Conversation
buherator (buherator@infosec.place)'s status on Thursday, 13-Feb-2025 23:40:53 JST buherator
Re: CVE-2025-0108
Can we agree that "X-Trust-Me-Bro: $boolean" headers set by reverse proxies are an anti-pattern?
If so, what is the best practice?
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 13-Feb-2025 23:40:52 JST Ryan Castellucci :nonbinary_flag:
@buherator Just encode the data with a JWT.
(lest anyone take this seriously, I am shitposting here...)
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 14-Feb-2025 00:31:52 JST Ryan Castellucci :nonbinary_flag:
@buherator JWT being a great complex insecure solution 😁
buherator (buherator@infosec.place)'s status on Friday, 14-Feb-2025 00:31:53 JST buherator
@ryanc I was actually thinking whether some (not so) fancy crypto could be used to pass some instead of a bool that the attacker can't forge, then realized reverse proxy configs are not exactly designed to implement such transformations in the first place :)
Nonetheless, this is an illustrative example that unless we point to some robust solution ppl *will* come up with complex but insecure solutions (see also Schneier's Law).
Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 14-Feb-2025 01:09:28 JST Ryan Castellucci :nonbinary_flag:
@buherator lulz driven development
buherator (buherator@infosec.place)'s status on Friday, 14-Feb-2025 01:09:29 JST buherator
@ryanc X-Trust-Me-Bro: {"alg":"nOnE"...} vulns would be pretty funny actually :) let's hope we'll never get there though...
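As an added illustration of the thread's two points (the boolean "trust me" header that a backend cannot distinguish from a forged one, and the "some crypto the attacker can't forge" alternative), the following example is not part of the original posts and is not a known implementation; it models a reverse proxy and a backend in a few Python functions. The shared secret, the `X-Auth-Assertion` header name, and the 30-second lifetime are assumptions. The proxy strips any client-supplied copy of the trust headers and attaches a short-lived, request-bound, HMAC-SHA256-signed assertion; the backend verifies with a fixed algorithm and never reads an algorithm name out of the token, so an `"alg":"none"`-style claim has no effect.

```python
import base64
import hashlib
import hmac
import json

# Assumption (constructed value): a secret known only to the reverse proxy and the backend.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"
ASSERTION_HEADER = "X-Auth-Assertion"   # assumed header name
LEGACY_HEADER = "X-Trust-Me-Bro"        # the header from the thread
TTL_SECONDS = 30                        # assumed assertion lifetime


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def naive_is_trusted(headers: dict) -> bool:
    """The anti-pattern: the backend believes a boolean it cannot tell from a forged one."""
    return headers.get(LEGACY_HEADER, "").strip().lower() == "true"


def proxy_forward(client_headers: dict, authenticated_user: str,
                  method: str, path: str, now: int) -> dict:
    """What the proxy forwards after it has authenticated the client itself.

    1. Drop any client-supplied copy of the trust headers so they never reach the backend.
    2. Attach an HMAC-signed assertion bound to the user, the request, and a short time window.
    """
    dropped = {LEGACY_HEADER.lower(), ASSERTION_HEADER.lower()}
    forwarded = {k: v for k, v in client_headers.items() if k.lower() not in dropped}
    claims = {"sub": authenticated_user, "mtd": method, "pth": path,
              "iat": now, "exp": now + TTL_SECONDS}
    body = _b64url_encode(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).hexdigest()
    forwarded[ASSERTION_HEADER] = f"{body}.{sig}"
    return forwarded


def backend_user(headers: dict, method: str, path: str, now: int):
    """Return the asserted user, or None if the assertion is missing, forged, stale, or misbound.

    The algorithm is fixed to HMAC-SHA256 here; nothing in the token selects it.
    """
    parts = headers.get(ASSERTION_HEADER, "").split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(body))
    except ValueError:                           # covers bad base64 and bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("mtd") != method or claims.get("pth") != path:
        return None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return None
    return claims.get("sub")


def demo() -> dict:
    """Run the scenarios from the thread and return the outcomes (constructed inputs)."""
    # A client that sends both a forged boolean and a home-made assertion.
    client = {"Host": "app.example", LEGACY_HEADER: "true",
              ASSERTION_HEADER: _b64url_encode(b'{"alg":"none","sub":"admin"}') + ".0000"}
    forwarded = proxy_forward(client, "alice", "GET", "/admin", now=1000)
    return {
        "naive_accepts_forged_bool": naive_is_trusted(client),
        "naive_after_proxy_strip": naive_is_trusted(forwarded),
        "backend_user_via_proxy": backend_user(forwarded, "GET", "/admin", now=1005),
        "backend_rejects_client_token": backend_user(client, "GET", "/admin", now=1005),
        "backend_rejects_expired": backend_user(forwarded, "GET", "/admin", now=1031),
        "backend_rejects_other_path": backend_user(forwarded, "GET", "/other", now=1005),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats the signature does not remove: the backend must still be reachable only from the proxy (otherwise the stripping step is bypassed, and only the signature stands between a client and a forged identity), and within the lifetime window an observed assertion can be replayed for the same method and path, which is why the window is short and the claims are bound to the request.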