Resource Server API
You can use either an existing authorization server or your own. Here, I created an authorization server and a resource server together in a single server. It is written using Node.js, so to run it on your computer you need Node.js installed.
app.js
I have created two endpoints in this file: "/oauth/token", which issues the access token, and "/profile", which returns the protected resource.
model.js
Here I first created a user (username = thusiya, password = thusiya); all the functions that handle requests from the client are written in this file.
Run
Run this resource server using Node.js.
First, we have to make a POST request to the authorization server to get the access token.
For that we have to send the authorization key in the header.
Authorization : Bearer XXXXXXXXXXXXXXX
And also we have to mention the content type in the header.
Content-Type : application/x-www-form-urlencoded
Then we have to mention these 3 parameters in the body.
username=thusiya
password=thusiya
grant_type=client_credentials
The URL should be the endpoint that gives us the access token.
http://localhost:4000/oauth/token
When we send this, we get a response that has the access token in it. This access token also has an expiration time.
Then we have to make a GET request to retrieve the resources we need.
Now our URL is different because we have to call a different endpoint to get these resources which is "http://localhost:4000/profile".
Authorization: Bearer XXXXXXXXXXXXXXX
When you send this request, you get a response that contains the resources we specified in the code.
{"name":"thusiya","id":"set"}
You can download source code from my GitHub.
https://github.com/thusith94/RESTful_API
Hak94 Cyber World
Wednesday, May 23, 2018
Cross Site Request Forgery - method 02
In this post, I am going to discuss how to achieve CSRF attack protection using the double-submitted cookie pattern.
Work Flow
In the double-submitted cookie pattern, there are two cookies (session & CSRF token) stored in the browser. In our previous method, we stored the CSRF token values on the server side (in a text file). Here we don't do that.
index.php
The user logs in to the website using their credentials. Here, I hard-coded the user credentials for testing purposes like this ($uname == 'thusiya' && $pwd == 'thusiya').
result.php
As you can see, two cookies are stored in the browser. These cookies have a 1 year expiration time and they are accessible from anywhere on the site.
home.php
The csrf cookie value and the HTML hidden field csrf value are sent to the checkToken function as parameters.
token.php
If the CSRF values match, that function returns true.
You can download source code from my GitHub.
https://github.com/thusith94/Cookies-Patterns
Tuesday, May 22, 2018
Cross Site Request Forgery - method 01
What is Cross Site Request Forgery?
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
In this blog entry, I will talk about a strategy that can be used to secure your own site by generating Cross-Site Request Forgery tokens on the server side and validating them before responding to any client request.
How it works
The user logs in to the website using their credentials. Here, I hard-coded the user credentials for testing purposes like this ($uname == 'thusiya' && $pwd == 'thusiya'). Upon sign-in a session is created, and the session id is used to map the CSRF token that is generated along with the session. After that the user is redirected to a page that allows them to update posts. This page is loaded with the help of AJAX. The generated CSRF value is then added to a hidden field in the HTML file. When the user updates a post, the CSRF token is validated. If it is valid, the post can be seen by the user.
Index.php File
Once the form is submitted, then result.php file will be called.
The code for validating the user inputs is as follows. An AJAX call to the csrf_token_generator.php file is used to generate and validate the CSRF token and put it into the hidden text field inside the HTML file.
csrf_token_generator.php
This PHP file generates the csrf token. It also sets a browser cookie with the value of session_id. After that, the CSRF token value is stored in a text file called Tokens.txt along with its session_id.
openssl_random_pseudo_bytes() is used to generate the 32bit-long csrf token.
token.php
This PHP file has the checkToken function, which takes two parameters (csrf token and session id) and returns true if the given parameters match the values stored inside the text file.
Tokens.txt
home.php
You can download source code from my GitHub.
Monday, October 23, 2017
Beware of Windows/MacOS/Linux Virus Spreading Through Facebook Messenger
If you came across any Facebook message with a video link sent by anyone, even your friend — just don’t click on it.
Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software.
Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.
The attackers make use of social engineering to trick users into clicking the video link, which purports to be from one of their Facebook friends, with the message that reads "< your friend name > Video" followed by a bit.ly link, as shown.
Here's How this Cross-Platform Malware Works:
The URL redirects victims to a Google doc that displays a dynamically generated video thumbnail, like a playable movie, based on the sender's images, which if clicked, further redirects users to another customised landing page depending upon their browser and operating system.
For example, Mozilla Firefox users on Windows are redirected to a website displaying a fake Flash Player Update notice, and then offered a Windows executable, which is flagged as adware software.
Google Chrome users are redirected to a website that masquerades as YouTube with similar YouTube logo, which displays a fake error message popup, tricking victims into downloading a malicious Chrome extension from the Google Web Store.
The extension actually is a downloader that downloads a file of attacker's choice to the victim's computer.
"At the time of writing, the file which should have been downloaded was not available," David Jacoby, a chief security researcher from Kaspersky Lab, writes in a blog post published today.
"One interesting finding is that the Chrome Extension has log files from the developers displaying usernames. It is unclear if this is related to the campaign, but it is still an amusing piece of information."
Users of Apple Mac OS X Safari end up on a web page similar to the one Firefox users see, but customised for macOS users with a fake update for Flash Media Player, which if clicked downloads an OSX executable .dmg file, which is also adware.
The same happens with Linux: users are redirected to another landing page designed for Linux users.
The attackers behind the campaign are not actually infecting users of these platforms with any banking Trojan or exploit kit, but with adware, to make a lot of money by generating revenue from ads.
Spam campaigns on Facebook are quite common. A few years ago, researchers found cyber criminals using boobytrapped .JPG image files to hide their malware in order to infect Facebook users with variants of the Locky ransomware, which encrypts all files on the infected PC until a ransom is paid.
To keep yourself safe, you are advised not to get curious to look at images or video links sent by anyone, even your friend, without verifying it with them, and always keep your antivirus software up-to-date.
Shadow Brokers Leaks Another Windows Hacking Tool Stolen from NSA's Arsenal
The Shadow Brokers, a notorious hacking group that leaked several hacking tools from the NSA, is once again making headlines for releasing another NSA exploit—but only to its "monthly dump service" subscribers.
Dubbed UNITEDRAKE, the implant is a "fully extensible remote collection system" that comes with a number of "plug-ins," enabling attackers to remotely take full control over targeted Windows computers.
In its latest post, the hacking group announced a few changes to its monthly dump service and released encrypted files from the previous months as well.
Notably, the September dump also includes an unencrypted PDF file, which is a user manual for the UNITEDRAKE (United Rake) exploit developed by the NSA.
According to the leaked user manual, UNITEDRAKE is a customizable modular malware with the ability to capture webcam and microphone output, log keystrokes, access external drives and more in order to spy on its targets.
The tool consists of five components—the server (a Listening Post), the system management interface (SMI), the database (to store and manage stolen information), the plug-in modules (which allow the system's capabilities to be extended), and the client (the implant).
Snowden Leak Also Mentions UNITEDRAKE
The Snowden documents suggested the agency used the tool alongside other pieces of malware, including CAPTIVATEDAUDIENCE, GUMFISH, FOGGYBOTTOM, GROK, and SALVAGERABBIT, to infect millions of computers around the world.
- CAPTIVATEDAUDIENCE is for recording conversations via the infected computer's microphone
- GUMFISH is for covertly taking control over a computer’s webcam and snap photographs
- FOGGYBOTTOM for exfiltrating Internet data like browsing histories, login details and passwords
- GROK is a Keylogger Trojan for capturing keystrokes.
- SALVAGERABBIT is for accessing data on removable flash drives that connect to the infected computer.
New Terms for Shadow Brokers Monthly Dump Service
The Shadow Brokers is now only accepting payments in ZCash (ZEC) from its monthly subscribers, rather than Monero since it uses clear text email for delivery, and has also raised the rates for exploits, demanding nearly $4 Million.
The group demanded 100 ZEC when it started its first monthly dump service in June, but now the hackers are demanding 16,000 ZEC (which costs $3,914,080 in total) for all NSA dumps. Zcash currently trades at $248 per unit.
Those who want to gain access only to the September dump that includes the new NSA malware files need to pay hackers 500 ZEC.
The Shadow Brokers gained popularity after leaking the SMB zero-day exploit, called EternalBlue, that powered the WannaCry ransomware attack that crippled large businesses and services around the world in May.
After that, the mysterious hacking group announced a monthly data dump service for those who want to get exclusive access to the NSA arsenal, which they claim to have stolen from the agency last year.