#StackBounty: #security #response-headers #nwebsec .net core 3.1 api subdomain security response headers

Bounty: 50

I have an application stack that uses several subdomains of subdomains, e.g. develop.api.module.mydomain.com

develop.api.module.mydomain.com is a .net core 3.1 API

I set the headers using nwebsec.aspnetcore.middleware, e.g.:

        app.UseXfo(xfo => xfo.Deny());
        app.UseXXssProtection(options => options.EnabledWithBlockMode());
        app.UseXContentTypeOptions();
        app.UseReferrerPolicy(opts => opts.NoReferrer());

When I make a request to the API at this URL I can see the response headers are set correctly, as expected.

BUT! securityheaders.io isn’t happy 🙂

Is that something I can fix in terms of getting securityheaders.io to recognise the response headers are indeed coming back?


Get this bounty!!!

#StackBounty: #asp.net-core #security #csrf Why is aspnet preventing browser page caching when a csrf token is present?

Bounty: 50

As documented here, generating a csrf token with asp.net will also prevent the response from being cached by the browser.

Generates an AntiforgeryTokenSet for this request and stores the cookie token in the response. This operation also sets the "Cache-control" and "Pragma" headers to "no-cache" and the "X-Frame-Options" header to "SAMEORIGIN".

I initially assumed that this decision was made to prevent users from submitting a "stale" request token by using the browser "back" button. I later noticed that this might not be the reason, since:

  • asp.net keeps the same cookie token for the whole session.
  • asp.net allows the same request token to be submitted many times as long as the cookie token doesn’t change.

So, from my current understanding, using the browser back button and submitting a cached HTML page should not be a problem?

What is then the justification for disabling browser page caching when it contains a csrf token? Is this a security best practice?

EDIT

As @serpent5 rightfully pointed out, the header Cache-Control: no-store ensures that a public cache won’t cache the response and serve it to a different user. To clarify, I am more specifically interested in knowing if enabling browser caching (Cache-Control: private) would have a negative impact on security.


#StackBounty: #security #docker #authentication #docker-registry #devops System-wide Docker login?

Bounty: 50

Is there any way to log a whole machine / Docker daemon into a registry?

Everything I see about docker login and various proprietary credentials helpers uses ~/.docker/config.json, i.e. is per-user.

I have a situation where I would like to pull images from a private registry; multiple people have both arbitrary sudo access on those machines and should be able to use Docker against our registry.

Since Docker access should be read as root access to a machine anyway (i.e. user credentials are not mutually safe if they can run Docker), and sudo access is the same but direct, I would like to just cut to the chase and log the whole machine in without every user having to jump through hoops.

I could provide one file that everyone could link to their config.json, but I would prefer if it was just taken care of from the first login on each machine.


#StackBounty: #linux #networking #security #iptables #linux-networking Is there a way to obtain CPS and Throughput metrics in Linux?

Bounty: 100

I want to analyze my Debian 9 server’s network workload to detect some possible network overloads.

The main metrics I need to analyze are:

  • CPS (connections per second)
  • Throughput

Is there a way to obtain these metrics from within Linux?
I thought that the CPS metric could somehow be obtained through conntrack NEW connection events, but I am not sure that this would be the most proper way.

Sorry if obvious.

P.S. This server handles not only local traffic; it also forwards a lot of traffic.
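Added example, not part of the question: a small Python parser for the `conntrack -E -e NEW -o timestamp` event stream, run over constructed sample lines, that buckets NEW events per second and per protocol/port so CPS spikes can be spotted (it says nothing about throughput). The sample lines and the 50-connections-per-second threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `conntrack -E -e NEW -o timestamp` output (not a real capture).
# DESTROY/UPDATE events are included to show they are ignored.
SAMPLE = """\
[1700000000.104211]\t    [NEW] tcp      6 120 SYN_SENT src=10.0.0.2 dst=10.0.0.3 sport=51234 dport=443 [UNREPLIED] src=10.0.0.3 dst=10.0.0.2 sport=443 dport=51234
[1700000000.377802]\t    [NEW] tcp      6 120 SYN_SENT src=10.0.0.2 dst=10.0.0.3 sport=51235 dport=443 [UNREPLIED] src=10.0.0.3 dst=10.0.0.2 sport=443 dport=51235
[1700000000.901144]\t    [NEW] udp      17 30 src=10.0.0.9 dst=10.0.0.53 sport=40001 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.9 sport=53 dport=40001
[1700000001.012345]\t    [NEW] tcp      6 120 SYN_SENT src=198.51.100.7 dst=10.0.0.3 sport=60000 dport=443 [UNREPLIED] src=10.0.0.3 dst=198.51.100.7 sport=443 dport=60000
[1700000002.500000]\t [DESTROY] tcp      6 src=10.0.0.2 dst=10.0.0.3 sport=51234 dport=443 src=10.0.0.3 dst=10.0.0.2 sport=443 dport=51234
"""

# "[<secs>.<usecs>]  [NEW] <proto> <protonum> ... dport=<port>"; the first dport= is the original direction.
NEW_RE = re.compile(r"^\[(\d+)\.\d+\]\s+\[NEW\]\s+(\w+)\s+\d+\s+.*?\bdport=(\d+)")


def cps_per_second(text):
    """Return (total NEW events per second, per-second Counter keyed by (proto, dport))."""
    breakdown = defaultdict(Counter)
    for line in text.splitlines():
        m = NEW_RE.match(line)
        if not m:
            continue  # not a NEW event (DESTROY, UPDATE, or unparsable line)
        sec, proto, dport = int(m.group(1)), m.group(2), int(m.group(3))
        breakdown[sec][(proto, dport)] += 1
    totals = {sec: sum(c.values()) for sec, c in breakdown.items()}
    return totals, breakdown


def overloaded_seconds(totals, threshold):
    """Seconds whose new-connection rate exceeded the threshold (threshold is a constructed value)."""
    return sorted(sec for sec, n in totals.items() if n > threshold)


if __name__ == "__main__":
    totals, breakdown = cps_per_second(SAMPLE)
    for sec in sorted(totals):
        print(sec, "CPS =", totals[sec], dict(breakdown[sec]))
    print("over 50 CPS:", overloaded_seconds(totals, 50))
```

To use it on a live box, pipe `conntrack -E -e NEW -o timestamp` into the parser instead of SAMPLE; on a forwarding host the counts include forwarded flows, not just local ones.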


#StackBounty: #google-chrome #security #google-chrome-extensions #chromium Chrome uses Preferences and Secure Preferences to manage ext…

Bounty: 100

I found this post: What is the difference between Preference and Secure Preference file in Google Chrome?

But I want to know further: when does Chrome decide to use the Secure Preferences file and when the Preferences file for maintaining extensions?

Because I found that on my computer the newly installed extension’s manifest.json file’s whole content is copied to the Preferences file, which means Chrome uses the Preferences file to maintain my extensions. In this case, my Secure Preferences file has only one line, as below:

{"protection":{"super_mac":"abc123xxxxxxx"}}

While on my colleague’s computer the installed extension’s manifest.json file’s content is not copied to the Preferences file but to the Secure Preferences file, which means Chrome uses the Secure Preferences file to maintain his extensions.

Why? What is the factor for Chrome to decide whether to use the Preferences file or the Secure Preferences file for maintaining the extensions?


#StackBounty: #security #keccak #proxy-contracts #eip eip-1967 address calculation

Bounty: 50

I have read EIP-1967 and I have studied how proxy contracts work.

There is something I do not understand in EIP-1967.

Here is what I have understood:

  • Logic contract’s storage variables are stored in the proxy contract’s memory.
  • The proxy contract contains its own storage variables.
  • We can have a big problem if a logic contract variable has the same address as a proxy contract variable address.
  • For this reason, proxy contract variables are stored at 3 specific addresses (we have only 3 storage variables in the proxy contract).
  • The goal of this EIP is to specify 3 addresses and to say to all compilers and EVMs that they should NEVER store a variable at these addresses.

In my opinion, the people who wrote this EIP could choose any address. The important thing is that everyone agrees with this address choice (compilers, EVM, …). They chose these addresses:

  • 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc (obtained as bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1))
  • 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50 (obtained as bytes32(uint256(keccak256('eip1967.proxy.beacon')) - 1))
  • 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 (obtained as bytes32(uint256(keccak256('eip1967.proxy.admin')) - 1))

That’s fine, but I am wondering something: why did they put a -1 in the address calculation?

The EIP says:

Furthermore, a -1 offset is added so the preimage of the hash cannot be known, further reducing the chances of a possible attack

I do not understand how this -1 offset can reduce any chance of a possible attack… The hash is known by everybody. Can anyone explain which kind of attack this -1 protects against?

I have looked at an OpenZeppelin implementation (TransparentUpgradeableProxy.sol) and here is what I saw:

bytes32 private constant _ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

constructor(...)
{
     assert(_ADMIN_SLOT == bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1));
     ...
}

My question is: how can this assertion be false? What is the goal of this assertion in the constructor?

Thanks a lot


#StackBounty: #wp-query #security #sanitization Does WordPress sanitize arguments to WP_Query?

Bounty: 50

This is a very straight-forward question, but it’s important and I can’t find anything definitive in the docs.

This question asks a similar question for the 's' parameter specifically. I want to know whether WordPress validates/sanitizes any of the other parameters. For example, do the terms in a tax_query get sanitized automatically?

Clarification:
This is a technical / engineering question about specifically what the WP_Query class does with particular parameters. Several recent answers offer philosophical advice and general best practices regarding validation/sanitization. But that’s not what this question is about. My goal is to compile facts rather than opinions.


#StackBounty: #security #gdb #packet-sniffers #sniffing #sniffer How to prevent snooping by user of Mac app?

Bounty: 250

I am creating a Chromium/Electron based Mac app. The app is essentially a browser for my customers to use a web service that I have no control over. My requirement is that users of my app (who may have root access on their Mac) should not be able to view the URLs the app is visiting, and should be unable to gain access to the cookies the app is storing. Normally it is not hard to MITM yourself, or attach a debugger to an app and dump memory to see the URLs and cookies.

How can I prevent these types of leaks to the user? If it’s impossible, it may be acceptable to make it very hard so that a very high level of sophistication is needed.
