2012 Sep 11, 5:00
Level 5 of the Stripe CTF revolved around a design issue in an OpenID-like protocol.
Code
# The level's check. Note the literal token and the unanchored pattern:
# in Ruby `$` matches before any newline, not only at the end of the string.
def authenticated?(body)
  body =~ /[^\w]AUTHENTICATED[^\w]*$/
end
...
if authenticated?(body)
  session[:auth_user] = username
  session[:auth_host] = host
  # The fetched body is echoed back verbatim in the level's own response.
  return "Remote server responded with: #{body}." \
    " Authenticated as #{username}@#{host}!"
Issue
This level is an implementation of a federated identity protocol. You give it an endpoint URI and a username and password; it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This level only talks to Stripe CTF servers, so the first step is to upload a document containing the text 'AUTHENTICATED' to the level 2 server, after which we can authenticate on a level 2 server. Notice that the level 5 server dumps out the content of the endpoint URI, and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to

https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated

Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.

https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a

Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and listing the text of the level 2 file, 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 sees 'AUTHENTICATED' coming back from a level 5 URI.
Notes
I didn't see any particular code review red flags; really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permissive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned, which makes it easy for a server to accidentally fall into authenticating. Requiring the endpoint URI to return variable text based on the input would make it much harder for a server to accidentally authenticate.
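As an added example (my code, not the CTF's), the following Ruby reproduces the level's check next to a stricter challenge-response variant and runs both over constructed response bodies. The constructed upload assumes line breaks around the token, which the post does not show; level5_dump, new_challenge and strict_authenticated? are my own names, and the challenge scheme is one way of making the endpoint return input-dependent text as the Notes suggest.

```ruby
require 'securerandom'

# The level's own check, reproduced so the two behaviours can be compared.
# Ruby's `$` matches before any newline, not only at the end of the string,
# and the token is a fixed literal that any page may happen to contain.
PERMISSIVE = /[^\w]AUTHENTICATED[^\w]*$/

def permissive_authenticated?(body)
  !(body =~ PERMISSIVE).nil?
end

# What the level returns to the browser after a successful check; the format
# is taken from the code in the post. The fetched body is embedded verbatim.
def level5_dump(body, username, host)
  "Remote server responded with: #{body}." \
    " Authenticated as #{username}@#{host}!"
end

# Hardened variant (my addition, not the CTF's code): the relying party mints a
# random challenge per request and accepts only a body that consists, in its
# entirety, of AUTHENTICATED:<that challenge>. A static file cannot satisfy it,
# and a page that merely echoes another server's output cannot either, because
# the echo is wrapped in extra text that \A ... \z refuses.
def new_challenge
  SecureRandom.hex(16)
end

def strict_authenticated?(body, challenge)
  pattern = /\AAUTHENTICATED:#{Regexp.escape(challenge)}\n?\z/
  !(body =~ pattern).nil?
end

# Constructed sample: a static file containing the token. The surrounding line
# breaks are an assumption; the post does not show the file's exact bytes, but
# the regexp needs a non-word character before the token and a line end after it.
STATIC_UPLOAD = "\nAUTHENTICATED\n"

if __FILE__ == $0
  dump = level5_dump(STATIC_UPLOAD, "a", "level02-2.stripe-ctf.com")
  puts "permissive, static file:  #{permissive_authenticated?(STATIC_UPLOAD)}"  # true
  puts "permissive, level 5 dump: #{permissive_authenticated?(dump)}"           # true
  c = new_challenge
  puts "strict, static file:      #{strict_authenticated?(STATIC_UPLOAD, c)}"   # false
  puts "strict, correct response: #{strict_authenticated?("AUTHENTICATED:#{c}\n", c)}"  # true
  echoed = level5_dump("AUTHENTICATED:#{c}", "a", "level05-1.stripe-ctf.com")
  puts "strict, echoed response:  #{strict_authenticated?(echoed, c)}"           # false
end
```

The second check also refuses a correct response that has been wrapped by another server's dump, which is the exact path the level 5 walk-through relies on; the per-request challenge is what prevents a previously observed answer from being replayed against a different request.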
internet openid security stripe-ctf technical

2010 Feb 24, 12:42
Apparently Washington State uses an algorithm to generate drivers license numbers. Unless someone else has the same name and birth date, your license number is based entirely on your name and birth date.
math identity washington reference

2010 Feb 23, 10:04
Android augmented reality app that does facial recognition and then hovers icons for that person's profiles on various websites.
augmented-reality mobile internet identity android phone technical

2010 Feb 22, 3:55
Hilarious Internet illiteracy generates tons of confused comments on RWW: '... We've determined by looking at our traffic stats that people are doing Google searches for "facebook login" and coming upon RWW. They see the FB Connect button and assume that RWW is the "new Facebook." Sigh. The Internet Is Hard.'
via:kottke facebook internet identity openid

2010 Jan 29, 10:28
"Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies." Examines HTTP headers and browser features and reports if your configuration is unique (mine is). Good info for anyone looking at creating an anonymous browsing plugin or service.
web security privacy eff education identity surveillance cookies cookie anonymity anonymous technical

2009 Nov 30, 6:31
"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!
firefox browser identity web mozilla security authentication openid

2009 Nov 23, 11:28
"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%... In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites."
identity openid google security authentication facebook password via:connolly technical

2009 Jun 1, 2:03
Wow, read this without expectations of what it's about. This is the second identity-theft/Internet/personal-relationships story I've read. It makes me think we need VeriSign to do cert verification for personal relationships, but then I must remind myself that this must not be very common...
via:swannman identity identity-theft story psychology web blog joey-devilla

2009 Apr 20, 3:37
Web service that hosts avatar images for things like blog comments. The image is ID'ed by a hash of the user's email address. The image is auto-generated, or, if the user signs up, it can be whatever they upload. Lots of plugins for different blogging platforms.
blog web photo avatar image authentication identity icon hash

2009 Apr 13, 1:11
These have been popping up all over the internet, but I just had to share them with you in time for Easter. I'll take one of each in my Easter basket!
cute cat bunny easter photo for:hellosarah

2009 Jan 22, 9:48
"Revocation presents another challenge. If a system relies only on a biometric for both identity and authentication, how do you revoke that factor? Forgotten passwords can be changed; lost smartcards can be revoked and replaced. How do you revoke a finger?"
article microsoft security identity authentication biometrics

2008 Oct 30, 12:13
On hearing news of Live ID supporting OpenID this is pretty much exactly what I was thinking: "With every big portal acting as a provider but not a consumer of identity credentials, users are still going to wind up creating accounts for more than one service (says this user of Flickr and Google Calendars). When it comes to third-party sites, they may not need to remember a new username and password, but they will have to remember to which of the providers they chose to provide the credentials for their account. Anyone who slips up may wind up with three or more identities on a single website, with different data associated with each."
openid identity microsoft google

2008 Jul 24, 7:26
Fake Facebook page considered libel and gets target big pounds: "Mathew Firsht was awarded 22,000 pounds in damages against an old school friend". Careful what you post...
facebook identity law legal privacy libel

2008 Jul 18, 1:50
On GoogleUnique names for children. "Oh, and I have a GoogleCommon name. I share my name with so many other people that we have our own Kevin Kelly disambiguation website." To avoid race conditions be sure to use your NIC's ID in the child's name.
name identity google search language kevin-kelly

2008 Jun 18, 12:44
Bruce Schneier writes about LifeLock, for which you've probably seen the commercials of the CEO parading around his SSN. I was wondering what LifeLock actually did.
bruce-schneier identity fraud credit article wired security privacy lifelock

2008 Apr 7, 2:55
"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."
php openid development opensource identity authentication api software server library

2008 Feb 11, 4:27
Google's administrative red tape destroys a person's online identity. There is a happy ending to this story... but it could happen TO YOU!
gmail data backup identity google web online article

2007 Nov 28, 4:43
How to use FOAF and OpenID together and how DIG used that as a basis for commenting on their blog.
foaf openid authentication identity rdf semanticweb trust web spam

2007 Oct 12, 4:08
As noted in the XSL Transformations spec you can create the identity transform using the xsl:copy element. With the MSXML implementation of xsl:copy the example the spec gives produces slightly ugly elements. For instance given it produces . In order to ensure empty elements turn out pretty I've modified the example as follows:

This got me thinking about inverting XSLTs. Clearly in general an XSLT isn't invertible, since an XSLT can completely ignore the input XML and produce something else entirely, but then the above is an example of an XSLT that is invertible. So there is a subset of XSLTs that are invertible; how might you produce the inverse of an XSLT, and would this ever be useful?
xml msxml inverse xlst xsl

2007 Jul 23, 3:19
List of sites to find public information on folks.
background search database birthday library identity privacy public phone lifehack