Do you feel secure? I feel something. Something else.



  • Found this in some production code:

    using System.Web.Security;            // Membership
    using System.Web.Services.Protocols;  // SoapException

    namespace OurCompany.OurApplication.WebServices
    {
        public class SecurityManager
        {
            public static void AuthenticateUser(ApplicationUser pApplicationUser)
            {
                INamingContext context = NamingContextFactory.CreateContext();

                // The credential check below is commented out, so every call "succeeds":
                //if (!Membership.Provider.ValidateUser(pApplicationUser.UserName, pApplicationUser.Password))
                //{
                //  context.Log("User authentication failed for user - " + pApplicationUser.UserName + " MachineID: " + pApplicationUser.MachineId, null, LogLevel.Warning);
                //  throw new SoapException("Unauthorized user, access denied.", SoapException.ServerFaultCode);
                //}
                //else
                //{

                context.Log("User authentication succeeded for user - " + pApplicationUser.UserName + " MachineID: " + pApplicationUser.MachineId, null, LogLevel.Debug);

                //}
            }
        }
    }

    Okay, it's a web service on a secure machine behind the firewall that only we can get to and it might have some security on the web server that only allows traffic to our specified client servers and applications but GAWD DAMN IT!!


  • Someone did a Ted Talk on this situation once IIRC. It was about someone at google turning off authentication and the world summarily ending because of it.



  • Did you also check on the website side? Maybe they've moved on to Windows credential-based authentication and that eliminates the need to do actual authentication on the web service. The method is not removed, presumably to create the log entry.

    Btw, if they really need to do authentication through the webservice, it should return an authentication token instead and require all other web methods to pass in the token to access.



  • "ticket", not "token". But yes, that's where I'd go next, and leave a comment in the source code about that.



  • Could one of you guys point me in the direction of how to go about using that ticket thing? A link or a general search term I could use would be appreciated.



  • @TwelveBaud said:

    "ticket", not "token".

    Yeah, tokens are for buses; you need a ticket to ride this train wreck.



  • @SteamBoat said:

    Could one of you guys point me in the direction of how to go about using that ticket thing?

    Please don't write your own security infrastructure. Use something that's resistant to replay attacks, padding oracles, MITM, and the 7000 other things that can go wrong when rolling your own security.



  • Maybe, but as long as you protect the transportation through HTTPS, I think even a simple method like "store list of issued GUID based tokenticket with expiry time in static List of your custom defined class" will do. This is also roughly what the .NET runtime does when you store your session in SQL server.

    After all, if the attacker can break the security offered by HTTPS, they already have access to the inner network of the server environment. I think a more complicated method (like OTP token generation with shared secret) could be overkill and should only be employed when you know the web service could be exposed to the public.
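    As an added illustration of the two suggestions above (authenticate once, return a ticket, and require it on every other web method; keep issued tickets with an expiry time in a server-side store), here is a small C# sketch. It is not code from this thread, nor the .NET runtime's own session implementation, and it runs on nothing more than the base class library. `TicketStore`, `SecureService`, `GetReport` and the `ValidateCredentials` stand-in for `Membership.Provider.ValidateUser` are all assumed names for the example.

    ```csharp
    // Added example (not the thread's code): an opaque session ticket store for a
    // web service. AuthenticateUser returns a ticket; every other method takes the
    // ticket and refuses to run unless it validates and has not expired.
    using System;
    using System.Collections.Concurrent;
    using System.Security.Cryptography;

    public sealed class TicketStore
    {
        private sealed class Entry
        {
            public string UserName;
            public DateTime ExpiresUtc;
        }

        private readonly ConcurrentDictionary<string, Entry> _tickets =
            new ConcurrentDictionary<string, Entry>();
        private readonly TimeSpan _lifetime;
        private readonly Func<DateTime> _clock;

        // The clock is injectable so expiry can be exercised deterministically.
        public TicketStore(TimeSpan lifetime, Func<DateTime> clock = null)
        {
            _lifetime = lifetime;
            _clock = clock ?? (() => DateTime.UtcNow);
        }

        // Issue a fresh ticket: 32 bytes from the CSPRNG, base64url-encoded so it is
        // safe to pass as a string parameter. Guid.NewGuid() is not documented as
        // cryptographically random, so it is deliberately not used as the secret.
        public string Issue(string userName)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            string ticket = Convert.ToBase64String(bytes)
                .TrimEnd('=').Replace('+', '-').Replace('/', '_');
            _tickets[ticket] = new Entry { UserName = userName, ExpiresUtc = _clock() + _lifetime };
            return ticket;
        }

        // Returns the user name for a known, unexpired ticket; otherwise null.
        // An expired ticket is dropped from the store as soon as it is seen.
        public string Validate(string ticket)
        {
            if (string.IsNullOrEmpty(ticket)) return null;
            Entry entry;
            if (!_tickets.TryGetValue(ticket, out entry)) return null;
            if (_clock() >= entry.ExpiresUtc)
            {
                Entry removed;
                _tickets.TryRemove(ticket, out removed);
                return null;
            }
            return entry.UserName;
        }

        // Explicit logout.
        public bool Revoke(string ticket)
        {
            Entry removed;
            return _tickets.TryRemove(ticket, out removed);
        }

        // Periodic sweep so abandoned tickets do not accumulate in a static store.
        public int Sweep()
        {
            int removed = 0;
            DateTime now = _clock();
            foreach (var kv in _tickets)
            {
                Entry e;
                if (now >= kv.Value.ExpiresUtc && _tickets.TryRemove(kv.Key, out e)) removed++;
            }
            return removed;
        }
    }

    public static class SecureService
    {
        private static readonly TicketStore Tickets = new TicketStore(TimeSpan.FromMinutes(20));

        public static string AuthenticateUser(string userName, string password)
        {
            if (!ValidateCredentials(userName, password))
                throw new UnauthorizedAccessException("Unauthorized user, access denied.");
            return Tickets.Issue(userName);
        }

        // Every other web method starts with the same check.
        public static string GetReport(string ticket)
        {
            string user = Tickets.Validate(ticket);
            if (user == null)
                throw new UnauthorizedAccessException("Missing, unknown or expired ticket.");
            return "report for " + user;
        }

        // Constructed stand-in for Membership.Provider.ValidateUser so the example runs alone.
        private static bool ValidateCredentials(string userName, string password)
        {
            return userName == "alice" && password == "correct horse";
        }
    }
    ```

    The ticket is opaque and random rather than derived from anything the client knows, so the only thing an attacker can do with the scheme itself is guess 256 bits; as cheong says, what actually protects it in transit is HTTPS, and the store lives only as long as the process, which is the same trade-off an in-memory session state makes.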



  • :facepalm: I saw the OP this afternoon, and couldn't figure out what was wrong with the code.

    So I just checked back now and finally spotted the //comments.

    I guess I don't win the ninja-code-reviewer badge :rolleyes:



  • @cheong said:

    token ticket
    :facepalm:

    In Kerberos, which is Windows Integrated Authentication and some weird Unixy thing, they're tickets.

    In pretty much every other case, such as JWT or OAuth or "bearer" or whatever, they're tokens.

    No, I don't know why.


  • @TwelveBaud said in Do you feel secure? I feel something. Something else.:

    In Kerberos, which is Windows Integrated Authentication and some weird Unixy thing, they're tickets.

    It's used with AFS, which is one of the saner networked filesystems (because it was written by someone who actually knows what sort of shit can happen on networks). The main problem with it, as with all Kerberos-based systems, is that federating across organisations is a PITA.

    Also, our Active Directory team have turned Kerberos off in our deployment.



  • @skotl said in Do you feel secure? I feel something. Something else.:

    :facepalm: I saw the OP this afternoon, and couldn't figure out what was wrong with the code.

    So I just checked back now and finally spotted the //comments.

    I guess I don't win the ninja-code-reviewer badge :rolleyes:

    Why is //comments a link?



  • @aliceif because it is a valid url in html hrefs?



  • @Tsaukpaetra said in Do you feel secure? I feel something. Something else.:

    someone at google turning off authentication and the world summarily ending because of it

    That was Tom Scott, I think.
    Single Point of Failure: The (Fictional) Day Google Forgot To Check Passwords – 13:05
    — Tom Scott

