Our Secret [demo] [APK] !!TOP!!
Since we know the app must be computing this HMAC request header, we can attempt to decompile it using freely-available reverse engineering tools and perform static analysis. We know the result is added to an "SF-HMAC" header. We know an HMAC is used. We can hypothesise that the app must contain an embedded secret for the HMAC and probably uses whatever HMAC function comes as part of the standard libraries. We will now test our hypothesis.
Our Secret [demo] [APK]
In this stage of the demo, the secret is in code which is much better than in a static text file, but is still easily retrievable. Armed with our new knowledge, we can update ShipRaider to compute the new HMAC header and therefore continue to authenticate our rogue API requests.
The problem is our implementation. To begin with, we use a static secret in code in the form of a single string. You may think this is obvious now that I mention it, but you would be surprised, even shocked, to discover the number of cloud-based services which offer access through an API or SDK which involves initialization using an API key, an API secret and often a base URL in code. This makes it easy to adopt the service, but unfortunately also makes it easy to exploit the service. Do you remember from the previous article how Google recommends you to add the Google maps API key?
We can obfuscate the HMAC secret by computing it at runtime which means regular static analysis will not yield the secret: the app must be run to generate the secret and store it in memory for use in the HMAC computation. The approach we use is kept simple for demonstration purposes, and the process is as follows:
It is almost like some strange game of spot the difference, but as you can hopefully see, the app and server perform the same HMAC calculation using the same secret key and message, and the server ensures both components end up with the same answer before authenticating the API request.
For the dynamic HMAC demo stage, you need to install this APK on your mobile device (no need to uninstall the previous one). Now launch the ShipFast app to see the initial screen with the dynamic HMAC colour scheme (red), and the mobile app should work as it did before:
Now go back to the ShipRaider web interface for the static HMAC demo stage and update the API version on the ShipFast API url to v3, the same one now used by the ShipFast app, and you will see that ShipRaider no longer appears to work.
The Doppler CLI provides access to your secrets in every environment, from local development, CI/CD, staging, and production. It is a lightweight binary available for every major operating system, package manager, and Docker.
In order for the Doppler CLI to access secrets for your projects, it needs an access token. For local development, we use the doppler login command which will open a browser window and ask you to authenticate.
To run one-off commands using a secret in Doppler, please make sure to escape the secret or use single quotes. You will need to do this to guard against shell parsing the variable before the run command executes.
This instantly improves security by removing the storage of unencrypted secrets from your file system and avoids potential confusion as to what the source of truth is for the loading of environment variables.
In the modal that appears, make sure you assign a role name (dbUserRole), select the actions (Collection Actions) and the database (demo-db), and click the Add custom Role button Fig 13).
We need a way to retrieve our secret from the Conjur server using our host credentials. Currently there is no official Node.js client for accessing the Conjur REST API so we need to do it the old way.
There you have it then! We have a complete Node.js application that connects to a third-party Mongo API using Conjur to manage its secrets. I hope you enjoyed this tutorial as much as I did. Stay put for more exciting tutorials with Conjur.
One-time codes have several security advantages. With codes, Googleprovides tokens directly to your server without any intermediaries.Although we don't recommend leaking codes, they are very hard to usewithout your client secret. Keep your client secret secret!
Part of the answer to that question is that I have a secret weapon that helps me develop X-Plane at a much faster rate than any would-be competitors. While other teams are struggling to keep their organization and computers working, I and my team are able to work quickly and freely with no computer glitches holding us back, unlike almost everyone else using computers today.
For example, if you're trying to understand where some HTTP API data comes from, you could try searching for the API endpoint path, or the name of query parameters. If you're looking for the implementation of a specific algorithm, it's worth searching for the common domain terms in that algorithm, or if you're trying to extract secrets or keys from the app then 'secret', 'key', and 'auth' are all worth investigating.
For our demo app, this works great. By enabling logging when pressing the button, if you look carefully between the other noisy log output, we can now get the specific error message unique to that button:
In this specific case, we're looking to patch the doesCertMatchPin function in the tech.httptoolkit.pinning_demo.MainActivity class. Within a Frida script, we first need to get a reference to that method:
If you want examples of more advanced Frida behaviour, take a look through the my cert unpinning script for certificate pinning examples for every popular library and some other interesting cases, or check out this huge selection of Frida snippets for snippets demonstrating all sorts of other tricks and APIs available.
Absolutely obsessed with this game and it's characters. I literally played it for 24+ hours straight! (I'm going straight to bed lol) I remember playing the demo so long ago, and I had to buy the DLC content! It was so worth it, I'm so infatuated with the characters, and Cove
Today developers need to deal with an increasing amount of sensitive data, these include what we collectively call secrets, API tokens, security certificates and credentials to name a few. These are the modern day keys to the kingdom. Because these need to be handled regularly by developers they are commonly found within source code and subsequently anywhere source code lives. Git repositories are a very common place these secrets end up. There are 1,001 reasons why secrets leak into public git repositories, some we have covered in other articles of this blog. This article is going to review data gathered by GitGuardian over 2020 to uncover what file extensions most frequently leak secrets. In reviewing this information we share some insights into common causes why secrets leak and some general practices developers should implement.
GitGuardian is a security company that scans git repositories for secrets and alerts developers when they are discovered. Since 2017 GitGuardian has scanned every public commit made on GitHub, this is nearly 1 billion commits scanned each year. The data gives detailed insights into how secrets are leaked. GitGuardian released their annual State of Secret Sprawl report which analyzed data gathered by scanning all public commits in 2020. This is a deep dive into results taken from that report, specifically around file extensions that commonly contain secrets.
As you might expect, with the many programming languages, frameworks and coding practices adopted throughout the world, there is a very long list of extensions that can contain secrets, for this article we have only focused on the top 10.
Programming language files leak secrets through both, hardcoded secrets within application scripts and hardcoded secrets in configuration files. Hardcoding secrets directly into source code is never a good practice and can expose secrets, in addition to being exposed into git repositories, hardcoded secrets can also be exposed through web browsers or reverse engineered from application files. All secrets should be configured with external variables and imported into a project through local memory. Application configuration files often contain important data relating to running and setting up an application and therefore should be included within a repository. But when secrets are mixed into these files they become incredibly sensitive, it is therefore very important to keep secrets centralized and separate from source code, including configuration files.
Data storage or serialization formats like XML or yaml files make it easy to store data in an organized structure which makes them very useful when storing configuration settings. As you will see in the results, secrets are very commonly found alongside configuration information which is why these file extensions commonly appear. As mentioned above, keeping secrets out of source code including configuration files is very important in the prevention of secret sprawl.
Forbidden files are files that include environment variable files (.env) and Privacy-Enhanced Mail files (.pem). These are files which are specifically used to store and send sensitive information, these are frequent causes of leaked secrets and should never be stored inside a git repository.
Managing secrets can be complicated, there is not one universal set of best practices to adopt in all scenarios, it changes with the technology stack, size of teams and coding practices. You can read more about API best practices in our blog post and cheatsheet here. In saying that, there are good practices that should be applied in most cases.
Hardcoding secrets either within your application script or within configuration files is a bad practice, where appropriate developers should use environment variables. Environment variables load data into local memory at the operating system level, this way data is never exposed to the client. In this case secrets are typically centralized in a .env file. 041b061a72