In this episode I explain and then start to add HTTP Basic Authentication to the Saturday MP website which is a Ruby on Rails application hosted on a Passenger Docker image. As usual I ran into some trouble and at the end of the video figured out I should use the envsubst command to dynamically set the Basic Auth, and other values, in the NGINX config.
Found this video useful? Then help others find it by liking, subscribing, and sharing.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
In this episode I find the root flag for the Busqueda machine on Hack the Box. Took a wrong turn looking for Gitea and Git vulnerabilities but eventually found the root flag with help from the walkthrough.
Watch part 2 of me hacking the Busqueda machine:
Thanks to Hack the Box for creating a playground for myself, and others, to learn cyber security skills. Thanks to kavigihan for creating the Busqueda machine.
Found this video useful? Then help others find it by sharing it.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
Thanks to victorajayi9056 for asking the question. Thanks to Docker for creating Docker. That sounded weird. Anyway it has been an invaluable tool for creating development environments for my clients.
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
In this episode I get a reverse shell working and make some progress on capturing the root flag. Spoiler: There is a self hosted GitHub like website.
Watch part 1 of me hacking the Busqueda machine at:
Thanks to Hack The Box for creating a playground for myself, and others, to learn cyber security skills. Thanks to kavigihan for creating the Busqueda machine:
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
One of the most common security issues I in code reviews is sensitive information, such as production credentials, API keys, etc, in the source code. The source code I just pulled from the repository. The source code all the developers before me have also pulled down to their local computers. Developers who might not work at the company anymore.
Most people are honest and won’t do anything bad with the information but there are exceptions. Even if developer is honest they might accidently expose the sensitive information such as a stolen laptop or their home network getting compromised.
Some examples of sensitive information I’ve seen:
AWS Simple Email Service (SES) key: This can be used by others to send email as if they are your company. I’ve seen it used by spammers and once AWS notices they will disable your SES account until you can prove to them the problem is fixed.
Production Database credentials: Often this is not a high priority issue because the database is usually not publicly accessible (i.e. behind a firewall) but in one case the production database was accessible on the internet.
FTP credentials to Government Services: Attackers could upload malicious files as if they where company in question.
Private SSH for Production: With this key anyone can log into to production but also pretend to be the production server.
For local development developers shouldn’t need access to the production environments. Instead they should setup the services they need access to on their local development environment such as a local development database.
For 3rd party services that can’t be installed or mimcied locally developers should be given access to a test/development copy. For example, a test S3 bucket instead of production.
Applications should read sensitive information from environment variables. Most frameworks provide a way to store environment variables in a file, usually called .env, and read this file when the application starts. This file contains key-value pairs and looks like:
The .env should never be committed to the repository and ideally added to the .gitignore or equivalent. Instead I recommended committing a .example.env file to the repository which has all the keys expected but not the values. At least not the production values, but possibly some development values. When a developer first sets up their development environment they copy the .env.example to .env and fill in the missing values that they find in the password manager:
DB_USER=devuser
DB_PASSWORD=<local db password>
DB_SERVER=localhost
DB_NAME=dev_db
AWS_S3_BUCKET=test-bucket.s3.us-east.amazonaws.com
AWS_S3_BUCKET_KEY=<get from password manager>
AWS_S3_BUCKET_SECRET=<get from password manager>
How to fix the problem?
Unfortunately you can’t just remove the sensitive information because it is still viewable in the repository history. Also, it might also exist on others that have forked the repository.
If there are multiple credentials you need to remove then pick one and do the following:
Add the sensitive information to your password or secret manager.
Setup a .env file, or something similar, if it does not exist.
Move the sensitive information to the .env file.
Do a release to test you have the sensitive information migrated correctly. You will need to add the sensitive information to the staging/production environment variables or files.
Change the sensitive information (change password, regenerate API key, etc). This should only require an update to the system and the environment variable in production.
Repeat the above steps for the next piece of sensitive information until they are all removed from the respository.
P.S. – Not related to the above post. I’m just really like the new Blink-182 album.
Do I have to die to hear you miss me Do I have to die to hear you say goodbye I don’t want to act like there’s tomorrow I don’t want to wait to do this one more time One more time, one more, one more time, one more time
Posted inSecurity|Taggedcredentials, security|Comments Off on Don’t Commit Sensitive Information to the Repository
In this episode I find the user flag for the Busqueda machine on Hack the Box. Perhaps with a little help from the walkthrough and Chat GPT to assist with my lack of Python knowledge.
Thanks to Hack the Box for creating a playground for myself, and others, to learn cyber security skills. Thanks to kavigihan for creating the Busqueda machine.
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
Custom software is expensive to build and usually delivered late and overbudget. Custom software, like a garden, needs to maintained and frequently updated. Especially for security updates. Everyone, well almost everyone, forgets to budget time and money for maintenance.
Before getting custom software built you should check for an existing solution. I’m willing to bet something does exist. Don’t get hung up on the 10% the custom software can’t do. Look at the 90% of the problem it does solve.
Get custom software built when it will save you more time and/or money then existing solution. When your business has outgrown the existing solutions. When it makes sense.
In this episode I try out the new Docker Compose Watch developer feature that synchronizes files on the host and the container. Similar to Docker Volumes. It won’t replace Docker Volumes for for me, at least not yet. Are you using, or thinking about using, Watch?
I did encounter a known bug where Docker Watch won’t run again after a Ctrl-C stop. You can find a workaround for the issue here.
Thanks to Docker for creating Docker. That sounded weird. Anyway it has been an invaluable tool for creating development environments for my clients.
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
This book has a lot of stories that include a police stop gone wrong, pyramid scheme, Cuban spies, drinking, sexual assault, and torture. A bit hard to follow all the different stories and pick out a theme for the book. At least for me.
My biggest takeaway was finding the balance between trust and doubt. The book points out that most humans are wired to trust by default. We believe what others say and this trust can override nagging doubts.
At first this seems like a bad thing that we humans are so trusting but the book does a good job of highlighting an example of someone who has doubts by default. In the story about Bernie Madoff, who ran the largest Ponzi scheme in history, Harry Markopolos noticed right away that something was wrong with Madoff’s investments but had trouble convincing people. He started getting paranoid and not trusting anyone which, from my take, made it harder from him to find people to report his suspicions of Madoff too and likely made it hard for the people he did contact to believe him. The chapter ends with the lines:
Then he [Markopolos] dug out his gas mask from his army days. What if they came in using tear gas? He sat at home, guns at the ready – while the rest of us calmly went about our business.
I am too trusting by default and got burned a couple times. For example, contractors working on our home. I ignored the signs and ended up with a partially completed basement reno with lots of problems I had to fix myself or hire someone else to fix.
This book was good reminder to listen to my gut feel that something is not right. Politely but firmly push back and verify if my gut feelings are correct or not. Especially for items that will have a big impact on my life, such as expensive renovation. Just don’t take it too far so I mistrust everyone and end up holed up in my house with guns at the ready.
I finally create the PR for Standard Ruby Linter Bug I’ve been working on the base several videos and months. I also fix the merge conflict noticed in the previous video.
Read about the bug I’m trying to fix here and the PR here.
Thanks to Test Double for creating Standard! It is a great linter for Ruby projects.
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Comment, DM me, or send an email to ask@saturdaymp.com.
