Content Security Policy in Salesforce

 The Lightning Component framework uses the Content Security Policy (CSP) to impose restrictions on content. 

The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks.

 To use third-party APIs that make requests to an external (non-Salesforce) server or to use a WebSocket connection, add a CSP Trusted Site.

CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level and apply to all components and libraries.

When you define a CSP Trusted Site, the site’s URL is added to the list of allowed sites for the following directives in the CSP header.

• connect-src
• frame-src
• img-src
• style-src
• font-src
• media-src

This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the site. It also allows client-side code to make requests to the site.

Path
From Setup, enter CSP Trusted Sites in the Quick Find box, and then select CSP Trusted Sites.

1. Enter the site URL
2. Select the Context for this trusted site to control the scope of the approval.
All  -  (Default)CSP header is approved for both your organization’s Lightning Experience and Lightning Communities.

LEX - CSP header is approved only for your organization’s Lightning Experience.

Communities - CSP header is approved only for your organization’s Lightning Communities.

 

The framework enables these specific CSP rules:

 JavaScript libraries can only be referenced from your org

All external JavaScript libraries must be uploaded to your org as static resources. The script-src 'self' directive requires script source be called from the same origin.

 Resources must be located in your org by default

The font-src, img-src, media-src, frame-src, style-src, and connect-src directives are set to 'self'. As a result, resources such as fonts, images, videos, frame content, CSS, and scripts must be located in the org by default.

 You can change the CSP directives to permit access to third-party resources by adding CSP Trusted Sites.

 HTTPS connections for resources

All references to external fonts, images, frames, and CSS must use an HTTPS URL. This requirement applies whether the resource is located in your org or accessed through a CSP Trusted Site.

 

Inline JavaScript disallowed

Script tags can’t be used to load JavaScript, and event handlers can’t use inline JavaScript. The unsafe-inline source for the script-src directive is disallowed. For example, this attempt to use an event handler to run an inline script is prevented:

<button onclick="doSomething()"></button>

Note:

CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.

IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.

Finding CSP Violations

CSP policy violations are logged in the browser’s developer console. The violations look like the following message.

Refused to load the script 'https://externaljs.docsample.com/externalLib.js'

because it violates the following Content Security Policy directive: ...

If your app’s functionality isn’t affected, you can ignore the CSP violation.

Stricter CSP Restrictions

The Lightning Component framework uses Content Security Policy (CSP), which is a W3C standard, to control the source of content that can be loaded on a page. The CSP rules work at the page level, and apply to all components and libraries, whether Lightning Locker is enabled or not.

The “Enable Stricter Content Security Policy” org setting was added in the Winter ’19 release to further mitigate the risk of cross-site scripting attacks. This setting was enabled by default.

Salesforce Content Security Policy

 The Lightning Component framework uses Content Security Policy (CSP) to impose restrictions on content. 

The main objective is to help prevent cross-site scripting (XSS) and other code injection attacks.To use third-party APIs that make requests to an external (non-Salesforce) server or to use a WebSocket connection, add a CSP Trusted Site.

CSP is a W3C standard that defines rules to control the source of content that can be loaded on a page. All CSP rules work at the page level and apply to all components and libraries.

When you define a CSP Trusted Site, the site’s URL is added to the list of allowed sites for the following directives in the CSP header.

connect-src

frame-src

img-src

style-src

font-src

media-src

This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the site. It also allows client-side code to make requests to the site.

Note: 

• LEX - CSP header is approved only for your organization’s Lightning Experience.
• Communities - CSP header is approved only for your organization’s Lightning Communities.
•  You can’t load JavaScript resources from a third-party site, even if it’s a CSP Trusted Site. To use a JavaScript library from a third-party site, add it to a static resource, and then add the static resource to your component. After the library is loaded from the static resource, you can use it as normal.

Keycloak

 Keycloak is an open source Identity and Access Management solution targeted towards modern applications and services.

Keycloak offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.

Below are keycloak features:

1)Multiple protocols support

2)SSO support

3)Offers Web based GUI

4)External Identity Source Sync

In case when your client currently has some type of user database, Keycloak allows us to synchronize with such database. By default, it supports LDAP and Active Directory but you can create custom extensions for any user database using Keycloak User storage API.

4)Identity Brokering

Keycloak can also work as a proxy between your users and some external identity provider or providers. Their list can be edited from Keycloak Admin Panel.

5)Social Identity Providers

Additionally, Keycloak allows us to use Social Identity Providers. It has built-in support Google, Twitter, Facebook, Stack Overflow but, in the end, you have to configure all of them manually from admin panel. 

6)Customizations

Currently  Keycloak supports following distributions.

1)server

2)Docker Image

3)Operator

Link: https://www.keycloak.org/

Vulnerabilities in Python Applications

Below are the types of security vulnerabilities that Python developers should be concerned with:

SQL INJECTIONS (SQLI)

A malicious user controls the execution of SQL statements for an application at the backend database server. 

There are four sub-classes in SQLi:

• In-band SQL Injection / Classic SQLi
• Inferential / Blind SQL injection
• DBMS SQLi
• Compounded SQLi (Eg: Strom Worn)
• SQLi with inadequate authentication
• SQLi with DDoS attacks
• SQLi with DNS hijacking
• SQLi with XSS

CROSS SITE SCRIPTING (XSS)

In XSS, a malevolent user can trick any web application to steal stored cookies, saved passwords, and script code that served unsuspecting users of that application.

CROSS SITE REQUEST FORGERY (CSRF)

This security vulnerability occurs when a compromised website is forced to perform an action by another logged-in user like clicking on a button. Also, it includes the hacking or logging into of a website with others’ login credentials.

LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL) INJECTIONS

This vulnerability occurs when a malicious user inserts/modifies LDAP statements that lead to speculations.

COMMAND INJECTIONS

Here, a malicious user executes OS commands on a web server by abusing it in order to insert their own commands to gain complete control over the server.

XPATHI

This occurs when a malevolent user intentionally passes data to a website. They can use that interaction to find out how the data is structured in XML, or they can access secured data that they can’t access normally.

Security Scanners

Python Taint (PYT) – Static Analysis Tool: This utility is used for identifying command injection, XSS, SQLi, interprocedural, path traversal HTTP attacks in Python web apps. Python Taint is based on the Control flow graphs, data flow analysis and fixed points that are theoretical foundations built using the Flask framework.

Tinfoil Security Website Scanner: Tinfoil is an affordable security scanner for Python & Django that helps find holes in web servers and applications and also tells you the ways to fix them.

Bandit – AST Based Static Analyzer: It’s an OpenStack security linter that identifies the common security risks in Python programming. It is distributed using pip. To install bandit from source, we can use the command python setup.py install after downloading the pypi source tarball. You can even access the reports from bandit.

Pyntch – Static Code Analyzer: Pyntch (PYthoN Type CHecker) helps in detecting runtime errors such as exceptions, not found attributes and variable type missmatchings. It supports Python 2.x currently. It won’t address style issues like Pychecker or Pyflakes, but it works pretty fast and efficient in scanning thousands of lines within a minute.

Spaghetti Security Scanner: Spaghetti an open-source web application security scanner built on Python version 2.7. It detects default files, misconfigurations, and insecure files, and it supports numerous frameworks including Django, CherryPy, CakePHP, and others. 

The tool is capable of finding attacks like admin panel, cookie security, credit card/email/private IP disclosures, SQL injections, ShellShock, Struts-shock, Apache ModStatus, Anonymous cipher, and others.

Rough Auditing Tools for Security (RATS): It’s a free tool that scans languages like C, C++, PHP, Perl and Python and emphasizes the errors that are related to security like TOC (Time of Check), TOU (Time of Use), Buffer overflows and Acunetix. Manual code introspection is still important, but this tool still greatly assists us.

PyDbgEng – Windows Debugging Engine’s Python Wrapper: It helps in debugging user mode, kernel mode, software and hardware breakpoints, etc. With the help of this PyDbgEbg, you can do fault injection, fuzzing of applications, and unpacking executables automatically.

Python-ptrace: It’s an opensource debugging tool that uses ptrace developed and written in Python. Here, ptrace works as an tracer that hands the system calls in Linux, BSD and Darwin.

vdb / vtrace – Debugger for Exploit Malware Analysis: Here, VDB refers to a dynamic debugging element; vtrace refers to a platform that’s used in debugging frameworks implemented in Python. Vdb utilizes vtrace.

Immunity Debugger – Python Penetration Testing Tool: It uses python scripts and supports Windows with Graphical user interface and command line debuggers.

Time-Based One Time Password

Conventional passwords – however strong the user makes them – have a disadvantage: if somebody else knows the character string, security is no longer guaranteed. One solution would be to change passwords regularly, but even the most exemplary users do not do this every hour. 

The solution is a TOTP.

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors.

Time-based one-time passwords are commonly used for two-factor authentication and have seen growing adoption by cloud application providers.

TOTP is in fact a further development of HOTP, which stands for HMAC-based one-time password. Like HOTP, TOTP is based on the HMAC procedure – the hash operation in the background. Both the user’s device and the server generate a hash value by combining the secret key with a counter. 

The two values are identical, which is how the authentication works.

The hash function itself is not defined; in practice SHA-1 is often used (including by Google Authenticator, for example). SHA-1 generates a 160-bit hash value. For convenience, this value is truncated using a compression function. 

The final result is a short number (six digits for example) which the user can easily use to sign in to the web service.

For the time-based one-time password algorithm, there are three important formulas:

TOTP = HOTP(SecretKey,CurrentTime)

This basic formula simply defines that the TOTP is a HOTP procedure with two parameters – SecretKey and CurrentTime:

SecretKey: Randomly generated password, known to both the server and the client

CurrentTime: Current time in Unix time

However, this time value changes every second, which doesn’t leave the user long enough to enter the generated code. 

In other words, one second later, the TOTP is no longer valid, because the server has already generated a new hash value. A further formula is therefore required:

CurrentTime = floor((unixtime(now) – unixtime(T0))/T1)

The CurrentTime parameter is defined as follows:

unixtime(now): Current time in Unix time

unixtime(T0): Unix time at T0, the point from which the time steps are counted – in most cases midnight on January 1, 1970 (=0)

T1: The period for which the TOTP will be valid (usually 30 seconds)

floor: Rounding function to round the calculated value down to a whole number

Akka Toolkit

Akka is a free and open-source toolkit and runtime simplifying the construction of concurrent and distributed applications on the JVM.

Akka supports multiple programming models for concurrency, but it emphasizes actor-based concurrency, with inspiration drawn from Er-lang.

Akka handles all of the underlying threading complexities by allowing you to just focus on dividing your tasks into actors, defining messages to pass among actors, and wiring together their communication logic.

The real power of Akka is realized when you distribute actors across multiple machines.

Akka folows Actor Model.

In the actor model, the actor is represented as an individual entity. 

Some characteristics of the actor are as follows:

• Actor encloses the state and application logic
• Actor interacts only using messages.
• Every actor has an exclusive address and mailbox through which he can receive messages from others.
• Mailbox messages are processed by the actor in consecutive order.
• Tree hierarchy is used to represent the actor system.

Benefits of using the Actor Model:

The following characteristics of Akka allow you to solve difficult concurrency and scalability challenges in an intuitive way:

• Event-driven model — Actors perform work in response to messages. Communication between Actors is asynchronous, allowing Actors to send messages and continue their own work without blocking to wait for a reply.
• Strong isolation principles — Unlike regular objects in Java, an Actor does not have a public API in terms of methods that you can invoke. Instead, its public API is defined through messages that the actor handles. This prevents any sharing of state between Actors; the only way to observe another actor’s state is by sending it a message asking for it.
• Location transparency — The system constructs Actors from a factory and returns references to the instances. Because location doesn’t matter, Actor instances can start, stop, move, and restart to scale up and down as well as recover from unexpected failures.
• Lightweight — Each instance consumes only a few hundred bytes, which realistically allows millions of concurrent Actors to exist in a single application.

Akka Actors:

• Ask Pattern
• Ask Pattern mapTo
• Ask Pattern pipeTo
• Actor Hierarchy
• Actor Lookup
• Child actors
• Actor Lifecycle
• Actor PoisonPill
• Error Kernel Supervision

Akka Routers:

• RoundRobinPool
• ScatterGatherFirstCompletedPool
• TailChoppingPool
• BroadcastPool

Akka Dispatchers:

• Akka Default Dispatcher
• Akka Lookup Dispatcher
• Fixed Thread Pool Dispatcher
• Resizable Thread Pool Dispatcher
• Pinned Thread Pool Dispatcher

Akka HTTP: 

As the name implies, this module is typically best suited for middle-tier applications which require an HTTP endpoint. As an example, you could use Akka HTTP to expose a REST endpoint that interfaces with a storage layer such as a database. For additional information, you can refer to the official Akka documentation on Akka HTTP.

Akka Streams:

This module is useful when you are working on data pipelines or even stream processing. For additional information, you can refer to the official Akka documentation on Akka Streams.

Akka Networking:

This module provides the foundation for having actor systems being able to connect to each other remotely over some predefined network transport such as TCP. For additional information, you can refer to the official Akka documentation on Akka Networking.

Akka Clustering:

This module is an extension of the Akka Networking module. It is useful in scaling distributed applications by have actors form a quorum and work together by some predefined membership protocol. For additional information, you can refer to the official Akka documentation on Akka Clustering.

For Creating a Simple Application,use the below link

https://developer.lightbend.com/start/?group=akka&project=akka-quickstart-java

 

Man-in-The-Middle Attack

Man-in-the-middle attack is a type of cyber attack where a malicious actor inserts herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other.

Key Concepts of a Man-in-the-Middle Attack(MITMA):

• Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.
• A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.
• Man-in-the-middle attacks allow attackers to intercept, send and receive data never meant to be for them without either outside party knowing until it is too late.

A public key infrastructure, such as Transport Layer Security, may harden Transmission Control Protocol against MITM attacks. 

Clients and servers exchange certificates which are issued and verified by a trusted third party called a certificate authority (CA).

If the original key to authenticate this CA has not been itself the subject of a MITM attack, then the certificates issued by the CA may be used to authenticate the messages sent by the owner of that certificate.

Use of mutual authentication, in which both the server and the client validate the other's communication, covers both ends of a MITM attack, though the default behavior of most connections is to only authenticate the server.

Offensive Security Tools:

• SQLMap
• Air Crack-Ng
• ncrack
• SSl Strip
• EtterCap
• MetaSploit framework