The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools.


Just a little background…

As I stood in entrance of a category of builders making an attempt to clarify cross-origin useful resource sharing (CORS), I knew I wasn’t conveying it nicely sufficient for a big subset of the group. It was Autumn 2017 (not my password on the time, by the way in which), and I used to be on-site with certainly one of our purchasers. We had been doing a two-day secure-coding coaching for his or her PCI compliance requirement. I received to the subject of CORS on the afternoon of the primary day, after roughly six hours of lecturing and labs. I defined it as soon as with simply the slides. The category had few questions, however I might inform from their faces that I hadn’t actually defined the fabric in a manner that they understood. The irritating half was that I knew CORS inside and outside, I used to be simply struggling to switch that data to my college students I pulled collectively a few rolling whiteboards and tried once more. I designated one board because the front-end of the applying in a browser and the opposite board as the applying server. My physique was the bodily illustration of the communication touring between the 2, each the request and the response. I described the change of knowledge as much as the purpose the place the browser’s native code examined the response for the CORS headers and determined whether or not or to not share it with the applying’s JavaScript. Lastly, I assumed many of the class understood, though I’m sure some nonetheless didn’t. In that second I knew that I needed to have a greater, extra interactive visible help for explaining that particular subject. That’s what prompted me to construct Musashi, a modular, open-source node.js software for demonstrating some simple-but-problematic-to-explain ideas. I constructed it to be used within SamuraiWTF, but it surely’s an unbiased part that may stand alone as nicely.

Skip ahead to August 2020, and now we have the two.Zero launch. Let’s take a high-level have a look at what makes up Musashi 2.0.

Cross-Origin Useful resource Sharing (CORS)


The CORS demonstrator continues to be there, consisting of each a consumer app and a REST API that facilitates CRUD (create/learn/replace/delete) operations with completely different CORS insurance policies. Right here’s what that view appears like in 2.0:

Most of this interface is functionally unchanged for the reason that unique iteration, however there have been some under-the-hood enhancements. Up to now, it anticipated api.cors.dem and consumer.cors.dem, and deviating these added a handbook configuration step at runtime, and broke the pattern-based coverage that allowed Origins that matched hardcoded regex. It now makes use of configurable hostnames provided within the .env. The configured hostname for the API is robotically populated in the course of the server-side render, so it doesn’t have to be manually configured after-the-fact. The regex for the pattern-based CORS coverage is dynamically generated based mostly on the desired consumer hostname, that means that it’s going to typically proceed to work whatever the names assigned.

Workout routines

New to 2.Zero is a pair of workouts to apply analyzing flawed CORS insurance policies. These are small, straight-forward examples to assist a pupil perceive the risks of misconfigured coverage. Each examples relate to flawed common expressions used when permitting origins. Each signifies a specific aim the coed is making an attempt to attain by modifying the request (most frequently the Origin header) of their interception proxy. They will additionally difficulty a pattern request to be intercepted as a place to begin.

Content material-Safety-Coverage (CSP)


This module was created a while after the CORS module, to deal with the identical kind of difficulty explaining CSPs. The readme indicated it wasn’t prepared for basic use beforehand, that warning has been eliminated in 2.Zero because it has matured sufficient. It’s an idea that’s merely a lot simpler to grok when you may see it. The centerpiece of this module is the CSP configuration perform, seen right here:

It lets the consumer set the CSP for the entire software, apart from that web page They will then navigate again to the house web page which has bins for DOM-based and mirrored injection of HTML and JavaScript. These are fully unfiltered and can write no matter enter the consumer provides to the web page both by the server-side render (mirrored) or totally client-side by JavaScript (DOM-based):

This permits the scholars and teacher alike to see how the CSP blocks completely different interactions, and learn how to amend the coverage to deliberately enable sure issues, equivalent to inline scripts bearing a sure nonce.

Workout routines

The CSP module has workouts as nicely. They’ve a one-click choice to set their coverage for the applying. From there, the coed can attempt to discover an injection payload within the train that evades the CSP to attain the outlined aim. For instance, the one under signifies that the aim is to inject a payload that redirects the credentials from this mock login type to what could possibly be the attacker’s server.

Closing ideas

This can be a work-in-progress, and can proceed to be a work-in-progress with new modules on the roadmap, extra workouts so as to add, plus an countless practice of bug-fixes and refinements. However because it stands at this time, it does what it was designed to do fairly nicely. I discover there’s an inclination to ask builders to comply with finest practices that seem arbitrary, as a result of they don’t include a proof of why. Usually this works nicely from a safety standpoint, up till the purpose that some technical or enterprise edge-case forces them right into a personalized construct that has to diverge from one of the best apply. Tiny particulars are the distinction between a well-secured implementation and a serious safety flaw. If we don’t empower builders with the understanding essential to critically consider safety points themselves, we’re setting them as much as fail. My hope is that this mission contributes some small quantity to serving to those that educate builders and safety people, to raised empower these college students to make selections about safety because it pertains to the restricted set of matters coated by Musashi.

*** This can be a Safety Bloggers Community syndicated weblog from Professionally Evil Insights authored by Mic Whitehorn-Gillam. Learn the unique publish at:

fear of failure quotes,fear of failure in students,atychiphobia,fear of failure procrastination,fear of failure statistics,fear of failure and success,george packer twitter,the assassins’ gate: america in iraq,the unwinding,failed state examples,coronavirus success

You May Also Like