Google chrome v 105 cookie changes - google-chrome

I use a decryption method to decrypt the encrypted_value from the Google Chrome cookie database for certain records.
This worked very well until version 104. Now, with version 105, decrypting it using BCryptOpenAlgorithmProvider and BCryptSetProperty fails: BCryptGenerateSymmetricKey returns -1073741811 when it should return 0. I am unsure which changes they made to the cookie value and can't find information about it.
Does anyone have any hints on what's changed?

Never mind, I found the reason. I am using the os_crypt value from the Local State file (a JSON file) to do the decryption, and I see that the
os_crypt key now has two subkeys, "app_bound_fixed_data" and "encrypted_key".
So I need to change my JSON read method and look for the subkey if it exists.

F5 irule in a script from console

We've got some user data stored in LDAP that has been "encrypted" by an iRule with the AES::Encrypt function. We now find we need to use the encrypted value elsewhere.
We need to decrypt and re-encrypt it because the Encrypt uses AES-CWC, which appears to be virtually unused anywhere else. So we really need the F5's own code to decrypt it.
I was hoping to run a script from the console or TMOS. I can run the tcl UI, but somehow need to "import" the code to do the AES functions. Is there an easy way to make a tcl session work like it does in the iRules, or a path where the iRule functions are stored?
(And no, I can't get the F5 to provide the decrypted value to the app with an API (if there is one). The other app is querying LDAP, and can happily decode AES-CBC, but not CWC. And we can't wait for the users to log in and re-encrypt with a different iRule when they do. It needs to be fixed "now"!)

Unable to delete specific named cookie (Selenium WebDriver, C#, Chrome)

A number of my tests use a DeleteCookies method which does this:
chromeDriver.Manage().Cookies.DeleteAllCookies();
This was great until today, when one of the tests made the app take exception:
The required anti-forgery cookie "__RequestVerificationToken" is not present.
So I decided to delete the specific cookie in question, rather than all of them:
chromeDriver.Manage().Cookies.DeleteCookieNamed("user%40user.com");
The specified cookie was not deleted.
To verify DeleteCookieNamed actually worked at all, I deleted two of the other cookies the app creates and it worked.
When a user logs in, the app sets the name of the cookie to their username (in this case, user#user.com), but presumably due to URL encoding, changes # to %40.
The cookies that did delete didn't contain %40.
If it was the case that you can't delete cookies where the name contains %40, then DeleteAllCookies wouldn't have worked. Therefore I suspect my targeted cookie has dependencies, similar to how foreign key constraints work in relational databases, such that I need to delete one or more other cookies in a specific order before I can delete the specified one.
A cursory glance at Google provides me with instructions on how to delete cookies in Chrome, rather than how Chrome deletes cookies. Joy. I've run out of time today; do you have any insights, please?
The way I got round this issue when I had it was to create the cookie through selenium, and then I was able to delete it. I did find it easier though not to use the # in the cookie names. Hope that helps.
This seems an appropriate work-around for my particular situation - run the CanLogIn test last, using a Playlist:
https://stackoverflow.com/a/29039261/1875540
Use Chrome DevTools:
https://chromedevtools.github.io/devtools-protocol/tot/Network/#method-deleteCookies
The code will be like this:
using System.Collections.Generic;
using OpenQA.Selenium.Chrome;
var driver = new ChromeDriver();
var parameters = new Dictionary<string, object>
{
    ["name"] = "user%40user.com"   // collection-initializer entries are separated by commas, not semicolons
};
driver.ExecuteChromeCommand("Network.deleteCookies", parameters);
You can do this with Selenium DevTools as well. But since they have some problems with integrations, and you may need to upgrade the library after every Google update, using the above code can be more efficient and easier.

AWS SSM Parameter Store: How can I edit multi-line "SecureString" values using the console?

Currently, I use a single SSM parameter to store a set of properties separated by newlines, like this:
property1=value1
property2=value2
property3=value3
(I am aware of the 4K size limit, it's fine.)
This works well, for normal String type parameters that store non-sensitive information like environment configuration, but I'd also like to do similar for secrets using the SecureString parameter type.
The problem is that I can't edit the parameter value in the console because it's using an HTML input field of type="password" that doesn't handle newlines.
The multi-line value works fine with the actual parameter store backend - I can set a value with multiple lines with the SSM API no problem and they can be read with the EC2 CLI properly too.
But I can't edit them using the console. This is a problem because the whole point of using a SecureString parameter is that I intend the only place to edit/view these secrets to be via the console (so that permissions are controlled and access is audited).
There are a few infrastructure workarounds I could implement (one parameter for each secret, store the secrets on S3 or another secret-storing service, etc.) but they all have drawbacks. I'm just trying to find out if there's a way around this using the console.
Is there any way I can work around this and use the console to edit multi-line SecureString parameters?
Any kind of browser workaround or hack that I might be able to use to tell the browser to use a textarea instead of a "password" type field?
I'm using Chrome, but I'd be happy to work around this by using another browser or something (editing the secrets is pretty rare, and viewing multi-line values in the console works fine).
EDIT
After posting this question, AWS notified me there was a whole new "AWS Systems Manager" UI, but it still has the same problem - I tried the below browser hacks on this new UI, but no luck.
Failed browser hack attempt 1: I tried opening the browser console, running document.getElementById("Value").value = "value1\nvalue2" and then clicking the save button, which set the value I injected, but the newline was filtered out.
Failed browser hack attempt 2: I tried using the browser inspector to change the element to a TextArea and then typed in two lines of input and clicked save, but that didn't set the value at all.
From https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-file, I learned you can pass a file as the --value argument. So if your file is called secrets.properties, you can do this:
aws ssm put-parameter --type SecureString --name secrets --value file://secrets.properties
I found a way to do it, but it's too much effort and too weird - if anyone can find a simpler way, I will mark that as the answer.
The hacky workaround is to install the "Tamper Chrome" extension + app, then capture the XHR request as the browser sends it and edit the new lines into the JSON.
Blech. Plus "Tamper Chrome" is pretty awful, I don't want to run it on my machine.
It might be better to use the new Secrets Manager that was launched recently. The interface for it is very close to Parameter Store, but it has better support for multiple parameters in one place.
I wonder if the change in the console was due to the expected release of the service, since they have a pricing model around secrets whereas Parameter Store is free.
In the end, I decided the answer to this question is "don't do that". Not that I would've wanted to hear that when I was trying to make it work.
You should use a separate SSM param per secret for these reasons:
ability to grant permissions at a fine-grained level; e.g. you have an API password for calling your service, and a DB password for the service to talk to a DB. If you store them in the same secret you couldn't grant access to only the API password.
ability to track key access separately: the SSM access logs can only tell you that the target machine/user accessed the SSM param at that time; they won't be able to tell you which secret was accessed
ability to use separate KMS keys to encrypt
Just watch out for the fact that you can only request a max of 10 SSM params at a time.
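The one-secret-per-parameter layout above runs into the 10-names-per-call limit quickly. The following is an added example, not code from the thread, showing a fetch routine that batches names in tens and fails loudly on any parameter the service reports as invalid; `get_parameters` stands in for boto3's `ssm.get_parameters(Names=..., WithDecryption=True)`, and `FakeSsm`, the parameter names and values are constructed so it runs offline.

```python
from typing import Callable, Dict, Iterable, List

# Added example (not from the thread): read one-secret-per-parameter values while
# respecting the 10-names-per-call limit noted above. `get_parameters` stands in for
# boto3's ssm.get_parameters(Names=..., WithDecryption=True) so the function runs
# offline against FakeSsm; in real use pass the bound client method. Names and
# values below are constructed.

MAX_NAMES_PER_CALL = 10  # GetParameters rejects more than 10 names per request


def chunked(names: List[str], size: int) -> Iterable[List[str]]:
    for i in range(0, len(names), size):
        yield names[i:i + size]


def fetch_secrets(names: List[str], get_parameters: Callable[..., dict]) -> Dict[str, str]:
    """Return {name: value} for every requested parameter.

    Raises KeyError naming any parameter the service lists under InvalidParameters,
    so a missing secret fails early instead of silently becoming an empty value.
    """
    found: Dict[str, str] = {}
    missing: List[str] = []
    for batch in chunked(names, MAX_NAMES_PER_CALL):
        resp = get_parameters(Names=batch, WithDecryption=True)
        for param in resp.get("Parameters", []):
            found[param["Name"]] = param["Value"]
        missing.extend(resp.get("InvalidParameters", []))
    if missing:
        raise KeyError(f"SSM parameters not found: {sorted(missing)}")
    return found


class FakeSsm:
    """Offline stand-in for the SSM client; records every batch it receives."""

    def __init__(self, store: Dict[str, str]):
        self.store = store
        self.calls: List[List[str]] = []

    def get_parameters(self, Names: List[str], WithDecryption: bool) -> dict:
        if len(Names) > MAX_NAMES_PER_CALL:
            raise ValueError("the real API would reject this request")
        self.calls.append(list(Names))
        hits = [{"Name": n, "Value": self.store[n]} for n in Names if n in self.store]
        return {"Parameters": hits,
                "InvalidParameters": [n for n in Names if n not in self.store]}
```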
If you want, you can try my app https://github.com/ledongthuc/awssecretsmanagerui
I tried to create it to make updating multi-line and binary values easier. Hope it's helpful for your case.

Where can I see Asterisk REST recordings listing?

I have recently installed FreePBX with Asterisk included. I activated the REST interface, so I can see /ari/asterisk/info and it responds with JSON. Now I want to see all my call recordings. I configured recordings and the server saves them in wav format. That's OK, but how can I see them through JSON/REST? I tried opening /ari/asterisk/recordings, but it responds with "resource not found".
As you can see in the docs, you can use:
GET /recordings/stored/{recordingName}
EDIT: You can see the list of recordings stored with
GET /recording/stored
You are missing the point here, the ARI recordings interface isn't meant to be used with the files that you have stored via FreePBX. The recordings API is meant to allow you to manage recordings, from within a Stasis application. That means, start a recording from a Stasis application and manage it. If the recording had been performed outside of Stasis, the ARI engine will not be aware of it.
Well, at least that's what it's supposed to do.
Nir
This is partly doable. FreePBX doesn't seem to use the native Asterisk recording APIs, so you can only retrieve the filename.
First get all the channels:
GET /ari/channels
Find your channel's ID from the response's id field
Then you can request the variable CALLFILENAME from the channel's variable endpoint:
GET /ari/channels/{id}/variable?variable=CALLFILENAME
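The two-step procedure above (list channels, then read CALLFILENAME per channel) automated in one pass, as an added example that is not code from the answer. The `get_json` callable abstracts the HTTP GET so the logic runs offline against constructed responses; `http_get_json` is the real urllib version, and the host name, credentials and channel ids are assumptions.

```python
import base64
import json
from typing import Callable, Dict, Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Added example (not from the thread): list channels, then read CALLFILENAME from
# each one, so you get the recording file name for every live call in one pass.
# `get_json` abstracts the HTTP GET so the logic runs offline against FAKE_ARI;
# `http_get_json` is the real urllib version. Host, credentials and the sample
# channel ids are assumptions, not values from the original page.

def http_get_json(url: str, user: str, password: str) -> Optional[object]:
    """GET a JSON document with HTTP basic auth; None on any 4xx response."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if 400 <= err.code < 500:
            return None
        raise

def call_filenames(base: str, get_json: Callable[[str], Optional[object]]) -> Dict[str, Optional[str]]:
    """Map channel id -> CALLFILENAME; None if the variable is unset or the request failed."""
    channels = get_json(f"{base}/channels") or []
    result: Dict[str, Optional[str]] = {}
    for channel in channels:
        cid = channel["id"]
        var = get_json(f"{base}/channels/{cid}/variable?variable=CALLFILENAME")
        value = var.get("value") if isinstance(var, dict) else None
        result[cid] = value or None   # an empty string counts as unset
    return result

# Constructed ARI responses (offline stand-in; shapes follow the ARI docs).
BASE = "http://pbx.example.test:8088/ari"
FAKE_ARI = {
    f"{BASE}/channels": [{"id": "1700000000.1"}, {"id": "1700000000.2"}],
    f"{BASE}/channels/1700000000.1/variable?variable=CALLFILENAME":
        {"value": "out-1001-20230101-120000-1700000000.1"},
    f"{BASE}/channels/1700000000.2/variable?variable=CALLFILENAME": {"value": ""},
}

def fake_get_json(url: str) -> Optional[object]:
    return FAKE_ARI.get(url)

if __name__ == "__main__":
    # Real use: call_filenames(BASE, lambda u: http_get_json(u, "ariuser", "secret"))
    print(call_filenames(BASE, fake_get_json))
```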

How can I use the Box Java SDK to create a shared link without specifying the share type?

In Box API v1, it was possible to request creation of a shared link for a file or folder, without caring about what kind of sharing was required. In fact, it was not possible to ask for a particular type of share - you just used the public_share method and passed in the target type (file/folder) and target ID, and optionally a share password. In an Enterprise Account, for instance, this might result in the maximum access level being "company" or "collaborators", if public links are disallowed.
With Box API v2, according to the docs here, you need to specify an access parameter that has to be "open", "company", or "collaborators".
The problem is, using the wrong type may cause the share to fail. For instance, in a folder/account that only allows collaborators, I get a 400 error if I ask for a "open" share.
What I really want is to get exactly the same result as if the user clicked the "Share" link in the Box web site. Which is, it should enable sharing for the file but default the level appropriately.
Is there a way to do this with v2, without the admin having to tell us their "preferred" access level for shared links we create? I'm using the Java SDK, like this:
BoxItemRequestObject req = BoxItemRequestObject.createSharedLinkRequestObject(BoxSharedLinkRequestObject.createSharedLinkRequestObject("open"));
BoxItem item = itemsManager.createSharedLink(<ID>, req, BoxResourceType.FILE);
Thanks,
Ben Gilbert
Smartsheet.com
Just set the access to the empty set {}
So your request would look like this:
{"shared_link": {}}
I figured out how to make this work. I need to set access to null when creating the BoxSharedLinkRequestObject, like this:
BoxItemRequestObject req = BoxItemRequestObject.createSharedLinkRequestObject(BoxSharedLinkRequestObject.createSharedLinkRequestObject(null));
This doesn't produce quite the same JSON as was recommended (shared_link: {}), but it does produce JSON that is apparently equivalent: shared_link: { access: null }. I couldn't figure out any way to produce an empty shared_link object using the SDK -- I either had to have a null shared_link (which didn't work at all) or some value for the access field.