I created a simple authentication extension that works in conjunction with PluggableAuth for the user to login automatically. Currently, I need two parameters: a username and a token. These parameters are generated by an external system that sends the data by hidden input. I can get the url data and authenticate correctly. But for security reasons I want to pass this data via $_POST and not via $_GET. But I cannot receive this data and store it in the session so that I can retrieve it in my authentication class. Basically, the user receives a link from a wiki page and Pluggableauth does the checks. But I can't find what code I can use to save the post in the session and retrieve it later. Does anyone have any examples of how to do this? Thanks!
Edit: For example, the user needs to go to www.minhawiki.com/something, the external system sends the post data with username and password to this example page, but because of pluggableauth it redirects to Special:UserLogin, then to PluggableAuthLogin and then to my authentication extension. I've tried to get the data on all these redirects but none of them work. The only way that worked to get the data was to direct the post directly to Special:UserLogin but that way I can't redirect to the login page.
Related
I am trying to redirect my user from a html page to a jsp page which has been deployed on tomcat/webapps using .war file.
While doing so, I am also sending the session information of the user as an hidden parameter via POST method.
With the help of burpsuite tool(security testing tool) one can easily manipulate the cookie and change the username of the user logged in. How will I be able to block such kind of cookie manipulation?
You cannot control/prevent what the browser/client is sending, so do not consider the data received as fact/true. Your application shouldn't just look at the username and say "oh, it's the admin user, I show the whole admin area".
To prevent tampering the data originated from the server or at least detect changes, you use encryption or digital signatures. With encrypted data, it is not possible to change the data. You don't know how to decrypt the data and encrypt the changed data correctly since you don't have the encryption key to do so. With signed data you can still read the data but the signature makes sure that you can detect, if the data has been changed.
In your case, you can use a JWT instead of just the username. The JWT contains a digital signature which is used to check if the data has been changed. Your "testing team" can change the data but your server can see immediately that it has been changed and reject the received (changed) information.
I have a firebase data link located in app say, https://appname.firebaseio.com/.
There is no authentication to firebase links, all data is public.
We have a custom authentication system. But I am unable to add authentication via custom tokens to firebase because they expire after one hour and I can't force the user to login again.
But I secure the data by adding a sha1 hash for each user in data as label.
So data will link for user will be like:
https://appname.firebaseio.com/356a192b7913b04c54574d18c28d46e6395428ab.json
Is this a good method?
Can a user get all data from https://appname.firebaseio.com/, without providing my sha1 embedded url? Is there a way to get all the data or something that I should worry about?
No it no a good method.
All data from a public app can be retrieved by this using .json with app url.
https://appname.firebaseio.com/.json
I'm building an app on angular and ionic, I'm trying to access my WordPress and create new post.
I've generated auth cookie using JSON API User plugin (https://wordpress.org/plugins/json-api/)
I've got a valid nonce to create posts.
I'm using all the right parameter to create new post:
$http.post(domain+'/posts/create_post?nonce='+nonce.nonce+'&title='+title+'&content='+content+'&status='+status+'&author='+author)
But when I've tried to insert new post i get this massage:
"Error: You need to login with a user that has 'edit_posts' capacity"
i've that i need to add the cookie parameter to the header request, but i don't understand how.
Please help me to solve this :)
This is about the user's role, not the the auth cookie. The auth cookie would login the user, but their roles and capabilities are stored in the database. There are many ways to change the user's role, including going into the Admin Dashboard as as admin, clicking Users, the user's name, and selecting "Editor" [or whatever is appropriate] in the drop down menu.
For complete details, see https://wordpress.org/support/topic/error-you-need-to-login-with-a-user-that-has-edit_posts-capacity.
But just in case you are having issues with cookie:
Cookie need to be added to the headers like this:
Header:Cookie
Value:<cookie_name>=<cookie>
Also, if you are testing via Postman app from chrome, make sure to enable sending restricted headers (since "Cookie" is a restricted header, for more info see https://www.getpostman.com/docs/requests)
I have a simple login form that submits to a service.
The service has the following behavior
If proper auth details are provided, the service accepts the login and redirects the user to the destination
If the login credentials are incorrect, the service responds by setting a 'abc-xyz' header. The html page submitting the form needs to read the 'abc-xyz' header and display and error message to the user.
I converted the form to make an AJAX call. Now I can read the response header and show the error message. But I'm running into CORS issues and limitations on the service doesn't permit me to configure the service to add the appropriate CORS headers. So I have to submit the form normally without AJAX. But when I do so (with wrong credentials for testing), the html form page refreshes thus losing all the headers.
Is it even possible to read the response headers with a regular form submission? Thanks.
Is there a way to include additional request headers in form data, other than action and method? I am hoping to send some authentication credentials cross domain without making the user re-enter their login credentials. ie I want to build an Authentication header directly from form submission.
The domain is SSL enabled, so I considered including credentials in the URL, but as explained here this is a bad idea, as those credentials may be secure over the connection, but can be accessed through the browser by other apps potentially.
Larger Picture
I have access to the cross domain username and password through an AJAX request to the client server (home domain). I want to take those credentials and submit them through a non-AJAX request, so a user can download a document securely without the URL being publicly accessible.
To the specific question, I believe the answer is no - you can't control sending any extra headers from the form itself. There are some other things you can send with a form, but they are not useful to what you want to do: W3 Form Tag Specification
What you could do is do a form POST, which is the standard way to communicate when sessions cookies are out of the question and a query string won't do; just use a hidden field with some sort of token/hash of the credentials. Avoid clear-text of passwords like the plague, and really try to avoid reversible encryption of them too. This is just one of those areas you have to be extra careful to avoid creating an easily exploitable security vulnerability.
But generally speaking it works just fine, and anything that can do an AJAX GET should be able to do an AJAX POST.