identity - Dave's Blog

Search

Stripe CTF - Level 5

2012 Sep 11, 5:00

Level 5 of the Stripe CTF revolved around a design issue in an OpenID like protocol.

Code

    def authenticated?(body)
body =~ /[^\w]AUTHENTICATED[^\w]*$/
end

...

if authenticated?(body)
session[:auth_user] = username
session[:auth_host] = host
return "Remote server responded with: #{body}." \
" Authenticated as #{username}@#{host}!"

Issue

This level is an implementation of a federated identity protocol. You give it an endpoint URI and a username and password, it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This level only talks to stripe CTF servers so the first step is to upload a document to the level 2 server containing the text 'AUTHENTICATED' and we can now authenticate on a level 2 server. Notice that the level 5 server will dump out the content of the endpoint URI and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to

https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated
Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.
https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a
Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and lists the text of the level 2 file 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 seeing 'AUTHENTICATED' coming back from a level 5 URI.

Notes

I didn't see any particular code review red flags, really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permisive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned which makes it easy for a server to accidentally fall into authenticating. Having the endpoint URI have to return variable text based on the input would make it much harder for a server to accidentally authenticate.

PermalinkCommentsinternet openid security stripe-ctf technical web

Washington Driver's License Numbers

2010 Feb 24, 12:42Apparently Washington State uses an algorithm to generate drivers license numbers. Unless someone else has the same name and birth date your license number is based entirely on your name and birth date.PermalinkCommentsmath identity washington reference

Technology Review: Augmented Identity

2010 Feb 23, 10:04Android augmented reality app that does facial recognition and then hovers icons for that person's profiles on various websites.PermalinkCommentsaugmented-reality mobile internet identity android phone technical

Facebook Wants to Be Your One True Login

2010 Feb 22, 3:55Hilarious Internet illiteracy generates tons of confused comments on RWW: '... We've determined by looking at our traffic stats that people are doing Google searches for "facebook login" and coming upon RWW. They see the FB Connect button and assume that RWW is the "new Facebook." Sigh. The Internet Is Hard.'PermalinkCommentsvia:kottke facebook internet identity openid

Panopticlick

2010 Jan 29, 10:28"Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies." Examines HTTP headers and browser features and reports if your configuration is unique (mine is). Good info for anyone looking at creating an anonymous browsing plugin or servicePermalinkCommentsweb security privacy eff education identity surveillance cookies cookie anonymity anonymous technical

Aza’s Thoughts » Identity in the Browser (Firefox)

2009 Nov 30, 6:31"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!PermalinkCommentsfirefox browser identity web mozilla security authentication openid

Official Google Blog: Cutting back on your long list of passwords

2009 Nov 23, 11:28"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%...In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites."PermalinkCommentsidentity openid google security authentication facebook password via:connolly technical

What happened to me and the new girl (or: "The girl who cried Webmaster") - The Adventures of Accordion Guy in the 21st Century

2009 Jun 1, 2:03Wow, read this without expectations of what its about. This is the second identity-theft/Internet/personal-relationships story I've read. It makes me think we need VeriSign to do cert verification for personal relationships but then I must remind myself that this must not be very common...PermalinkCommentsvia:swannman identity identity-theft story psychology web blog joey-devilla

Gravatar - Globally Recognized Avatars

2009 Apr 20, 3:37Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. Auto generated or if the user signs up, the image can be whatever they upload. Lots of plugins for different blogging platforms.PermalinkCommentsblog web photo avatar image authentication identity icon hash

Bunny Identity Theft

2009 Apr 13, 1:11These have been popping up all over the internet, but I just had to share them with you in time for Easter. I'll take one of each in my Easter basket!PermalinkCommentscute cat bunny easter photo for:hellosarah

It's Me, and Here's My Proof: Why Identity and Authentication Must Remain Distinct

2009 Jan 22, 9:48"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards can be revoked and replaced. How do you revoke a finger?"PermalinkCommentsarticle microsoft security identity authentication biometrics

OpenID being Balkanized even as Google, Microsoft sign on

2008 Oct 30, 12:13On hearing news of Live ID supporting OpenID this is pretty much exactly what I was thinking: "With every big portal acting as a provider but not a consumer of identity credentials, users are still going to wind up creating accounts for more than one service (says this user of Flickr and Google Calendars). When it comes to third-party sites, they may not need to remember a new username and password, but they will have to remember to which of the providers they chose to provide the credentials for their account. Anyone who slips up may wind up with three or more identities on a single website, with different data associated with each."PermalinkCommentsopenid identity microsoft google

BBC NEWS | UK | Payout for false Facebook profile

2008 Jul 24, 7:26Fake Facebook page considered libel and gets target big pounds: "Mathew Firsht was awarded 22,000 pounds in damages against an old school friend". Careful what you post...PermalinkCommentsfacebook identity law legal privacy libel

GoogleUnique Names

2008 Jul 18, 1:50On GoogleUnique names for children. "Oh, and I have a GoogleCommon name. I share my name with so many other people that we have our own Kevin Kelly disambiguation website." To avoid race conditions be sure to use your NIC's ID in the child's name.PermalinkCommentsname identity google search language kevin-kelly

The Pros and Cons of LifeLock

2008 Jun 18, 12:44Bruce Schneier writes about LifeLock for which you've probably seen the comercials of the CEO parading around his SSN. I was wondering what LifeLock actually did.PermalinkCommentsbruce-schneier identity fraud credit article wired security privacy lifelock

Welcome to OpenID Enabled!

2008 Apr 7, 2:55"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."PermalinkCommentsphp openid development opensource identity authentication api software server library

apophenia: a google horror story: what happens when you are disappeared

2008 Feb 11, 4:27Google's adminstrative red tape destroys a person's online identity. There is a happy ending to this story... but it could happen TO YOU!PermalinkCommentsgmail data backup identity google web online article

FOAF and OpenID: two great tastes that taste great together | Decentralized Information Group (DIG) Breadcrumbs

2007 Nov 28, 4:43How to use FOAF and OpenID together and how DIG used that as a basis for commenting on their blog.PermalinkCommentsfoaf openid authentication identity rdf semanticweb trust web spam

XSL Identity Transfom

2007 Oct 12, 4:08As noted in the XSL Transformations spec you can create the identity transform using the xsl:copy element. With the MSXML implementation of xsl:copy the example the spec gives produces slightly ugly elements. For instance given it produces . In order to ensure empty elements turn out pretty I've modified the example as follows:
    
        
            
                
                    
                
            
            
                
                    
                
            
        
    

This got me thinking about inverting XSLTs. Clearly in general an XSLT isn't invertible since an XSLT can completely ignore the input XML and produce something else entirely but then the above is an example of an XSLT that is invertible. So there is a subset of XSLTs that are invertible, how might you produce the inverse of an XSLT, and would this ever be useful?PermalinkCommentsxml msxml inverse xlst xsl

Technophilia: Where to find public records online - Lifehacker

2007 Jul 23, 3:19List of sites to find public information on folks.PermalinkCommentsbackground search database birthday library identity privacy public phone lifehack
Older Entries Creative Commons License Some rights reserved.