From 5cbb3f64afe8c81669784c81b4883e858971c634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20Rodr=C3=ADguez=20Varela?= Date: Sun, 12 Nov 2023 18:59:11 +0100 Subject: [PATCH] refactor: repo examples to neutral brand names --- README.md | 25 +++++++++++++++---------- cookies/Pages/CookiesGet.cshtml | 2 +- cookies/Pages/CookiesSet.cshtml.cs | 2 +- cookies/README.md | 6 +++--- csp/Pages/CSP.cshtml | 2 +- csp/Pages/CSP.cshtml.cs | 4 ++-- csrf/README.md | 2 +- csrf/wwwroot/csrf_form.html | 2 +- hashes/readme.md | 2 +- 9 files changed, 26 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 33e7b62..3b7bf75 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,14 @@ -# [dotnetconf 2023](https://dotnetconfspain.com/) - Desarrollo seguro para Muggles +# Desarrollo seguro para Muggles -This repository contains demos performed in the "Desarrollo seguro para Muggles" talk in the dotnet2023 tech conference. +This repository contains demos performed in the "Desarrollo seguro para Muggles" talk. + +**Check out the official slides for:** + +1. dotnet2023 [Slides](./assets/dotNET2023_Desarrollo%20Seguro%20para%20Muggles.pdf). +2. netcoreconf + -**Check out the official [Slides](./assets/dotNET2023_Desarrollo%20Seguro%20para%20Muggles.pdf).** **Check out the site [devsec.fyi](https://book.devsec.fyi/) and [its repository](https://github.com/piraces/DevSecTricks) for more resources and info.** 
@@ -123,9 +128,9 @@ This repository has been modified to **avoid to deploy extra unneeded resources 3. Open an Azure Cloud shell in the portal (note: this needs an storage account, that you can create when initializing the shell the first time, which may incur in additional charges). -4. Clone this repository in your shell: `git clone https://github.com/rpiraces-plain/dotnet2023` +4. Clone this repository in your shell: `git clone https://github.com/rpiraces-plain/security-development-muggles.git` -5. Get into the folder `./azure-goat` folder of this repository by executing `cd dotnet2023/azure-goat`. +5. Get into the folder `./azure-goat` folder of this repository by executing `cd security-development-muggles/azure-goat`. 6. Once in the folder, initialize the terraform state by executing `terraform init`. @@ -166,7 +171,7 @@ From there, we can use the leaked credentials to access the Cosmos database and ### Detecting the vulnerability and attempting to stop it before reaching production Using static analysis tools, we can detect the vulnerability before deploying the application to production. -In this case we have a [GitHub Action](https://github.com/rpiraces-plain/dotnet2023/actions/workflows/security_scan.yml) which runs the following tools: +In this case we have a [GitHub Action](https://github.com/rpiraces-plain/security-development-muggles/actions/workflows/security_scan.yml) which runs the following tools: - [Trivy](https://aquasecurity.github.io/trivy): has multiple scanners that look for security issues, and targets where it can find those issues. - [TruffleHog](https://github.com/trufflesecurity/trufflehog): to find and verify credentials in this repo. - [tfsec](https://aquasecurity.github.io/tfsec): to find security issues in the terraform code. 
@@ -217,9 +222,9 @@ Posts are kept stored in the DB with the original id, and the HashId is generate 5. Create two Web Apps in the App Service Plan, try to give them different and coherent names to differentiate them. -6. Clone this repository in your shell: `git clone https://github.com/rpiraces-plain/dotnet2023` +6. Clone this repository in your shell: `git clone https://github.com/rpiraces-plain/security-development-muggles` -7. Get into the folder `./broken-access-control` folder of this repository by executing `cd dotnet2023/broken-access-control`. +7. Get into the folder `./broken-access-control` folder of this repository by executing `cd security-development-muggles/broken-access-control`. 8. Open the main solution file `ProCodeGuide.Samples.BrokenAccessControl.sln` in Visual Studio (Rider or your IDE of preference). @@ -379,9 +384,9 @@ _**Note:** the extension is build and zipped ready to use by the action availabl **Step by step:** -1. Clone this repository in your shell: `git clone https://github.com/rpiraces-plain/dotnet2023` +1. Clone this repository in your shell: `git clone https://github.com/rpiraces-plain/security-development-muggles` -2. Get into the folder `./spy-extension` folder of this repository by executing `cd dotnet2023/spy-extension`. +2. Get into the folder `./spy-extension` folder of this repository by executing `cd security-development-muggles/spy-extension`. 3. Install the dependencies by executing `yarn` (ensure you have [Yarn 1.x](https://classic.yarnpkg.com/en/) installed). diff --git a/cookies/Pages/CookiesGet.cshtml b/cookies/Pages/CookiesGet.cshtml index 87a196e..58563bb 100644 --- a/cookies/Pages/CookiesGet.cshtml +++ b/cookies/Pages/CookiesGet.cshtml @@ -3,7 +3,7 @@ @{ ViewData["Title"] = "Cookie Get"; var browserAndTimeCookie = HttpContext.Request.Cookies["BrowserAndTime"]; - var insecureCookie = HttpContext.Request.Cookies["Dotnet2023Key"]; + var insecureCookie = HttpContext.Request.Cookies["Insec2023Key"]; }
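Review bot: The cookie name `"Insec2023Key"` is now a duplicated string literal, read in CookiesGet.cshtml (`HttpContext.Request.Cookies["Insec2023Key"]`) and written in the CookiesSet.cshtml.cs hunk (`Response.Cookies.Append("Insec2023Key", "1234Qwert")`), which is why this rename had to touch both files; if either side drifts again the Get page silently reads a cookie that Set never writes and the demo breaks without any error. Consider a single shared constant, e.g. `public const string InsecureCookieName = "Insec2023Key";` in a static class under the cookies project, referenced from both the Razor block and `OnGet`, so the name lives in one place (the cookies/README.md hunk also spells it out and would need to stay in sync). The hunk headers claim 7 lines but fewer are visible here, so the surrounding context of both the `@{ }` block and `OnGet` appears collapsed in this view.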
diff --git a/cookies/Pages/CookiesSet.cshtml.cs b/cookies/Pages/CookiesSet.cshtml.cs index 189e17c..5a500f6 100644 --- a/cookies/Pages/CookiesSet.cshtml.cs +++ b/cookies/Pages/CookiesSet.cshtml.cs @@ -28,7 +28,7 @@ public void OnGet() HttpOnly = false, SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None }; - Response.Cookies.Append("Dotnet2023Key", "1234Qwert"); + Response.Cookies.Append("Insec2023Key", "1234Qwert"); } } diff --git a/cookies/README.md b/cookies/README.md index 5f7ca96..ab6d684 100644 --- a/cookies/README.md +++ b/cookies/README.md 
@@ -8,12 +8,12 @@ What do Secure, HttpOnly, Lax, Strict or None means in terms of cookies? 2. Open the browser at this URL: [https://localhost:6001](https://localhost:6001) 3. You have two main pages, the `Get Cookies` and the `Set Cookies` 4. Start by going to the Set Cookies page, and then click the `Check the cookies!` link at the bottom. -5. Open the dev tools from your browser and check the flags for these two cookies: Dotnet2023Key and BrowserAndTime +5. Open the dev tools from your browser and check the flags for these two cookies: Insec2023Key and BrowserAndTime 1. In Chrome, F12, "Application", "Cookies" and select the web page -6. The Dotnet2023Key is unprotected, and represents a bad practice in development, saving a key or password as the value of the cookie. +6. The Insec2023Key is unprotected, and represents a bad practice in development, saving a key or password as the value of the cookie. 7. Try the dev-tool's console, and type `document.cookie` -You should be seeing the Dotnet2023Key, that can be changed right from the console. Chose any new value, update it (document.cookie='') from the console and refresh the `Get Cookies` page. Hacked! +You should be seeing the Insec2023Key, that can be changed right from the console. Chose any new value, update it (document.cookie='') from the console and refresh the `Get Cookies` page. Hacked! We were able to to modify its value because of the configuration we set to these cookies. Now we are going to see how to protect them. diff --git a/csp/Pages/CSP.cshtml b/csp/Pages/CSP.cshtml index adde123..a3a4afa 100644 --- a/csp/Pages/CSP.cshtml +++ b/csp/Pages/CSP.cshtml @@ -5,7 +5,7 @@

Content Security Policy

-
diff --git a/csp/Pages/CSP.cshtml.cs b/csp/Pages/CSP.cshtml.cs index 4a76d0a..3f99f93 100644 --- a/csp/Pages/CSP.cshtml.cs +++ b/csp/Pages/CSP.cshtml.cs @@ -14,11 +14,11 @@ public CSPModel(ILogger logger) public void OnGet() { - // 1º Iteration: Collect endpoint and all blocked + // 1º Iteration: Collect endpoint and all blocked var cspHeader = "default-src 'self'; report-uri /collect"; //var cspHeader = "default-src 'self'; " + - // "img-src 'self' https://dotnetconfspain.com/wp-content/webp-express/webp-images/uploads/2023/04/; " + + // "img-src 'self' https://cdn.plainconcepts.com/wp-content/uploads/2021/10/; " + // "style-src 'self' https://cdn.jsdelivr.net 'unsafe-hashes' " + // Inline style hashes // "'sha256-yckz1zrIL2HgQwm7x1ins99s5jndZE3XnmgOAkJvDOg=' " + // "'sha256-cr42sjoWSSOFzzQSZXmLpq70OHNKYvOVmFo9ESrqcH0=' " + diff --git a/csrf/README.md b/csrf/README.md index 082b6f1..ac789ac 100644 --- a/csrf/README.md +++ b/csrf/README.md @@ -28,4 +28,4 @@ Start by checking these two files: 4. The attack shouldn't work now, we are safer than at the beginning! -But what if we want to protect every controller from our server instead? We can do that by adding the code we have in the lines 25-29 in the `Program.cs`. \ No newline at end of file +But what if we want to protect every controller from our server instead? We can do that by adding the code we have in the lines 25-29 in the `Program.cs`. \ No newline at end of file diff --git a/csrf/wwwroot/csrf_form.html b/csrf/wwwroot/csrf_form.html index 25fb6dd..c1ea63b 100644 --- a/csrf/wwwroot/csrf_form.html +++ b/csrf/wwwroot/csrf_form.html @@ -9,7 +9,7 @@ -
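Review bot: The removed and re-added `// 1º Iteration: Collect endpoint and all blocked` lines in this hunk read identically, which suggests an invisible byte-level change only (plausibly a re-encoding of `º` or trailing whitespace rather than anything intentional), and the csrf/README.md hunk shows the same pattern with both sides ending in "\ No newline at end of file". Such noise hides the real edit in the hunk (the `img-src` origin in the commented-out alternative policy) and makes later blame/diff review harder; it is worth confirming the editor saved these files as UTF-8 with consistent line endings, and pinning `charset = utf-8` and `end_of_line` in `.editorconfig` so brand-neutral renames do not carry encoding changes. Note that `OnGet` continues past the end of this hunk, so the remainder of the policy-building code is not visible here.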

Hey Dotnet!

+

Hey Folks!