Hashes and Nonces in CSP

Troy Hunt has a nice article about inline-scripts and CSP with some practical examples.

By default the following CSP directive will block all inline scripts:

Content-Security-Policy: default-src 'self'

The most straightforward way to remove the restriction is to add unsafe-inline, but that disables all of CSP's defenses against inline scripts and XSS. Thankfully you have two alternatives: using a hash or a nonce. (TIL!)

If the script is static (the content does not change), you can add a SHA-256 hash of the script to the CSP directive, so the script will be whitelisted.

Content-Security-Policy: default-src 'self'; script-src 'sha256-blLDIhKaPEZDhc4WD45BC7pZxW4WBRp7E5Ne1wC/vdw='

However, if the script's content changes, you can instead add a base64-encoded nonce (a random value) to both the CSP directive and the script tag.

Content-Security-Policy: default-src 'self'; script-src 'nonce-4AEemGb0xJptoIGFP3Nd'
<script type="text/javascript" nonce="4AEemGb0xJptoIGFP3Nd">

Summary of Chrome Dev Summit 2017 Videos

Dan Fabulich has a post titled I Watched All of the Chrome Dev Summit 2017 Videos So You Don’t Have To:

tl;dr: Google wants you to build PWAs, reduce JavaScript file size, use Web Components, and configure autofill. They announced only a handful of features around payments, authentication, Android Trusted Web Activities, Chrome Dev Tools, and the Chrome User Experience Report.

Check out the full post for a more detailed summary.

This is three weeks old and I kept putting off posting this in AH. It’d be super cool if someone wrote TLDRs for all conferences happening everywhere.

Friendly advice

Tweet by sarah_edo:

A lot of people, mostly university friends, called me during last month after they learned that I was unable to walk due to a leg injury. People don’t forget to leave some advice during the calls. These include:

* Migrate to another country (from those who have already migrated to other countries)
* Live for a few years in a different country (from those who are abroad temporarily for work reasons)
* Marry ASAP (from those who are married)
* It’s time I should marry and have some kids (from those who are married and have kids)
* Build a house (from those who own houses)
* Switch to a better car (from those who have more expensive cars)
* Get the shit together (from someone who has theirs together, probably)

I’m not bluffing – this is 100% real. I’m thankful for all the advice, but I feel worse than ever now.

How Computers make Random Numbers

Came across an easy-to-follow article on how pseudo-random number generators such as linear congruential generators (LCGs) work.

One thing we haven’t addressed yet, is the issue of deciding the initial seed. We could fix it to some constant number. This is useful in cases where you need random numbers, but they have to be the same every time the program is executed — generating the same map every game for example.

Another way to decide the seed is to fetch it from a source that is different each time the program is executed — like the system time. This is useful in a case where a general random number is needed, like a program to simulate a dice roll.

Slack SAML authentication bypass

Antonio Sanso writes:

This means that if I present to a ServiceProvider A an assertion meant for ServiceProvider B, then the ServiceProvider A should reject it.

Well, between all other things I tried this very really simple attack against Slack’s SAML endpoint /sso/saml and guess what? It worked 😮 !!

To be more concrete, I used an old and expired (yes, the assertion was also expired!!) Github Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and presented it to Slack. Slack happily accepted it and I was logged into a Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one!!! Wow this is scary….

Scary indeed. And it isn’t a particularly sophisticated hack either. Slack has now patched the issue.

100s of useful AWK examples

Came across this nice cheatsheet with awk examples on Hacker News today: Github link

awk is a highly underrated Unix utility. I’ve seen very few developers use it, but it’s both powerful and useful. Awk is a language of its own, but you don’t need to master it to start using it.

Some time back, I moved a large bunch of files to a home directory in a server by mistake. I had used the following (naive) command to move them back to the original location (according to my notebook):

ls -ltr | grep '14:57' | awk '{print $8}' | xargs -I '{}' mv {} vftemp

Apparently I had exploited the fact that the moved files all had the 14:57 time stamp and filtered them with grep, and then used awk to get the 8th column of the list, which should have been the filenames and moved them back.

The State of Being Stuck

A high school mathematics teacher interviews Andrew Wiles. Wiles is one of the most famous mathematicians in the world today, best known for proving the 350-year-old Fermat’s Last Theorem.

Wiles explained the process of research mathematics like this: “You absorb everything about the problem. You think about it a great deal—all the techniques that are used for these things. [But] usually, it needs something else.” Few problems worth your attention will yield under the standard attacks.

“So,” he said, “you get stuck.”

“Then you have to stop,” Wiles said. “Let your mind relax a bit…. Your subconscious is making connections. And you start again—the next afternoon, the next day, the next week.”

Patience, perseverance, acceptance—this is what defines a mathematician.

Reading a User-Agent header

Tweet by @jschauma:

Whenever a browser makes an HTTP request to a server, the browser sends a User-Agent header, so the server can know what kind of browser/agent the request is coming from. I’m writing this post in a Safari browser on macOS and the string it sends is:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38

It says Mozilla at the beginning, but it’s not Firefox.

Confusingly, the User-Agent string of Google Chrome has both Mozilla and Safari in addition to Chrome:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

These strings will change depending on both the browser version and the OS you are on.

While these strings seem cryptic, you can use this handy guide from MDN to identify the browser from User-Agent strings: https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent#Browser_Name

Zawinski’s Law

I was reading Finish your stuff by Martin Sustrik (creator of ZeroMQ) today and stumbled upon Zawinski’s Law from The Jargon File.

“Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.”

Emacs comes to mind (you know what they say, it’s “a great operating system, lacking only a decent editor”).

However, we see a lot of bloated software being replaced by leaner, more minimal products, which might seem contrary to this rule. Lots of people moved from WordPress to the much simpler Medium. But Medium, in turn, has become a bloated piece of JavaScript by now, which aligns with Zawinski’s Law.

Quoting the Wikipedia article on the subject:

Eric Raymond comments that while this law goes against the minimalist philosophy of Unix (a set of “small, sharp tools”), it actually addresses the real need of end users to keep together tools for interrelated tasks, even though for a coder implementation of these tools are clearly independent jobs.

Splitting a text file into two

Today I was trying to open a text file with a Node.js script and failed, apparently because it exceeded Node’s maximum buffer size. The most straight-forward solution was to split the file in half and open the two new files separately.

How do you split a text file in two, though? With a quick hack using head and tail, of course.

head -n 1000 input-file > output1
tail -n +1001 input-file > output2

The + in the tail command tells it to count lines from the top (here: output from line 1001 to the end of the file) instead of from the bottom, which is tail’s usual behaviour.

Source: unix.stackexchange