• Creating and consuming JWT tokens in .Net WebAPI

    In this post I’ll explain how to create and consume JWT tokens in .Net WebAPI. I’m using this in an OWIN-based WebAPI project under .Net v4.6.1. If you’re using .Net Core instead, the token generation will probably be the same, but the way of consuming it might differ slightly because of differences between the classic and Core middleware APIs. I used Microsoft’s official Microsoft.Owin.Security.Jwt NuGet package. One important thing to note is that this is an alternative approach to using the default .Net bearer token.

    Why use JWT anyway? Well, JWT is nice because the payload part of the token (usually containing user data such as email, username or user roles) is only encoded, not encrypted, and can be read on the client side very easily (good auth libraries such as Satellizer for AngularJS or ng2-ui-auth for Angular 2+ will take care of that for you out of the box). This saves you an additional round-trip to the server which you would otherwise have to make to “load up the current user” into your SPA app.

    Let’s get started. The first thing we’re going to need is this small extension class which we’ll need both in token generation and in the middleware setup. It contains two simple string extension methods which allow us to create SigningCredentials and the SymmetricSecurityKey from a jwtSecret key (which should be a long string of random characters).

    Now let’s move on to the most important part, the class which actually creates the token: JwtTokenProvider. You would typically use this provider from your AccountController in actions such as Login or SocialAuth after you’ve successfully authenticated the user. In your Login action, simply swap out the old code which generates the default bearer token and return the newly created JWT token instead (only if the user has been successfully authenticated, of course!).

    The client-side will then need to properly store the token and use it in each request that requires authentication (the typical way of handling this is by setting the token as the value of the Authorization header for each request via some sort of request interceptor).

    Also, if you’re using dependency injection, you’ll have to add the IJwtTokenProvider interface yourself. To keep the post short and concentrate on the most important bits of JWT token creation, I left that part out on purpose. If you’re not using DI, simply instantiate the provider class and create the token.

    Also, here is the simple UserModel that was used in the JwtTokenProvider. Feel free to extend it to your needs.

    Now, to glue this all together and to enable the WebAPI to read (validate the signature and decode) the tokens on each request, we need to tell the middleware how to do it. You can add this piece of code to your Startup.cs or, even better, extract it into a separate method inside App_Start/AuthConfig.cs and then just call it from Startup.cs.

    After this, all the [Authorize] attributes you had previously should continue working as before when you were still using the default bearer token. You should also be able to access the current user using for example HttpContext.Current.User.Identity from within your controller actions.
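To make the token mechanics concrete, here is an added example (it is not code from the post, whose C# JwtTokenProvider and middleware setup are not reproduced above) that builds and checks an HS256 token with only the Python standard library, using the same three-part structure the .Net handler produces. `JWT_SECRET` is a constructed placeholder for the post’s `jwtSecret`; `create_jwt` plays the role of `JwtTokenProvider`, `read_payload_unverified` is what the SPA does on the client, and `verify_jwt` is what the bearer middleware does on every request.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; the post's jwtSecret should be a long random
# string (at least 32 bytes for HMAC-SHA256) that is kept out of source control.
JWT_SECRET = "example-only-secret-0123456789abcdef0123456789abcdef"


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped on encoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: str, lifetime_seconds: int = 3600,
               now: Optional[int] = None) -> str:
    """Return header.payload.signature, signed with HMAC-SHA256 ("HS256")."""
    issued_at = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=issued_at, exp=issued_at + lifetime_seconds)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_payload_unverified(token: str) -> dict:
    """What the SPA does: read the claims without the secret. This proves nothing about authenticity."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """What the middleware does: return the claims only if algorithm, signature and expiry check out."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # only the algorithm this verifier was configured for is accepted
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
            return None  # signed with a different secret, or payload changed after signing
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token (wrong segment count, bad base64 or bad JSON)
    current = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= current:
        return None  # expired or missing expiry
    return payload


if __name__ == "__main__":
    token = create_jwt({"sub": "42", "email": "user@example.com", "role": "admin"}, JWT_SECRET)
    print(token)
    print("client sees:", read_payload_unverified(token))
    print("server accepts:", verify_jwt(token, JWT_SECRET) is not None)
```

Running it prints a token, the claims the client can read without any key, and whether the server accepts it. Both halves of the post’s argument show up directly: anyone holding the token can read the payload, and only the holder of `jwtSecret` can produce a signature the middleware accepts, which is why the token must travel over HTTPS and why the secret never belongs in client-side code.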

    In one of the upcoming posts I’ll demonstrate a neat technique to share the current user context vertically between all your app layers (such as the business layer and/or repository), something you can’t do using the HttpContext because you don’t really want all the “web” DLLs in your lower layers; they should stay clean and agnostic.

    If you have any questions or comments, leave them below. Thnx!

  • Automating Risu report dumping

    Here is a small bash script to automate Risu reporting. It’s not the most elegant thing out there, but it gets the job done. You will have to create a Risu config file beforehand and put it in the same folder as this script and all the Nessus scans you’ve got. The script will feed all the scans into Risu, create PDF reports for you and dump them into the same folder.

    #!/bin/bash
    # Load every .nessus scan in this folder into Risu and dump each report template as a PDF.
    # A Risu config file must be present in the same folder.
    set -u

    # If risu is not on your PATH, run e.g. RISU=/var/lib/gems/1.9.1/bin/risu ./risu_dump.sh
    risu="${RISU:-risu}"

    # Collect the scans with a glob instead of parsing `ls` output (safe with odd file names)
    nessus_logs=( *.nessus )
    if [ ! -e "${nessus_logs[0]}" ]; then
       echo "No .nessus files found in $(pwd)" >&2
       exit 1
    fi

    "$risu" --create-tables

    "$risu" "${nessus_logs[@]}"
    echo -e "\n"

    # Every report template Risu ships, dumped as <template>.pdf
    templates=(
       findings_summary
       findings_summary_with_pluginid
       exec_summary
       cover_sheet
       pci_compliance
       ms_update_summary
       graphs
       technical_findings
       finding_statistics
       assets
       exec_summary_detailed
       host_summary
       findings_host
       ms_patch_summary
       template
    )

    for template in "${templates[@]}"; do
       echo "Dumping ${template}.pdf"
       "$risu" -t "$template" -o "${template}.pdf"
    done

    echo -e "\n"
    "$risu" --drop-tables

  • Merging multiple Nessus scans (Python script)

    If for any reason you need to merge (combine) a few Nessus scans into a single *.nessus file, you can do so using this simple Python script. Since *.nessus files are basically just XML files with a different extension, the script finds all the *.nessus files in the current folder, collects all their “ReportHost” XML nodes into a single report.nessus file, and writes that file to the nss_report folder.

    Note that scans must be of the same type (same plugins must be used), but they can be from different subnets or different parts of the same subnet.

    How to use it? Put the script and all your *.nessus files into the same folder, run the script, import nss_report/report.nessus into Nessus, and there you have it: all the hosts are in one place.

    #!/usr/bin/env python3

    import os
    import shutil
    import xml.etree.ElementTree as etree

    main_tree = None
    report = None

    for file_name in sorted(os.listdir(".")):
        # Match the extension exactly, so e.g. "scan.nessus.bak" is skipped
        if not file_name.endswith(".nessus"):
            continue
        print(":: Parsing", file_name)
        if main_tree is None:
            # The first scan becomes the base document; its <Report> collects all hosts
            main_tree = etree.parse(file_name)
            report = main_tree.find("Report")
            if report is None:
                raise SystemExit(file_name + " has no <Report> element")
        else:
            tree = etree.parse(file_name)
            for element in tree.findall(".//ReportHost"):
                report.append(element)
        print(":: => done.")

    if main_tree is None:
        raise SystemExit("No .nessus files found in the current folder")

    if os.path.isdir("nss_report"):
        shutil.rmtree("nss_report")

    os.mkdir("nss_report")
    main_tree.write("nss_report/report.nessus", encoding="utf-8", xml_declaration=True)
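As an added example (not the post’s script and not mastahyeti’s version), here is a variant that merges in memory, checks that each input really is a Nessus v2 export, and keeps a host only once when the same address shows up in two scans with overlapping ranges. The two scans are constructed inline with just the elements the merge touches (`NessusClientData_v2` root, `Policy`, `Report`, `ReportHost`, `ReportItem`); the `merged` report name and the `write_merged` helper are my own choices.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional, Set

# Two constructed, minimal .nessus documents. A real export carries a large <Policy> block
# and many <ReportItem> children per host; only the structure the merge relies on is kept.
SCAN_A = """<NessusClientData_v2>
  <Policy><policyName>Basic Network Scan</policyName></Policy>
  <Report name="subnet-10.0.1">
    <ReportHost name="10.0.1.10"><ReportItem pluginID="19506" pluginName="Nessus Scan Information"/></ReportHost>
    <ReportHost name="10.0.1.11"><ReportItem pluginID="19506" pluginName="Nessus Scan Information"/></ReportHost>
  </Report>
</NessusClientData_v2>
"""

SCAN_B = """<NessusClientData_v2>
  <Policy><policyName>Basic Network Scan</policyName></Policy>
  <Report name="subnet-10.0.2">
    <ReportHost name="10.0.1.11"><ReportItem pluginID="19506" pluginName="Nessus Scan Information"/></ReportHost>
    <ReportHost name="10.0.2.20"><ReportItem pluginID="19506" pluginName="Nessus Scan Information"/></ReportHost>
  </Report>
</NessusClientData_v2>
"""


def merge_nessus_reports(documents: Iterable[str], report_name: str = "merged") -> ET.Element:
    """Merge several .nessus exports into one tree, keeping each ReportHost name once."""
    merged_root: Optional[ET.Element] = None
    merged_report: Optional[ET.Element] = None
    seen_hosts: Set[str] = set()
    for doc in documents:
        root = ET.fromstring(doc)
        if root.tag != "NessusClientData_v2":
            raise ValueError("not a Nessus v2 export (root element is <%s>)" % root.tag)
        report = root.find("Report")
        if report is None:
            raise ValueError("export has no <Report> element")
        hosts = list(report.findall("ReportHost"))
        if merged_root is None:
            # The first export becomes the base document: its <Policy> is kept, its <Report>
            # is emptied and refilled below so the duplicate check also covers this file.
            merged_root, merged_report = root, report
            merged_report.set("name", report_name)
            for host in hosts:
                merged_report.remove(host)
        for host in hosts:
            name = host.get("name", "")
            if name in seen_hosts:
                continue  # host already present from an earlier scan; keep the first copy
            seen_hosts.add(name)
            merged_report.append(host)
    if merged_root is None:
        raise ValueError("no documents given")
    return merged_root


def host_names(root: ET.Element) -> List[str]:
    """Host names in the merged <Report>, in output order."""
    return [host.get("name", "") for host in root.findall("Report/ReportHost")]


def write_merged(root: ET.Element, path: str) -> None:
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    merged = merge_nessus_reports([SCAN_A, SCAN_B])
    print("hosts in merged report:", host_names(merged))
    write_merged(merged, "report.nessus")
```

The duplicate check keeps the first copy of a host, so put the most recent scan first if you rescanned part of a range. Plugins must still match across scans, as the post notes, because the merged file inherits only the first export’s `Policy` block.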

    If you have any questions, just drop a comment below.

    edit: mastahyeti made some improvements to this script; you can get it from his GitHub.

  • Locking a session after suspending to disk in Ion3

    Ok, so I wanted to lock my session after suspending to disk while using Ion3 WM. There are a few solutions to this but what I’ve found works best for me is using vlock. What you should do to make this work is the following (after you have installed vlock):

    Edit your .xinitrc and add the following line before the exec part:

    vlock -n &

    Also, uncomment the following line in /etc/hibernate/common.conf

    LockConsoleAs

    After you suspend to disk, vlock locks all virtual terminals and sessions; when you resume, it prompts you for your username and password before letting you back in.

  • Workshop on Sunday (2.11.2008.) 16-20h – Linux-Osijek

    Start: 16:00
    Topic: Wireless network security (WEP and WPA encryption)
    Speaker: Boris Jukić
    Location: Osijek, Vukovarska 3

    We invite everyone interested to a workshop on wireless network security, which will be held on Sunday at the premises of the Udruga obitelji poginulih hrvatskih branitelja iz Domovinskog rata – Osijek. The workshop will be given by members of Hrvatska udruga Linux korisnika Osijek in cooperation with Klub Info Junior.

    The topics are: legal aspects of attacks on WEP- and WPA-encrypted wireless networks, the false sense of security given by MAC address filtering (setting a spoofed MAC address), traffic monitoring and sniffing, cracking a WEP-protected access point with and without a client, and WPA cracking.

    The purpose of the workshop is education: to show how vulnerable today’s technology is and how you can better protect your own wireless network and data. We want to encourage everyone to think about the imperfections of the systems in use today, whose “security” they take for granted. The easiest way to defend yourself is to know the weaknesses and vulnerabilities of what you use.

    We ask those who own laptops to bring them to the workshop so that, if they support packet injection, they can be used in the practical part. For those who are interested but less familiar with this area, to make the theoretical part easier to follow and the practical part easier to take part in, we recommend reading up on these topics at some of the following links:

    MAC address
    WEP encryption
    WPA encryption
    Breaking WEP protection
    Cracking WEP and WPA wireless networks

    Traffic sniffing, or packet analysis

    Also, so that we can plan the room, we ask everyone interested to register for the workshop by sending an e-mail with the subject “WEP/WPA cracking radionica” to [email protected] or by signing up in this thread on our forum. If there is a lot of interest in this topic, the workshop will be repeated so that everyone interested can attend.

  • Clipperz – online password manager

    What is Clipperz? It’s an online password manager where you can store your passwords, PINs, credit card details, software keys, or any other confidential data without worrying about its security. It saves you the trouble of juggling too many different passwords you can’t (or don’t want to) remember…

    Clipperz also lets you log in to the online services you use with “one click”, without typing any usernames or passwords… You can create a read-only encrypted portable version of Clipperz to keep on your local hard drive or a USB stick for when no Internet connection is available. Importing and exporting from formats like Excel, KeePass, etc. is also available. You can use it from any computer, any browser, any OS, and it’s completely anonymous. There is also one very interesting feature: logging in with a “one time keyphrase” (very useful when logging in from someone else’s computer; if that machine has a keylogger on it, whoever reads it gets your keyphrase, but after you log out it’s useless).

    It works like this: your data is encrypted locally by the browser itself before it is uploaded to the server. The key to the encryption is a passphrase (kind of like a password) which never gets sent to or saved on the server. Therefore, no one except you can access your data. Clipperz guarantees a 128-bit security level.

    “Clipperz password manager is the first zero-knowledge web application. This means that Clipperz knows nothing about its users and their data. Not even their usernames!”

    So you’re probably asking yourself, “How come not even Clipperz can see my personal data?”, right?
    It’s all completely transparent, and you can view the whole source code of the application here. The Clipperz developers say not to trust them, but to check it yourself =)

    A flash introduction to Clipperz
