week 3 tutorial

lecture content recap

  • TLS and PKI + a bit of mTLS
  • Reports!
  • Certificate Transparency
  • HSTS
  • Authorization.
  • Common authorization models (e.g. RBAC, ABAC, RuBAC, whatever).
    • AWS as example of how batshit insane authorization can get.
  • What do authorization vulns look like?
    • Misconfigured permissions (someone/a role has access they shouldn't).
    • Determining permission insecurely (e.g. storing role/permissions on an insecure session token/cookie).
    • Missing authorization checks.
  • IDOR
  • Mention of OAuth as a way to delegate authorization to a third party.
  • Extended: Deep dive into OAuth.

Authorisation vs Authentication: When you authenticate yourself to a service you are telling the service who you are in this service. This is normally your name, email and/or username, and you normally authenticate yourself via credentials. Authorisation can occur with or without authentication and covers the actions you can perform and what you can view within the service. This is normally your role (guest, user, admin, etc.) within the service. In terms of security, examples of an authentication flaw would be default passwords, SQL injection, etc., while an authorisation flaw would be poor access control allowing a standard user to view admin pages or perform admin-related functions.

Do you see something that starts with ey / eY? This is most likely a JWT or a Flask session token. I'll break down the difference between a JWT and a Flask token and what tools you can use for them:

JWT:

Best tool for JWT token would have to be: https://jwt.io/

If you paste a payload you suspect to be a JWT token into jwt.io:

  • In the Header, you should be able to see "typ":"JWT" and the alg it uses to create the signature. Common algorithms used to sign a JWT are HS256 or RS256. Flask sessions tend not to have this.
  • If you have the key needed to sign a JWT you can also use https://jwt.io/ to modify the payload within the JWT and then sign it to get a new JWT.
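
As an added example (not part of the original tutorial notes), the Python below does what jwt.io does when you paste a token (base64url-decode the header and payload, no key needed) and then shows the server-side HS256 check that only passes when the payload was signed with the key; the secret and the claims are constructed sample values, not from any real service.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    # JWTs use unpadded base64url, which is why they start with "ey" ("{" + quote).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_jwt(payload: dict, key: bytes) -> str:
    # Build a token the way a server would: header and payload are only encoded
    # (readable by anyone), the signature is an HMAC over them using the key.
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def inspect_jwt(token: str) -> tuple[dict, dict]:
    # What jwt.io shows you: header and payload decoded without any key.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256_jwt(token: str, key: bytes) -> bool:
    # Server-side check: pin the expected algorithm rather than trusting the header,
    # recompute the HMAC over header.payload and compare it in constant time.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))

def modify_claims(token: str, **changes) -> str:
    # Edit claims but keep the old signature: the token still decodes fine,
    # which is why a server must verify the signature and not just decode.
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64

# Constructed sample: hypothetical server secret and a user session claim.
SECRET = b"example-secret-not-real"
TOKEN = make_hs256_jwt({"sub": "alice", "role": "user"}, SECRET)
```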

Flask: