[00:00:12] Host: Welcome back. We are joined all the way from Germany by Andreas to give us a rundown on web security for newcomers. Andreas has been a professional software engineer since 2011, both as an engineer and a manager, for both national German and international companies. He wrote his first line of code around 2006 and in the last few years has been working as a freelance consultant. Andreas is also a lecturer at universities for software engineering, testing, architecture and web security. Andreas considers himself a full-stack developer but prefers the back end. His primary programming language is Python, followed by JavaScript and TypeScript. And Andreas really wants to hear your questions for the end of the session so we can answer them live, so don't forget to get them into the list, because we're a little behind you and we'll miss them if you're not quick. Over to you, Andreas.

[00:01:12] Andreas: Okay, yeah, thank you very much. I can just emphasize: really ask your questions. It's for newcomers, so yeah, just ask them and I'm happy to answer them, if I can, but probably I should be able to do so.

[00:01:27] Okay, so I'm not doing slides, because sometimes I think it can be a little bit boring, so I reworked it and now it's a web page. It's not public because it's full of security bugs, and we're just investigating the security bugs I put in there, and yeah, let's see if we can find solutions for them.

[00:01:49] We are starting with, like, I think every web page has a very simple search bar. Maybe you wouldn't think so many things could go wrong, but we will see a few things which can go wrong from a security perspective. So I'm maybe just searching a little bit: welcome PyCon Australia.

[00:02:13] And well, we have no search results, but it says here what I searched, and I also added a little bit of JavaScript in here, so a little bit of SPA feeling: when I'm changing the search query, it's also changing directly here. So like "welcome from Germany", it is changing here. It's a very, very simple feature which we have on web pages.

[00:02:42] Unfortunately, as I mentioned before, there are security concerns we have to address here. So imagine you're sharing this link with somebody else, because I'm using a query param. You cannot see that here, I see. Ah, okay, I'm using a query parameter here, it's in the URL. If we look into the form here it's quite simple, you see it as a form with the method GET. You cannot see... ah, damn, I never thought about that. Okay, I'm sorry, we cannot see the developer toolbar, but okay, you just have to believe me, it's with a GET method. And somebody shares this with you, and when somebody shares this with you and it's an evil person, something like that can happen. Right now it's just a JavaScript alert, but it could be a lot more things. For example, it could be a whole phishing attack. Right now the attacker used my search form, very, very simple, it was just displaying that there are no search results, but an attacker can use this to run a phishing attack, because as soon as he or she can execute JavaScript on my web page, he could actually just say, well, I'm deleting the whole HTML element, truncate the body in the HTML, and just put their own forms in there and grab the user data. Imagine something like that happening in your online banking. I wouldn't be so happy about that, to lose all my money there. Very, very simple.

[00:04:24] Let's have a look at how this could happen, actually. What happened is... I'm just realizing that you cannot see it, but let's have a look into the source code. I hope you can see this, view source. Yes, great. Let's have a look into the search code, what was happening here.

[00:04:57] Host: If you want to switch to full screen...

[00:04:59] Andreas: Oh no, no, no, it's fine. I just found a workaround with the view source, we can use this. So you can see here I'm returning what the user entered into the search bar, and I'm just displaying it here, and here it is empty. I just wrote in here that it is empty, but if we look into the source code in the HTML, it's actually not empty, there is a script in it. And what the attacker did was actually quite easy: he just entered into this very nice search form a script. For me, I prepared it with evil JS, but it could be anything else. I'm just entering this one here, clicking on search, and now it's happening in here. I could enter anything I want there and it's just executing it here, yeah, script tag, alert. This is worrying. And it's appearing in there, in the alert. Well, let's say it's very nice from the attacker just to do a JavaScript alert, but as I said, it can be used for phishing attacks as well.

[00:06:28] The problem is, well, actually it's called non-persistent XSS. The problem is, we can put into the HTTP request, which is behind every browser interaction (what you're doing is actually an HTTP request), and when we're using the data the user entered in the HTTP request directly and returning it in our response, for example like I did, I just returned it in the template in here and just said whatever the user entered I will return in here, then it will be executed in there. That's quite bad. As I said, the most common vectors are the phishing attacks, and it's valid for everything: if you're using URL parameters or you're using forms, it can even be a user agent. I have seen it once that an attack was done via a user agent. So that's quite bad, and it cannot just happen if you're doing it as a back-end developer, just returning it in the template. It can also be done when you're using the HTTP request data, especially the URL parameters, and you're just using a little bit of JavaScript; you want to display it like I did before with this little bit of SPA feeling. Even then we still have actually the same result.

[00:07:55] There's one thing which is very, very evil, which is the innerHTML property in JavaScript. So for every HTML element you can set some innerHTML, well, at least if it's a block element, and put in there... a very nice shortcut, you do not have to create the elements by hand if you're using vanilla JS and so on, but it is really a security concern because we can just enter some script tags in there and then, well, we are open for this vulnerability here. However, there is a very, very simple solution to that. Usually I would ask, if we were in presence, if anybody has an idea, but I'm just going to spoil it in here: the solution is escaping, and of course do not use innerHTML. If we are escaping this, then the result we are seeing here is not empty and directly the HTML element, but the very, let's say, the very evil characters like these, how is it called, greater-than and smaller-than signs, they're going to be escaped into HTML entities and they're no longer valid HTML code. So it's really about, when a user is entering some data, what we do not want is that we are using the user content directly as valid HTML. So we are escaping it and in this way we make sure that this cannot happen.

[00:09:36] Just a little bit so that you go out of this talk and you have some new buzzwords you can put into the next pull request: let's say the back-end side is called non-persistent XSS and the front-end side is DOM-based XSS. It's actually still the same, it's still a cross-site scripting attack, but a different name. It's called non-persistent on the back-end side because it uses the HTTP request, so it's not stored anywhere, this attack. It's really just working with this one request; if I'm changing the request by changing the URL parameters, it's a different one, so it's not persistent. And the front-end part is called DOM-based because with innerHTML we are manipulating the DOM. XSS, it's the name for it, I never mentioned it, I'm so sorry: cross-site scripting. So like, actually my evil JS is not from my site but from a different site, so it's a cross-site scripting attack.

[00:10:47] Okay, usually, any questions already? I would really like that, because the next one would be a little bit different, still the search form but a little bit different, so maybe there are already some questions for this part, or DOM-based or non-persistent XSS.

[00:11:13] Doesn't seem so. Okay, I will just continue.

[00:11:19] Okay, so I will just continue a little bit. Well, we are not doing the exercise. Whenever I'm doing a workshop here I also have some little exercises and stuff like that, but today we're just going on the theoretical part here. The next thing I'm doing in here is like, okay, my product owner wants me to add the Google Tag Manager snippet, and it's just a script tag, so I'm just gonna add it and I'm done with the ticket and can move on with some more interesting stuff, hopefully. And yeah, well, let's go to the page which is now tracked by the Google Tag Manager. Well, now I have a problem. Now it says "I'm an evil Google Tag Manager", and it also says it's persistently happening. Well, let's see, I'm just reloading this page, I'm not using the link. Maybe the link, maybe it's an evil link. Oh sorry, maybe it's an evil link, so I'm not going to use these links and I'll go directly to the page to make sure I'm not going to do the same thing. So I'm going to execute it and say okay, well, I'm going to do this one. Now it's happening again. It's not the link, something else is happening. And what is happening here is a persistent XSS attack. As I said, there's no DOM-based manipulation, you cannot... we don't know that, but I'm gonna tell you it's not. And it's not a non-persistent XSS attack, because even if I change the HTTP request it's still going to happen. What happened here is actually a typo. Yeah, if you look very... are you seeing my alert actually? I hope so. What was happening in here is: it was a Google Tag Manager with a Q, so instead of the G that it should be, it was a Q. And if you think this is not gonna happen, it is actually quite often. There are a couple of stories where these simple typos really were...

[00:13:28] Yeah, Patrick, yeah, I saw that as well. I just checked, I'm really sorry. This takes away a lot of the experience with the alert messages. I'm so sorry I did not experience that earlier, damn it. Maybe we should switch over to the full screen, could you change that for me please, because I'm not sure if I can. Can I? Oh yes, I can, great.

[00:14:04] So guys, now it's looking a little bit different. Let me reload the page, and now you can see hopefully the messages in here. So you see here now the alert message, "now I'm an evil Google Tag Manager, persistently", and it's just happening that this typo is calling this JS. And in the past there were some attacks with these typos. So for example we had some problems with npm packages where there was... I'm sorry, I just forgot the name. There was one package, there was one with a dash and one without a dash. Maybe somebody knows, you can put it into the chat, but it's just blank in my memory right now. There was one with a dash and one without a dash, and I still cannot say which one was the correct one and which one was the malicious one, but let's say the dash one was the malicious one. You would not know them, yeah, it's exactly the same name, it's just a dash. You would just take this npm package and use it and you have an XSS attack. So you have to be very, very careful if you're using third-party software that you're using the correct one, which is also safe. Which means like, never trust anybody. You cannot trust your users' input at all, we have seen this with the non-persistent and with the DOM-based XSS, but we cannot even trust some open source software, because even they are vulnerable to XSS attacks, well, at least the social factor and human mistakes.

[00:16:00] This kind of XSS is called persistent XSS because it's not based on the request or the DOM, but the malicious code is stored somewhere. In this case it will be stored in the version control, but it can also be stored in the database, and then it's delivered to users again without escaping. Yeah, that's the most important one: without escaping. If I would escape it, it would not be happening. Well, with persistence it's a little bit more wrong.

[00:16:29] I want to share a little anecdote about a very nice attack, what's actually like a two-stage attack. There was a customer of mine, they had an e-commerce system which was a little bit old, and they had some vulnerability, so the attacker managed to get access to the database. We will look into how that was possible, that he got access to the database, in a minute. But more importantly, in this database there was a very nice field. It was for the product owner to add some of these snippets: to add the Google Tag Manager snippet or some of his web tracking tools, whatever he's doing for web analytics. And what the attacker did: they used this field, they put a lot of blank lines into it, and then they put this Google Tag Manager with a Q (so actually I took it from them), and this Google Tag Manager with the Q was hosted on a Russian server, and they did a phishing attack on our checkout, which was really, really bad for us, because the phishing attack was like, they created a pop-up directly over the credit card iframe. So the users entered the credit card data and they thought, oh well, I'm just entering my credit card data, everything is fine, I'm not on a malicious domain or anything, everything was fine. It was just some JavaScript in there from somewhere else. They entered it, they were shown an error: "well, you did a mistake entering your credit card data". The user, very nice: "oh well, I'm gonna try it again", but they closed their malicious pop-up and then they entered the correct data in the correct iframe. So there was no way... so the users, they did not complain that there was something like a phishing attack, because they were not able to detect it, and we didn't realize that the attacker grabbed the credit card data.

[00:18:37] So this was really a very, very bad situation, because if you're in Europe... I don't know actually about Australia, I'd be very happy if you shared in the chat about some data protection regulations in Australia, maybe you have something similar, but in Europe it is with the GDPR, which is like, after fighting for over two years now, within 48 hours you have to write a very formal document and put it to the authority. So for every city, for every state, there is an official data protection officer, and you have to write him a very formal letter explaining "oh, we realized we had a data breach, there might be some customer data", and then you have to fill out what customer data, payment data, etc. and so on. And if you're lucky, they say, well, you solved the issue, everything is fine, you will get a warning. But if you're like an internet company who is doing a lot of your revenue with your e-commerce system, which means you have tech knowledge, you can get a penalty. And the worst thing is, it is not the company you're working for, but it's like your mother company, so for example your investor: if you're like a startup, it could be also your investor who has to pay this penalty, and it can be up to, I think it's up to 10% of the one-year gross revenue. So it is a very high penalty they can put on you just for being vulnerable to attacks.

[00:20:24] There's one project I want to share with you, which is called OWASP, the Open Web Application Security Project. They have a lot of information and documentation about all possible web security problems. So for example they have a very extensive XSS prevention cheat sheet, you see it here, it's a very, very long one and very detailed about what you can do against it. To be honest: never trust data except in allowed locations (fun fact, there are no allowed locations anyway), and then always encode, always. If it's HTML elements, attributes, JavaScript data, even in CSS it is possible. For me it's some black magic, even for me it's some black magic, but it's like, you could do an XSS attack with CSS because there are these url fields where you can load from somewhere else, so even with that you have to be very, very sensitive and you have to always escape the data in there. Sanitize your HTML markup, which is actually almost the same as escaping, which means, okay, clean it up, make sure that there are no malicious elements. If somebody is allowed to enter HTML, sanitize it, make sure it's just maybe a headline and a strong text, but especially no script tags or anything like that. This is very, very bad actually, their recommendation number seven: avoid JavaScript URLs, which is like, with HTML5 and this very modern routing in React and Angular, actually they say this is vulnerable to XSS attacks. It's actually the same angle as we have seen with the search field, right: you have the URL, I could try to put some script tag into the URL and the router would just show it and execute it, which would be very, very bad. Well, on the other hand, the React and Angular developers, I'm pretty sure that they are very familiar with XSS and how to avoid it, and they're going to take care of that, fortunately for us. But still, from a security perspective it is an angle you have to keep in mind. Prevent DOM-based XSS: there's something very interesting, React is renaming this innerHTML property, they call it dangerouslySetInnerHTML, just to make it very, very visible that this is open for XSS attacks. Then there are some more things, some bonus rules, but I'm not going to go into that one because I see that I'm running completely out of time and I'm just talking about XSS.

[00:23:30] Let's have a look at the second attack, which is
00:23:42,720 which has almost the same 587 00:23:39,919 --> 00:23:45,279 almost the same solution for it so which 588 00:23:42,720 --> 00:23:47,760 is i have again a search field but this 589 00:23:45,279 --> 00:23:49,120 time i'm gonna filter the articles i 590 00:23:47,760 --> 00:23:52,000 have three 591 00:23:49,120 --> 00:23:53,520 three pairs of shoes i'm i'm selling 592 00:23:52,000 --> 00:23:54,880 here so 593 00:23:53,520 --> 00:23:57,440 all of them are very stylish and 594 00:23:54,880 --> 00:23:58,960 comfortable but the first one or the 595 00:23:57,440 --> 00:24:01,520 second one is a premium on this or the 596 00:23:58,960 --> 00:24:03,120 last one and what i can do is i can just 597 00:24:01,520 --> 00:24:06,159 filter them 598 00:24:03,120 --> 00:24:07,760 and from the database it says okay only 599 00:24:06,159 --> 00:24:09,120 the products within e and this 600 00:24:07,760 --> 00:24:12,320 highlighted attribute are going to be 601 00:24:09,120 --> 00:24:14,880 shown i think everybody has done 602 00:24:12,320 --> 00:24:17,200 something like that very simple oh 603 00:24:14,880 --> 00:24:20,480 there's a form i'm gonna grab the data 604 00:24:17,200 --> 00:24:22,640 in there and build my sql statement 605 00:24:20,480 --> 00:24:24,320 around it 606 00:24:22,640 --> 00:24:27,760 problem is 607 00:24:24,320 --> 00:24:28,720 what i could do is run an sql injection 608 00:24:27,760 --> 00:24:31,760 attack 609 00:24:28,720 --> 00:24:35,360 and i have prepared this one here and 610 00:24:31,760 --> 00:24:37,279 what i did is here i just added this one 611 00:24:35,360 --> 00:24:40,159 and this is not supposed to happening 612 00:24:37,279 --> 00:24:42,000 yeah because i just add a product in 613 00:24:40,159 --> 00:24:44,320 here which doesn't cost anything which 614 00:24:42,000 --> 00:24:46,559 is actually quite nice for me as a user 615 00:24:44,320 --> 00:24:49,120 when i'm using this sql injection attack 616 00:24:46,559 --> 00:24:51,279 but i 
could also use it to read the data 617 00:24:49,120 --> 00:24:52,960 i could also use it to truncate the 618 00:24:51,279 --> 00:24:55,600 database which would really be bad 619 00:24:52,960 --> 00:24:58,480 because while we are developers we all 620 00:24:55,600 --> 00:25:00,559 know that most companies they 621 00:24:58,480 --> 00:25:04,000 well most companies i have seen at least 622 00:25:00,559 --> 00:25:06,480 they have a very poor backup system 623 00:25:04,000 --> 00:25:08,880 or not sure on are not able to do any 624 00:25:06,480 --> 00:25:11,200 recovery in time when the database is 625 00:25:08,880 --> 00:25:13,600 truncated apart from the data loss you 626 00:25:11,200 --> 00:25:14,480 have anyway at least for one day 627 00:25:13,600 --> 00:25:17,279 so 628 00:25:14,480 --> 00:25:20,960 um that's actually quite bad 629 00:25:17,279 --> 00:25:21,760 and what is happening in here is 630 00:25:20,960 --> 00:25:23,440 if 631 00:25:21,760 --> 00:25:25,039 can you i hope you can oh yeah you're 632 00:25:23,440 --> 00:25:27,039 now screwing my you're now seeing my 633 00:25:25,039 --> 00:25:29,600 screen so you can see it what is 634 00:25:27,039 --> 00:25:32,640 happening in here is you see it actually 635 00:25:29,600 --> 00:25:34,480 in the url uh because i did this again 636 00:25:32,640 --> 00:25:35,760 as a getform 637 00:25:34,480 --> 00:25:39,440 this 638 00:25:35,760 --> 00:25:42,559 percent 27 it's the com it's like the 639 00:25:39,440 --> 00:25:44,400 the quote sign and then i'm closing it 640 00:25:42,559 --> 00:25:46,159 yeah because you know it's a filter so 641 00:25:44,400 --> 00:25:49,200 it's somewhere in the where statement so 642 00:25:46,159 --> 00:25:50,799 i'm closing the the parameter which 643 00:25:49,200 --> 00:25:54,240 should be used here 644 00:25:50,799 --> 00:25:57,520 saying oh well quote semicolon sql 645 00:25:54,240 --> 00:26:00,400 statement ended then i am injecting 646 00:25:57,520 --> 00:26:03,120 mysql statement so 
it's an insert into 647 00:26:00,400 --> 00:26:04,320 products with the values you can see 648 00:26:03,120 --> 00:26:06,080 them here 649 00:26:04,320 --> 00:26:08,640 yeah you have to be a little bit trained 650 00:26:06,080 --> 00:26:11,760 with this 20 percent percent 20 in 651 00:26:08,640 --> 00:26:12,799 percent 21 but let's skip to the to the 652 00:26:11,760 --> 00:26:15,440 end 653 00:26:12,799 --> 00:26:17,120 and saying this is until here it's all 654 00:26:15,440 --> 00:26:19,600 of the insert you can say it here so 655 00:26:17,120 --> 00:26:21,039 like product was added this is the last 656 00:26:19,600 --> 00:26:23,760 property 657 00:26:21,039 --> 00:26:26,559 we can see it in here so it worked and 658 00:26:23,760 --> 00:26:28,240 then i'm just like opening again the 659 00:26:26,559 --> 00:26:30,960 statement so that it still works so 660 00:26:28,240 --> 00:26:34,080 nobody knows i sneaked in 661 00:26:30,960 --> 00:26:37,360 on this sql statement into the middle 662 00:26:34,080 --> 00:26:39,679 which was right now just this little 663 00:26:37,360 --> 00:26:42,000 adding the product and this is an sql 664 00:26:39,679 --> 00:26:43,520 injection attack 665 00:26:42,000 --> 00:26:46,640 problem 666 00:26:43,520 --> 00:26:48,880 every time you're using again user 667 00:26:46,640 --> 00:26:51,440 generated data user data 668 00:26:48,880 --> 00:26:53,919 in your sql statements you're not 669 00:26:51,440 --> 00:26:56,159 vulnerable for xss attack in this case 670 00:26:53,919 --> 00:26:58,880 but sql injection actually at the same 671 00:26:56,159 --> 00:27:00,640 side of the storybot database instead of 672 00:26:58,880 --> 00:27:03,600 html site 673 00:27:00,640 --> 00:27:04,880 so what you can do is actually the same 674 00:27:03,600 --> 00:27:08,400 escaping 675 00:27:04,880 --> 00:27:11,120 so if you're using um something like sql 676 00:27:08,400 --> 00:27:13,200 alchemy for example for an orm object 677 00:27:11,120 --> 00:27:15,440 
relational mapper you're not writing the 678 00:27:13,200 --> 00:27:17,039 sql statements your own any longer and 679 00:27:15,440 --> 00:27:20,240 this is the best you can actually do 680 00:27:17,039 --> 00:27:22,320 because these kind of libraries they are 681 00:27:20,240 --> 00:27:25,279 doing the escaping for you 682 00:27:22,320 --> 00:27:27,520 yes you just have to say okay this is 683 00:27:25,279 --> 00:27:29,919 the value and they're doing the escaping 684 00:27:27,520 --> 00:27:31,840 and in case of escaping it would be like 685 00:27:29,919 --> 00:27:34,799 they would use this whole statement i 686 00:27:31,840 --> 00:27:38,159 injected in here as the search term yeah 687 00:27:34,799 --> 00:27:40,320 if i would have implemented this in here 688 00:27:38,159 --> 00:27:44,000 um which means actually 689 00:27:40,320 --> 00:27:46,080 escaping use rm but also which i could 690 00:27:44,000 --> 00:27:48,000 actually add here do not write sql 691 00:27:46,080 --> 00:27:50,399 statements on your own unless you 692 00:27:48,000 --> 00:27:51,360 absolutely have to do that 693 00:27:50,399 --> 00:27:53,600 yeah 694 00:27:51,360 --> 00:27:55,360 just use the library for scale 695 00:27:53,600 --> 00:27:57,039 statements and 696 00:27:55,360 --> 00:27:58,320 make sure that the 697 00:27:57,039 --> 00:27:59,840 content is 698 00:27:58,320 --> 00:28:01,520 escaped 699 00:27:59,840 --> 00:28:04,000 and in some other languages is called 700 00:28:01,520 --> 00:28:06,000 also binding parameters 701 00:28:04,000 --> 00:28:08,640 it's depending on the library you're 702 00:28:06,000 --> 00:28:11,039 using but do not use user content 703 00:28:08,640 --> 00:28:12,320 directly for anything without escaping 704 00:28:11,039 --> 00:28:15,679 it 705 00:28:12,320 --> 00:28:16,399 so if i have to nail down my talk to one 706 00:28:15,679 --> 00:28:18,559 thing 707 00:28:16,399 --> 00:28:20,640 it is like escape everything you get 708 00:28:18,559 --> 00:28:23,200 from a user 
and you're using 709 00:28:20,640 --> 00:28:25,679 nevertheless where it is 710 00:28:23,200 --> 00:28:29,039 um i'm so sorry i talked so much about 711 00:28:25,679 --> 00:28:32,159 xsl that we didn't come to csrf which is 712 00:28:29,039 --> 00:28:34,640 actually a very very nice topic but i 713 00:28:32,159 --> 00:28:35,520 guess i will just do it the next time 714 00:28:34,640 --> 00:28:37,520 and 715 00:28:35,520 --> 00:28:41,320 thank you very much 716 00:28:37,520 --> 00:28:41,320 what about some questions 717 00:28:56,399 --> 00:29:00,640 i guess somebody wanted to ask a 718 00:28:57,679 --> 00:29:01,520 question but you see muted 719 00:29:00,640 --> 00:29:03,120 ah 720 00:29:01,520 --> 00:29:05,919 that's the second time i've done that to 721 00:29:03,120 --> 00:29:05,919 myself today 722 00:29:06,240 --> 00:29:10,880 happens to all of us all the time 723 00:29:09,200 --> 00:29:13,200 it does it wouldn't be a virtual 724 00:29:10,880 --> 00:29:15,120 conference if someone wasn't muted on 725 00:29:13,200 --> 00:29:17,039 the stream 726 00:29:15,120 --> 00:29:19,600 so because we're running short of time 727 00:29:17,039 --> 00:29:21,360 i'll pull this one in again uh do modern 728 00:29:19,600 --> 00:29:24,240 web frameworks make these mistakes 729 00:29:21,360 --> 00:29:27,360 easier to avoid eg by handling safe and 730 00:29:24,240 --> 00:29:29,760 unsafe data separately yes for example 731 00:29:27,360 --> 00:29:31,919 django is doing a very very good job i 732 00:29:29,760 --> 00:29:34,240 love jungle i love the architecture i 733 00:29:31,919 --> 00:29:36,480 love the security stuff definitely 734 00:29:34,240 --> 00:29:37,360 they're doing it much more simpler but 735 00:29:36,480 --> 00:29:40,159 still 736 00:29:37,360 --> 00:29:42,640 you should know about that because what 737 00:29:40,159 --> 00:29:45,200 actually most of my job is telling 738 00:29:42,640 --> 00:29:47,840 experience about locals why they are 739 00:29:45,200 --> 00:29:50,159 
doing this for example csf tokens why 740 00:29:47,840 --> 00:29:51,760 are you using csrf tokens asked with the 741 00:29:50,159 --> 00:29:54,480 developer most of them it's something 742 00:29:51,760 --> 00:29:56,320 with security but um 743 00:29:54,480 --> 00:29:58,000 yeah i think it's very important to know 744 00:29:56,320 --> 00:29:59,919 the reasons behind but they make it 745 00:29:58,000 --> 00:30:01,360 simpler 746 00:29:59,919 --> 00:30:03,440 yeah yeah 747 00:30:01,360 --> 00:30:04,960 i think they also do help you catch a 748 00:30:03,440 --> 00:30:07,200 lot of um 749 00:30:04,960 --> 00:30:08,880 a lot of the easy mistakes that someone 750 00:30:07,200 --> 00:30:11,039 else has already thought about so they 751 00:30:08,880 --> 00:30:13,039 help you out on that front although be 752 00:30:11,039 --> 00:30:15,520 careful some of them definitely make it 753 00:30:13,039 --> 00:30:17,600 easier for you to make a mistake 754 00:30:15,520 --> 00:30:19,840 it depends it really depends so for 755 00:30:17,600 --> 00:30:21,279 example if you have like uh let's put 756 00:30:19,840 --> 00:30:24,880 another very 757 00:30:21,279 --> 00:30:27,039 famous python framework in this flask 758 00:30:24,880 --> 00:30:28,960 which is like actually the complete 759 00:30:27,039 --> 00:30:31,279 opposite from a framework perspective 760 00:30:28,960 --> 00:30:34,640 compared with jungle really huge flask 761 00:30:31,279 --> 00:30:36,720 very very simple you have to think about 762 00:30:34,640 --> 00:30:39,600 these kind of attacks on your own there 763 00:30:36,720 --> 00:30:41,360 if you're not using um special libraries 764 00:30:39,600 --> 00:30:42,880 who have the security already 765 00:30:41,360 --> 00:30:46,320 incorporated so 766 00:30:42,880 --> 00:30:49,679 um yeah be careful but i think like 767 00:30:46,320 --> 00:30:51,039 at least a lot of xss attacks are very 768 00:30:49,679 --> 00:30:53,279 very 769 00:30:51,039 --> 00:30:57,039 um covered by 
template engines for 770 00:30:53,279 --> 00:30:59,120 example right so i know one good php 771 00:30:57,039 --> 00:31:01,440 library to be honest 772 00:30:59,120 --> 00:31:04,080 um i'm not so much of a php fan although 773 00:31:01,440 --> 00:31:07,200 i had to program in it so but i love the 774 00:31:04,080 --> 00:31:09,919 trick templating engine because they 775 00:31:07,200 --> 00:31:11,679 they they say i'm always escaping i 776 00:31:09,919 --> 00:31:14,080 don't care what you want as a developer 777 00:31:11,679 --> 00:31:16,000 i'm always escaping if you want to 778 00:31:14,080 --> 00:31:18,159 unescape it you have to do some extra 779 00:31:16,000 --> 00:31:20,320 work to get it unescaped but then i'm 780 00:31:18,159 --> 00:31:22,399 telling you this is not secure and i and 781 00:31:20,320 --> 00:31:25,120 i get i think they they gave a warning 782 00:31:22,399 --> 00:31:27,200 in the past so um that's really really 783 00:31:25,120 --> 00:31:29,600 nice there's some libraries who really 784 00:31:27,200 --> 00:31:33,360 emphasize the security concern and say 785 00:31:29,600 --> 00:31:36,000 okay if you do that use you're really 786 00:31:33,360 --> 00:31:39,919 open for security attacks like react is 787 00:31:36,000 --> 00:31:41,519 doing it with dangerously set in html 788 00:31:39,919 --> 00:31:42,960 yeah excellent 789 00:31:41,519 --> 00:31:46,000 well i guess you'll just have to take 790 00:31:42,960 --> 00:31:48,159 your csrf into the hallway track and 791 00:31:46,000 --> 00:31:51,200 have a chat with everyone there 792 00:31:48,159 --> 00:31:53,600 thank you very much and it's been fun 793 00:31:51,200 --> 00:31:57,200 doing debugging from halfway across the 794 00:31:53,600 --> 00:31:57,200 earth while you're live on stream 795 00:31:57,679 --> 00:32:01,279 thank you very much i'm sorry for the 796 00:31:59,279 --> 00:32:02,399 technical problems 797 00:32:01,279 --> 00:32:04,799 i didn't 798 00:32:02,399 --> 00:32:06,880 it had to 
happen eventually 799 00:32:04,799 --> 00:32:08,640 yeah i thought my website was broken 800 00:32:06,880 --> 00:32:11,360 with all the bugs but 801 00:32:08,640 --> 00:32:13,840 it was the screen sharing 802 00:32:11,360 --> 00:32:16,240 perfect we will be back at half past 803 00:32:13,840 --> 00:32:20,200 four australian eastern time 804 00:32:16,240 --> 00:32:20,200 so we'll see you all shortly