S3 Bucket Security: More Than ACLs and Policies

Many companies are suffering data breaches because attackers gain access to data in AWS S3 buckets. I don’t want to repeat all the news articles outlining all the S3 data breaches. A Google search will give many examples, and it seems like by the time I write this another one will be in the news. Instead, I’d like to jump to why these S3 bucket breaches are happening and how to securely store data in an S3 bucket.

https://www.secplicity.org/2017/10/13/s3-bucket-security-acls-policies/amp/


5 Handy ‘Serverless’ APIs for Web Development

Why spend time building things that you can buy or rent?

For those who have never heard of the term “BaaS” before, it stands for “Backend as a Service” and refers to third-party API services that can be integrated into your applications to build out specific functionality quickly.

For example, imagine how much work it’d take your team to build a single sign-on service for your product along with an admin interface for provisioning and managing user permissions. Sound like a pain? Well good news, there are plenty of services that you can drop-in to achieve this without writing a single line of server code.

In fact, these days there are a number of successful companies who have been able to produce compelling products with barely any of their own server-side code.

In this article, we’ll introduce five API service providers that address common features and take a look at how they work.

https://thenewstack.io/5-handy-api-services-web-development/

Run your own OAuth2 server

In this guide, you will set up a hardened, fully functional OAuth 2.0 (OAuth2) server. It will take you about 15 minutes. This guide is for you if you are looking to do something like in the gif on the right, or more specifically:

  • You want to use OAuth2 for API security.
  • You want to open up your API to third party developers like Dropbox, or GitHub.
  • You want to become an identity provider like Google, Facebook, or Twitter.
  • You need to federate (delegate) authentication or authorization.

We will use ORY Hydra (open source), a security-first OAuth2 and OpenID Connect server written in Golang.

https://www.ory.am/run-oauth2-server-open-source-api-security.html

Node.js Express API Development Security Checklist

The folks at RisingStack have published a really good article on security in Node.js applications and this checklist is meant to complement it with specifics for API development using the express framework.

  • [ ] Secure headers: use helmet, especially to set the Strict-Transport-Security header, which tells browsers to use HTTPS for every subsequent connection to your host. Also see here on how to set up HTTPS using a free certificate from Let's Encrypt.
  • [ ] Log all errors but don't expose stack traces to the client.
  • [ ] Rate limit API calls to protect against DoS and brute-force attacks. You can use express-rate-limit.
  • Sanitize all user input
    • [ ] SQL injection: use parameterized queries (prepared statements) instead of concatenating user input into the query text. For example:
      app.get('/', function(req, res) {
        // Promise.using and queryAsync assume a bluebird-promisified mysql connection
        Promise.using(getSqlConnection(), function(connection) {
          // VULNERABLE: user input is concatenated straight into the query text
          var sql = 'SELECT * from users where id = "' + req.query.username + '"';
          return connection.queryAsync(sql)
            .then(function(rows) {
              res.json(rows);
            });
        });
      });

      can be hijacked with /?username=anything%22%20OR%20%22x%22%3D%22x (which decodes to anything" OR "x"="x), resulting in the following SQL query being executed: SELECT * from users where id = "anything" OR "x"="x". The OR clause is always true, so the query returns every user in the system. The same technique can be extended to do a lot more damage (UNION queries, stacked statements, writes).

    • [ ] XSS: prevent an attacker from injecting script into your pages by encoding user input before it is placed into HTML (and validating it on the way in). For example, the following endpoint reflects user input straight into the response:
      app.get('/', function(req, res) {
        var html = 'Hello ' + req.query.username;
        res.send(html);
      });

      can be hijacked with a URL such as /?username=%3Cbody%20onload%3Dalert(%27test1%27)%3E (which decodes to <body onload=alert('test1')>). That link can then be sent to unsuspecting users of your website, and the attacker's script runs in their browser with the privileges of your origin. See here for more types of XSS attacks and examples.

    • [ ] Command injection: if a parameter ends up in a shell command (for example via child_process.exec), a URL like https://example.com/downloads?file=user1.txt could be turned into https://example.com/downloads?file=%3Bcat%20/etc/passwd (which decodes to ;cat /etc/passwd). Prefer execFile with an argument array over exec with a string, and validate filenames against an allow-list.
    • [ ] MongoDB query injection: similar to SQL injection but using MongoDB's query operators instead. As an example, consider the following endpoint, which passes request body values straight into the query:
      app.post('/', function (req, res) {
        db.users.find({username: req.body.username, password: req.body.password}, function (err, users) {
            // TODO: handle the rest
        });
      });

      where sending in

      POST http://target/ HTTP/1.1
      Content-Type: application/json
      
      {
          "username": "vic@smalldata.tech",
          "password": {"$gt": ""}
      }
      

      will match any user with that username whose password is a non-empty string, because {"$gt": ""} is interpreted as a query operator rather than a literal value. Use express-mongo-sanitize to strip operator keys from all user input, and check that credentials are strings before querying.

    • [ ] Regex Denial of Service: a vulnerable regular expression run against crafted user input (or a user-supplied regex) can take exponential time, blocking the event loop and hanging the application. See here for examples.
  • [ ] Use TLS for all connections. Also see here on how to set up HTTPS using a free certificate from Let's Encrypt.
  • [ ] Keep dependencies updated to stay ahead of any security issues. Use nsp to check dependencies for known vulnerabilities (nsp has since been folded into npm audit). Another great platform for open source projects is snyk.io.
  • [ ] Check for permissions at every step of the API chain: for example, GET /users/:userId/contacts/:contactId should not assume that the user authenticated for the request is also authorized to make this call. Check that request.params.userId === request.authenticatedUserId, or consult an authorization function such as isAuthorized(authenticatedUserId, {userId: request.params.userId, resource: 'CONTACTS'}).
  • [ ] Don't block the event loop: for example, parsing JSON is not a free operation and can block the event loop for large payloads (> 1 MB). Note that using body-parser's json() globally gives you a default maximum of 100kb for JSON payloads. It is more efficient to apply it only on the routes that require it.
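The following is an added example, not code from the checklist author, showing hardened counterparts of the three injection items above (SQL, XSS, MongoDB). It is written as plain functions so it runs without Express or a database; the "?" placeholder assumes a driver such as mysql/mysql2 that binds parameters, and mongoMatches is a constructed stand-in for Mongo's matcher, included only to show why the {"$gt": ""} payload matches.

```javascript
// Added example (not from the checklist author): hardened forms of the SQL, XSS
// and MongoDB injection items, runnable without Express or a database.

// --- SQL: keep user input out of the query text and pass it as a bound parameter.
// Assumes a driver like mysql/mysql2 that substitutes each "?" with an escaped value.
function userByIdQuery(username) {
  return { sql: 'SELECT * FROM users WHERE id = ?', params: [username] };
}

// The checklist's vulnerable construction, kept for contrast: input becomes SQL.
function userByIdQueryUnsafe(username) {
  return 'SELECT * from users where id = "' + username + '"';
}

// --- XSS: encode on the way into HTML instead of trying to strip input.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function greeting(username) {
  return 'Hello ' + escapeHtml(username);
}

// --- MongoDB: a query object built from req.body must not carry operators.
// Strip every key starting with "$" (the approach express-mongo-sanitize takes),
// and additionally require credentials to be strings so the {"$gt": ""} payload
// fails even on a route where sanitisation was forgotten.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) clean[k] = stripOperators(v);
    }
    return clean;
  }
  return value;
}

function loginQuery(body) {
  const { username, password } = stripOperators(body);
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Constructed stand-in for Mongo's matcher: enough to show why {"$gt": ""} matches
// any non-empty stored value (a real login would compare password hashes).
function mongoMatches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (cond && typeof cond === 'object' && '$gt' in cond) return doc[field] > cond.$gt;
    return doc[field] === cond;
  });
}

// Constructed sample record and the payloads quoted in the checklist.
const sampleUser = { username: 'vic@smalldata.tech', password: 'hunter2-hashed' };
const operatorPayload = { username: 'vic@smalldata.tech', password: { $gt: '' } };
```

Note that stripOperators returns a copy rather than mutating the request body, so the original payload stays available for logging; the string check in loginQuery is the layer that actually closes the hole shown in the checklist, since an object value can never equal a stored string.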
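The rate-limiting and per-route permission items above can be exercised together with the following added example (not the checklist author's code, and not express-rate-limit itself). It implements a fixed-window rate limiter and an ownership check for GET /users/:userId/contacts/:contactId as Express-style middlewares, with a tiny chain runner so it works without Express. The names req.authenticatedUserId, req.ip, isAuthorized and the admin policy are assumptions made for the demo.

```javascript
// Added example (not from the checklist author): fixed-window rate limiting and
// a per-route ownership check as Express-style (req, res, next) middlewares.

// Minimal stand-in for Express's router: runs middlewares in order; each one
// calls next() to continue, next(err) to fail, or sends a response and stops.
function runChain(req, middlewares) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; return this; },
  };
  let i = 0;
  const next = (err) => {
    if (err) { res.status(err.status || 500).send(err.message); return; }
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res;
}

// Fixed-window limiter keyed by client IP (express-rate-limit's default key).
// `now` is injectable so the window boundary can be tested deterministically.
function rateLimit({ windowMs, max, now = Date.now }) {
  const hits = new Map(); // ip -> { count, windowStart }
  return function limiter(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      res.status(429).send('Too Many Requests');
      return; // deliberately not calling next(): the request ends here
    }
    next();
  };
}

// Ownership check for /users/:userId/contacts/:contactId: the caller must be the
// user named in the path, or be explicitly authorized for that user's contacts.
// req.authenticatedUserId is assumed to have been set by an earlier auth middleware.
function requireContactAccess(isAuthorized) {
  return function check(req, res, next) {
    const { userId } = req.params;
    const caller = req.authenticatedUserId;
    if (caller === userId || isAuthorized(caller, { userId, resource: 'CONTACTS' })) {
      return next();
    }
    res.status(403).send('Forbidden');
  };
}

// Constructed policy for the demo: admins may read anyone's contacts.
const admins = new Set(['admin-1']);
function isAuthorized(callerId, { userId, resource }) {
  return resource === 'CONTACTS' && admins.has(callerId);
}

function contactsHandler(req, res) {
  res.status(200).send('contacts of ' + req.params.userId);
}

// Simulates one request through limiter -> ownership check -> handler.
function handleRequest(req, limiter) {
  return runChain(req, [limiter, requireContactAccess(isAuthorized), contactsHandler]);
}
```

The limiter runs first so that an unauthorized caller hammering the endpoint still consumes their quota, and the ownership check compares the path parameter against the authenticated identity rather than trusting any id the client supplies in the body.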

Please note that this checklist is meant to be used as a reference for further study. It is by no means an exhaustive list of all potential security issues. See also the web developer security checklist. Additions and comments are welcome.

https://smalldata.tech/blog/2017/05/19/nodejs-express-api-development-security-checklist

A Guide to Crypto Currencies

This guide is meant to serve as both an easy-to-understand introduction to the world of cryptocurrencies as well as an insightful view into the different projects competing for your investments and market dominance and a look at the underlying technology, history and trends.

For many years Bitcoin would occasionally appear in the media after it spiked in price. I didn’t think there was anything inherently useful about it. I thought it was a novelty, a ponzi scheme, hysteria. It was only after the most recent price spike in another cryptocurrency, Ethereum, that the crazy returns finally tempted me. What started out as a skeptical look into a get-rich-quick scheme led me down a rabbit hole and my mind was promptly blown at the potential of the technology. The hype surrounding it is nothing short of mania, but it’s not without merit. Cryptocurrencies will almost certainly revolutionize everything from insurance, logistics and the stock market to ownership and even create entire economies which don’t currently exist. You may feel skeptical when hearing something so optimistic but when banks, governments and research institutions start to take notice and want to work with these projects maybe it’s time we paid some attention.

Many of you reading may be likening the current craze with the dotcom bubble and I’m afraid I absolutely agree with you. The speculation surrounding cryptocurrencies and the ease with which the average person can invest has created an environment where an idea can raise hundreds of millions of dollars without even a proof of concept. This is part of the reason this guide was written, to steer you clear of these massively overvalued “pet.com” equivalents and towards the future Amazons and Googles.

https://mycrypto.guide/

Building Business Systems with Domain-Specific Languages for NGINX & OpenResty

This post is adapted from a presentation at nginx.conf 2016 by Yichun Zhang, Founder and CEO of OpenResty, Inc. This is the first of two parts of the adaptation. In this part, Yichun describes OpenResty’s capabilities and goes over web application use cases built atop OpenResty. In Part 2, Yichun looks at what a domain-specific language is in more detail.

You can view the complete presentation on YouTube.

https://www.nginx.com/blog/building-business-systems-with-domain-specific-languages-for-nginx-openresty-part-1/
https://www.nginx.com/blog/building-business-systems-with-domain-specific-languages-for-nginx-openresty-part-2/

Let’s Encrypt and Google App Engine in 2017

So yesterday I set out to protect my Google App Engine (GAE) API with HTTPS. I had already set up my Google App Engine instance. I was vaguely familiar with Let’s Encrypt (https://letsencrypt.org/), although I had never used it. I also had a basic grasp of cryptographic primitives used in encryption and certificates.

There are a lot of blog posts out there about this along with a bunch of StackOverflow posts, all with varying instructions. The official ones by Google seem outdated, and the only thing I could find on Let’s Encrypt side was a bug saying something along the lines of “plz add support for GAE”. I tried a few, and by combining steps in some of them (and a lot of frustration and eventually-resolved confusion) I got it to work. I’m writing up this blog post primarily for myself (so that when I need to re-encrypt in a few months I know how), but hopefully someone out there might find it useful.

https://medium.com/google-cloud/lets-encrypt-and-google-app-engine-in-2017-7cfe0928768e