Category Archives: Chat

AWS S3 at Speed

Why a “503: Slow Down” response from Amazon S3 can actually be good for you!

The official AWS S3 docs on Request Rate and Performance Considerations for S3 clearly state that "Amazon S3 scales to support very high request rates."
Sometimes this doesn't appear to be the case in practice: as you push your request rate to a bucket higher, somewhere around the 700 requests per second mark you suddenly get hit with these Slow Down responses.

This is actually a good thing!
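The practical response to a 503 Slow Down is to back off and retry, with delays that grow per attempt and carry jitter so that many clients do not retry in lockstep. The following is an added example and not code from the original post: `FakeS3` is a constructed stand-in for an S3 client that throttles the first few requests, and `put_with_backoff` is an assumed wrapper name rather than anything in the AWS SDK.

```python
import random
import time


class SlowDown(Exception):
    """Stands in for the SDK error raised on an HTTP 503 'SlowDown' from S3."""


class FakeS3:
    """Constructed stand-in for an S3 client (not boto3): it rejects the first
    `throttled` requests with SlowDown and then accepts everything."""

    def __init__(self, throttled):
        self.throttled = throttled
        self.calls = 0

    def put_object(self, key):
        self.calls += 1
        if self.calls <= self.throttled:
            raise SlowDown("503 Slow Down")
        return {"key": key, "status": 200}


def backoff_delay(attempt, base=0.05, cap=5.0):
    """Full-jitter exponential backoff: a random delay in
    [0, min(cap, base * 2**attempt)] seconds for the given zero-based attempt."""
    return random.uniform(0, min(cap, base * (2 ** attempt)))


def put_with_backoff(client, key, max_attempts=6, sleep=time.sleep, delay=backoff_delay):
    """Retry a PUT while S3 answers SlowDown, sleeping a growing jittered delay
    between attempts. Returns (response, attempts_used, delays_slept); re-raises
    SlowDown once max_attempts is exhausted so the caller can shed load instead
    of hammering the bucket."""
    delays = []
    for attempt in range(max_attempts):
        try:
            return client.put_object(key), attempt + 1, delays
        except SlowDown:
            if attempt == max_attempts - 1:
                raise
            d = delay(attempt)
            delays.append(d)
            sleep(d)


if __name__ == "__main__":
    # Three throttled responses, then success on the fourth attempt.
    client = FakeS3(throttled=3)
    resp, attempts, delays = put_with_backoff(client, "reports/2024/q1.csv")
    print(resp, "after", attempts, "attempts; slept", [round(d, 3) for d in delays])
```

The `sleep` and `delay` parameters are injectable so the retry logic can be unit-tested without waiting; in production leave them at their defaults.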


‘Insecure’ Concepts

An extract straight from ISC2’s CSSLP Overview but always useful to consider. The rest of the CSSLP brochure can be found here (pdf).

| Characteristic | What is it? | Insecure code examples | How to fix it |
|---|---|---|---|
| I: Injectable Code | Code that makes injection attacks possible by allowing user-supplied input to be executed as code. | No input validation; dynamic construction of queries | Input validation; parameterized queries |
| N: Non-Repudiation Mechanisms not Present | Authenticity of code origin and actions is disputable. | Unsigned executables; auditing not present | Code signing |
| S: Spoofable Code | Code that makes spoofing attacks possible. | Predictable session identifiers; hard-coded passwords; caching credentials; allowing identity impersonation | Session, cache and password management; managing identity impersonation |
| E: Exceptions and Errors not Properly Handled | Code that reveals verbose error messages and exception details, or fails open in the event of a failure. | Verbose errors; unhandled exceptions; fails open | Non-verbose error messages; explicit exception handling (try-catch-finally blocks); fail-secure |
| C: Cryptographically Weak Code | Code that uses non-standard, weak or custom cryptographic algorithms and manages keys insecurely. | Key not derived and managed securely | Do not use weak, non-standard algorithms or custom cryptography; use RNG/PRNG for key derivation |
| U: Unsafe/Unused Functions and Routines in Code | Code that increases attack surface by using unsafe routines or containing unused routines. | Banned API functions; Easter eggs | Do not use banned APIs or unsafe functions; input validation; remove unused routines and Easter eggs |
| R: Reversible Code | Code that allows for determination of internal architecture or design. | Unobfuscated code; unsigned executables | Code obfuscation (shrouding); digitally signing code |
| E: Elevated Privileges Required to Run | Code that violates the principle of least privilege. | Administrative accounts | Environment configuration; code set explicitly to run with least privilege |
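The "I" row is the one most often met in practice, so here is an added example (not part of the CSSLP material or this post) showing the insecure pattern beside both of the listed fixes. It uses Python's built-in `sqlite3` with a constructed in-memory `users` table; the function names and the username rule are assumptions for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_injectable(conn, name):
    """INSECURE: dynamic construction of the query. Whatever the caller passes
    becomes part of the SQL text, so a value containing a quote changes the
    WHERE clause instead of being compared as data."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Fix 1: parameterized query. The driver binds `name` as a value; the SQL
    text is fixed, so quotes in the input are never interpreted as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Assumed allow-list for usernames: lowercase letter, then up to 31 of [a-z0-9_].
USERNAME = re.compile(r"[a-z][a-z0-9_]{0,31}")


def lookup_validated(conn, name):
    """Fix 2 layered on fix 1: input validation rejects anything outside the
    expected shape before the (already parameterized) query runs."""
    if not USERNAME.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print("injectable   :", lookup_injectable(conn, probe))     # every row leaks
    print("parameterized:", lookup_parameterized(conn, probe))  # no match
    try:
        lookup_validated(conn, probe)
    except ValueError as e:
        print("validated    : rejected,", e)
```

Parameterization alone closes the injection; validation is the second layer the table recommends, and it also gives you a clean place to log and count rejected input.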

Apache 2 Module API

My latest exploits have involved writing an Apache module, so let's look at a basic getting-started guide for developing Apache modules.

Requirements

This assumes running on a RHEL platform with httpd-dev installed.

Basic Structure

Apache modules can both process requests and output information. The following basic example adds an extra header to the response to any request and outputs the text "Hello World" onto the page.