I have custom policies for all my authentication scenarios. I didn't use the new recommended sub journey pattern because I need to get back to my own site for some validation questions. It was simpler to do this instead of having to migrate some sensitive data to B2C for this purpose. So when the user clic "Forgotten password" link, it returns an "access denied AADB2C90118" error. I then trap it within my MSAL plugin and do my things. Everything works fine, except for the language.
In our custom version of the "unified.html" template, we added a link to change language. Its just a link on the same page with a different "ui_locales" request parameter. But the language is not passed back in any way when I click on "Forgotten password". I can see in console that the "login_hint" is returned, but not "ui_locales". Is there any way that I can add this parameter in the error?
Related
When a user tries to log in but fails with a bad password and then clicks the forgot password link, they are directed to a URL containing their PII email.
The hint is not injected until the link is clicked, so it can probably be fudged with some custom JS, but we would like to use configuration rather than customisation..
e.g.
https://b2ctenant.b2clogin.com/b2ctenant.onmicrosoft.com/B2C_1A_customflow/api/CombinedSigninAndSignup/forgotPassword?csrf_token=xxxx&tx=StateProperties=xxxx&p=B2C_1A_customflow&hint=blablablah#example.com
This PII has potential to be captured/logged/etc, which we would really like to avoid.
So, can we turn that off?
Yes, we understand this is a convenience/quality-of-life feature to help clients, but revealing their PII seems a poor trade-off.
If you initiate Password Reset by clicking on the "Forgot your password?" link at the sign-in page, clicking this link doesn't automatically trigger a password reset user flow. Instead, the error code AADB2C90118 is returned to your application. Your application needs to handle this error code by running a specific user flow that resets the password. You should be able to handle the URL and forgot password from the application.
The Azure AD B2C guidelines for using custom JS (https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-javascript-overview#guidelines-for-using-javascript) direct prohibit binding the click event on anchors/links, but we can use the mousedown event.
With that, we can use a JS snippet as below to clear the signInName field, and so prevent the link from containing the hint parameter:
$("#forgotPassword").mousedown(function () {
$("#signInName").val("");
});
This addresses the issue with customisation, so now we wait to see if we can replace it with an official configuration option.
We are hitting a bit of a brick wall with this one – if you go to this article and look at the final screenshot, it includes a message 'To sign in with your new password, click here' and the click here must be configurable:
http://www.rebeladmin.com/2019/02/step-step-guide-using-microsoft-authenticator-app-public-preview-reset-azure-ad-user-password/
Can anyone tell us how to config that link on the success page please? Otherwise, the user will have to manually enter in the URL to login which seems a bit bonk.
Any help appreciated!
That option isn't configurable for SSPR and it's most likely by design for security reasons.
I don't see any legitimate use case for configuring this URL either. When the user clicks the link they should be taken to login.microsoftonline.com and after successfully logging in will be taken to the original site the user was trying to access since it's embedded in all links across the SSPR experience by means of query parameters.
I need a simple solution here... I'm pretty sure this is possible, I just don't know how to set it up.
I need squid to redirect all users to a simple user acceptance agreement before allowing them out to the internet. No username and password, they either accept the agreement and get allowed access, or the don't and get a permission denied page.
I don't want to have anything complicated, lets keep it simple if we can.
I have reviewed this: http://wiki.squid-cache.org/ConfigExamples/Portal/Splash#Portal_Splash_Pages
However its not very clear to me...
Thanks in advance...
From auth_param section in squid.conf file:
Specify the command for the external authenticator. Such a program
reads a line containing "username password" and replies "OK" or "ERR"
in an endless loop. "ERR" responses may optionally be followed by a
error description available as %m in the returned error page.
By default, the basic authentication scheme is not used unless a
program is specified.
There are lots of examples around. This link has an example of a custom squid helper in PHP. It can easily be modified to have a checkbox for agreement iso a username/password authentication.
Im using GWT, GAE to make a web app.
I looked at a bunch of tutorials regarding implementing a login system but most of those tutorials implement it so it's mandatory to login to access the web app. How would I go about making it so that anyone can access the app but if they want to use account specific functionality, they they have the option of signing up for an account.
There are two parts to it.
First, in your client code you check if a user is logged in. If so, you allow access to the "closed" parts of the app. If not, you show a link/button to login and hide tabs/views that are accessible to authorized users.
Second, in your server code you specify which requests do not require authentication and which do require it. This is necessary if a user somehow figures out how to send a request without using your client code.
For example, in my code some requests have checkSession() called at the very beginning. If no authentication object is found for this user in session, this method throws LoginException to the client. If the authentication object is present, the request continues to execute normally and returns requested data to the client.
Further to Andrei's answer, if you want a framework to manage the sessions for you, you can use GWT-Platform, which has an excellent Gatekeeper feature.
I use it for mine and I have a LoggedInGatekeeper class. Simply add #UseGatekeeper(LoggedInGatekeeper.class) to the constructor of each presenter proxy and it checks if the user is logged in. If you want anyone to be able to access that page simply annotate with #NoGatekeeper. Easy!
It takes a bit of setting up but it's a great MVP framework. There are maven archetypes and samples etc.
Hope this helps.
I am trying to test a webpage using Nessus. I have tested all the stuff about the Server. But now I want to proceed by login to the webpage and test all possible pages behind the login form. But I couldn't achieve it. I gave all(text, password and hidden fields) the form fields' values including the ticket generated by Central Authentication System. But nothing happens. Either there isn't any security issue behind the login page ( :P ), or I couldn't login to the page (100% possibility :D ). For extra info:
These are login fields. ;)
username=
&password=
<=_c0C1F5872-F217-B20F-6D86-AA3AA1C1262E_kC7BEB4F7-5216-53EB-2F9A-7FDDFE01D145
&_eventId=submit
&submit=Login
Is there anyone who used Nessus and know how to solve this problem? And is there anyone who knows how to import Cookies to Nessus?
Thanks in advance. ;)
I had similar problems; can't speak for you, but sounds like you have about as much website knowledge as I do (which ain't much!) - no offense intended. In my case I'm not sure I'm understanding the most most basic structural elements of the website, such as what URL to point the scan at, and then concatenating that correctly with the login pages in the policy. I'm far better at the network and infrastructure penetration testing :D
I did a search in a search engine for "Nessus HTTP cookie import", and found that Tenable discussed this on their podcast, episode 14:
http://blog.tenablesecurity.com/2009/11/tenable-network-security-podcast---episode-14.html
If you look at the "Stories" note on the above web page, there's a hint to use the "Export Cookies" Firefox add-on. The add-on has some guidance, but essentially:
Install the add-on to your browser (I'm using the OWASP Mantra browser; I urge you to look at it)
Restart your browser
Login into the subject website and authenticate
From the Tools menu, go for "Export Cookies"
Save to file, and point your Nessus scan policy at that file
NOTE: I'm still trying this now, but thought I'd post the possibility anyway in case I forget - I will update this thread with a confirm or deny shortly.
Best of luck!
UPDATE: Well, it didn't work for me on first attempt. I'm confirming I don't have any conflicting or superseding settings in the policy, but if that doesn't work it's on to Tenable Support, I fear...
According to the documentation, besides importing cookies, the other way to do it (currently at 7.0) is:
Create new scan
Web Application Tests
Credentials:
which are filled out like these (taken from documentation):
Username: Login user’s name.
Password: Password of the user specified.
Login page: The absolute path to the login page of the application, e.g., /login.html
Login submission page: The action parameter for the form method. For example, the login form for: <form method="POST" name="auth_form" action="/login.php"> would be: /login.php
Login parameters: Specify the authentication parameters (e.g., login=%USER%&password=%PASS%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This field can be used to provide
more than two parameters if required (e.g., a group name or some other piece of information is required for the authentication process).
Check authentication on page: The absolute path of a protected web page that requires authentication, to better assist Nessus in determining authentication status, e.g., /admin.html.
Regex to verify successful authentication: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as Authentication successful
However, looking at the reports, in my case, it couldn't authenticate for some reason