Search the Community

Critical vulnerabilities exist in several JSON Web Token (JWT) libraries – namely the JavaScript and PHP versions – that could let an attacker bypass the verification step. Tim McLean, a Canadian security researcher who specializes in cryptography and dug up the issues, points out that attackers could exploit one of those vulnerabilities, which abuses an asymmetric signing algorithm, in some JWT libraries. Introduced a few years back, JWT is a standard that produces tokens between two parties. For example, a server can produce an admin token, transferred in JSON, signed by the server’s key. Clients can go on to use that token to verify the user is logged in as an admin. The issue revolves around a public key confusion between systems signed with the hash function HMAC and those signed with RSA. “If a server is expecting a token signed with RSA, but actually receives a token signed with HMAC, it will think the public key is actually an HMAC key,” McLean explained in a blog post Tuesday. “How is this a disaster? HMAC secret keys are supposed to be kept private, while private keys are well, public.” In this scenario if an attacker got access to a public key, through an API in some JWT libraries, they could use it as a token and the server would accept it. McLean advises anyone who runs a JWT implementation to verify that tokens with different signatures are set up to be rejected either via a whitelisting or blacklisting mechanism. “The server should already know what algorithm it uses to sign tokens, and it’s not safe to allow attackers to provide this value.” A separate issue, since fixed in many JWT libraries, previously let attackers choose the way tokens are verified, a condition that had “disastrous implications for some implementations,” according to McLean. McLean initially blogged about the issue in February and elaborated further on the issue this week. OAuth, one of the more popular standards for authorization, found his research so important, it republished the work on its own blog yesterday. This issue is rooted in the way that some libraries handled an algorithm known as “none.” Tokens signed with “none” could have be acknowledged as valid tokens with valid signatures, according to McLean. Attackers could modify tokens and sign them with “none” instead of HMAC-SHA256, or HS256. The tokens would then appear “signed.” Attackers then could have gone on to attach their own payload to gain arbitrary account access on some systems. According to McLean most libraries have fixed the “none” issue by ensuring that token verification fails any tokens that use the “none” algorithm. In order to fix the asymmetric keys issue, McLean, with the help of Auth0 got in touch with several of the library’s authors to make sure that any tokens with a different signature type are rejected by their libraries. Since JWTs can work across several languages, .NET, Node.js, Python, PHP, Java, Ruby, to name a few, there were a handful of libraries to contact about the vulnerability. Auth0 fixed the issue in its Node.js library last Thursday and is encouraging users to upgrade to 4.2.2, the latest version. Jose Padilla, who maintains the Python build of the library, fixed the signature verification vulnerability in version 1.0.0 last month by adding support for an alg whitelist. The most recent version, 1.0.1, also includes the fix. According to jwt.io, a service run by Auth0, the PHP or JavaScript versions of the libraries remain vulnerable. Auth0 instructing those who run those versions of JWT to seek out another non-vulnerable library until the issues are fixed or verified. Source

Configuring libcurl 7.41.0 with OpenSSL for Visual Studio 2013 In this tutorial I will go over configuring Visual Studio for seamless usage with the libcurl 7.41.0 and OpenSSL libraries. I have included references to articles found related to the compilation and common issues. What is curl? curl is a command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, Gopher, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMTP, SMTPS, Telnet and TFTP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, HTTP/2, cookies, user+password authentication (Basic, Plain, Digest, CRAM-MD5, NTLM, Negotiate and Kerberos), file transfer resume, proxy tunneling and more. Required tools & libraries 1.] Visual Studio 2013 for Desktop (Ultimate, Team, etc) 2.] ActivePerl 5.20.1 3.] 7-Zip 9.20 for Extracting tar.gz 4.] OpenSSL 1.0.2 5.] curl 7.41.0 Compiling OpenSSL static libraries OpenSSL has made it quite easy with integrating Perl and Visual Studio to compile right from the Visual Studio Command Prompt. 1.] Verify ActivePerl 5.20.1 and Visual Studio 2013 are correctly installed. 2.] Download and extract OpenSSL with 7-Zip, in this example we will use: C:\openssl 3.] Open the Visual Studio Developer Command Prompt 4.] Start -> All Programs -> Visual Studio 2013 -> Visual Studio Tools -> Developer Command Prompt for VS2013 5.] Make sure to run as administrator in case there any file permission errors while executing Perl Now, we are ready to configure OpenSSL, as said there is no major changes that need made to make this function without issue. We have a few options depending on the specifics of your target base, in this case, I am going to deploy 32 bit static libraries as they work fine on the x64 based processor line. 1.] In the command prompt, change to the directory you extracted OpenSSL, I used c:\openssl. 2.] cd c:\openssl Type the build that best suits your needs, you can just copy the following and it should execute without problem. Building the 32-bit static libraries perl Configure VC-WIN32 --prefix=C:\Build-OpenSSL-VC-32 ms\do_ms nmake -f ms\nt.mak nmake -f ms\nt.mak install Building the 32-bit static libraries with debug symbols perl Configure debug-VC-WIN32 --prefix=C:\Build-OpenSSL-VC-32-dbg ms\do_ms nmake -f ms\nt.mak nmake -f ms\nt.mak install Building the 64-bit static libraries perl Configure VC-WIN64A --prefix=C:\Build-OpenSSL-VC-64 ms\do_win64a nmake -f ms\nt.mak nmake -f ms\nt.mak install Building the 64-bit static libraries with debug symbols perl Configure debug-VC-WIN64A --prefix=C:\Build-OpenSSL-VC-64-dbg ms\do_win64a nmake -f ms\nt.mak nmake -f ms\nt.mak install After executing it may take a minute, but will output your includes and static libraries afterwords. perl util/copy.pl "out32\openssl.exe C:\Build-OpenSSL-VC-32\bin" Copying: out32/openssl.exe to C:/Build-OpenSSL-VC-32/bin/openssl.exe perl util/mkdir-p.pl "C:\Build-OpenSSL-VC-32\ssl" created directory `C:/Build-OpenSSL-VC-32/ssl' perl util/copy.pl apps\openssl.cnf "C:\Build-OpenSSL-VC-32\ssl" Copying: apps/openssl.cnf to C:/Build-OpenSSL-VC-32/ssl/openssl.cnf perl util/copy.pl "out32\ssleay32.lib" "C:\Build-OpenSSL-VC-32\lib" Copying: out32/ssleay32.lib to C:/Build-OpenSSL-VC-32/lib/ssleay32.lib perl util/copy.pl "out32\libeay32.lib" "C:\Build-OpenSSL-VC-32\lib" Copying: out32/libeay32.lib to C:/Build-OpenSSL-VC-32/lib/libeay32.lib Note: * If you are trying to link your libraries and receive an error relating to ml64, then your Visual Studio isn't configured as x64, you will need to go in the OpenSSL folder and delete the tmp32 folder and recompile as a 32 bit library, if this folder is not deleted you will continue to receive errors. 1.] After it's compiled, go to the output directory, example, C:\Build-OpenSSL-VC-32. 2.] Open your Visual Studio C directory, example, C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC. 3.] Copy and merge the 'lib' and 'include' directory from the OpenSSL output directory into the 'C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC' directory. You are done with the OpenSSL portion. Compiling libcurl static libraries Now, that you have that done. We will need to configure libcurl. It has been made quite simple if you download the latest build, it comes with Visual Studio 2013 projects included. 1.] Extract libcurl 2.] Open libcurl folder, then go to: projects -> Windows -> VC12 3.] Open 'curl-all.sln' 4.] Go to Build -> Uncheck 'curlsrc' as we don't need this. 5.] Under 'libcurl', Choose LIB Release - LIB OpenSSL, as it will bind a static library that does not require exported DLLs. After it's done compiling, go to the 'curl-7.41.0' directory. Copy and merge the 'include' folder from there with 'C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC' as we did in the previous steps while setting up OpenSSL. There will also be a 'build' folder in the root of the 'curl-7.41.0' directory. build -> Win32 -> VC12 -> LIB Release - LIB OpenSSL Copy the file 'libcurl.lib' into the 'lib' folder located at 'C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC'. Since these are static libraries, not all functions from Windows have been previously exported. You will still need to link against 'Ws2_32.lib' and 'Wldap32.lib' for specific functions of 'libcurl' in Visual Studio, however you will not need any external DLL files. Make sure to define 'CURL_STATICLIB' in your Preprocessor Definitions. If you are having linker errors, try going to your Project Properties -> Linker -> Additional Dependencies in your Visual Studio project. Add the following: libcurl.lib libeay32.lib ssleay32.lib ws2_32.lib wldap32.lib You should be good to go after this. Example source for Visual Studio 2013.. #include "stdafx.h" #include <windows.h> #include <stdio.h> #include <curl\curl.h> int main(void) { CURL *curl; CURLcode res; curl = curl_easy_init(); if (curl) { curl_easy_setopt(curl, CURLOPT_URL, "http://example.com"); /* example.com is redirected, so we tell libcurl to follow redirection */ curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); /* Perform the request, res will get the return code */ res = curl_easy_perform(curl); /* Check for errors */ if (res != CURLE_OK) fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res)); /* always cleanup */ curl_easy_cleanup(curl); } return 0; } References: http://developer.covenanteyes.com/building-openssl-for-visual-studio/ Source: sludg3 @ TF

In prezent atat piata cat si ansamblul domeniului dezvoltarii software a atins un punct de saturatie. Cu ce ne avantajeaza acest lucru? In primul rand la orice ne-am gandi sa dezvoltam, cineva, mai mult ca sigur s-a gandit inaintea noastra si are deja o varianta functionala(chiar si in stadiile alfa sau beta). Exista numeroase bibilioteci care ne permit dezvoltarea rapida si facila a noi module software. Cateva dintre acestea sunt C++ boost, C++ poco si opencv de asemenea pentru C++. Etapele urmatoare au fost realizate pe o platforma Win 7 x64 impreuna cu Visual Studio 2010. Boost poate fi gasita aici: Boost C++ Libraries Pentru compilare trebuie sa efectuam urmatorii pasi: Dezarhivam boost intr-un nou director. Lansam in executie un command promp(x64) dupa care navigam in directorul unde am extras arhiva Rulam bootstrap.bat Rulam b2 toolset=msvc-12.0 --build-type=complete --libdir=C:\Boost\lib\x64 architecture=x86 address-model=64 install Pentru Visual Studio 2012, folosim toolset=msvc-11.0 Pentru Visual Studio 2012, folosim toolset=msvc-10.0 Adaugam C:\Boost\include\boost-(versiune_boost) in include path in visual studio Adaugam C:\Boost\lib\x64 in libs path. Visual Studio are unele dificultati in ceea ce priveste incarcarea bibliotecilor, atat celor statice(.lib) cat si ale celor dinamice(.dll): fiecare versiune Visual Studio(2005, 2008, 2009, 2010, 2012) poate incarca biblioteci compilate cu aceiasi versiune(nu putem folosi o biblioteca compilata cu VS2005 intr-un proiect VS2010 un executabil x86(32-bit) nu poate incarca biblioteci x64 un executabil x64 nu poate incarca biblioteci x86 un executabil compilat ca si Release nu poate incarca biblioteci compilate ca si Debug un executabil compilat ca si Debug nu poate incarca biblioteci compilate ca si Release alte combinari ale regulilor de mai sus Poco se gaseste aici: Download | POCO C++ Libraries Pentru a compila biblioteca urmam pasii de mai jos: Dezarhivam arhiva(de exemplu in C:\poco) Deschidem o consola(cmd prompt) si navigam in directorul respectiv Rulam "build_vs100.cmd" Este util sa observam si optiunile pe care le avem la compilare(destinatia fisierelor binare si tipul acestora: debug sau release. Noua, de regula, ne trebuiesc ambele). opencv se gaseste aici: DOWNLOADS | OpenCV Aplicatie vine cu un installer care nu necesita o instalare/configurare detaliata(este de tipul Next->Next->...->Done) Exemple de tutoriale boost(din perspectiva transmiterea datelor prin retele) pot fi gasite aici: Tutorial - 1.40.0 Cateva exemple de tutoriale Poco se gasesc aici: Learning Poco: Getting started with threads - CodeProject Index of /slides Pentru a dezvolta aplicatii intr-un mod rapid putem recicla secvente de cod din cadrul altor module. O lista de site-uri care sunt dedicate stocarii de cod sursa se gaseste mai jos: http://freshmeat.net/ http://sourceforge.net/ http://www.codeproject.com http://osliving.com/ http://www.opensourcewindows.org/ http://www.fsf.org/