)
end
I was able to figure it out.
I created the client_url column in the database and upon creating a project, in the create method of the projects_controller, I generated a random base64 number and assigned it to project.client_url
in routes.rb i did:
get 'projects/clients/:client_id' => 'projects#clients', as: 'projects_client'
in my projects_controller.rb:
def clients
#project = Project.where(client_id: params[:client_id])
end
then the link to that route is:
<%= link_to 'Client Version', projects_client_path(#project.client_url) %>

Rails 4.2 - How to properly use rails sanitize to protect against cross scripting vulnerabilites

I am on rails 4.2.1 (ruby 2.2.1p85) and I want to sanitize user input and also have that text cleared out of the post/get params. I don't want to solely depend on native rails 4 auto escaping.
Being a bit new to rails I was not aware of the sanitize options.
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
I was originally going to create a helper for such purposes so I could do something as shown below. I'm trying to sanitize form input to secure against Cross-site scripting (XSS) vulnerabilities.
basic helper example This works but its probably not the best rails way to do it? Also the text is still in the post/get request.
<%= text_field_tag :input_text, Safetxt(params[:input_text]) %>
helper method
def Safetxt(input_value)
txtOut = input_value
if txtOut.blank?
txtOut = ""
else
txtOut = txtOut.gsub("<script>", "")
txtOut = txtOut.gsub("</script>", "")
end
return txtOut
end
on submit the input_text is cleaned on output but the get/post values still contain the stripped values.
input_text=<script>alert%28"blah"%29<%2Fscript>
How can I utilize a custom scrubber in a helper method to properly sanitize input (remove dangerous text,tags)? I'm a bit confused how to implement this properly with custom rules.
For example something as shown below (I know this is wrong). Also what is the best way to exclude that text in the post/get request as well? I know I should sanitize the text in the controller side for input, but if there is a way, I'd like that text to be cleared on the submit request if that's possible.
def Safetxt(input_value)
scrubber = Rails::Html::TargetScrubber.new
scrubber.tags = ['script']
txtOut = input_value
if txtOut.blank?
txtOut = ""
else
txtOut.scrub!(scrubber)
end
return txtOut
end
You can use the Rails 4 sanitize method to strip out tags that are not "whitelisted" by default by rails.
So in your controller code you can have:
ActionView::Base.new.sanitize("<script>alert('hello')</script>")
which would strip out the script tag. You can whitelist your own attributes or elements rather than the default or if you want more custom behavior you can define your own scrubber in the sanitize method.

Understanding Rails/Twitter On-click tweet on behalf of user

As preface, I've followed through some tutorials (i.e. Michael Hartl's) though I'm still fairly novice. Forgive any cloudy terminology.
I am trying to build a simple application in Rails 4 that does the following:
User logs into application (currently working with sign-in-with-twitter link and routing)
get "/auth/:provider/callback" => "sessions#create"
get "/signout" => "sessions#destroy", :as => :signout
Once <% if current_user %> is true, I have the view rendering a partial where there will be a list of simple buttons. When the user clicks a button I want the application to tweet on behalf of the current_user a preset string. Ideally, I'd do this all in ruby/rails.
These button functions are where I'm getting hung up. I've read a fistful of documents but there seem to be a lot of conflicting and old answers. Here's a quick list of the ones I think are closest, though not explicit about sending a tweet from a simple button/link in a view:
http://www.sitepoint.com/ruby-social-gems-twitter/
http://richonrails.com/articles/sending-a-tweet-to-twitter
Some call for controllers, a more robust oauth setup (which I have bundle installed and connected to the dev.twitter application, though not fleshed out beyond keys), and whatever else. It's got me turned around and I'm not yet good enough to synthesize all the information. Any help and direction would be great. Below are some other files in the app that might be helpful.
class SessionsController < ApplicationController
def create
auth = request.env["omniauth.auth"]
user = User.find_by_provider_and_uid(auth["provider"], auth["uid"]) || User.create_with_omniauth(auth)
session[:user_id] = user.id
redirect_to root_url, :notice => "Hi!"
end
def destroy
session[:user_id] = nil
redirect_to root_url, :notice => "Bye!"
end
end
And omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
provider :twitter, '_priv', '_priv'
end
Eep! I'm the author of the second link (RichOnRails). Did you take a look at the example app included with the tutorial? It does almost exactly what you want. If the tweets are hard coded you could approach it in a couple of different ways. If you take a look at the tweets controller, you'll see it takes a parameter called 'message'. Any message passed to that create method will tweet as the current user.
def create
current_user.tweet(twitter_params[:message])
end
The easiest (but not necessarily best) way to adapt this to fit your needs is to have a form for each tweet, and do a hidden field with the message you wish to tweet. The button becomes a submit for that particular form (you can add remote: true if you want to keep the page from refreshing, then use a bit of javascript to update the UI elements). Hope this helps.

Connect to LDAP via ColdFusion

I am trying to get the following connection to our LDAP working via ColdFusion, however, I can never get it to return any values (i.e. results.recordcount always equals 0). I assume my problem is with the "start" portion of the query so I did some research and have tried numerous values but nothing seems to work.
<cfldap
server = "adserver"
action = "query"
username = "DOMAIN\username"
password = "apassword"
name = "results"
scope="subtree"
start = "dc=domain.local"
attributes = "givenname,surname,uid,userid,groupMembership,mail,dn,roles,memberof,cn,samaccountName">
<cfoutput>
#results.recordcount#
</cfoutput>
The structure of the AD that I'm trying to access is as follows. I'm trying to get to the "Users" section at the bottom of the tree shown.
Active Directory Users and Computers
- Saved queries
- domain.local
- option1
- option2
- NAME1
- option1
- option2
- NAME2
- Computers
- Disabled Users
- Groups
- Users
If I right-click on "User" and view the properties it tells me the canonical name for it is domain.local/NAME1/NAME2/Users, which I assume is relevant to my problem.
Any ideas what I should be using for the "start" portion of cfldap?
Thanks in advance.
I highly recommend browsing your AD with a program like Softerra's LDAP Browser (http://www.ldapbrowser.com/) and then locating the distinguished name of the hierarchy where you want to start searching. Using this, I was able to find the exact DN of the LDAP structure to target.
Try somethign like this. I've had the best luck starting at a high level and then using the filter attribute to drill down.
<cfldap action="query" start="DC=server, DC=domain, DC=com" filter="OU=Users"
username = "DOMAIN\username" password = "apassword" name = "results"
scope="subtree" attributes = "givenname,surname,uid,userid,groupMembership,mail,dn,roles,memberof,cn,samaccountName">