Caleb Cushing's Blog

Beware of SQL injection with Spring Boot and Flyway

So this is a hard-to-accomplish exploit, and is really only accomplishable by first exploiting another vulnerability, or by an employee with some level of trusted access, though this employee might not normally have actual database access. I do believe you should be aware of it, as it leaves open an avenue you may not be thinking of.

A sample application: so the first thing we need is an application that uses Flyway; let's just use the Spring Boot Flyway Sample.

Log (CRLF) Injection with SLF4J

At my job we have a CIO-installed policy of remediating issues found by a static analysis tool, and what it finds is mostly targeted at security issues. Currently this tool is Veracode, and I don't recommend it; it misses more problems than it finds, and what it does find, including this issue, is often a false positive. Our most common issue is CRLF (Carriage Return Line Feed) or other log injection, which we have mitigated in a custom log appender (which Veracode doesn't recognize).

Celebrity nude scandal, on security, an analogy

Though I won't say they aren't victims of a crime... What the victims did is fundamentally the equivalent of using skeleton keys in the modern day. What Apple did, or rather didn't do, is prevent that. Apple could have used a tool like cracklib and said at the time of password creation: this is too short, this is not random enough, we are refusing to allow you to put this skeleton key lock on your front door.

PostgreSQL initial setup (authentication) Part 2

I ran into some problems and a lack of information with my last post on this topic. Firstly, my syntax for local all all to local all all ident devel doesn't seem to work in my current setup. It's possible that it has something to do with the configuration of the Debian/Ubuntu server I was basing that against, and now my targets are Arch Linux and Slackware. So our goal here will be to provide an alternate user that can log in as postgres via ident.

More Security = Better. Wrong!

So I just had a discussion on #ubuntu-server on freenode about why my not having a password to connect to postgresql via a socket (read: local cli) is insecure. So I asked them, how exactly is it that someone is going to get this access? The answer: "there are bad people on the Internet". I'm sure many people right now are agreeing with them and thinking I'm crazy. Let's discuss my setup though, shall we?

Making secure recoverable passwords

Update: I would now suggest using a password manager like LastPass, or a long passphrase, before this method. For the basic method you need a calculator with a decimal-to-hex function. Your OS should have one built in (scientific mode); many calculators do too. For the advanced method you'll need special hashing software; suggestions for it can be found below.

Windows: HashCalc
Macintosh: MacHash
Linux/(*nix): GNU Coreutils

Now that we have the software we need...