Web Security with Python | Secure Logging

Cyber Security Python
Transcript

English (Auto-generated)

everyone it is your boy has. And today we're gonna learn about secure logging. So you should be able to see my screen and access this code inside of the code editor. Right now we have, if you look at our app dot pi we have something that just redirects you to this index dot html page. So first let's take a look at this index dot html and see what we're working with. Okay. So you have a page that takes in a password And we can pass the password 123456. And it gives us a welcome. So it's a simple password page using a get parameter. Which is bad because then it'll show up in uh it'll show up in the browser history and other places where the U R L is visible. But we'll just say this is what we're given. I mean we're the we're the back end developer, not the front end developer. So let's just say we can't do anything about that. Or maybe it's some legacy software that we're stuck with. Right? So what we want to do is we want to add logging. Okay. And we want our log to be accessible over the web so that we can say, you know, slash static slash, you know, like log dot txt and see all the incoming requests. And just use that monitor traffic just to make sure that we're not being ddos or whatever. We might plug it into some of the monitoring solution. So instead of flask dot run we're going to pass that over normally would just redirect you just redirect to like static, you know server dot log. So I want to see the output here. So I'm gonna use the Linux XP command. He will write to this file but it will also show us the output here. And I'm gonna redirect the file descriptor too. I'm gonna redirect it back into one that will give us standard error as well because I also want to see errors inside of there. So this is also kind of a bash scripting or Linux shell lesson for those of you interested in that side of things. Okay. So if we run that we will now get access we will not have this log which we can see inside a static we have server dot log. Okay. And we can see it has the same output here is in server dot log. Alright, wonderful. So we start making some requests. Let's go to let's make sure that the server dot blog and we see that the log is in fact they're great. So let's go back to that index page and start making requests and this is gonna be super simple. Super simple vulnerability. A lot of you can already guess what the issue is but we start coming in we get password, that password that people start putting in their passwords obviously there's only one password if you if you read index dot html it says the password hard coded in there, we're gonna pretend this was something secure, I just hacked that together so you guys can see why logging this way is bad and let's see why logging this way is bad. Yeah, so we have the logs and we have static slash index dot html password equals 12. Yeah, that's that's an issue, isn't it? So we have our junior dev developing something, he decides to make the log publicly visible and as we can see the log is insecure. Right? I mean the log has passwords right there in it. So this is the this is an issue if you don't want to make logs like this public because sometimes sensitive data is passed inside of get requests. Um You see the same thing with Apache logs and genetics logs, other logs where you're like, oh I'll make a log public so we can see just what requests are coming in. Right. No harm in that. It's not like it's gonna show post data, but sometimes sensitive data is shown inside of the gap parameters. It's just an issue. So what will we do to fix this? Well, there's a few things for one a log like this simply should not be public. So we could add authentication here. That would be good. Um We could add a simple authentication mechanism where you log in and you have to be an admin. So that would be the first thing. So right now we're writing this log to wear just static server. Right. What we would want to do is just right it locally, remove the static server log and instead write it here where they don't have access to it. There's really no need for them to have access to that if they don't have access to the server itself, so we'll move the log out from where they can get it and make it not public. But another thing we could do and stop accepting credentials via get requests. That would be a front end solution so we don't really have to worry about that here. But if we wanted I mean for example, instead of handling this authentication, hard coded on the front end, you know, we can take a simple post request right here. So you know we used to like app route, I'll save this offense that you guys have access food and mira. Yes. Okay. You guys have access to it in your code editor dot route and uh huh I have this little ai code and everything. Co pilot. It's super cool. Okay so we'll say I'm trying to convince it to do some some cool little tricks for me. Yeah, there you go. It should I was supposed to be able to auto fill and do all these cool things so let me just wants me to if user name equals admin, no password check I guess. Okay. But yeah we would check if the user name equals whatever and then check if uh if that matches a passport we already have. So we could even do that right now. Let's just real quick. I think this is a pretty short podcast. Hopefully haven't taken up too much of your time. Yeah, we're five minutes and I think we have time to add a simple authentication mechanism for these logs. Okay. So we'll just make we're literally gonna use an in memory database in the form of a dictionary. So I have users we'll just have the one user admin, sorry, name. And the user name will be like admin and the password will be something I don't know. We'll use the same one as before. 123456 dot accepts an insecure password. We're just doing this as sort of concept. So we'll say if user name is not in users. All right. That's bad. These are not found borrow four if users use your name. Oh yeah, I see what I did here. We have the one single user. We'll just call this the user in that case. Sorry. So I'll say in that case I might as well just have it hard coded. Yeah, we'll have this be users and users should of course be sorry. I'm a little foggy today. It's a little early where I am. So forgive me forgive me. So this will be an array of dictionaries which dictionary represents the user. There we go. And now we're thinking. Okay. So if users okay, if any, you know how to use any of the iterable first and then Okay. So if any and we needed to convert these to true and false for any to work. I would say if any user dot is your name using a list comprehension attorneys into true or false values for any of this kind of advanced advanced python. For those of you who aren't super familiar with python, but it's okay. So for each user in users, for each you and users, we're gonna make sure that that user we're going to see if any of their user name equals hard user. So in fact it might even be better. Let's just use a simple for loop. I'm glad we're stretching this out because I want to do some coding today. So I'll say for you for user in users if user name equals user name, what we want to say and user password it was password. Then we can go ahead and sit and give them the logs. So this is actually supposed to be for our logs. Right? So we'll say so we have to have a way to get this password and I forget how to get a post body. And uh flask. So let me just look that up flask. Post body. Mhm I think we can use request dot form. Actually let me just look at a platform that I forget this all the time. But is it again it's request dot form? Yeah. Okay. so we'll get request to import it up here and we will just know that the password equals request dot form which is a dictionary like object you can use dot get on it or we can use if you want to default value we can use yeah. Okay. Oh get the password and if they all match we return the log so there's a way you can actually using a flat flask server file. I forget how to do this. Hey hey my my sincerest apologies send file right. Something like that. I mean I can always just read it and serve it but that's not cool. I want to do this like what I would normally do is I would just okay you do app dot sense static file but what I would have done if I was just being intuitive is just read the file and uh like using open and read and all that python stuff but I didn't want to do that because I didn't want to do that because hold on, logging failed for a one. The reason I didn't want to just open the files because I want to do things the flask way even though I'm not some super flask developer we want to do things as well as we can and also learn together. Right so okay the time has come we have to actually try it out so I'm not gonna do it in the browser this time. I'm gonna do it here in my criminal because I'm gonna use curl. Oh and I have to make, I think by default has already lost. So I was gonna say I have to allow posts and I have to change the name away from login now. It should be logs. Sorry. And there's really no need for it to accept to use your name here in the U. R. L. Anyway. So I'll just call this logs. I call it the view logs. That's actually just one log. So view log. Okay. And we'll accept the user name also as a form parameter. Mm hmm. So we have you log amount to restart the server for it to notice that change. Okay. Yeah, I'm writing to local server dialog with us. That's okay. Okay. So view log we get method not allowed. So I will in fact have to allow, we'll have to allow post and in fact post is the only method I want to allow here. Okay, so let's try that again. Internal server error is neither of those things were found because this requires I still have it requiring that positional user name argument. There we go login failed. Great. That's that's what we would expect. So now I'm gonna add some form data which I think in curlers dash F. Let me look that up again, curl, add form data. I love looking stuff up. That's F. Okay. Okay. So we'll say dash F. User name equals um, let's try the real user name, user name equals admin and another dash F. I think we have to do that for each one it said. And I used curl just enough to have an idea of how to do everything, but just rarely enough to forget everything every time. And it's mad that requested U. R. L. Was not found on the server. Okay. So I'm doing something pretty bad here. Let me look again and see if I'm using curl. Right. So it should be exposed dash F. Dash F. That looks pretty correct considering what I did. Okay. Let's see. So we're getting view log and it's giving us just literally a 404. Let's try the previous request where I didn't include them at all. It looks like I broke something. Yeah, login failed and dash F for each one you just know this is one of those instances where you're forgetting something super obvious. You know, it's so weird that it's giving me 404 and then later earlier it actually did give me, it did give me this 401. So Oh right. Because okay. So it's trying to send a static file, right? And I think it's looking inside of the static directory. In other words, sense, static file is the one who is not working. Okay. That's fine. I'll literally just use with, I'll just open the file and read it. I think it does want it to be inside of the static log. It doesn't want you reading stuff locally like that server log. Mm hmm. Yeah. Well just read the file. Let's see if that does the trick. Okay. So that, that actually works only if you can tell here. But it actually does give us the server log. Let's try with the wrong password. Let's see that gives us doesn't work. And now we can start seeing our requests from here. We'll even be able to see the ones that have passwords in them and then we can add that in. That's the wrong password. But that's okay. We should still be able to see it And yeah, we can see someone tried to log in with the password 3-3 and they got a 304 which is in the air they should get. That's because Javascript is handling that. But yeah, there you go. So we have made this logging is still not ideal. We should, we could even go further by sanitizing it, sanitizing the log for things. That might be bad. Just that even if someone were to exfiltrate the log, it wouldn't be as big of a deal. But for now, um, we've, we've made it so that there's at least some authentication on the log and that's certainly better than just the whole world being able to steal everyone's passwords. So I hope you've learned something about logging and what secure logging is all about. Hopefully you'll go and apply some of these principles if you ever implement logging and thanks a lot for your time, bye bye.
167 Views 0 Likes 0 Comments

What happens when you don't log securely? Let's find out!

Comment
Leave a comment (supports markdown format)