Author: Steve

Bookmarklet and PHP to prevent Shibboleth-related Firefox Lockouts

 

Reason this might be useful.

/*
 * Remove all _shibstate cookies if there are too many of them. This usually
 * occurs due to Firefox session restores. Unfortunately we don't know which is
 * the active state cookie, so we have to delete them all, but this is a lessor
 * crime than locking the user out with server errors.
 *
 * In an app a good time to call this is when a user is not logged in or has an
 * expired app session. This way we can cleanup their cookies before forwarding
 * them to the shib login process. Also after logout you'll want to call this
 * with parameter 0 to always remove them.
 *
 * @param int $allowableStateCookies if the number of _shibstate cookies
 * exceeds this, they will all be removed.
 */
function Shibboleth_preventFirefoxLockout($allowableStateCookies = 10)
{
    $stateKeys = array();
    foreach ($_COOKIE as $key => $val) {
        if (0 === strpos($key, '_shibstate')) {
            $stateKeys[] = $key;
        }
    }
    if (count($stateKeys) > $allowableStateCookies) {
        foreach ($stateKeys as $key) {
            setcookie($key, '', time() - 3600, '/');
        }
    }
}

Here’s a bookmarklet that essentially does the same thing: Fix Shibboleth Lockout

Google’s School for Hackers

 

Google is offering programmers their own personal sandbox application—called Jarlsburg—and hints of how to exploit the common vulnerabilities purposefully left in it. Although Google is basically walking folks through how to attack apps, publicizing this info is a necessary evil in order to build safer programmers. We have to start thinking of each line of code, cookie, HTTP request, and configuration option as another attack surface.

The table of contents lists the who’s who of vulnerabilities (though there are a lot more out there). Several of these attacks no one would’ve even dreamed of a few years ago, so the sad reality is that the web is chock full of vulnerable “legacy” apps just waiting to be exploited—unless we can fix them in time.

  • Cross-Site Scripting (XSS)
    • XSS Challenges
    • File Upload XSS
    • Reflected XSS
    • Stored XSS
    • Stored XSS via HTML Attribute
    • Stored XSS via AJAX
    • Reflected XSS via AJAX
    • More about XSS
  • Client-State Manipulation
    • Elevation of Privilege
    • Cookie Manipulation
  • Cross-Site Request Forgery (XSRF)
    • XSRF Challenge
    • More about preventing XSRF
  • Cross Site Script Inclusion (XSSI)
    • XSSI Challenge
  • Path Traversal
    • Information disclosure via path traversal
    • Data tampering via path traversal
  • Denial of Service
    • DoS – Quit the Server
    • DoS – Overloading the Server
    • More on Denial of Service
  • Code Execution
    • Code Execution Challenge
    • More on Remote Code Execution
  • Configuration Vulnerabilities
    • Information disclosure #1
    • Information disclosure #2
    • Information disclosure #3
  • AJAX vulnerabilities
    • DoS via AJAX
    • Phishing via AJAX
  • Other Vulnerabilities
    • Buffer Overflow and Integer Overflow
  • SQL Injection

Another Great Drug War Moment

 

From Radley Balko:

In February, I wrote the following about a drug raid in Missouri:

SWAT team breaks into home, fires seven rounds at family’s pit bull and corgi (?!) as a seven-year-old looks on.

They found a “small amount” of marijuana, enough for a misdemeanor charge. The parents were then charged with child endangerment.

So smoking pot = “child endangerment.” Storming a home with guns, then firing bullets into the family pets as a child looks on = necessary police procedures to ensure everyone’s safety.

Just so we’re clear.

Now there’s video, which you can watch below. It’s horrifying, but I’d urge you to watch it, and to send it to the drug warriors in your life. This is the blunt-end result of all the war imagery and militaristic rhetoric politicians have been spewing for the last 30 years—cops dressed like soldiers, barreling through the front door middle of the night, slaughtering the family pets, filling the house with bullets in the presence of children, then having the audacity to charge the parents with endangering their own kid…

There are 100-150 of these raids every day in America, the vast, vast majority like this one, to serve a warrant for a consensual crime.

But Jonathan Whitworth won’t be smoking that pot they found in his possession. So I guess this mission was a success.

Uh-Oh: Firefox’s Unique Session Cookie Behavior

 

By now, Opera’s invention of restoring tabs automatically is available in most browsers, but unlike every other browser, Firefox’s restored tabs retain session cookies for the domains of the saved tabs Firefox restores all session cookies as if the browser were never closed. This is handy in some ways, but dangerous in others:

It’s fooling web developers by breaking a very old and widely-known convention. Since Netscape’s original spec (around 1994) a cookie with an empty/missing expires was to be discarded “when the user’s session ends” (later clarified as “when the user agent exits” in RFC2109), and thousands of prominent web pages describe “session cookies” this way.

A common session design pattern uses a persistent cookie to establish low-level identity info and a session cookie for full authentication. Developers may not know that their full auth period may be lasting days or weeks, including trips to insecure wifi spots, browsing by multiple users, etc.

It’s fooling users. No one thinks of a single browsing “session” as encompassing several days of browser usage just because the same tabs were open, and users frequently read that they need to simply exit their browser to ensure their session is ended.

Recommendations

  • Be aware that Firefox session cookies can linger for days, despite the user having closed their browser.
  • Manage session timeouts on the server-side and/or via HMAC-signed timestamp values in the cookie contents (don’t let the client decide how long a session should last).
  • If you can, include secure in the cookie header. Firefox does not restore HTTPS session cookies. Realize that in later FF versions, “secure” cookies also are restored.
  • If you give out session cookies with unique names, have your application clean these up when they’re no longer needed. If you don’t, your Firefox users could suffer from…

Cookie Accumulation Torment

This annoying situation occurs when Firefox gains so many local cookies that the web server begins to deny all your requests. Deleting some or all these cookies is the only way to fix the issue because—yay—the problem session cookies persist across browser, and even OS, restarts.

Big Shibboleth Implications

If your Shibboleth-authenticating app maintains its own session, make sure that the “sign out” function searches for and deletes the local Shibboleth cookies (or that the SP sets only “secure” cookies). Otherwise this could happen:

  1. Jane “signs out”, closes Firefox, and lends her computer to Sally.
  2. Sally opens Firefox and clicks “sign in”.
  3. Sally is instantly authenticated into Jane’s account!

Jane’s application session was over, but Firefox allowed her Shibboleth session to live on.

Also, since Shibboleth gives out uniquely-named session cookies (prepended with _shibstate), failing to clean these up will lead Firefox users to the aforementioned torment. If the user has an app open all day every day, count on her gaining at least one cookie per day.

Real Shocker: Drug Enforcement Increases Violence

 

Remember Calderón’s It’s-OK-if-criminals-kill-criminals argument? In light of the new study that finds increasing drug enforcement increases violence, our last drug czar weighed in:

The former drug czar, John Walters, said the researchers gravely misinterpret drug violence. He said spikes of attacks and killings after law enforcement crackdowns are almost entirely between criminals, and therefore may, in a horrible, paradoxical way, reflect success.

If only we could regulate more behaviors with so much bloodshed.

[via Pete Guither]

New Bass

 

Ibanez AGB140 Bass

Craigslist comes through with a huge step up from my crummy Precision bass knockoff. Sounds golden, great action (a joy to play), even volume & tone all across the fretboard. Love it.

23,000

 

…Deaths in the last three years of Mexico’s drug war. While U.S. prohibitions create thousands of criminals, Calderón reassures us they’re mostly killing each other. Of course plenty of cops, govt. officials, and innocent kids are in that figure, too. With the Mexican economy going South—especially tourism—parents will just have to hope their children don’t go into…the only highly profitable industry.

I see this situation as definitive proof that our current drug policies are immoral. At the very least the federal government should not strong arm other countries into fighting the supply of drugs into the U.S. We have no business imposing these harms outside our borders.

Mexicans would be wise to boot their “wage war on the cartels” politicians and try to regulate the supply chain, or return to the good old days when suppliers to the U.S. market were quietly ignored by law enforcement.

Walter McKay provides ongoing coverage on the LEAP blog.

Patent Absurdity

 

Don’t miss Patent Absurdity, a free half-hour documentary that “explores the case of software patents and the history of judicial activism that led to their rise, and the harm being done to software developers and the wider economy.”

When you open the page, the embedded video begins without human interaction, a violation of an Eolas patent. British Telecom tried to patent the hyperlink that took you to the page. The page probably results in transmission of a JPEG to your computer, a violation of a Forgent Networks patent. The browser you’re using is free in part because of the many patent-unencumbered open-source libraries and concepts its built upon: The concept of the “window” and the “tab”, the libraries that parse HTML, CSS, and Javascript and compress those resources over the wire; the TCP, IP, and HTTP protocols that made the internet bloom world-wide. The OS clipboard (“copy/paste”) that helped developers to build and reuse those libraries.

Had the modern interpretation of software patent law existed in the 60s, our computers, and the state of technology in general, might be very different. The clumsy technology in “Brazil” comes to mind.

With so much of the world’s economy and productivity now tied to software, the proliferation of software patents and worse—areas where those laws can apply—threatens to severely stifle innovation and funnel ever more of our resources into the pockets of law firms and of patent-trolling organizations that exist simply to extort from others.