If companies want to take software security seriously, they should let their developers play an active role in defending against cyber attacks as they write their code.
The problem is that developers have not had the most inspiring introduction to security training over the years, and anything that makes the experience more engaging, productive, and fun is a powerful motivator for acquiring valuable secure coding skills.
And once they have spent valuable time mastering skills that can beat intruders at their own game, a safe environment in which to test those new powers is hard to find.
So what is a seasoned security engineer to do?
A new feature called Missions is available on the Secure Code Warrior platform. It is a category of challenges that guides users from recalling security knowledge to applying it in a realistic simulated environment.
This scaffolded micro-learning approach builds solid secure coding skills that are relevant to the job, and it is far more engaging than back-to-back training videos squeezed into a working day.
The first available mission simulates the GitHub Unicode attack. It is not as simple as it first appears, and it is a genuinely clever weakness that is a pleasure to dissect. Security researcher 0xsha published an in-depth case study on how the same class of bug, a case mapping collision, could be used against Django, and showed how the vulnerable behaviour changes between programming languages.
There is much more to learn about this security issue, and this is a good place to start.
GitHub's case mapping collision
In a blog post dated 28 November 2019, the Wisdom security research group reported a flaw they had found on GitHub. They explained how a Unicode case mapping collision could be used to have a password reset e-mail delivered to the wrong address (or, from the attacker's point of view, to an address of the threat actor's choosing).
Although a vulnerability is never good news, there is a certain grace (not to mention the possibility of averting a disaster) when white-hat security researchers discover potentially dangerous flaws in a code base. Their blogs and reports are usually worth reading, and it is fun to get to know a new vulnerability and how it works.
To take secure coding skills to the next level, it is not enough to be able to spot common vulnerabilities; you also need a safe, convenient environment in which to understand how they are exploited.
Read on to learn how a Unicode case mapping collision works, what it looks like in practice, and how to follow and test the security researchers' reasoning yourself.
Unicode: more than just emojis
Unicode may not be on the average person's radar, but most people use it in one form or another every day. If you have used a web browser or Microsoft software, or sent an emoji, you have come into contact with Unicode.
It is the standard for consistently encoding and processing text from most of the world's writing systems, and it ensures that everyone can express themselves (digitally) with a single character set.
It covers more than 143,000 characters, from Icelandic to Russian, so you can write in Icelandic or in Turkish, dotless ı included, or in anything in between.
With that many characters in play, you frequently have to map a character to another, equivalent character, for example when upper-casing or lower-casing. It seems reasonable that a Unicode string containing the Turkish dotless ı, converted to ASCII, would simply end up as an i, right? In fact, upper-casing ı yields the plain ASCII letter I, the very same character that upper-casing an ordinary i produces, so the two inputs become indistinguishable once they have been upper-cased.
With this many characters and this many mapping rules, the potential for a mapping to produce an unexpected, and exploitable, result is high.
A Unicode case mapping collision is a business logic flaw, and it can lead to the takeover of accounts that are not protected by 2FA. In the real code fragment from the original post, the logic is as follows:
- It takes the e-mail address provided by the user and converts it to upper case.
- It checks whether that e-mail address exists in the database.
- If it does, it sets a new temporary password (not the best way to proceed, by the way; a password reset link carrying a one-time token is preferable).
- It then sends an e-mail containing the temporary password to the address entered in step 1 (this is bad practice for more reasons than one).
Let's follow the example from the original blog post, in which a user asks to reset the password for an address at GıtHub.com (note the Turkish dotless ı; the mailbox name is omitted here):
- The logic upper-cases ...@GıtHub.com to ...@GITHUB.COM.
- It looks that up in the database and finds the user ...@github.com.
- It generates a new password and sends it to ...@gıthub.com.
Note that this process ends with sending a very sensitive email to the wrong email address. Oops!
How to banish this Unicode demon
An interesting aspect of this particular vulnerability is that more than one factor combines to make it exploitable:
- the actual behaviour of Unicode case mapping (upper-casing ı yields the ASCII letter I), and
- the logic that chooses the recipient address: the one supplied by the user rather than the one already stored in the database.
In principle you can fix this specific problem in two ways, as described in the Wisdom blog post:
- convert the e-mail address to ASCII with Punycode, and
- use the e-mail address from the database, not the address provided by the user.
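To make the flow above concrete, here is an added example (not code from GitHub, from the Wisdom write-up or from Secure Code Warrior) that reproduces the four-step logic with its collision, applies both fixes from the list, and then enumerates which other characters Python's case mapping turns into ASCII, since the same trick is not limited to the dotless ı. The account store, the addresses and all function names are constructed for the illustration; the Punycode conversion uses Python's standard `idna` codec on the domain part.

```python
"""Unicode case mapping collision in a password reset flow, and the two fixes.
Added illustration; not code from GitHub, Wisdom or Secure Code Warrior.
The account store, addresses and function names are constructed."""
import secrets


def sample_accounts():
    """Constructed sample store, keyed by the stored address in upper case,
    which is how the flawed flow performs its case-insensitive lookup."""
    return {
        "JOHN@GITHUB.COM": {"email": "john@github.com", "password": "old-secret"},
    }


def case_map_key(email):
    """The vulnerable normalisation. Python applies the full Unicode case
    mapping, so the Turkish dotless i (U+0131) upper-cases to the plain ASCII
    letter I and 'gıthub' becomes indistinguishable from 'GITHUB'."""
    return email.upper()


def reset_password_vulnerable(accounts, supplied_email):
    """Steps 1-4 of the flawed logic: look the account up by the upper-cased
    input, set a temporary password, and mail it to the *supplied* address."""
    account = accounts.get(case_map_key(supplied_email))
    if account is None:
        return None
    temp_password = secrets.token_urlsafe(12)
    account["password"] = temp_password
    # On a collision this address belongs to the attacker, not to the account.
    return {"to": supplied_email, "temp_password": temp_password}


def to_ascii_email(email):
    """Fix 1: map the domain to its ASCII (Punycode) form with the IDNA codec,
    so a look-alike domain such as gıthub.com can no longer collide with
    github.com. Non-ASCII local parts are rejected: they have no safe ASCII
    form in this scheme. Raises ValueError/UnicodeError on bad input."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed e-mail address")
    if not local.isascii():
        raise ValueError("non-ASCII local part")
    ascii_domain = domain.encode("idna").decode("ascii")
    return f"{local}@{ascii_domain}"


def reset_password_fixed(accounts, supplied_email):
    """Both fixes applied, plus a reset token instead of a temporary password."""
    try:
        key = to_ascii_email(supplied_email).upper()
    except (ValueError, UnicodeError):
        return None
    account = accounts.get(key)
    if account is None:
        return None
    token = secrets.token_urlsafe(32)
    account["reset_token"] = token
    # Fix 2: the recipient is the address on record, never the user's input.
    return {"to": account["email"], "reset_token": token}


def ascii_collisions(mapper, limit=0x10000):
    """Enumerate non-ASCII code points (Basic Multilingual Plane by default)
    that a case mapping turns into pure ASCII; each is a candidate for the same
    collision. Returns {character: mapped_ascii}."""
    return {
        chr(cp): mapper(chr(cp))
        for cp in range(0x80, limit)
        if mapper(chr(cp)).isascii()
    }


if __name__ == "__main__":
    attacker_input = "john@gıthub.com"  # constructed; dotless ı in the domain
    bad = reset_password_vulnerable(sample_accounts(), attacker_input)
    print("vulnerable flow mails the temporary password to:", bad["to"])
    print("fixed flow, same input:", reset_password_fixed(sample_accounts(), attacker_input))
    print("fixed flow, real user:",
          reset_password_fixed(sample_accounts(), "John@GitHub.com")["to"])
    upper_hits = ascii_collisions(str.upper)
    print(len(upper_hits), "BMP characters upper-case to ASCII, e.g.",
          {c: upper_hits[c] for c in "ıſßﬁ"})
    print("and lower-casing the Kelvin sign gives:", ascii_collisions(str.lower)["\u212a"])
```

Running it shows the vulnerable function happily addressing the mail to `john@gıthub.com` while the fixed function finds no account for that input and, for the genuine user, replies only to the address on record. The enumeration at the end is the reason to apply both fixes rather than a single blocklist: the long s (ſ), the sharp s (ß), the ligature ﬁ and the Kelvin sign (K) all collapse into ASCII under one case mapping or the other, and other languages and libraries draw the line in different places.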
When it comes to hardening software, it is a good idea to leave nothing to chance and to use as many layers of protection as possible. For all you know, there may be other ways to exploit this mapping; you just have not found them yet. Anything you can do to reduce the risk and close windows that would otherwise stay open to an attacker is valuable.
Ready to fly your mission?
It is time to take your secure coding and awareness skills to the next level. Test this GitHub vulnerability in a safe, immersive simulation where you can see the effects of bad code on both the front end and the back end. Attackers have the advantage, so let's level the playing field and build real counter-attack capability.