openid - Dave's Blog

Search

Stripe CTF - Level 5

2012 Sep 11, 5:00

Level 5 of the Stripe CTF revolved around a design issue in an OpenID like protocol.

Code

    def authenticated?(body)
body =~ /[^\w]AUTHENTICATED[^\w]*$/
end

...

if authenticated?(body)
session[:auth_user] = username
session[:auth_host] = host
return "Remote server responded with: #{body}." \
" Authenticated as #{username}@#{host}!"

Issue

This level is an implementation of a federated identity protocol. You give it an endpoint URI and a username and password, it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. This level only talks to stripe CTF servers so the first step is to upload a document to the level 2 server containing the text 'AUTHENTICATED' and we can now authenticate on a level 2 server. Notice that the level 5 server will dump out the content of the endpoint URI and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to

https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated
Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.
https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a
Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and lists the text of the level 2 file 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 seeing 'AUTHENTICATED' coming back from a level 5 URI.

Notes

I didn't see any particular code review red flags, really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permisive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned which makes it easy for a server to accidentally fall into authenticating. Having the endpoint URI have to return variable text based on the input would make it much harder for a server to accidentally authenticate.

PermalinkCommentsinternet openid security stripe-ctf technical web

Yahoo! Accepts OpenID Authentication with Google

2010 Oct 28, 6:32PermalinkCommentsOpenID Second Level Features YDN Theme Categories technical

Facebook Wants to Be Your One True Login

2010 Feb 22, 3:55Hilarious Internet illiteracy generates tons of confused comments on RWW: '... We've determined by looking at our traffic stats that people are doing Google searches for "facebook login" and coming upon RWW. They see the FB Connect button and assume that RWW is the "new Facebook." Sigh. The Internet Is Hard.'PermalinkCommentsvia:kottke facebook internet identity openid

Aza’s Thoughts » Identity in the Browser (Firefox)

2009 Nov 30, 6:31"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!PermalinkCommentsfirefox browser identity web mozilla security authentication openid

Official Google Blog: Cutting back on your long list of passwords

2009 Nov 23, 11:28"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%...In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites."PermalinkCommentsidentity openid google security authentication facebook password via:connolly technical

OpenID being Balkanized even as Google, Microsoft sign on

2008 Oct 30, 12:13On hearing news of Live ID supporting OpenID this is pretty much exactly what I was thinking: "With every big portal acting as a provider but not a consumer of identity credentials, users are still going to wind up creating accounts for more than one service (says this user of Flickr and Google Calendars). When it comes to third-party sites, they may not need to remember a new username and password, but they will have to remember to which of the providers they chose to provide the credentials for their account. Anyone who slips up may wind up with three or more identities on a single website, with different data associated with each."PermalinkCommentsopenid identity microsoft google

mycrocosm

2008 Sep 16, 2:44Update via the web, email, or your phone, stats on day to day activities. For example send 'lunch time' to create a new time dataset named lunch and then send 'lunch' when you eat lunch and it will note all the times you ate lunch. I was tempted to use this to see a graph of when I add delicious posts but it doesn't support importing old data. Don't think I'll use it but it uses OpenID perfectly.PermalinkCommentsblog statistics openid social graph visualization tool

Welcome to OpenID Enabled!

2008 Apr 7, 2:55"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."PermalinkCommentsphp openid development opensource identity authentication api software server library

Crossing Four Way Stops Fast and Searching Closed Caption MCE Videos: More Stolen Thoughts

2008 Jan 22, 9:56

More ideas stolen from me in the same vein as my stolen OpenID thoughts.

Fast Pedestrian Crossing on Four Way Stops. In college I didn't have a car and every weekend I had weekly poker with friends who lived nearby so I would end up waiting to cross from one corner of a traffic lit four way stop to the opposite corner. Waiting there in the cold gave me plenty of time to consider the fastest method of getting to the opposite corner of a four-way stop. My plan was to hit the pedestrian crossing button for both directions and travel on the first one available. This only seems like a bad choice if the pedestrian crossing signal travels clockwise or counter clockwise around the four way stop. In those two cases its better to take the later of the two pedestrian signal crossings, but I have yet to see those two patterns on a real life traffic stop. I decided recently to see if my plan was actually sound and looked up info on traffic signals. But the info didn't say much other than "its complicated" and "it depends" (I'm paraphrasing). Then I found some guy's analysis of this problem. So I'm done with this and I'll continue pressing both buttons and crossing on the first pedestrian signal. Incidentally on one such night when I was waiting to cross this intersection I heard a loud multi-click sound and realized that the woman in the SUV waiting to cross the intersection next to me had just locked her doors. I guess my thinking-about-crossing-the-street face is intimidating.

Windows Searching Windows Media Center Recorded TV's Closed Captions. An Ars-Technica article on a fancy DVR described one of the DVRs features: full text search over the subtitles of the recorded TV shows. I thought implementing this for Windows Media Center recorded TV shows and Windows Search would be an interesting project to learn about video files, and extending Windows Search. As it turns out though some guy, Stephen Toub implemented Windows Search over MCE closed captions already. Stephen Toub's article is very long and describes some other very interesting related projects including 'summarizing video files' which you may want to read.

PermalinkCommentsstolen-thoughts windows search mce windows traffic closed captions four-way-stop windows-media-center

FOAF and OpenID: two great tastes that taste great together | Decentralized Information Group (DIG) Breadcrumbs

2007 Nov 28, 4:43How to use FOAF and OpenID together and how DIG used that as a basis for commenting on their blog.PermalinkCommentsfoaf openid authentication identity rdf semanticweb trust web spam

Commenting Wishlist

2007 May 1, 4:33In the past I've come up with ideas for software and find that the very idea is implemented soon after. So this time rather than getting down about it I'm going to make it work for me. I'll state what I want to use and hope that its magically implemented. In order to uniformly support comments on my website I want a web service with the following features: I'm going implement this now so no one go off and do it before me so that I can use it without having to do anything...PermalinkCommentstechnical homepage

Loopster Makes Friends of Social Networks

2007 Apr 10, 2:55Loopster does a bunch of things Vishu and I wanted to implement. It merges profiles from different social networks together.PermalinkCommentssocial aggregator profile identity mashup openid

The Undevelopment Blog - Collective Identities Anybody?

2007 Mar 13, 3:54A blog article on creating group OpenIDs.PermalinkCommentsopenid authentication group privacy blog article

Free, anonymous, temporary, disposable OpenID by Jayant Gandhi

2007 Mar 13, 3:53A service that provides anonymous OpenIDs with no authentication.PermalinkCommentsanonymous authentication openid identity privacy

Implementor's Draft: OpenID Authentication 2.0 - Draft 11

2007 Mar 13, 3:53The OpenID SpecificationPermalinkCommentsopenid authentication specification security

OpenID: an actually distributed identity system

2007 Mar 13, 2:08OpenID is an open identification system for the Internet in which anyone can participate.PermalinkCommentsauthentication identity openid security specification privacy

OpenID Stolen Thoughts

2007 Mar 13, 7:57I had a few thoughts after reading about OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
Anonymous OpenID
Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like http://deletethis.net/anonymousopenid/yournamehere and you'd immediately get an anonymous OpenID associated with that URI. This has already been implemented by Jayant Gandhi.
Group OpenID
Have an OpenID that consists of a group of member OpenIDs. To login as the Group OpenID you need to login with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
OpenID Normalization
I find that I already have a couple of OpenIDs without even trying due to AOL giving out OpenIDs. I'd like for all of my OpenIDs to point to one canonical OpenID. It looks like this may already be possible by the OpenID specification.
I guess I'm a little late to the scene.PermalinkCommentstechnical stolen-thoughts openid

AOL Supports OpenID (Somewhat Frank :: web 2.0 ● technology ● life :: blog by Frank Gruber)

2007 Feb 20, 10:33AOL and AIM usernames can now be used as OpenIDs allowing participating OpenID sites and services to authenticate you using your AOL or AIM OpenID.PermalinkCommentsopenid aol aim identity article
Older Entries Creative Commons License Some rights reserved.