@davidvandusen
Last active August 29, 2015 14:17
W8D1 - Lecture Notes - February 2015

Auth and WebSec

Today we looked at third-party authentication and web security.

We built a simple Express.js web app that uses Passport to allow users to sign in with Google.

After that we used Wireshark to snoop on network traffic to that web app, pick out an authenticated user's session ID, and make HTTP requests to the app as that user.

We tried to inject a script through the URL, but Chrome blocked it. However, when we then put a script in the "database", it was executed in the browser when the page rendered it.

We took a look at cross-site request forgery (CSRF). We made a malicious web page with a form that submits to our app and saw that the app's cookies were sent along with the request from our malicious site.

We telnetted into our app to see that an HTTP request can be hand-crafted, including the Referer header, which is supposed to say where the request originated but is easily spoofed:

```http
GET / HTTP/1.1
Host: 127.0.0.1
Referer: http://this-isnt-the-website-youre-looking-for.com/index.html
```

We saw what happens when your app redirects the user to a path that was provided by the user. User input cannot be trusted: if a redirect URL comes from user content (the query string, user content in the database, etc.), it must be validated before issuing a redirect.
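One way to do that validation, written here as an added example rather than code from the lecture app: the target is parsed against the app's own origin and only a same-origin path is handed back to `res.redirect()`. `APP_ORIGIN` and `safeRedirectTarget` are names chosen for this example, and it assumes Node's built-in WHATWG `URL` class (Node 10 or later).

```javascript
// Added example: validate a user-supplied redirect target before redirecting.
// APP_ORIGIN is the origin the lecture app listens on (assumption for this demo).
const APP_ORIGIN = 'http://127.0.0.1:3001';

// Returns a same-origin path (plus query string) that is safe to redirect to,
// or null when the input must be rejected. The caller then falls back to a
// fixed default such as '/'.
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return null;
  }
  // Reject control characters and backslashes up front: some clients treat
  // "\" like "/", so "/\evil.com" could be read as a protocol-relative URL.
  if (/[\u0000-\u001f\u007f\\]/.test(input)) {
    return null;
  }
  let parsed;
  try {
    // Resolving against APP_ORIGIN accepts a relative path such as "/account",
    // while "//evil.com", "http://evil.com/..." and "javascript:..." all end up
    // with a different origin (or the opaque origin "null") and are rejected.
    parsed = new URL(input, APP_ORIGIN);
  } catch (e) {
    return null;
  }
  if (parsed.origin !== APP_ORIGIN) {
    return null;
  }
  // Rebuild the Location value from the parsed path and query, never from the
  // raw user string, so the normalised form is what gets sent.
  return parsed.pathname + parsed.search;
}

// In the lecture's GET / handler the redirect would then become:
//   res.redirect(safeRedirectTarget(req.query.redirectUrl) || '/');
```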

We went over each of the OWASP Top 10 security issues.

https://www.owasp.org/index.php/Top_10_2013-Top_10

There is a developer cheat sheet here:

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

The Express app from the lecture. The weaknesses in it (the script stored in the "database", the unvalidated redirect, and the state-changing POST with no CSRF protection) are intentional; they are what the class demonstrated.

```javascript
// In-memory "database". The news entry carries the stored-XSS payload that
// GET /news renders unescaped.
var database = {
  news: [{
    content: '<script>window.location="http://example.com/"</script>'
  }]
};

var express = require('express');
var expressSession = require('express-session');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var passport = require('passport');
var GoogleStrategy = require('passport-google').Strategy;

// The whole user object is stored in the session (fine for a demo).
passport.serializeUser(function (user, done) {
  done(null, user);
});
passport.deserializeUser(function (user, done) {
  done(null, user);
});

// passport-google 0.3.x uses Google's OpenID flow, hence returnURL/realm.
passport.use(new GoogleStrategy({
  returnURL: 'http://127.0.0.1:3001/auth/google/return',
  realm: 'http://127.0.0.1:3001/'
}, function (identifier, profile, done) {
  done(null, {
    identifier: identifier,
    profile: profile
  });
}));

var app = express();
app.use(cookieParser());
// extended: false avoids body-parser's deprecation warning; simple fields only.
app.use(bodyParser.urlencoded({ extended: false }));
app.use(expressSession({
  resave: false,
  saveUninitialized: false,
  secret: 'secret' // hard-coded demo secret; the session ID was sniffed in class
}));
app.use(passport.initialize());
app.use(passport.session());

app.get('/', function (req, res) {
  if (req.isAuthenticated()) {
    if (req.query.redirectUrl) {
      // Open redirect: the target comes straight from the query string.
      res.redirect(req.query.redirectUrl);
    } else {
      var html = '<h1>Hello, ' + req.user.profile.name.givenName + '</h1><pre>' +
        JSON.stringify(req.user, null, ' ') + '</pre><p><a href="/signout">Sign out</a></p>';
      res.send(html);
    }
  } else {
    res.send('<h1>Hello</h1><p><a href="/auth/google">Sign in with Google</a></p>');
  }
});

// State-changing POST with no CSRF token: the form on the malicious page can
// submit here and the browser attaches this app's session cookie.
app.post('/', function (req, res) {
  if (req.isAuthenticated()) {
    var html = '<h1>Hello, ' + req.user.profile.name.givenName + '</h1><pre>' +
      JSON.stringify(req.user, null, ' ') + '</pre><p><a href="/signout">Sign out</a></p>';
    if (req.body.account && req.body.amount) {
      html += '<h1><big>TRANSFERRED SUCCESSFULLY</big></h1>';
    }
    res.send(html);
  } else {
    res.send('<h1>Hello</h1><p><a href="/auth/google">Sign in with Google</a></p>');
  }
});

app.get('/auth/google', passport.authenticate('google'));
app.get('/auth/google/return', passport.authenticate('google', {
  successRedirect: '/',
  failureRedirect: '/?authFailed=1'
}));

// Renders stored content without escaping, so the script in the database runs.
app.get('/news', function (req, res) {
  var html = '<h1>News</h1>';
  database.news.forEach(function (article) {
    html += '<p>' + article.content + '</p>';
  });
  res.send(html);
});

app.get('/signout', function (req, res) {
  req.logout();
  res.redirect('/');
});

app.listen(3001);
```
The malicious page used for the CSRF demo:

```html
<!-- Served from another origin; the browser still sends the app's cookies with the POST -->
<form action="http://127.0.0.1:3001/" method="post">
  Account: <input name="account" />
  Amount: <input name="amount" />
  <button>Transfer</button>
</form>
```
package.json for the app:

```json
{
  "name": "auth-lecture",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "body-parser": "^1.12.2",
    "cookie-parser": "^1.3.4",
    "express": "^4.12.3",
    "express-session": "^1.10.4",
    "passport": "^0.2.1",
    "passport-google": "^0.3.0"
  }
}
```