Posted to user@guacamole.apache.org by sciUser <sh...@securitycentric.net> on 2019/01/14 18:56:08 UTC

Secure restful url

Hello,

Where can I find an example of *secure token generation* and *restful APIs*
for Guacamole?

Example 1 of what we don't want:
http://10.20.20.3/guacamole/#/?username=username&password=password (not secure)

Looking for something that can generate a one time URL or even a secure URL
per access.

Example 2 of something we do want:
https://10.20.20.3/guacamole/#/?labtoken=kjhsdf986sdfgjhsgdf765sdf

LDAP not an option since it can be hacked very easily.

Thank You



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Secure restful url

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Jan 14, 2019 at 2:07 PM Mike Jumper <mj...@apache.org> wrote:

> On Mon, Jan 14, 2019, 10:56 sciUser <shulbert@securitycentric.net> wrote:
>
>> ...
>>
>> Looking for something that can generate a one time URL or even a secure URL
>> per access.
>>
>> Example 2 of something we do want:
>> https://10.20.20.3/guacamole/#/?labtoken=kjhsdf986sdfgjhsgdf765sdf
>>
>>
> You can do this through writing an extension which generates/accepts
> tokens of whatever sort you like.
>
> There are third-party implementations of the same concept. I implemented
> the below at $dayjob, though it's not yet up to date with the recent 1.0.0
> release:
>
> https://github.com/glyptodon/guacamole-auth-json
>

I've also written some Python code that POSTs to the REST endpoint to
obtain a token:

https://github.com/necouchman/guacamole-python/blob/9ac3f9ff7728d976d6107809700cbdd6f0c97fdd/guacamole-cli.py#L21-L32

The output of this should be the token value you can add as a parameter to
the other URLs in order to use those REST endpoints.

-Nick


>
>> LDAP not an option since it can be hacked very easily.
>>
>
> [Citation needed]
>
>
Yes, the back-end you use for authentication should be independent of how
you access the Guacamole URLs.  I'm not quite sure what this means, here...

-Nick
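The token flow Nick describes, as an added example that is not his guacamole-cli.py code: it assumes Guacamole's standard POST `<base>/api/tokens` endpoint, which takes form-encoded `username` and `password` and answers with JSON containing `authToken`, and that other REST endpoints accept that value as a `token` query parameter. The sample response body is constructed.

```python
"""Obtain a Guacamole REST auth token and attach it to other REST URLs.

Added example, not Nick's guacamole-cli.py. Assumes the standard endpoint:
POST <base>/api/tokens with form-encoded username and password returns JSON
containing "authToken", and other endpoints accept it as ?token=<value>.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def parse_token_response(body: bytes) -> str:
    """Extract authToken from the JSON body returned by /api/tokens."""
    data = json.loads(body.decode("utf-8"))
    token = data.get("authToken")
    if not token:
        raise ValueError("response did not contain an authToken")
    return token


def tokenized_url(base_url: str, path: str, token: str) -> str:
    """Build <base>/api/<path>?token=<token> for a subsequent REST call."""
    query = urllib.parse.urlencode({"token": token})
    return f"{base_url.rstrip('/')}/api/{path.lstrip('/')}?{query}"


def get_token(base_url: str, username: str, password: str) -> str:
    """POST credentials to /api/tokens; needs a live Guacamole (not exercised in tests)."""
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/tokens", data=form, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as exc:
        # Rejected credentials come back as an HTTP error (403 in practice).
        raise PermissionError(f"token request refused: HTTP {exc.code}") from exc


# Constructed sample response in the shape Guacamole returns (values made up).
SAMPLE_RESPONSE = (b'{"authToken":"EXAMPLETOKEN","username":"demo",'
                   b'"dataSource":"postgresql","availableDataSources":["postgresql"]}')

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_RESPONSE)
    print(tokenized_url("https://10.20.20.3/guacamole", "session/data/postgresql/connections", tok))
```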

Re: Secure restful url

Posted by sciUser <sh...@securitycentric.net>.
I get what you are saying, but you miss what I really said. We are running
advanced security labs and hacking labs with tools that can exploit LDAP,
Windows Systems, SQL and so much more.  Here are some excellent references
in the book "The Web Application Hacker's Handbook, second edition", or
ldap-exploiter, ldap-brute and many other tools out there.  We actually
write the labs to train security professionals on how to exploit; I am just
being as gingerly as possible not to give any secret sauce away. Hint: my broad
examples.

In the world of cybersecurity, we don't guard against the 99%; we guard
against that 1%.

Again my apologies for using a broad term.

Thank You


Re: Secure restful url

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Jan 14, 2019 at 12:23 PM Nick Couchman <vn...@apache.org> wrote:

> On Mon, Jan 14, 2019 at 2:44 PM sciUser <sh...@securitycentric.net>
> wrote:
>
>> Sure,
>>
>> We will not be moving to 1.0.0 until it's had a full 120 day dev QA; so far
>> there are a lot of bugs that need to be worked out.
>>
>
sciUser, if you have found a bug, and you're sure you've found a bug,
please open an issue in our JIRA. We can't fix what we don't know about.


>
>> 1. https://securitytraning.com/ldap-injection-attacks-web-for-pentester/
>> 2. https://www.hackthis.co.uk/forum/hacking-security/tutorials-articles/604-ldap-injection-tutorial
>> 3. https://tools.kali.org/information-gathering/enum4linux
>>
>>
> As with many vulnerabilities, it seems like these rely on people not
> writing code correctly and failing to escape items which might be
> configured or input by the end-user.  Proper escaping of that code should
> mitigate these attacks, no?
>

Yep.


>
>> I can cite a lot more, but we are running advanced security labs with
>> tools
>> that can rip a network apart if not correctly isolated.  So this is why we
>> don't use LDAP which can be exploited.
>>
>
> This is, once again, a broad statement, that may or may not be true,
> depending on the quality of the code that is authenticating against LDAP.
> Obviously I would not recommend making an LDAP server available on the
> Internet directly, nor would I recommend making web pages available with
> basic code that doesn't correctly handle that escaping.  But I would feel
> fairly confident in saying that not every piece of code that authenticates
> against LDAP is vulnerable to LDAP Injection attacks.  It would be like
> saying, "Don't write code that uses a database, because it's vulnerable to
> SQL Injection attacks."
>

++1

It's certainly true that vulnerable apps exist, but it's not correct to
blanketly state that LDAP, SQL, etc. are inherently unsafe. Guacamole does
correctly escape untrusted input within LDAP queries, and administrators
should of course isolate systems from their users when those systems
shouldn't be accessed by those users.

These sorts of vulnerabilities are things we carefully review for when
changes are made to the LDAP auth.

- Mike

Re: Secure restful url

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Jan 14, 2019 at 2:44 PM sciUser <sh...@securitycentric.net>
wrote:

> Sure,
>
> We will not be moving to 1.0.0 until it's had a full 120 day dev QA; so far
> there are a lot of bugs that need to be worked out.
>
> 1. https://securitytraning.com/ldap-injection-attacks-web-for-pentester/
> 2. https://www.hackthis.co.uk/forum/hacking-security/tutorials-articles/604-ldap-injection-tutorial
> 3. https://tools.kali.org/information-gathering/enum4linux
>
>
As with many vulnerabilities, it seems like these rely on people not
writing code correctly and failing to escape items which might be
configured or input by the end-user.  Proper escaping of that code should
mitigate these attacks, no?


> I can cite a lot more, but we are running advanced security labs with tools
> that can rip a network apart if not correctly isolated.  So this is why we
> don't use LDAP which can be exploited.
>

This is, once again, a broad statement, that may or may not be true,
depending on the quality of the code that is authenticating against LDAP.
Obviously I would not recommend making an LDAP server available on the
Internet directly, nor would I recommend making web pages available with
basic code that doesn't correctly handle that escaping.  But I would feel
fairly confident in saying that not every piece of code that authenticates
against LDAP is vulnerable to LDAP Injection attacks.  It would be like
saying, "Don't write code that uses a database, because it's vulnerable to
SQL Injection attacks."

-Nick
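The escaping Nick asks about here, and that Mike confirms Guacamole applies to untrusted input in LDAP queries, as an added example that is not Guacamole's own code: RFC 4515 filter-value escaping, with an unescaped and an escaped filter builder side by side. The `(&(objectClass=person)(uid=...))` template and the sample usernames are assumed.

```python
"""RFC 4515 escaping of user input placed in an LDAP search filter.

Added example (not Guacamole's own LDAP code): it shows the escaping that
Nick and Mike say mitigates LDAP injection. The filter template is assumed.
"""

# Filter metacharacters and their RFC 4515 hex escapes.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter matches it literally (no wildcards, no new clauses)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value; used here to confirm the round trip."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def user_filter_unsafe(username: str) -> str:
    """Direct interpolation: filter syntax in the username changes the query."""
    return f"(&(objectClass=person)(uid={username}))"


def user_filter_safe(username: str) -> str:
    """Escaped interpolation: the username is always matched as a literal."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed usernames: one with a wildcard, one with parentheses.
    for name in ("al*ice", "o'brien (admin)"):
        print(user_filter_unsafe(name))
        print(user_filter_safe(name))
```

Values that go into a distinguished name rather than a filter need the separate RFC 4514 DN escaping, not this one.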

Re: Secure restful url

Posted by sciUser <sh...@securitycentric.net>.
Sure, 

We will not be moving to 1.0.0 until it's had a full 120 day dev QA; so far
there are a lot of bugs that need to be worked out.

1. https://securitytraning.com/ldap-injection-attacks-web-for-pentester/
2. https://www.hackthis.co.uk/forum/hacking-security/tutorials-articles/604-ldap-injection-tutorial
3. https://tools.kali.org/information-gathering/enum4linux

I can cite a lot more, but we are running advanced security labs with tools
that can rip a network apart if not correctly isolated.  So this is why we
don't use LDAP which can be exploited.  

Hope this helps.

Thank you for the reference to guacamole-auth-json. I was unaware that
this would generate URLs and tokens, but fully aware it does authenticate
users in a static template.

I will look in to custom extensions.

Thank You


Re: Secure restful url

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Jan 14, 2019, 10:56 sciUser <shulbert@securitycentric.net> wrote:

> ...
>
> Looking for something that can generate a one time URL or even a secure URL
> per access.
>
> Example 2 of something we do want:
> https://10.20.20.3/guacamole/#/?labtoken=kjhsdf986sdfgjhsgdf765sdf
>
>
You can do this through writing an extension which generates/accepts tokens
of whatever sort you like.

There are third-party implementations of the same concept. I implemented
the below at $dayjob, though it's not yet up to date with the recent 1.0.0
release:

https://github.com/glyptodon/guacamole-auth-json

> LDAP not an option since it can be hacked very easily.
>

[Citation needed]

- Mike