Mastodon

Azure

A 46-post collection

The ongoing scourge that is SQL injection and Azure’s new SQL Database Threat Detection

Hey, did you hear about this new security risk? It’s called SQL injection and attackers can just suck all your datas out of your system if you screw it up badly enough. Allegedly there’s like, millions of websites at risk and even kids can easily break into them! Wait – this isn’t a new risk?! Well how come it’s all over the news and these seriously large companies keep getting pwned by it?! How is that even possible?! And here we are at that reality of today; SQL injection, whilst well unders...

How did “Have I been pwned?” perform on Azure? An Ashley Madison retrospective

I’ve always written very publicly about how Have I been pwned [https://haveibeenpwned.com/] (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the t...

Azure websites SSL goes “A” grade

I’ve often received feedback from people about this SSL Labs test of Have I been pwned? [https://haveibeenpwned.com/] (HIBP): Just recently I had an email effectively saying “drop this cipher, do that other thing, you’re insecure kthanksbye”. Precisely what this individual thought an attacker was going to do with an entirely public site wasn’t quite clear (and I will come back to this later on), but regardless, if I’m going to have SSL then clearly I want good SSL and this report bugged me....

Sharing files on Azure with deployments from Dropbox

I regularly share files with people that I want them to grab over HTTP from a location without any auth or other hurdles. They’re not sensitive files, they’re things like exercises I might be running in workshops which I want people to download from a common location. I normally put them in Dropbox, “Share Dropbox Link” then shorten it with my custom troy.hn short URL so they can read it from the screen in a meeting room and point them there. In fact this is exactly what I did last week – just a...

Now you can monitor “Have I been pwned?” performance on Azure in real time

There’s been a huge amount of activity on Have I been pwned? [https://haveibeenpwned.com/] (HIBP) in recent weeks, particularly in the wake of the Adult Friend Finder breach [http://time.com/3893946/adultfriendfinder-data-breach/] which drew a lot of attention. The activity has comprised of organic browser-based traffic as well hits to the API [https://haveibeenpwned.com/API/v2]. The latter in particular is interesting as you can see a steady rate of traffic (or a steady increase of traffic) sud...

It’s time for A grade SSL on Azure websites

I get a lot of this sort of thing: “Hey, how come your site only gets a B grade on the SSL Labs test?” They’re referring to my Have I been pwned? [https://haveibeenpwned.com/] (HIBP) site and they’re right, it only scores a B grade [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com]: [https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com] The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently it’s capped my grade lo...

Supercars suck at transporting TVs (and other Azure Table Storage lessons)

The other day my receiver for the home audio setup completely died. Kaput. So I go out to get another one and given a receiver is no larger than a couple of shoeboxes in size, I decide to drive the GT-R [https://www.troyhunt.com/2013/07/gt-r-technology-of-speed.html] instead of taking the family estate. I love the GT-R because it’s enormous fun and I smile every time I drive it so given my requirements were well within the capacity allowance of the GT-R’s supercar proportions, it was the natural...

Implementing a content security policy with NWebsec, Azure Table Storage and Raygun

I love it when a whole bunch of different bits play really nice together, especially when it’s making things more secure. Today I decided to properly implement a content security policy (CSP) on Have I been pwned? (HIBP) and managed to tie in a whole bunch of nice bits to create what I reckon is a pretty neat implementation. Firstly, if CSP is new to you, go and read Scott Helme’s overview [https://scotthelme.co.uk/content-security-policy-an-introduction/] which is excellent. The tl;dr version...

Orchestrating massive parallelisation of Azure WebJobs for fun and profit

I’ve been having a few sleepless nights lately worrying about the big one. The big “what”, you ask? I mean another massive data breach the scale of Adobe back in 2013, you know, the one where they had a 153 million user accounts wander out the door. If I had to load those into Have I been pwned? [https://haveibeenpwned.com/] (HIBP), frankly I’m not sure how I’d do it. Or at least I wasn’t sure. When I first wrote about how I built the system [https://www.troyhunt.com/2013/12/working-with-154-mi...

How to get your SSL for free on a Shared Azure website with CloudFlare

This content is now available in the Pluralsight course "Getting Started with CloudFlare Security" [http://www.pluralsight.com/courses/cloudflare-security-getting-started]As you may be well aware by this, Microsoft’s Azure gets me rather excited [https://www.troyhunt.com/search/label/Azure]. That’s not without merit IMHO, it’s a sensational product for all the reasons you can read about in the blog posts at the end of that link. Almost without exception, when I get a question about Azure I have...