- Privilege Escalation
- Has to deal with authorization
- I can do things that I'm not supposed to.
- How would this apply to a multi-tenant ecommerce application?
Mass Assignment Vulnerabilities
- Example in Rails?
- A whitelist of attributes someone can assign to an object.
- Examples
- I want to change the username and password of a user so I can gain access to their credit card.
- Privilege escalation: change my role to super-admin so I can do what I want in the application.
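An added example in plain Ruby (not from these notes or from Rails itself): the same user update done the unsafe way, where every submitted key reaches the model, beside one filtered through an attribute whitelist the way Rails strong parameters' permit does. The User class, PERMITTED_USER_ATTRS and the request hash are constructed for illustration.

```ruby
# Added example (not from the lecture notes): a plain-Ruby model of Rails-style
# mass assignment, showing how an attribute whitelist blocks a role change.
class User
  attr_accessor :username, :email, :role, :credit_card_last4

  def initialize(username:, email:, role: "member", credit_card_last4: nil)
    @username = username
    @email = email
    @role = role
    @credit_card_last4 = credit_card_last4
  end

  # Vulnerable pattern: every submitted key becomes a setter call, like
  # update_attributes(params[:user]) in Rails before strong parameters.
  def mass_assign(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Whitelist: the only attributes a signed-in user may change about themselves.
PERMITTED_USER_ATTRS = %w[username email].freeze

# Mimics strong parameters' permit: returns the whitelisted subset of params
# plus the names of the keys that were dropped (worth logging, since an
# unexpected "role" key is a sign someone is probing for mass assignment).
def permit(params, allowed = PERMITTED_USER_ATTRS)
  permitted, dropped = params.partition { |key, _| allowed.include?(key.to_s) }
  [permitted.to_h, dropped.map { |key, _| key.to_s }]
end

# Constructed request body: a regular member slips a role change into an
# otherwise normal profile update.
SUBMITTED_PARAMS = { "username" => "mallory", "role" => "super-admin" }.freeze

# Before: the whole hash reaches the model, so the role changes.
def unsafe_update(user, params)
  user.mass_assign(params)
end

# After: only whitelisted keys reach the model; the role stays "member".
def safe_update(user, params)
  permitted, dropped = permit(params)
  warn "unpermitted parameters dropped: #{dropped.join(', ')}" unless dropped.empty?
  user.mass_assign(permitted)
end
```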
XSS or Cross Site Scripting
- When you allow someone to inject runnable code into your application.
- Happens often through users injecting JavaScript through HTML
- Luckily newer versions of Rails automatically escape HTML for you
- Escape formatter
- Overview of how public/private keys work
- Whiteboard something
- Give Verifi example
- Drop cheatsheet gist in slack [https://gist.github.com/BobGu/af9b3df39dfbe822da86a2c6e7872133]
- First thing we are going to do is create a public/private key pair on our computer.
- Download gpg by running
brew install gpg
- Then run
gpg --generate-key
to generate your key. It will ask you to fill out a bunch of info; write this info down.
- Remember public/private key pairs only work with each other! That's why they are generated together.
- Courtney's public key is obviously public; she sends her public key to anyone that wants to send her a secure message
- Have them look at the public key that she's created.
- Now she will export her public key, and post it in slack.
- To export your public key use this command
gpg --output name_of_file.gpg --export email_of_user
- Now the fun part is we are all going to send encrypted messages to Courtney
- First we have to import her public key
gpg --import name_of_file.gpg
- gpg will automatically verify the owner of this key is Courtney; you should see some output like this
- Next we will encrypt a simple text file using Courtney's public key.
- create a text file
- To encrypt with Courtney's public key
gpg --recipient courtney@example.com --output encrypted_file.gpg --encrypt name_of_file.txt
- Now Courtney will decrypt these messages using her private key
- Send Courtney the encrypted messages
- Now she will decrypt these messages
- To decrypt a message
gpg --output name_of_file.txt --decrypt encrypted_file.gpg
- Then look at the file! Use
cat name_of_file.txt
or vim name_of_file.txt
to see the contents!
- Get in pairs or groups of three
- One person is going to be receiving the encrypted messages
- The other person is going to be encrypting and signing the messages
- Signatures
* It is a way of verifying a document has come from the person you expect.
* Think like in the old days where people would have wax seals on their envelopes. Hard to fake where the message came from unless someone jacked the seal.
- To sign a file, the signer is going to use their private key
gpg --recipient address@example.com --encrypt --sign name_of_file.txt
- The signing key is chosen by default or can be set explicitly using the
--local-user
and --default-key
options.
* The decryption step happens the same way.
gpg --output name_of_file.txt --decrypt encrypted_file.gpg
- You should see some output in your command line like this
- In PGP (Pretty Good Privacy)
- Give an example from real job
- SSH (Secure Shell)
- SSH key based authentication
- GitHub uses it
- Have them go to their
~/.ssh/id_rsa.pub
- This is the public key that they put on GitHub so the key based authentication will work
- SSL (Secure Sockets Layer)
- It keeps data encrypted until it reaches the server
- Authenticate the server to the client through a certificate
- A certificate has a public key (which you use to encrypt the message) and a private key which the website you are visiting uses to decrypt that message
- A certificate authority creates a second private/public key pair. They sign these certificates with their private key. The certificate authority then includes their public key, so we can verify the signature is from them.
* The person doing this is looking to monitor traffic in some way
* What is some information that belongs to a request which I can monitor?
* MiTM attack at a high level.
- Brute Force
- bcrypt
- Hash - one way
- Salt
- Rainbow tables
- Bcrypt is slow
- What is a public/private key pair?
- How are public private keys used?
- What is a man in the middle attack?
- Why do you hash and salt your passwords?