Wednesday, March 30, 2016

Passing secrets in a URL is vulnerable

Today I saw a website with REST API and an example of a request to it:

    curl "https://api.website.com/v1/entity/123?key=YOUR-API-KEY"

Note that it's a client-to-server REST API request, and there are no cookies being sent.

It reminded me of the dozens of websites with a REST API designed the same way that I've seen so far, where they pass the secret, the API key, in the URL. The protocol can be HTTP or HTTPS, but there's no difference. No matter how you slice it, the secret is sent in plain text and thus can be intercepted by a man-in-the-middle or seen in the logs on the server. And that's a vulnerability.

To fix this, the API key has to be passed in the request headers.

UPDATE:

Actually, the query string and path after the domain name are not transmitted in the clear. The TLS handshake is done using only the main, domain part of the URL. After that, all the traffic, including the request path and query string, is encrypted. However, depending on the implementation of the web server, that part of the URL may or may not appear in the logs. Depending on the server settings, even the POST data might be logged: httpd.apache.org/docs/current/mod/mod_dumpio.html

Also, it can still appear in other places, such as the browser history.
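Since the query string is what ends up in access logs, one defensive check is to scan log lines for secret-looking parameters and redact them before the logs are stored or shipped. The following Python is an added example, not code from the post; the list of parameter names and the two sample log lines are constructed assumptions.

```python
# Added example: find API keys passed in the query string of access-log
# requests and redact them. Parameter names are an assumption; extend them.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SECRET_PARAMS = {"key", "api_key", "apikey", "token", "access_token", "secret"}

# The request part of a "combined" log line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def secrets_in_url(target):
    """Names of secret-looking query parameters in a request target."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SECRET_PARAMS})


def redact_url(target):
    """Same target with the values of secret parameters replaced."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_log_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    leaked = secrets_in_url(m.group("target"))
    if not leaked:
        return line, []
    safe = line[:m.start("target")] + redact_url(m.group("target")) + line[m.end("target"):]
    return safe, leaked


def scan(lines):
    return [redact_log_line(line) for line in lines]


# Constructed sample lines: the first request carried the key in the query
# string, so the key is in the log; the second carried it in a header, which
# a standard access log does not record, so there is nothing to redact.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2016:10:01:02 +0000] "GET /v1/entity/123?key=YOUR-API-KEY HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Mar/2016:10:01:03 +0000] "GET /v1/entity/123 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for safe, leaked in scan(SAMPLE_LOG):
        print(("LEAK %s: " % ",".join(leaked) if leaked else "ok: ") + safe)
```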

Thursday, March 24, 2016

The dependencies in JavaScript projects have played a trick on the developers using them.

Many JavaScript and Ruby developers are addicted to using dependencies that are 1 line of code long instead of writing that line of code themselves. But one must remember that a dependency makes you dependent. Here's my previous article on the matter: http://www.alexmaslakov.com/2016/02/that-application-is-wise-which-has-less.html

And here you go:

http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

http://www.haneycodes.net/npm-left-pad-have-we-forgotten-how-to-program/

Note that some of the dependencies in npm had literally 1 line of code.

Thursday, March 17, 2016

Dual-booting with 2 Linux distributions: Ubuntu and Arch and a separate partition for Home

On my laptop I have 2 Linux OSes, Ubuntu and Arch, and a separate partition for the home directory, which is convenient for sharing files between them. It's recommended, however, not to share the home directory completely, because even the same applications from the different OSes can spoil each other's files, such as configuration files. Thus I've given a different name to my default user in Arch. That way, in Ubuntu I have the user Alex and in Arch I have the user Arch. Here's what my home partition looks like:

    /home (/dev/sda5)
      /alex
      /arch

Each of them has its own directory for Documents, Downloads, etc. That's not wise, and I'm going to change that and intertwine those directories by linking them so there won't be redundant copies:

    ln -s /home/alex/Documents /home/arch/Documents
    ln -s /home/alex/Downloads /home/arch/Downloads

To no avail. The error occurred because the 2nd arguments, the folders of arch, were real directories that already existed. It's impossible to link 2 real directories, because the whole idea of the ln command is to create a link from a virtual directory to a real one, and here we had 2 real directories. Let's fix that:

    rm -rf /home/arch/Documents
    rm -rf /home/arch/Downloads

Now we can go back to square one and create the symlinks all over again:

    ln -s /home/alex/Documents /home/arch/Documents
    ln -s /home/alex/Downloads /home/arch/Downloads

The same way we can create the links for the Music, Videos, .ssh and other directories.