How to set HMAC CSRF token in Actix Rust? (2024)

romeil

Guest
  • Monday at 11:53 PM
  • #1

romeil : How to set HMAC CSRF token in Actix Rust?
So I've been doing some research on web security, in which I came upon this OWASP article on HMAC CSRF tokens. With that in mind, I've been trying to implement it using this middleware:

Code:

impl<S, B> Service<ServiceRequest> for CSRFTokenMiddleware<S>
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;

    dev::forward_ready!(service);

    fn call(&self, mut request: ServiceRequest) -> Self::Future {
        // `call` takes `request` by value, so it is moved into the inner service here...
        let mut res = self.service.call(request);
        Box::pin(async move {
            let res = res.await;
            // ...and cannot be borrowed again for set_csrf_token() (the problem described below)
            set_csrf_token(res.unwrap().response_mut().head_mut(), &request);
            res.map(ServiceResponse::map_into_left_body)
        })
    }
}

I'm not done yet, but it's supposed to set a token after the user successfully logs in. The issue is that self.service.call() takes ownership of the ServiceRequest, but I need it for my set_csrf_token() function. Here's what that looks like:

Code:

pub fn set_csrf_token(response: &mut ResponseHead, req: &ServiceRequest) -> Result<(), ()> {
    let csrf_token = generate_csrf_token(req);
    // Token is handed to the client as a "csrf" cookie appended to the outgoing response
    let cookie = Cookie::new("csrf", csrf_token);
    let val = HeaderValue::from_str(cookie.to_string().as_str()).unwrap();
    response.headers_mut().append(SET_COOKIE, val);
    Ok(())
}

And the corresponding generate_csrf_token() function called inside set_csrf_token() is:

Code:

pub fn generate_csrf_token(req: &ServiceRequest) -> String {
    // The token is bound to the session id carried in the "id" cookie
    let session_id = req.cookie("id").unwrap().value().to_string();
    // HMAC key; verification later has to use this same key
    let hmac_key_value = generate_hmac_key_value();
    let s_key = hmac::Key::new(hmac::HMAC_SHA256, hmac_key_value.as_ref());
    // Random value so every issued token is unique
    let random_value = Uuid::new_v4();
    let message = session_id + "!" + random_value.to_string().as_str();
    let hmac = hmac::sign(&s_key, message.as_bytes());
    let hmac_string = hex::encode(hmac.as_ref());
    // OWASP layout: hex(HMAC) + "." + session_id + "!" + random
    let csrf_token = hmac_string + "." + message.as_str();
    csrf_token
}

I thought of making a POST request handler alongside my login function (which would be in the same resource), but that would set the token regardless of whether the user successfully logged in or not.

Would really appreciate any help. Thank you!
