You probably hear it a lot: you should make your code secure! But… how?
When it comes to security, there are a plethora of measures you can implement.
Where do you start, and how do you know you’re doing the right thing?
Continue reading →
Welcome back to the final blog in de series "How to hack a box"!
In this blog we’ll cover the basics of Privilege Escalation and see it in practice on the Blocky box from Hack The Box.
Continue reading →
Welcome back to the blog series about how to hack a box!
In the past few blogs we’ve gone through a few steps which gives you an idea of how you can hack a box.
We went from the Introduction, to Exploration, to Gaining Access.
In this blog, we’ll cover the basics of Enumeration.
|
DISCLAIMER: Never attempt to execute one of these steps on a machine where you don’t have explicit permission for from the owner.
This is illegal and will get you in trouble.
|
Continue reading →
Welcome back to the blog series about how to hack a box! In this third post I’ll guide you through the second step: gaining access.
|
DISCLAIMER: Never attempt to execute one of these steps on a machine where you don’t have explicit permission for from the owner.
This is illegal and will get you in trouble.
|
Continue reading →
Welcome back to the blog series about how to hack a box! In the first blog I gave an introduction into the steps and prerequisites on How to hack a box.
In this second post I’ll guide you through the first step, which is exploration.
We will execute the steps on an actual box in Hack The Box, called Blocky.
|
DISCLAIMER: Never attempt to execute one of these steps on a machine where you don’t have explicit permission for from the owner.
This is illegal and will get you in trouble.
|
Continue reading →
Welcome to the blog series about how to hack a box! In this first post I’ll guide you through the global steps you can take to hack a box.
The steps are universal, so you can use them on any target which you have permission for.
In the next few posts we’ll go through each step in detail and try to hack a box in Hack The Box, called Blocky.
Continue reading →
In my last blog I gave you a small introduction into the term "Reverse Shell".
I described it as: "A Reverse Shell is where your target machine creates a connection to your machine, after which you get a shell on the target machine in which you can execute system commands."
It is similar to SSH, but without any encryption and the connection is created the other way around (from target to you, instead of you to the target).
Continue reading →
At JCore, we follow a three year program to become senior developers.
After following this program successfully, you will be promoted to the JDriven company.
In the final year, we have a specialization in a topic of our choice.
I chose to specialize myself further into security.
I have been studying this topic for some time now, even contributing to the fast track courses as a security teacher.
Until now, most of my time I spent on the defending side and now I want to take a look on "the other side".
So my specialization is all about attack, also described as joining "The Red Team".
Continue reading →
Now that it’s clear how to use an OAuth access_token in JWT to perform RBAC inside a REST service playing the role of resource server, it is time to see how to acquire such a token.
Continue reading →
How many lines of code do you actually need to implement external Role Based Access Control (RBAC) using OAuth, JWT with the new Spring Security features?
Lets find out!
Continue reading →
Recently we updated one of our internal applications from Spring Boot 1.5 to 2.1, which includes an update of Spring Security. After the update the OAuth2 security started to fail in the backend, it stopped recognizing the authentication.
The project is an Angular 4 application. It uses angular2-oauth2 (1.3) in the frontend, and spring-boot-security and spring-security-oauth2 on the backend. The frontend is responsible for authentication with our Bitbucket account. This information is then sent to the backend via a 'bearer' authentication token. We have a separate class extending WebSecurityConfigurerAdapter
, annotated with @EnableOAuth2Client
, to set our security settings.
Continue reading →
Modern applications development is a mix of custom code and many pieces of open source.
The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use.
A study from Black Duck which covers more than 200 applications shows that 95% of the projects use open source libraries (see open source security analysis).
Important side note is we only use a fraction of all the libraries imported into a project.
Last couple of months some critical issues were found in Struts 2 which enabled attackers to perform a remote-code-execution through a malicious content-type.
One way to track whether you are using vulnerable components is to use the OWASP Dependency-Check.
This tool uses the National Vulnerability Database to search components for well known published vulnerabilities.
Let’s take a look at the well known Spring Pet Clinic project and integrate OWASP Dependency-Check, first we add the following plugin to the Maven pom.xml
:
The plugin supports all kind of configuration items, in this example our build will fail if the Common Vulnerability Scoring System (CVSS) score if above 8.
CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.
Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.
If we run Dependency-Check the build will fail due to:
If we look at the report we will see the mysql connector has more than 400 CVEs and the build fails due to the CVSS score above 8 (in this case there is even a CVE with CVSS score 10).
Based on this score this library should be replaced with a more up-to-date version.
Because Dependency-Check offers many ways to integrate into your build pipeline it is easy to get it up-and-running.
It is also possible to integrate with Sonar which makes it even more visible to your team.
Continue reading →