#StackBounty: #magento2 #security #cookie #form-key Magento 2: How to prevent form_key cookie being set twice?

Bounty: 50

I’m using Magento v2.4.1 and doing some security testing. One of the vulnerable results is that the form_key cookie is being set twice in the HTTP response, like this:

Set-Cookie: form_key=ANMOgcSCt33UqABtS; expires=Sun, 17-Jan-2021 02:43:11 GMT; Max-Age=3600; path=/; domain=test.m2.com; secure; SameSite=Lax
Set-Cookie: form_key=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=test.m2.com; SameSite=Lax

Is there a way to prevent this?


Get this bounty!!!
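An added check, not part of the question or of Magento, that scans the Set-Cookie headers of a raw HTTP response and reports every cookie name that is set more than once, flagging the issue-then-delete pattern and attribute mismatches such as the missing `secure` flag on the deletion header shown above. The response text is constructed from the two headers in the question plus one well-behaved cookie; all function names are this example's own.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed response, modelled on the two Set-Cookie lines in the question,
# plus one well-behaved cookie that should yield no finding.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: form_key=ANMOgcSCt33UqABtS; expires=Sun, 17-Jan-2021 02:43:11 GMT; "
    "Max-Age=3600; path=/; domain=test.m2.com; secure; SameSite=Lax\r\n"
    "Set-Cookie: form_key=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; "
    "path=/; domain=test.m2.com; SameSite=Lax\r\n"
    "Set-Cookie: PHPSESSID=c0nstructed; path=/; secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)
# Security-relevant attributes that should not differ between two headers for one cookie.
FLAG_ATTRS = ("secure", "httponly", "samesite")

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_deletion(attrs):
    """True if the header expires the cookie (Max-Age <= 0, else Expires in the past)."""
    if "max-age" in attrs:  # RFC 6265: Max-Age wins over Expires when both are present
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) <= 0
    if "expires" in attrs:
        try:  # "01-Jan-1970" (RFC 850 style) is normalised to "01 Jan 1970" for the parser
            expires = parsedate_to_datetime(attrs["expires"].replace("-", " "))
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires < datetime.now(timezone.utc)
    return False

def audit_set_cookies(raw_response):
    """Return {cookie_name: [finding, ...]} for every cookie set more than once."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    by_name = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() == "set-cookie":
            name, value, attrs = parse_set_cookie(hval.strip())
            by_name.setdefault(name, []).append((value, attrs))
    findings = {}
    for name, entries in by_name.items():
        if len(entries) < 2:
            continue
        notes = [f"set {len(entries)} times in one response"]
        first_attrs = entries[0][1]
        for _value, attrs in entries[1:]:
            if is_deletion(attrs) and not is_deletion(first_attrs):
                notes.append("issued and then deleted in the same response")
            for flag in FLAG_ATTRS:
                if (flag in first_attrs) != (flag in attrs):
                    notes.append(f"'{flag}' attribute differs between the two headers")
        findings[name] = notes
    return findings
```

Run it against a captured response of the page under test; a cookie that appears in the result is one where the last Set-Cookie header wins in the browser, so the deletion here leaves the client without a form_key.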

#StackBounty: #security #error-handling #cache #.htaccess #https HSTS Recommendations in .htaccess

Bounty: 50

Please see my previous post at the hyperlink below.

Thank you to Mr. White for the incredibly detailed answer on my previous post. Posting code for review here always proves to be more beneficial than I can ever expect. Case in point, I thought I had a grasp on all of the big ticket security implementations, and then Mr. White introduces me to HSTS. "YEAH MR. WHITE! YEAH programming SCIENCE!"

I’ve updated my file to account for an HSTS, along with many of the recommended changes. See the updated snippet below. I provide further details on my HSTS usage and sources at the bottom of this edit. I’d like to stress that implementing an HSTS is not to be taken lightly for anybody else new to it.

#IMPLEMENT HSTS
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>

#CUSTOM ERROR PAGES
ErrorDocument 400 /allerror.php
ErrorDocument 401 /allerror.php
ErrorDocument 403 /allerror.php
ErrorDocument 404 /allerror.php
ErrorDocument 405 /allerror.php
ErrorDocument 408 /allerror.php
ErrorDocument 500 /allerror.php
ErrorDocument 502 /allerror.php
ErrorDocument 504 /allerror.php

RewriteEngine On

#REDIRECT TO SECURE HTTPS CONNECTION
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#FORCE WWW TO NON-WWW
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

#URL EXTENSION REMOVAL
RewriteCond %{THE_REQUEST} /([^.]+)\.html [NC]
RewriteRule ^ /%1 [NC,L,R]
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^ %{REQUEST_URI}.html [NC,L]

#HOTLINKING PROTECTION
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|flv|gif|ico|jpe|jpeg|jpg|js|mp3|mp4|php|png|pdf|swf|txt)$ - [F]

#CONTENT SECURITY POLICY
<FilesMatch "\.(html|php)$">
    Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: 'unsafe-inline'; media-src 'self' data: 'unsafe-inline'; connect-src 'self';"
</FilesMatch>

#REDIRECT FOR DATE PAGE
RewriteRule ^date$ /storage/date-202010 [R=301,L]

#REDIRECT FOR HOME PAGE
RewriteRule ^home$ / [R=301,L]

#PREVENT DIRECTORY BROWSING
Options All -Indexes

#FILE CACHING
    #cache html and htm files for one day
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=43200"
</FilesMatch>
    #cache css, javascript and text files for one week
<FilesMatch "\.(js|css|txt)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
    #cache flash and images for one month
<FilesMatch "\.(flv|swf|ico|gif|jpg|jpeg|mp4|png)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
    #disable cache for script files
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>

#BLOCKS FILE TYPES FOR USERS
<FilesMatch "\.(ht[ap]|ini|log|sh|inc|bak)$">
Require all denied
</FilesMatch>

I decided to leave out any changes that were recommended for the #REDIRECT TO SECURE HTTPS CONNECTION, #FORCE WWW TO NON-WWW, and #URL EXTENSION REMOVAL sections, since Mr. White mentioned something about them being correct for HSTS.

Under his answer, Mr. White has noted in a comment that he will be updating his answer further, and it is my hope that he directs any further updates to this post.

HSTS Implementation

To note a few things that I’ve learned while researching HSTS:

  1. An SSL certificate is required.
  2. If your sites are available via HTTP, redirect all requests to HTTPS with a 301 Permanent Redirect.
  3. Include the following in your .htaccess file: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Max-age must be at least 10886400 seconds, or 18 weeks. Go for the two-year value.
  4. Add your domain to a preload list using the first link below.

I encourage everyone to read each source below for more information.

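As an added example (not code from the post), the following Python checks a Strict-Transport-Security value against RFC 6797 syntax and the preload-list requirements, and checks a single response against steps 2 and 3 above. hstspreload.org currently requires a max-age of at least one year (31536000 s), so that is the default threshold here; the header from the post is the sample input, and `audit_response` with its dict-of-headers argument is this example's own design.

```python
import re

# Header value from the post; the preload threshold is hstspreload.org's current one.
POST_HEADER = "max-age=63072000; includeSubDomains; preload"
PRELOAD_MIN_MAX_AGE = 31536000  # at least one year is currently required for preloading

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into {directive_lower: value}.
    Raises ValueError in the cases where a browser would ignore the header entirely."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing or doubled semicolon
        name, _, val = token.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip().strip('"')  # quoted-string values are permitted
        if name in directives:
            raise ValueError(f"directive '{name}' appears more than once")
        directives[name] = val
    if "max-age" not in directives:
        raise ValueError("required max-age directive is missing")
    if not directives["max-age"].isdigit():
        raise ValueError("max-age must be a non-negative integer number of seconds")
    return directives

def preload_problems(value, min_max_age=PRELOAD_MIN_MAX_AGE):
    """List what would keep this header off the preload list; an empty list means ready."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    problems = []
    if int(d["max-age"]) < min_max_age:
        problems.append(f"max-age {d['max-age']} is below the required {min_max_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in d:
        problems.append("preload directive is missing")
    return problems

def audit_response(scheme, host, status, headers):
    """Check one response against steps 2 and 3 of the list above.
    headers maps lower-case header names to values; host is the canonical hostname."""
    problems = []
    if scheme == "http":
        # Step 2: plain HTTP must permanently redirect to the HTTPS origin. Browsers
        # ignore HSTS received over HTTP, so the header is not expected here.
        location = headers.get("location", "")
        if status not in (301, 308):
            problems.append(f"HTTP response returned {status}, expected a permanent redirect")
        if not re.match(rf"^https://{re.escape(host)}(/|$)", location):
            problems.append(f"redirect target '{location}' is not https://{host}/...")
    else:
        # Step 3: the HTTPS response must carry a valid, preload-ready HSTS header.
        hsts = headers.get("strict-transport-security")
        if hsts is None:
            problems.append("HTTPS response has no Strict-Transport-Security header")
        else:
            problems.extend(preload_problems(hsts))
    return problems
```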

#StackBounty: #javascript #security #authentication #typescript #angular-2+ Angular Frontend login logic

Bounty: 50

This is a follow-up to this question Node.js backend login logic. I wrote the following login Angular frontend logic for my Node.js Backend (see the previous question above). Is it any good in terms of security, efficiency, building, async/sync, logging? SECURITY is my main concern.
Or, in a prettier format, the question would be:

  • SECURITY: Is my website secure in any way, shape, or form? I’m wondering if I could implement any security measures other than the ones that are built in to the methods provided by Angular. Isn’t the transmission of the password in plaintext a security issue? What about XSS and similar troubles? Can’t my login just simply be circumvented? That would be a critical mistake.
  • EFFICIENCY: Is how I’m checking usernames and password efficient? Is there any better way to do this?
  • BUILDING: Is how I loaded my website acceptable?
  • ASYNC/SYNC: I know I perform async and sync calls at the same time. Is there any problem with this?
  • LOGGING: I log all connections to the server, and all login attempts. Is this a good practice, or am I overdoing what logging is supposed to accomplish?
  • MISC: Are there any mistakes in the interplay between the backend and frontend? If I forgot some other important points about the code, I would be glad if you mentioned them as well.
    (Source: Login Server with Node.js)

My code:

authentication.service.ts:

import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { BehaviorSubject, Observable } from 'rxjs';
import { map } from 'rxjs/operators';

import { environment } from '../../environments/environment';
import { User } from '../models/user.model';
import { Router } from '@angular/router';
import { GlobalDataService } from './global-data.service';

@Injectable({ providedIn: 'root' })
export class AuthenticationService {
    constructor(private http: HttpClient,
                private router: Router, public DataService: GlobalDataService) {
        this.currentUserSubject = new BehaviorSubject<User>(JSON.parse(localStorage.getItem('currentUser')));
        this.currentUser = this.currentUserSubject.asObservable();
        this.LoggedIn = true;
    }
    public LoggedIn = true;
    public get currentUserValue(): User {
        return this.currentUserSubject.value;
    }
    private currentUserSubject: BehaviorSubject<User>;
    public currentUser: Observable<User>;
  getRedirectUrl() {
    throw new Error('Method not implemented.');
  }
  isUserLoggedIn() {
    throw new Error('Method not implemented.');
  }

  login(email: string, password: string) {
    return this.http.post<any>(`${environment.apiUrl}/api/login`, { email, password }, {withCredentials: true})
        .pipe(map(user => {
            // login successful if there's a jwt token in the response
            if (user && user.token) {

                // store user details and jwt token in local storage to keep user logged in between page refreshes
                // https://dev.to/rdegges/please-stop-using-local-storage-1i04
                localStorage.setItem('currentUserToken', JSON.stringify(user));
                this.currentUserSubject.next(user);
            }
            // set firstname & email of loggedin user
            this.DataService.loggedinfirstname = user['firstname'];
            this.DataService.loggedinemail = user['eMail'];
            this.redirtoDashboard();
            this.Toolbar();
            this.DataService.prefillSenderData();
            return user;
        }));
  }

  redirtoDashboard() {
      this.router.navigate(['order']);
  }

  Toolbar() {
      this.LoggedIn = !this.LoggedIn;
  }
}

login.component.ts:

import { Component, OnInit } from '@angular/core';
import { ActivatedRoute, Router } from '@angular/router';
import { FormBuilder, FormGroup, Validators } from '@angular/forms';
import { first } from 'rxjs/operators';

import { AuthenticationService } from '../services/authentication.service';

@Component({
  selector: 'app-login',
  templateUrl: './login.component.html',
  styleUrls: ['./login.component.css']
})
export class LoginComponent implements OnInit {

  returnUrl: string;
  loginForm: FormGroup;
  submitted = false;
  error = '';
  loading = false;
  public errorMsg = 'Please login to continue.';
  public redirected: boolean;
  public utm_source: string;

  constructor(private router: Router, private formBuilder: FormBuilder,
              private authenticationService: AuthenticationService, private activatedRoute: ActivatedRoute) {
      if (this.authenticationService.currentUserValue) {
        this.router.navigate(['order']);
    }
      this.activatedRoute.queryParams.subscribe(params => {
      const param = params['utm_source'];

      if (param === 'order' || param === 'work-document' || param === 'profile') {
        this.redirected = true;
        this.utm_source = param;
      } else {
        this.redirected = false;
      }
  });
  }

  ngOnInit(): void {
    this.loginForm = this.formBuilder.group({
      email: ['', [Validators.required, Validators.email]],
      password: ['', [Validators.required, Validators.minLength(6)]]
  });
  }

// convenience getter for easy access to form fields
get f() { return this.loginForm.controls; }

  onSubmit(loginsubmit) {
    this.submitted = true;
    // stop here if form is invalid
    if (this.loginForm.invalid) {
        return console.log('LoginForm Invalid');
    }
    this.loading = true;
    this.authenticationService.login(this.f.email.value, this.f.password.value)
        .pipe(first())
        .subscribe(
            data => {
                if (this.redirected) {
                  this.router.navigate([this.utm_source]);
                } else {
                  this.router.navigate(['order']);
                }

            },
            error => {
                console.log('Login->authservice->err: ', error);
                this.error = error;
                this.loading = false;
            });
}

}

login.component.html:

<div class="container">
  <div class="row">
    <div class="col-sm-9 col-md-7 col-lg-5 mx-auto">
      <div class="card card-signin my-5">
        <div class="card-body">
          <h5 class="card-title text-center">Login</h5>
          <br>
            <form [formGroup]="loginForm" class="form-signin" (ngSubmit)="onSubmit(this.loginForm.value)">
              <div class="form-label-group">
                <input #userName formControlName="email" type="text" id="inputUser" class="form-control" placeholder="E-Mail" required autofocus [ngClass]="{ 'is-invalid': submitted && f.email.errors }">
                  <div *ngIf="submitted && f['email'].errors" class="invalid-feedback">
                    <div *ngIf="f['email'].errors.required">E-Mail is required</div>
                  </div>
                </div>
                <br>
                  <div class="form-label-group">
                    <input #password type="password" formControlName="password" id="inputPassword" class="form-control" placeholder="Password" required [ngClass]="{ 'is-invalid': submitted && f.password.errors }">
                      <div *ngIf="submitted && f['password'].errors" class="invalid-feedback">
                        <div *ngIf="f['password'].errors.required">Password is required</div>
                      </div>
                    </div>
                    <br>
                      <div *ngIf="redirected">
                        <mat-error>
                          <p class="alert alert-danger">
                            {{errorMsg}}
                          </p>
                        </mat-error>
                      </div>
                      <button [disabled]="!loginForm.valid" class="btn btn-dark btn-block" id="loginSubmit" type="submit">Login</button>
                      <div class="forgot-password-link">
                        <a routerLink="/forgot-password">Forgot password</a>
                      </div>
                    </form>
                  </div>
                </div>
              </div>
            </div>
          </div>


#StackBounty: #security #error-handling #cache #.htaccess #https .htaccess Reccomendations

Bounty: 50

I have a personal website that’s used primarily for fun. I upload images, videos and text that I want to share. An HTML submission form accepts questions and string submissions from users, which uses a phpMyAdmin database table for storage.

The below snippet is my current .htaccess file. https://gtmetrix.com/ notes that redirects are the largest culprit in slowing down my page loads, but I’m unsure of how to streamline them.

RewriteEngine On

#REDIRECT TO SECURE HTTPS CONNECTION
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#FORCE WWW TO NON-WWW
RewriteCond %{HTTP_HOST} ^www\.MYDOMAIN\.com [NC]
RewriteRule ^(.*)$ https://MYDOMAIN.com/$1 [L,R=301]

#URL EXTENSION REMOVAL
RewriteCond %{THE_REQUEST} /([^.]+)\.html [NC]
RewriteRule ^ /%1 [NC,L,R]
RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^ %{REQUEST_URI}.html [NC,L]

#HOTLINKING PROTECTION
    #NOTE: having |html| and |htm| included prevented access to the site through browser search, so I removed them.
RewriteCond %{HTTP_REFERER} !^https://(www\.)?MYDOMAIN\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(css|flv|gif|ico|jpe|jpeg|jpg|js|mp3|mp4|php|png|pdf|swf|txt)$ - [F]

#CONTENT SECURITY POLICY
<FilesMatch "\.(html|php)$">
    Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: 'unsafe-inline'; media-src 'self' data: 'unsafe-inline'; connect-src 'self';"
</FilesMatch>

#REDIRECT FOR DATE PAGE
Redirect /date /storage/date-202010

#REDIRECT FOR HOME PAGE
Redirect /home /

#CUSTOM ERROR PAGES
ErrorDocument 400 /allerror.php
ErrorDocument 401 /allerror.php
ErrorDocument 403 /allerror.php
ErrorDocument 404 /allerror.php
ErrorDocument 405 /allerror.php
ErrorDocument 408 /allerror.php
ErrorDocument 500 /allerror.php
ErrorDocument 502 /allerror.php
ErrorDocument 504 /allerror.php

#PREVENT DIRECTORY BROWSING
Options All -Indexes

#FILE CACHING
    #cache html and htm files for one day
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=43200"
</FilesMatch>
    #cache css, javascript and text files for one week
<FilesMatch "\.(js|css|txt)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
    #cache flash and images for one month
<FilesMatch "\.(flv|swf|ico|gif|jpg|jpeg|mp4|png)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
    #disable cache for script files
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>

#BLOCKS FILE TYPES FOR USERS
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
</FilesMatch>


#StackBounty: #security #device-administrator Screen Lock Service as a Device Administrator

Bounty: 100

Background:

I was looking at the device administrators of my phone in the settings and saw a device administrator called "screen lock service". Its description is "Activating this administrator will allow the app Google play services to perform the following operations: set password rules".

A previously unsettled question is found here.

I searched the net for the apk file of the application but could not find one. So as per suggestions, I ran

adb shell dumpsys package resolvers | sed -n /android.app.action.DEVICE_ADMIN_ENABLED/,/:/p

The output for the above code was:

  android.app.action.DEVICE_ADMIN_ENABLED:
    438a74 com.motorola.demo/.admin.DemoModeAdminReceiver
    2acd3de com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver
    36b5d24 ch.deletescape.lawnchair.ci/ch.deletescape.lawnchair.gestures.handlers.SleepMethodDeviceAdmin$SleepDeviceAdmin
    42aae3e com.google.android.gms/.tapandpay.admin.TpDeviceAdminReceiver
    8efd08d com.google.android.gms/.kids.account.receiver.ProfileOwnerReceiver
    9b4f242 com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver
    a9980b6 com.oasisfeng.greenify/.DeviceAdmin
    b5771b7 com.google.android.gm/com.android.email.SecurityPolicy$PolicyAdmin
  com.motorola.internal.intent.action.INETCONDITION_REPORT:

The output is quite unsettling, as none of the entries seem to correspond to the Screen Lock Service.

For reference, I am using a Moto G5 Plus (not rooted, stock build with no customizations).

Also note that I own another device of the same model which is rooted and runs Pixel Experience (Android 10, latest build), and unfortunately it does not have the Screen Lock Service.

An insight/breakdown for this application is helpful.


#StackBounty: #java #android #security Adding standard java classes that are missing in Android

Bounty: 50

I am using a Java Security Provider which throws FailedLoginException from the javax.security.auth.login package.
As I am using this provider in my Android app, I get the problem that Android’s javax.security.auth.login package doesn’t have such a class; it only has LoginException, which is the base class for the other ones. Because of that, my application is throwing NoClassDefFound whenever the FailedLoginException is thrown.

Is there a way to add this missing standard Java class to my Android App, or to workaround that Error?

Any help is appreciated!


#StackBounty: #networking #wireless #security #vpn How can I block traffic over wifi before the VPN connects?

Bounty: 50

I’d like to use a VPN when on public wifi for security. In order to establish my OpenVPN tunnel I need a working network connection. When I connect to a public wifi access point there is a window of time after connecting but before my VPN client is launched, connects and updates the route table, during which traffic from my system travels unencrypted over public wifi.

How can I cause wifi to pass no traffic except traffic destined for my OpenVPN server during that window of time?

Extra credit: Is there a way to whitelist wifi networks as trusted (like my home or work wifi) such that all traffic is allowed, as I won’t be using a VPN there?


#StackBounty: #windows-10 #security #encryption Why is "Reasons for failed automatic device encryption: Hardware Security Test Int…

Bounty: 100

The full message is:

Reasons for failed automatic device encryption: Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected

It is shown under the Device encryption support field in msinfo32.exe.

What does this mean? How can I enable "automatic device encryption"?

Security features in my PC:

  1. Secure Boot: Enabled
  2. Core Isolation: Enabled
  3. Memory Integrity: Enabled
  4. BitLocker: Disabled
  5. TPM is present in my PC
