2012 Sep 11, 5:00
Level 5 of the Stripe CTF revolved around a design issue in an OpenID like protocol.
Code
def authenticated?(body)
  # Note: in Ruby, $ matches at the end of any line, not only the end of the string
  body =~ /[^\w]AUTHENTICATED[^\w]*$/
end
...
if authenticated?(body)
  session[:auth_user] = username
  session[:auth_host] = host
  # The remote body is echoed verbatim into the response
  return "Remote server responded with: #{body}." \
    " Authenticated as #{username}@#{host}!"
Issue
This level is an implementation of a federated identity protocol. You give it an endpoint URI, a username and a password; it posts the username and password to the endpoint URI, and if the response is 'AUTHENTICATED' then access is allowed. It is easy to be authenticated on a server you control, but this level requires you to authenticate from the server running the level. The level only talks to Stripe CTF servers, so the first step is to upload a document containing the text 'AUTHENTICATED' to the level 2 server, after which we can authenticate against a level 2 server. Notice that the level 5 server dumps out the content returned by the endpoint URI, and that the regexp it uses to detect the text 'AUTHENTICATED' can match on that dump. Accordingly I uploaded an authenticated file to
https://level02-2.stripe-ctf.com/user-ajvivlehdt/uploads/authenticated
Using that as my endpoint URI means authenticating as level 2. I can then choose the following endpoint URI to authenticate as level 5.
https://level05-1.stripe-ctf.com/user-qtoyekwrod/?pingback=https%3A%2F%2Flevel02-2.stripe-ctf.com%2Fuser-ajvivlehdt%2Fuploads%2Fauthenticated&username=a&password=a
Navigating to that URI results in the level 5 server telling me I'm authenticated as level 2 and listing the text of the level 2 file, 'AUTHENTICATED'. Feeding this back into the level 5 server as my endpoint URI means level 5 sees 'AUTHENTICATED' coming back from a level 5 URI.
Notes
I didn't see any particular code review red flags; really the issue here is that the regular expression testing for 'AUTHENTICATED' is too permissive and the protocol itself doesn't do enough. The protocol requires only a set piece of common literal text to be returned, which makes it easy for a server to accidentally fall into authenticating. Requiring the endpoint URI to return variable text based on the input would make it much harder for a server to accidentally authenticate.
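To make the notes concrete, here is an added example (mine, not the CTF's code) that runs the level's regexp against constructed response bodies, including a body built with the echo format from the code above, and sets it beside a challenge/response check in which the endpoint must return text derived from the request. The shared secret, the HMAC-over-nonce scheme and the file contents are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# The level's check, as quoted above. Ruby's $ matches before any newline,
# so AUTHENTICATED only needs a non-word character before it and nothing
# but non-word characters between it and some line ending.
def authenticated_permissive?(body)
  !(body =~ /[^\w]AUTHENTICATED[^\w]*$/).nil?
end

# Hardened variant (an assumed design, not the CTF's): the verifier sends a
# fresh nonce with the credentials and accepts only HMAC-SHA256(secret, nonce)
# back. A static file cannot produce it, and one verifier's echoed output
# carries a token for a different nonce.
def expected_token(shared_secret, nonce)
  OpenSSL::HMAC.hexdigest('SHA256', shared_secret, nonce)
end

def secure_equal?(a, b) # constant-time compare for equal-length strings
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authenticated_challenge?(body, shared_secret, nonce)
  secure_equal?(body.strip, expected_token(shared_secret, nonce))
end

# Constructed sample responses. The uploaded file needs a non-word character
# before AUTHENTICATED and a line ending after it to satisfy the regexp.
UPLOADED_FILE = "\nAUTHENTICATED\n"
# Level 5's own reply when pointed at that file, built with the message
# format from the code above; this is the body fed back in the second step.
LEVEL5_ECHO = "Remote server responded with: #{UPLOADED_FILE}." \
              " Authenticated as a@level02-2.stripe-ctf.com!"

def demo
  secret = 'shared-secret-agreed-out-of-band' # assumption
  nonce  = SecureRandom.hex(16)
  {
    permissive_file:    authenticated_permissive?(UPLOADED_FILE),       # true
    permissive_echo:    authenticated_permissive?(LEVEL5_ECHO),         # true: the chain
    permissive_negated: authenticated_permissive?("NOT AUTHENTICATED"), # true: too loose
    challenge_file:     authenticated_challenge?(UPLOADED_FILE, secret, nonce), # false
    challenge_echo:     authenticated_challenge?(LEVEL5_ECHO, secret, nonce),   # false
    challenge_honest:   authenticated_challenge?("#{expected_token(secret, nonce)}\n",
                                                 secret, nonce),                # true
  }
end
```

The "NOT AUTHENTICATED" case shows the regexp accepts a body that says the opposite of what the verifier wants, which is why a fixed literal is a poor token.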
internet openid security stripe-ctf technical web

2010 Feb 22, 3:55
Hilarious Internet illiteracy generates tons of confused comments on RWW: '... We've determined by looking at our traffic stats that people are doing Google searches for "facebook login" and coming upon RWW. They see the FB Connect button and assume that RWW is the "new Facebook." Sigh. The Internet Is Hard.'
via:kottke facebook internet identity openid

2009 Nov 30, 6:31
"At Mozilla Labs, we’ve been working on some potential integrations of identity directly into the browser. Note, this is an extremely rough draft." Looks pretty!
firefox browser identity web mozilla security authentication openid

2009 Nov 23, 11:28
"Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%...In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites."
identity openid google security authentication facebook password via:connolly technical

2008 Oct 30, 12:13
On hearing news of Live ID supporting OpenID, this is pretty much exactly what I was thinking: "With every big portal acting as a provider but not a consumer of identity credentials, users are still going to wind up creating accounts for more than one service (says this user of Flickr and Google Calendars). When it comes to third-party sites, they may not need to remember a new username and password, but they will have to remember to which of the providers they chose to provide the credentials for their account. Anyone who slips up may wind up with three or more identities on a single website, with different data associated with each."
openid identity microsoft google

2008 Sep 16, 2:44
Update, via the web, email, or your phone, stats on day-to-day activities. For example, send 'lunch time' to create a new time dataset named lunch and then send 'lunch' when you eat lunch, and it will note all the times you ate lunch. I was tempted to use this to see a graph of when I add delicious posts, but it doesn't support importing old data. Don't think I'll use it, but it uses OpenID perfectly.
blog statistics openid social graph visualization tool

2008 Apr 7, 2:55
"The PHP OpenID library lets you enable OpenID authentication on sites built using PHP."
php openid development opensource identity authentication api software server library

2008 Jan 22, 9:56
More ideas stolen from me in the same vein as my stolen OpenID thoughts.
Fast Pedestrian Crossing on Four-Way Stops. In college I didn't have a car, and every weekend I had weekly poker with friends who lived nearby, so I would end up waiting to cross from one corner of a traffic-lit four-way stop to the opposite corner. Waiting there in the cold gave me plenty of time to consider the fastest method of getting to the opposite corner of a four-way stop. My plan was to hit the pedestrian crossing button for both directions and travel on the first one available. This only seems like a bad choice if the pedestrian crossing signal travels clockwise or counterclockwise around the four-way stop. In those two cases it's better to take the later of the two pedestrian signal crossings, but I have yet to see those two patterns on a real-life traffic stop. I decided recently to see if my plan was actually sound and looked up info on traffic signals. But the info didn't say much other than "it's complicated" and "it depends" (I'm paraphrasing). Then I found some guy's analysis of this problem. So I'm done with this, and I'll continue pressing both buttons and crossing on the first pedestrian signal. Incidentally, on one such night when I was waiting to cross this intersection I heard a loud multi-click sound and realized that the woman in the SUV waiting to cross the intersection next to me had just locked her doors. I guess my thinking-about-crossing-the-street face is intimidating.
Windows Searching Windows Media Center Recorded TV's Closed Captions. An Ars Technica article on a fancy DVR described one of the DVR's features: full-text search over the subtitles of the recorded TV shows. I thought implementing this for Windows Media Center recorded TV shows and Windows Search would be an interesting project to learn about video files and about extending Windows Search. As it turns out, though, some guy, Stephen Toub, implemented Windows Search over MCE closed captions already. Stephen Toub's article is very long and describes some other very interesting related projects, including 'summarizing video files', which you may want to read.
stolen-thoughts windows search mce windows traffic closed captions four-way-stop windows-media-center

2007 Nov 28, 4:43
How to use FOAF and OpenID together, and how DIG used that as a basis for commenting on their blog.
foaf openid authentication identity rdf semanticweb trust web spam

2007 May 1, 4:33
In the past I've come up with ideas for software and found that the very idea is implemented soon after. So this time, rather than getting down about it, I'm going to make it work for me. I'll state what I want to use and hope that it's magically implemented. In order to uniformly support comments on my website I want a web service with the following features:
- Allow users to view and add comments for any particular URI.
- Use OpenID and optionally CardSpace to identify users.
- Use a captcha system that's optionally cute or humorous.
- Has Atom or RSS feeds of the comments available.
- Doesn't require users to register.
- Doesn't require any extra steps for commenting on a URI that no one has commented on.
I'm going to implement this now, so no one go off and do it before me so that I can use it without having to do anything...
technical homepage

2007 Apr 10, 2:55
Loopster does a bunch of things Vishu and I wanted to implement. It merges profiles from different social networks together.
social aggregator profile identity mashup openid

2007 Mar 13, 3:54
A blog article on creating group OpenIDs.
openid authentication group privacy blog article

2007 Mar 13, 3:53
A service that provides anonymous OpenIDs with no authentication.
anonymous authentication openid identity privacy

2007 Mar 13, 3:53
The OpenID Specification
openid authentication specification security

2007 Mar 13, 2:08
OpenID is an open identification system for the Internet in which anyone can participate.
authentication identity openid security specification privacy

2007 Mar 13, 7:57
I had a few thoughts after reading about OpenID. However, after doing only a very small amount of digging I can see these aren't new thoughts.
Anonymous OpenID: Have an OpenID that anyone can use because it performs no authorization. You'd specify a URI like http://deletethis.net/anonymousopenid/yournamehere and you'd immediately get an anonymous OpenID associated with that URI. This has already been implemented by Jayant Gandhi.
Group OpenID: Have an OpenID that consists of a group of member OpenIDs. To log in as the Group OpenID you need to log in with any of the member OpenIDs. This is discussed more by Dmitry Shechtman on his blog.
OpenID Normalization: I find that I already have a couple of OpenIDs without even trying, due to AOL giving out OpenIDs. I'd like for all of my OpenIDs to point to one canonical OpenID. It looks like this may already be possible under the OpenID specification.
I guess I'm a little late to the scene.
technical stolen-thoughts openid

2007 Feb 20, 10:33
AOL and AIM usernames can now be used as OpenIDs, allowing participating OpenID sites and services to authenticate you using your AOL or AIM OpenID.
openid aol aim identity article