MASSIVE Identity column value jump in SQL Server 2014

So in the middle of basic coding and testing we saw a huge non-patterned jump in Identity values for multiple tables. We are unaware of any server blips or attempted bulk operations, but DBAs are looking into logs. The gaps are not the typical 1,000 or 10,000 seen with server restarts and such. The gap for Application_NO is 10,410,345 for a table with 2,320 rows and Transaction_Payment_NO jumped an astonishing 1,712,149,313 for a table with 685 records. Any ideas on what could be causing such large and seemingly arbitrary jumps.

Identity value jumps on multiple tables

Go to Source
Author: BikeMrown

Centralized authorization – via token or endpoint?

Firstly, I want to clarify the title. After spending a few weeks now tackling centralized identity I have found a lot of differing opinions and implementation of authorization (permissions). Mainly, there seems to be 2 ways I see it done

  • Store roles, and sometimes even strict permissions, in the access token (or some token associated with whatever protocol you are using). The upsides are ease of distributing this data to the client and resource, and security. The downsides are a potentially large token, and immutability of JWTs cause potentially out-of-date information.
  • Provide a centralized authorization server, or simply use endpoints on the identity server itself to serve specific authorization information, kind of like /userinfo but for authorization information. The upsides of this are up-to-date information and a clear separation of concerns. The downsides are a lot of calls to this endpoint, the fewest being one call per request as far as I can tell.

I see Auth0 allows a way to update token data on the fly (permissions, avatar, etc.) which is really convenient, however what are the downsides of using JWTs this way? I am confused as to why these protocols (OpenIdConnect, etc.) do not implement some way to force a token refresh, and thus a refresh of claims. I may be overthinking this, but what if a reference token was used, and we marked it as out-of-date? I mean, if we can mark a token as revoked then surely we can use some trick to mark it as stale? The client then would have default logic in this scenario to use its still-valid refresh token to receive a new access token. I feel like the utility of this whole system is really brought down by the fact that refreshing isn’t supported. Even if it was a separate permissions token, is this a valid idea? It just seems much more convenient than the latter.

For the second point, when using separate authorization and calling and endpoint for this info there are a few problems too. While I don’t know how PolicyServer’s paid version works, the OSS version uses this methodology. My problem with it is that the overhead of an http request is added to almost every page load, button click, etc. Using a refreshing JWT theoretically sounds like a nice way to only force a refresh when claims information is changed for a specific user only. In addition to this, basically every client and resource will need to know this claims information. While the resource itself should use authorization information, the client is still going to need to dynamically show/hide content based on this info as well. How do we easily share this information without having both the resource and client(s) request this information on every action? In PolicyServer’s demo, it’s just a bare client using authorization information from the API endpoint, there is no resource involved, probably because it was a complicated issue.

Is my idea in the first point of marking a reference token as stale practical? It would take a lot of work and would have to override existing interfaces both on the server and client. However, I just cannot see a dedicated authorization endpoint as a possibility given the concerns above. I’m still perplexed as to why none of these protocols have an easy way to refresh claims information after specific actions.

Go to Source
Author: perustaja

Are there security reasons for prohibiting universal mac address modification?

Background

In a standard 48-bit MAC address, the 7th (most significant) bit specifies whether it is a universally-administered address (UAA) or a locally-administered address (LAA).

If it is 0, then the MAC address is a UAA and the first 24-bits are the organizationally-unique identifier (OUI) of the manufacturer of the network interface card (NIC).

If it is 1, then the MAC address is just an LAA.

Question

Many drivers and NIC’s often allow users to modify the MAC address of their device.

But, it seems Windows does not allow modifying mac addresses to universal ones (i.e., UAA’s): https://superuser.com/questions/1265544/

What is the reason for this restriction? Are there security implications if this was not the case? Or, perhaps, is this merely just to prevent someone from spoofing a device as some legitimate company’s network communications product? (to their ISP)

Go to Source
Author: ManRow

ASP.NET Identity using only Active Directory

We have an existing ASP.NET web app that is using Microsoft.AspNet.Identity framework. The previous developer wrote the code for this and unfortunately I don’t have much experience with it. It currently allows users to create an account on our app and that gets saved to the AspNetUsers table. I’m assuming that’s the default way accounts are stored with this framework.

This has been working well so far, but we want to expand our functionality in a way that we think would be better if accounts were stored in Active Directory. Ideally users would have a single login that would allow the following:

  • Login to our web app.
  • Ability to change password via the web app.
  • Log into SQL Server Reporting Services portal.
  • Log into SSRS server when building reports in Report Builder.
  • Provide database access as follows:
    • Only be able to see and SELECT from a handful of views.
    • These views would be able to filter data based on the user.
    • There would be groups that the user belongs to. Each group has ownership of a schema in the database. Members of the group would have full access to that schema.

With the current AspNetUsers table implementation, users can create accounts, login and reset password. For the SSRS functionality we’ve been creating a separate user in AD manually. So at this point, the user has two accounts to deal with, though they could use the same username/password so that it seems like one.

On the database access it is a little complicated, but seems to work:

  1. First, our users belong to one or more “Organizations”. And really that’s pretty much like a group, but it doesn’t use any kind of built in group functionality. We basically have an Organizations table in the database and then an OrganizationUser table that links AspNetUsers to Organizations.

  2. Each Organization has a Data Source in SSRS. Depending on what Organization the user is writing reports for, they will choose the appropriate Data Source. Organizations have corresponding local DB logins and that is the login used by the SSRS Data Source.

  3. On the database itself, the Organization login has ownership of it’s own schema. The schema is there so that users can store and retrieve tables of their own design. This is mainly for pre-computing of data for use in reports. The login also has access to a few views in the dbo schema. Those views utilize the DB login to determine what Organization it’s dealing with. That’s used to filter out any data that is “owned” by an AspNetUser entry that isn’t linked to the Organization.

As you can see, we also end up with a third Organization login on the database which is not really ideal either. Plus, we’re also seeing a need to have a user-level login because we also want to add a database view that only shows the users data rather than the data for the entire Organization.

I should also mention that I’d really like if, when a user creates an account, it gets created in AD rather than the database. I haven’t been able to find an example of being able to do this. There seems to be a lot of examples on how to login to AD, but not to create the account in the first place. I suppose I could keep the existing AspNetUsers implementation and write some AD code alongside all the existing endpoint code, however that seems like a waste if there was some way to just do it all in AD.

I was going to post in StackOverflow to see if anyone could help me on getting Microsoft.AspNet.Indentity to create users in AD, but I decided it might be a good idea to get some feedback on this design before I go down that route as I’m wondering whether it’s a good idea or not.

I know one of the concerns my co-worker brought up was getting too many accounts in AD. I don’t think it’s a big issue. This isn’t the type of application that would have a lot of users. His other concern was getting tied too close to a Microsoft stack, but I don’t think that’s a big problem either.

Go to Source
Author: Dan

Is there some method to track what changes to files a website does?

So I was trying to find out how this site pentest-tools tracks me without normal MAC address or even IP address. This website basically gives us 2 “free scans” allowing us to scan any 2 sites and find some of the basic vulnerabilities present in websites.

So there are plenty of websites out there (actually, only 2) that provide this free “scans” for basic vulnerabilities. So as a challenge, I wanted to find out whether I could fool the website into allowing me more than 2 scans by changing my identity thus having the server think of me as a new user.

So, I tried all the basic methods of hiding my identity (BTW I am not a hacker or anywhere near) which included MAC and IP spoofing and cookies clearing. But they didn’t work. So, I had a few questions:-

  1. Is there any way to track what file changes the site performs to identify me so that I can find those cookies responsible for storing the number of scans I have used and delete them?

  2. Also, would there be any program that immediately removes whatever files generated by the website (tracker by the above method) and placed on the computer files be deleted automatically? something which even prevents supercookies?

TIA

Regards,
Neel Gupta

Go to Source
Author: neel g