security risk when exporting & importing cookies on a Laravel - laravel-8

I am facing a security risk when exporting & importing cookies on a Laravel setup. In short, you can log in to the project without using credentials.
Steps to reproduce:
1. Add an extension to Chrome: Edit This Cookie. For Firefox: Cookie Editor.
2. Open your Laravel setup in Firefox/Chrome. Log in with correct credentials. On the top right, click on Cookie and then click on export. This action will copy all the cookies to your clipboard.
3. Open your project in another browser (different from step 2). Click on the Cookie extension, click on import and paste (your cookies).
4. Refresh your /login route and you will see that after importing the cookies you were able to log in without the right credentials.
Things I've tried so far:
.env file: SESSION_SECURE_COOKIE=true
config/session: 'encrypt' => true,
But this is not preventing the login.
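What the reproduction above shows is that a Laravel session cookie is a bearer credential: whoever presents it is treated as the user, so encrypting the cookie or marking it Secure protects it in transit and at rest but does nothing against replaying a copy. One defensive measure that would detect exactly the cross-browser replay in the steps above is to bind the server-side session to a fingerprint of the client that created it and to log the session out when a later request no longer matches. The following middleware is an added example written for this page, not code from the question or from Laravel itself; it assumes a Laravel 8 project with the default 'web' middleware group and a route named 'login', and the session key name and class name are my own choice.

```php
<?php
// Added example (not from the question): app/Http/Middleware/BindSessionToClient.php
// Stores a per-session client fingerprint so that a session cookie replayed
// from a different browser (as in the reproduction steps) is rejected.
// Assumes Laravel 8, the default 'web' middleware group, and a route named 'login'.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class BindSessionToClient
{
    // Session key under which the fingerprint is stored (name chosen for this example).
    private const KEY = 'client_fingerprint';

    public function handle(Request $request, Closure $next)
    {
        // Fingerprint the requesting client. Only the User-Agent is used on
        // purpose: it catches the cross-browser replay described above without
        // logging out mobile users whose IP address changes between requests.
        $current = hash('sha256', (string) $request->userAgent());

        $session = $request->session();
        $stored  = $session->get(self::KEY);

        if ($stored === null) {
            // First request of this session: record which client it belongs to.
            $session->put(self::KEY, $current);
        } elseif (! hash_equals((string) $stored, $current)) {
            // The cookie was presented by a client that does not match the one
            // that established the session: treat it as a replayed cookie and
            // destroy the session instead of serving the authenticated user.
            Auth::logout();
            $session->invalidate();
            $session->regenerateToken();

            return redirect()->route('login');
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: add the middleware to the 'web' group *after*
// \Illuminate\Session\Middleware\StartSession::class, so the session is
// already started when handle() runs:
//
//     'web' => [
//         // ...
//         \Illuminate\Session\Middleware\StartSession::class,
//         \App\Http\Middleware\BindSessionToClient::class,
//         // ...
//     ],
```

This only raises the bar: a copy of the cookie replayed from a client with the same User-Agent still passes, because the fingerprint is derived from data the client controls. The measures that actually limit the damage from a stolen cookie are the ones that shrink its lifetime and reach: a short SESSION_LIFETIME (or 'expire_on_close'), HttpOnly and Secure cookie flags so scripts and plain-HTTP requests cannot read it, regenerating the session id on login, and Auth::logoutOtherDevices() when the user changes their password.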

Related

Unable to log in to https://dashboard.honeygain.com using cookies

I want to log in to https://dashboard.honeygain.com/ using the cookies I get from the J2TEAM Cookies Chrome plugin.
These are my steps:
1. Go to https://dashboard.honeygain.com/login and click "Accept All".
2. Log in with my email and password so that I can get my honeygain cookies.
3. Use the export button of J2TEAM Cookies to export my cookies as a JSON file.
4. Delete the cookies of honeygain in my Chrome browser.
5. Go to https://dashboard.honeygain.com/login and import the cookies I exported in step 3 using J2TEAM Cookies, then refresh the page.
I expect that I can see my honeygain profile at this moment. But what I actually see is the login page of honeygain.
Why can't I log in to honeygain using the cookies I just exported?
Does honeygain use some techniques to prevent users from doing this kind of activity?
https://dashboard.honeygain.com uses both cookies and localStorage in my browser to identify me.
So in order to log in to Honeygain without using my email and password, I also have to export and restore localStorage in steps 3 and 5 respectively.
I use the LocalStorage Manager plugin to export and restore my localStorage.

Export Application and API Settings from Auth0 via Web UI

I'm using Auth0 to manage authentication in a web app.
Since it took me a while to get it working, I'd like to export the application and API settings, such as:
the application name
the client id
the supported auth methods
the allowed callback URLs
basically everything else relevant to reproduce the application configuration
I found a lot of documentation about exporting user data but nothing about exporting application or API settings.
Generally, the steps described here are just a quick&dirty workaround to read data from the Auth0 Management API without leaving your browser. I wonder why there is no "export" button for this directly in the UI. In both cases (application and API settings), open the network monitoring tab of your browser (usually F12); then...
Exporting Application Settings
Load the "settings" page of the application you'd like to export (e.g. https://manage.auth0.com/dashboard/eu/<your_auth0_tenant_name_here>/applications/<your_application_client_id_here>/settings)
You'll see a GET request to manage.auth0.com/api/clients/<your_application_client_id_here>.
The response to this GET request is a JSON containing everything you need to reproduce the application settings, including sensitive data like the client secret and signing keys.
Exporting API Settings
Load the "settings" page of the API you'd like to export (e.g. https://manage.auth0.com/dashboard/eu/<your_auth0_tenant_name_here>/apis/<your_api_id_here>/settings)
You'll see a GET request to manage.auth0.com/api/resource-servers/<your_api_id_here>.
The response to this GET request is a JSON containing everything you need to reproduce the API settings.

Cypress cannot request API or display content with the new auth0-spa-js package

I tried to sign in to Auth0 with the new package (https://github.com/auth0/auth0-spa-js).
Attempt 1: I did try a best practice that uses cy.request(), but it seems like the new auth0-spa-js package now requires a random state string (which I don't have, as it is generated by the loginWithRedirect function) in the request URL. So I cannot call the sign-in API of Auth0.
Attempt 2: I set "chromeWebSecurity": false and click the sign-in button -> my web app is redirected to the Auth0 page, the URL loads correctly, but Auth0 refused to display 'auth0 url' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Do you guys have any solution for this situation?
For now, this is my workaround solution.
1. Disable Chrome security in the Cypress config.
2. Log in through the Auth0 page (we will redirect to the login page and log out, due to the fact that I cannot generate the random state in the new Auth0 package: auth0-spa-js).
Note: If you're not using a custom login page in Auth0, use the classic page in Universal Login. I found that the new UI of the Auth0 login page has a lot of security enhancements that prevent us from rendering Auth0 in an iframe (like the image below).
[Image: Auth0 setting]
Then, go to Auth0 -> Tenant Settings -> Advanced -> Enable Clickjacking Protection to allow Auth0 to load in an iframe.
[Image: Enable Clickjacking]
OK, that's all the steps I did to make it work. Hope this helps you.

Sign in as a different Box user

I am trying to integrate my iPad app with Box. I am having an issue with the Box API where files in the account of one user are returned for some other user. Here are the steps to reproduce this issue:
1. Make the authorization calls and get the access token as mentioned in this guide. For login, I am opening the Box login page in Safari. I have specified a custom URL scheme for the redirect URL, which opens up my app after the user logs in.
2. Once you get the access token, make a call to list the contents of the root folder. This succeeds.
3. Delete the app from the iPad and rebuild it.
4. Again go through the login process (as in step 1), but this time use a different Box account to log in. You get a new access code and OAuth token this time.
5. If you make the call to list the files using the new token, you will get the response from the earlier account. Ideally it should return the files for the currently authorized user.
Does Box use just OAuth to return response or does it use cookies as well? Because after authentication and receiving the access token, I also see a cookie from Box (verified using [[NSHTTPCookieStorage sharedStorage] cookies]).
I have tried repeating the above process by deleting all Box cookies before starting the authentication flow. Also, I am not saving the OAuth token on disk and retrieving it. I am not saving/caching the response in any way.
One more thing that I have noticed is that there can be two Box users logged in at once in Safari. Also, if I make the authentication request, get the access token and again make the authentication request, it shows the login page again (instead of showing the allow/deny access page). Is this intentional?
I am using the Box v2 API and iOS 5/6.
Upon further inspection, the problem seems to be with Box servers caching response. I did a quick test with curl using two different access tokens created from the iPad app. I made a call to fetch the user files for the root folder using both tokens. The results were correct, i.e. I got the correct files for each account.
When I did the same test on the iPad app, the files for one user were returned for the other user. If I maintained a considerable gap between the two logins, I got the correct files.
To permanently fix this, I am setting the Cache-Control header to no-cache for the request to fetch the user's files.
But it is strange that I have to do this. Box needs to check their cache validation logic IMHO.

JMeter - Auth file is not opening

I am working with the JMeter HTTP Authorization Manager. I created a Test Plan by adding a Thread Group to it. I have an HTTP Authorization Manager in my Thread Group. I ran my test and it was successful. After that I clicked the Save button of the HTTP Authorization Manager. A text file named auth.txt is saved in the bin folder, containing this data:
# JMeter generated Authorization file
10.10.10.42 username password
After that I closed JMeter. Later I wanted to open that .txt file again so that I would not have to enter the username and password again. I added an HTTP Authorization Manager and right-clicked on it, clicked on Open and selected my file auth.txt. But it showed me this error:
: only whitespace content allowed before start tag and not #
(position: START_DOCUMENT seen#...#1:1)
What am I doing wrong, can anybody specify please?
Thanks in advance.
I was just adding the Auth file the wrong way.
It can be added through the Load button in the HTTP Authorization Manager, like this: