Web Security with Python | GET query (in)security

Cyber Security Python
Transcript

English (Auto-generated)

Hello everyone this is hez I am redoing a video that I had just finished because my computer crashed so I thought about just making another video closing it up But let's just start from scratch. So we are making an app as our junior dev where basically someone just logs in. Okay we're going to implement the bare minimum. In reality we already have the code here but we could rewrite this but it's very simple. So I'm gonna guide you through it very quickly. We have here our users I made one user called Root we have an index where we read an index page which I'll show you in a moment just a little html login form and then we get the uh the form data from that which is sent as they get which is sent as get parameters which is the default behavior of a form. We check if the credentials they sent us match any that we have which is only this one and if so we let them know they're authenticated and if not we reject it. So here's our html it's a simple log log in form, input the user name, input the password and submit and we will run it just to show you how it works. And I gotta Gotta set the flask app variable 1st and I said it to hello because I am foolish. It should be the name of the file which is off app try that again and we are off to the races so oops, there we go so we have our user name and password. I'm gonna log in as root the real user and you can see here that we've successfully authenticated. So here's our user name and password. Okay. This is where our Junior dev Dave is happy with his work. He's figured it out and that's all he has to say on the matter. So is there anything wrong with doing this? Is there anything we should be doing differently? Okay. We have a form and the form is default behavior is to send the data as a get request. Okay. It sends it to this login which is our code right here. What's the problem? Well the problem is this imagine we're in a library. Okay. And I log into a site like this and I'm very very careful to log out afterwards because I don't want other people stealing my account. Someone goes into the history and there it is right there in the U. R. L. And just in general I mean U. R. L. Is is somewhat more public than um then like cookies or something like that let's say right there's a degree to which it is just seen as something that can be accessed. For example, someone could be looking over your shoulder right to use a very primitive example. So all our hacker harry literally is gonna do it. He's gonna do something like look at the history or look over their shoulder or even if they were to click a link, a user controlled link certain browsers might send the query data as part of the referral as a referral header. Uh Firefox doesn't do that. I don't know if any modern web browsers still do that but according according to the documentation of the referral header which I can put up for, I was reading earlier um maybe I'll link to it in a comment or something. That is a possibility that is valid for the referral header. Let's look at that refer smith spelled as a header. Like I know I misspelled it here but that's actually the way you're supposed to spell it. Anyway, refer header. Query parameters, parameters should not be spelled like that. So the referral header can contain an origin which is like you're actually you are L. A. Path which is this slash blah blah blah. And your query stream which is here the user name and password. It won't contain fragments like when you have section and it automatically goes to that section. Um that's cool. And it won't have user name Colin password. That's not this this is the query string. That's when you do that's when you have something like user call in password app which allows http authentication which is completely unrelated to what we're doing here. In other words don't think that because it says that you can do authentication this way. It is not protected. So that's all hacker harry has to do. He has a really easy time getting these credentials because of the way that they are being used because it's very insecure. So what can we do instead? That's the question. What's the alternative? Well the alternative would be instead of a get request where we send everything in the U. R. L. We could use a post request. Okay a post request. And what's the difference and get requests. We send it in the U. R. L. And in a post request. Where do we send? Well to understand that we have to understand a little bit more about http. So let's make an http request to our own little website. Let's just see what it actually manually looks like. I've done 45,000 using a tool called net cat here. It's a very common networking tool but I'm gonna zoom in to make it more legible so we can get something like slash login. And we just put these things right here. Right? User name equals root and password equals tour. If you don't know a lot about http. I highly recommend doing these kinds of experiments because it is very educational and there you go, congratulations you've authenticated. Right? Uh in a post because when you get request we send it here in a post request. It's a little different. In a post request we have this little we tell them how many bytes were going to send. And we basically we have a little section below where we send it. That's not that doesn't show up in the U. R. It just shows up there which means that people can see the U. R. L. They can't see the post data which is which is safer. Right? It's more obscure. You might say it's more hidden. Um Yeah we can maybe I can even send a post request to Net Cat just so you guys can see it. Let me try that. Let's set this html form Instead of its action being that we're gonna say it's action to be something like one. We're gonna send it to the local host at report instead of 5000 to 8000. And this is the real fix. I'm gonna set the method to be post. Okay the message is gonna be post now it's gonna post and we're gonna get to see what that post request actually looks like because we'll be listening with Net Cat. So we'll say Net Cat dash l. And we'll tell it to listen on port 8000 now. So that cat is gonna listen on port 8000 and we're just gonna post some data to it. Okay so I'm gonna set this to send it to 48,000 and it's gonna post some data. Good. Okay so let's post some data to 48,000 and see how it looks. User name is gonna be something password is gonna be something and we submit and don't save the login. Okay. And let's look at net cap. Uh let's see what I did wrong. Maybe maybe I think I think I thought it was like a local thing. So I tried again MIT and there you go. Now it's loading and loading and loading right? Because Net Cat obviously isn't gonna respond and we'll just send and obviously it rendered it. So let's look at what it sent us. So here here's our here we're listening to his post to slash login using http 1.1. The host local host 8000 user agent Firefox on a Mac. It wants me to speak us english the origin but where was the post data? It was here here's the post dated the user name sts and password this so that won't show up as part of the U. R. L. Which means that when you are get stored in things like history or is visible up here. Um That's an issue for get requests but with post requests it's stored by the browser itself and hidden in this little area and sent to the server. So we have some extra security there. Great. So now we've got to look at post requests has been a fun little trip through http. No that's our fix. Our fixes to use a post request. We're already doing that here but here we're still going to be looking for these uh we're still gonna be looking for get parameters which are gonna be being sent anymore so we're gonna have to change that and unfortunately I forget how it's done. So let me look this up flask for me that I already googled it. How sad is that? Um Okay, request dot form. How obvious too. Okay, so this is a dick. It's actually, it looks like a dick. I'm accessing it like a dick. There's actually like a special class called a multi dick, which has some additional features, but from the perspective of someone like me who isn't very advanced and flask, we can just think of it as a dick. So this form comes in something that's pretty much addict, you have to restart it because we changed part of the actual servers code and let's go back. Oh, let's see what I broke, I love breaking stuff. Oh it's on 5000. Remember we tried to post to 8000, so we were on 8000 now. So we are route, this is two or submit And I didn't change the HTML back. It's still trying to post the local host 8000 to our little net cat server I made to show you guys how post works. Let's go back here and just get rid of that. There we go. That was that was a silly mistake on my part but silly mistakes are fun. Very educational method not allowed. Uh So what that means is that here right here? This login is just expecting get requests. It's not expecting post requests. All we have to do, there's some, it's something super simple I think the way we do it is like this we just say like the methods equal and give it all the allowed one. Obviously the only allowed method would be post right? Someone's posting a login information. We don't want that by post. Yeah it's really this method so we'll just say methods equals and there's only one allowed method which is post. Okay I'm gonna refresh, we're gonna resend the same data and congratulations. You have authenticated as you can see there is nothing up here to show up in the U. R. L. It won't show up out of history. If we click a link here it won't be part of the refer. Like if you were using some ancient version of Internet Explorer maybe that would be an issue and someone can just look over our shoulder and see it so we can. This is the this is the version of the code that maybe senior dev Samantha would. Right and correct Junior dev Dave with Thanks to the intervention, the devious intervention of hacker harry. There you go. This is why you do not want sensitive data to ever be sent via get requests. Even if it's an immediate redirect, you log in, send the password and redirect them because at least then it's still gonna show up in the history and that's no good um in the video description I have attached a link to the C. W. E. Which is the category of vulnerability that this falls under. If you click that link here I can just open it up actually if you click that link as all kinds of cool stuff about how this can be used to do horrible horrible things as a description of it. You know the query string can be saved in your browser's history past the reverse stored in weblogs. That's all true. Right. I mean imagine it's in the log somewhere and the log maybe isn't as secure as the database. Not only that. Think of this when when websites store your password how do they story? They store the password hash they store a hash of the password. Right That way if hackers ever steal it they don't have your real password they just have a hash and they can't use something like a rainbow table to just get the original password out of the hash because it's salted if you guys don't know what that means, we'll do a video on it soon. Um But if there is a log a weblog of every request and it has all the passwords there has all these you RLS in plaintext, there's all the passwords that's a huge security liability. Um I don't know if you guys remember a few years back when facebook got in trouble for having um unencrypted or unhatched passwords in some logs that got stolen. So I don't know if it got stolen. It may have been leaked like that. That was an issue. I don't know if anyone ever actually hacked it but in any case it was bad. So I hope this has been educational for you. This is about the use of get request method with sensitive query strings and why it's an issue. Um post is the way to go. So thanks a lot for your time. I hope you learned something and we will have another video for you coming shortly. This has been his looking forward to next time.
118 Views 0 Likes 0 Comments

GET and POST are more than just semantics. For security engineers, choosing one or the other has real safety consequences. https://cwe.mitre.org/data/...

Comment
Leave a comment (supports markdown format)