undefined | Better HN

0 pointsdeergomoo4y ago0 comments

I am currently arguing with the bargain-basement pentesters one of our clients hired. They are claiming the system we built is vulnerable because, and I quote, “any credentials sent over HTTPS are transmitted in plain text until they leave the user’s local network”. Not sure how exactly they think HTTPS works, but five minutes on Wikipedia could debunk that one.

They also flagged up that users can access JavaScript and CSS files. Not the original source files mind you, nor is directory indexing enabled or anything like that. They pointed to our compiled and minified app.js and app.css, and suggested we block access to these files as the source code to the app is “sensitive information”.

Having to tell a client another company they’ve hired are absolute clowns, without making it seem like we’re trying to save our own skin, is certainly interesting.

0 comments

kstrauser4y ago

"Look, I'm going to be honest with you: your pentesters are morons. They're grossly incompetent and should be embarrassed. I can give you a list of qualified alternatives you might want to choose from, and not just to test the work I've done for you, but for all your other projects too. Seriously, their advice is just awful and you really need to switch."

This isn't the time to tread lightly, but to go scorched earth. This isn't an "oh, we disagree on the finer points!" debate between peers kind of situation, but a flat-out "these knuckleheads are putting you at risk and you need to know it". You want to get the point across that you're not messing around or leaving room for doubt.

Source: have had these conversations several times over the years. I normally pride myself on tact, but in my experience tact is the exact wrong approach here as it gives the client the impression that there's a wiggle room of doubt.

bradknowles4y ago

The key here is to make this a do-or-die conversation. Tell the customer the truth, and then tell them you’re not going to work for them any more if they keep the other morons on the payroll — you’re not going to risk your reputation and your business on being associated with that other company.

“I’m sorry if this means we can’t do business any more, but this situation has gotten so severe, that I just have to tell you the unvarnished truth, and ….”

kstrauser4y ago

Yep. This isn’t just complaining about someone saying something you don’t like. You mean business, literally.

geoduck144y ago

>any credentials sent over HTTPS are transmitted in plain text

Hummmm. So a couple of years back, I was working on some internal tools that passed sensitive information around and I found some interesting info.

Some bloggers INCORRECTLY thought that HTTPS didn't secure the URL Flags. Correct fact: parameters passed in the URL like ?item=bla is encrypted

Also, some cloud providers aload Balancers (AWS) allow you to offer load HTTPS encryption/decryption - so there REALLY IS plain text stuff in the final leg of the journey (e.g. from the LB to the server)

In the end, the biggest thing I learned is that HTTPS is hard and it sucks.

Hackbraten4y ago

> Some bloggers INCORRECTLY thought that HTTPS didn't secure the URL Flags. Correct fact: parameters passed in the URL like ?item=bla is encrypted

It’s still good practice to keep sensitive info out of URL query parameters, which often leak into server logs.

detaro4y ago

And are (were, maybe modern browsers fixed that by now?) sent in HTTP Referers to linked sites, end up in browser history, ...

missblit4y ago

The current default for the Referer header is to send the complete referrer for same-origin requests, to send the origin for cross-origin requests, and to send nothing if going from HTTPS to HTTP.

This is customizable by setting the referrer policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

deergomooOP4y ago

> Also, some cloud providers aload Balancers (AWS) allow you to offer load HTTPS encryption/decryption - so there REALLY IS plain text stuff in the final leg of the journey

At first I thought this must have been what they meant; perhaps there was some configuration thing we got wrong.

So we asked for clarification and nope, the example given was that someone logging in from an office could have their credentials sniffed freely by anyone else on the office LAN.

vidarh4y ago

I had someone complaint they could ping the public address of our load balancer.

I sent the client back a list of government and military websites that responds to ping. As an extra bonus, it turned out the pentesters own website responded to ping.

AlfeG4y ago

Some hired "pentesters" found in our Asp.Net application that "Connection to the prod database is established before the user credentials have been validated.". They even insist that this is come from some ISO security guidelines.

Cheese, this one line in their report causes around 3 hours of meetings with around 10-20 people on them... and there were a lot of lines like this.

sipos4y ago

This is the DB that contains the usernames and (hashed) passwords right? What do they expect? That you have a separate DB for authentication from everything else? What does that achieve? If you DoS the auth DB, you still DoS the application in this scenario.

eurasiantiger4y ago

The application has a much larger attack surface than the auth/user system, so it makes sense to store PII separately.

AlfeG4y ago

Actually yes.

They try to sell us external/internal Auth service, similar to KeyCloack with their support. What pentesters want to achieve is not improved security, but to sell their services as DevOps and developers. This were not what we expected from pentesting.

randombits04y ago

In the biz. What you need to do is address each issue with dispassionate detail in the response. Make no value judgements in the individual responses. Feel free to use words like “incorrect”, “false”, and my personal favorite, “logical inconsistency”. Quote specs, RFCs, platform dynamics, everything. Use diagrams, flowcharts, whatever it takes. But again, dispassionate, detached, and nonjudgmental. Then...

In the very last paragraph, as a conclusion to YOUR exercise, explain how the utter lack of competence in the subject matter displayed by the consultant has resulted in blah, blah, dollars, time, effort, all down the drain. Emphasize the harm to the organization and how it affects the trust required between different groups.

I guarantee it will get you promoted or fired. Which one depends on the organization and I expect you already know what will happen.

sirsinsalot4y ago

That is dire. Almost as bad as the NCC reports we had for an old client.

dec0dedab0de4y ago

wait, so what do they suggest you do instead?

deergomooOP4y ago

For the HTTPS thing, they’re suggesting client-side encryption. Which, to me, seems to be a combination of no real benefit and opens a window to introduce vulnerabilities if we get anything wrong.

Interestingly, I checked a few big sites, and while Google doesn’t, Facebook and Amazon both use client-side encryption. Is it just to provide some extra protection for pwned users who have trusted bad certs? I’m no security expert, and I’m struggling to think of any real benefit.

For the JS/CSS thing, I have literally no idea.

scintill764y ago

If you're stuck following their recommendations, you could try to sniff Accept headers or user agent or something to "block access" to JS/CSS but still allow the browser to load them in your page. Might risk breaking the app though.

j / k navigate · click thread line to collapse

0 comments

kstrauser4y ago

bradknowles4y ago

“I’m sorry if this means we can’t do business any more, but this situation has gotten so severe, that I just have to tell you the unvarnished truth, and ….”

kstrauser4y ago

Yep. This isn’t just complaining about someone saying something you don’t like. You mean business, literally.

geoduck144y ago

>any credentials sent over HTTPS are transmitted in plain text

Hummmm. So a couple of years back, I was working on some internal tools that passed sensitive information around and I found some interesting info.

Some bloggers INCORRECTLY thought that HTTPS didn't secure the URL Flags. Correct fact: parameters passed in the URL like ?item=bla is encrypted

In the end, the biggest thing I learned is that HTTPS is hard and it sucks.

Hackbraten4y ago

> Some bloggers INCORRECTLY thought that HTTPS didn't secure the URL Flags. Correct fact: parameters passed in the URL like ?item=bla is encrypted

It’s still good practice to keep sensitive info out of URL query parameters, which often leak into server logs.

detaro4y ago

And are (were, maybe modern browsers fixed that by now?) sent in HTTP Referers to linked sites, end up in browser history, ...

missblit4y ago

The current default for the Referer header is to send the complete referrer for same-origin requests, to send the origin for cross-origin requests, and to send nothing if going from HTTPS to HTTP.

This is customizable by setting the referrer policy: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...

deergomooOP4y ago

> Also, some cloud providers aload Balancers (AWS) allow you to offer load HTTPS encryption/decryption - so there REALLY IS plain text stuff in the final leg of the journey

At first I thought this must have been what they meant; perhaps there was some configuration thing we got wrong.

So we asked for clarification and nope, the example given was that someone logging in from an office could have their credentials sniffed freely by anyone else on the office LAN.

vidarh4y ago

I had someone complaint they could ping the public address of our load balancer.

I sent the client back a list of government and military websites that responds to ping. As an extra bonus, it turned out the pentesters own website responded to ping.

AlfeG4y ago

Cheese, this one line in their report causes around 3 hours of meetings with around 10-20 people on them... and there were a lot of lines like this.

sipos4y ago

eurasiantiger4y ago

The application has a much larger attack surface than the auth/user system, so it makes sense to store PII separately.

AlfeG4y ago

Actually yes.

randombits04y ago

I guarantee it will get you promoted or fired. Which one depends on the organization and I expect you already know what will happen.

sirsinsalot4y ago

That is dire. Almost as bad as the NCC reports we had for an old client.

dec0dedab0de4y ago

wait, so what do they suggest you do instead?

deergomooOP4y ago

For the JS/CSS thing, I have literally no idea.

scintill764y ago

j / k navigate · click thread line to collapse