1
00:00:02,000 --> 00:00:07,319
good morning let's see this thing
2
00:00:04,109 --> 00:00:08,730
is on welcome to my talk XSS is dead
3
00:00:07,319 --> 00:00:10,350
we just don't get it it's actually not
4
00:00:08,730 --> 00:00:12,360
really a talk it's just like me ranting
5
00:00:10,350 --> 00:00:13,799
for one hour if that's okay I think
6
00:00:12,360 --> 00:00:16,079
that's quite a deal for the early hours
7
00:00:13,799 --> 00:00:17,880
in the morning I have a tendency to
8
00:00:16,079 --> 00:00:19,409
talk too quickly if that happens just
9
00:00:17,880 --> 00:00:22,680
like wave and I'm gonna slow down it's
10
00:00:19,410 --> 00:00:25,590
okay already so a quick word about
11
00:00:22,680 --> 00:00:27,509
myself my name is Mario I have been to
12
00:00:25,590 --> 00:00:29,520
the conference for many many many times
13
00:00:27,510 --> 00:00:31,140
many years in the past and then I did
14
00:00:29,520 --> 00:00:32,640
like a break for five years and now I'm
15
00:00:31,140 --> 00:00:35,730
back here and this thing is huge this is
16
00:00:32,640 --> 00:00:37,590
awesome so I'm from Berlin I lead a
17
00:00:35,730 --> 00:00:40,769
company it's called Cure53 as mentioned
18
00:00:37,590 --> 00:00:42,090
we do pen tests and I wrote some books
19
00:00:40,770 --> 00:00:43,649
and wrote some papers and my core
20
00:00:42,090 --> 00:00:46,230
research topic is cross-site scripting
21
00:00:43,649 --> 00:00:47,910
and I'm here because of the fact that
22
00:00:46,230 --> 00:00:49,349
I'm slowly getting bored by this topic
23
00:00:47,910 --> 00:00:51,599
because I think that we're actually at
24
00:00:49,350 --> 00:00:54,239
the point of being able to solve it but
25
00:00:51,600 --> 00:00:55,530
somehow we just don't wanna so this kind
26
00:00:54,239 --> 00:00:57,360
of corresponds with the title slide
27
00:00:55,530 --> 00:00:58,920
cross-site scripting is dead like there
28
00:00:57,360 --> 00:01:00,450
is nothing new to it we just don't get
29
00:00:58,920 --> 00:01:02,100
it and I want to kind of have a look at
30
00:01:00,450 --> 00:01:03,719
why we don't get it what the problem is
31
00:01:02,100 --> 00:01:06,109
and maybe find like a different problem
32
00:01:03,719 --> 00:01:10,979
during this particular journey
33
00:01:06,109 --> 00:01:12,600
so let's first see who is here like what
34
00:01:10,979 --> 00:01:14,969
kind of people are here who here is a
35
00:01:12,600 --> 00:01:16,798
pen tester raise your hand please that's
36
00:01:14,969 --> 00:01:19,229
like a couple people that's good cool
37
00:01:16,799 --> 00:01:22,700
here is a developer security developer
38
00:01:19,229 --> 00:01:22,700
or like a defender of web applications
39
00:01:23,060 --> 00:01:29,520
who here is like like a manager like an
40
00:01:25,770 --> 00:01:32,969
CISO or something like this one person
41
00:01:29,520 --> 00:01:35,459
one excellent all right and who here is
42
00:01:32,969 --> 00:01:40,318
a bug bounty hunter who hunts for bug
43
00:01:35,459 --> 00:01:43,049
bounties also not that many anyway thank
44
00:01:40,319 --> 00:01:44,549
you very much umm let's get started and
45
00:01:43,049 --> 00:01:48,119
quickly talk about the structure of this
46
00:01:44,549 --> 00:01:49,529
particular talk the first act is gonna
47
00:01:48,119 --> 00:01:51,119
be the onboarding we're gonna learn why
48
00:01:49,529 --> 00:01:54,598
we're actually here what are we going to be
49
00:01:51,119 --> 00:01:56,249
talking about and then we're gonna talk
50
00:01:54,599 --> 00:01:57,689
about a small historic overview how we
51
00:01:56,249 --> 00:01:59,098
got here because the thing that's
52
00:01:57,689 --> 00:02:01,408
fundamentally important to understand
53
00:01:59,099 --> 00:02:02,549
and then but not least last but not
54
00:02:01,409 --> 00:02:03,810
least or almost last but not least we're
55
00:02:02,549 --> 00:02:05,969
gonna talk about the problem statement
56
00:02:03,810 --> 00:02:08,310
because we will learn that something is
57
00:02:05,969 --> 00:02:09,720
a problem and we need to fix it and in
58
00:02:08,310 --> 00:02:11,370
the final act I'm gonna propose
59
00:02:09,720 --> 00:02:13,150
solutions most of them are garbage but
60
00:02:11,370 --> 00:02:14,439
at least a proposal we can maybe
61
00:02:13,150 --> 00:02:16,799
them to kind of think about a little bit
62
00:02:14,439 --> 00:02:20,049
and eventually find something together
63
00:02:16,799 --> 00:02:22,329
so let's talk about the first act the
64
00:02:20,049 --> 00:02:24,189
onboarding why are we actually here well
65
00:02:22,329 --> 00:02:25,569
the topic we're talking about is cross
66
00:02:24,189 --> 00:02:27,189
that scripting but we don't want to kind
67
00:02:25,569 --> 00:02:28,480
of uncover new techniques because most
68
00:02:27,189 --> 00:02:30,939
of them have been uncovered so let's go
69
00:02:28,480 --> 00:02:33,069
very much back and past and talk about
70
00:02:30,939 --> 00:02:34,599
what cross-site scripting actually is so
71
00:02:33,069 --> 00:02:36,369
this is like a classic cross-site scripting
72
00:02:34,599 --> 00:02:37,720
situation right we have a URL and there
73
00:02:36,370 --> 00:02:39,519
is like the get parameter and then we
74
00:02:37,720 --> 00:02:41,170
put something in who here thinks that
75
00:02:39,519 --> 00:02:44,379
this is cross-site scripting or that the
76
00:02:41,170 --> 00:02:46,030
result is cross-site scripting no one
77
00:02:44,379 --> 00:02:47,560
that's good because it's not because
78
00:02:46,030 --> 00:02:49,090
that's just a script injection we just
79
00:02:47,560 --> 00:02:51,370
take something we put it in the URL and
80
00:02:49,090 --> 00:02:53,349
it reflects cross-site scripting as
81
00:02:51,370 --> 00:02:56,739
such is pretty much an attack where one
82
00:02:53,349 --> 00:02:58,480
side scripts the other across origins
83
00:02:56,739 --> 00:03:00,069
this is not cross-site scripting there
84
00:02:58,480 --> 00:03:01,298
is no multiple origins we just call it
85
00:03:00,069 --> 00:03:03,189
like this but it's pretty much wrong
86
00:03:01,299 --> 00:03:04,480
anyway I mean if you put Facebook
87
00:03:03,189 --> 00:03:06,189
Connect into your web site or Google
88
00:03:04,480 --> 00:03:07,659
Analytics that's actually cross-site
89
00:03:06,189 --> 00:03:08,920
scripting but it's legitimate benign
90
00:03:07,659 --> 00:03:11,730
cross-site scripting you want that
91
00:03:08,920 --> 00:03:15,069
because they script your page across
92
00:03:11,730 --> 00:03:18,010
origin boundaries and that's XSS like in
93
00:03:15,069 --> 00:03:19,629
the classic meaning of the word anyway
94
00:03:18,010 --> 00:03:21,040
that's observed objection but we can
95
00:03:19,629 --> 00:03:22,959
call it cross-site scripting because why
96
00:03:21,040 --> 00:03:24,608
not because it goes so well off the
97
00:03:22,959 --> 00:03:29,250
tongue and the name is just so nice and
98
00:03:24,609 --> 00:03:29,250
we can kind of give it like this XSS
99
00:03:29,400 --> 00:03:33,579
there is a couple of different kinds of
100
00:03:31,930 --> 00:03:35,349
cross-site scripting like this the
101
00:03:33,579 --> 00:03:37,329
easiest kind the stuff that you put in
102
00:03:35,349 --> 00:03:39,459
by URL via a GET parameter or by a
103
00:03:37,329 --> 00:03:40,510
post field of whatever you sent over to
104
00:03:39,459 --> 00:03:41,949
the server and that's usually called
105
00:03:40,510 --> 00:03:43,239
reflected cross-site scripting
106
00:03:41,949 --> 00:03:44,889
then there's persistent cross-site
107
00:03:43,239 --> 00:03:46,629
scripting that is something from the
108
00:03:44,889 --> 00:03:48,010
database or any other storage system
109
00:03:46,629 --> 00:03:50,138
that then reflects on your site so you
110
00:03:48,010 --> 00:03:51,548
can't find it in the parameters then
111
00:03:50,139 --> 00:03:53,169
there's dom-based cross-site scripting
112
00:03:51,549 --> 00:03:55,239
that comes from only browser
113
00:03:53,169 --> 00:03:56,620
based client-side properties and last
114
00:03:55,239 --> 00:03:58,810
but not least this mutation XSS
115
00:03:56,620 --> 00:04:01,090
something that the browser takes and
116
00:03:58,810 --> 00:04:02,440
forms into something that is bad whereas
117
00:04:01,090 --> 00:04:05,169
the server thinks everything is fine
118
00:04:02,440 --> 00:04:06,790
here this is valid markup I think most
119
00:04:05,169 --> 00:04:08,229
of these categories are highly debatable
120
00:04:06,790 --> 00:04:09,909
it's questionable whether they make
121
00:04:08,229 --> 00:04:11,650
sense but this is pretty much what we go
122
00:04:09,909 --> 00:04:14,620
with in pen test reports and how we kind
123
00:04:11,650 --> 00:04:16,358
of line it out and how we kind of put it
124
00:04:14,620 --> 00:04:18,459
into shelves and basically say this is
125
00:04:16,358 --> 00:04:22,150
this particular kind of thing so we know
126
00:04:18,459 --> 00:04:23,770
all this this is nothing new to be able to
127
00:04:22,150 --> 00:04:25,150
kind of understand how this all came
128
00:04:23,770 --> 00:04:25,729
together and how we arrived at this
129
00:04:25,150 --> 00:04:27,560
point
130
00:04:25,730 --> 00:04:29,300
and how we can actually get to the
131
00:04:27,560 --> 00:04:31,460
problem statement of this particular
132
00:04:29,300 --> 00:04:33,440
talk I would say let's go back in time
133
00:04:31,460 --> 00:04:36,500
and let's go back a couple of years more
134
00:04:33,440 --> 00:04:38,030
than 20 years and let's go to that year
135
00:04:36,500 --> 00:04:40,760
where cross-site scripting was actually
136
00:04:38,030 --> 00:04:43,099
invented or found or first documented
137
00:04:40,760 --> 00:04:45,080
and let's adjust our time line and let's
138
00:04:43,100 --> 00:04:47,360
say this is the year 0 after cross-site
139
00:04:45,080 --> 00:04:50,419
scripting the year 0 after cross-site
140
00:04:47,360 --> 00:04:51,920
scripting is about 20 years ago and we
141
00:04:50,420 --> 00:04:54,170
want to see how it all came together and
142
00:04:51,920 --> 00:04:58,070
what people did back then to realize
143
00:04:54,170 --> 00:05:02,180
what it is to fight it and to tackle it
144
00:04:58,070 --> 00:05:04,670
because that's actually quite funny the
145
00:05:02,180 --> 00:05:09,380
year 0 after cross-site scripting is the
146
00:05:04,670 --> 00:05:11,150
year 1999 of our current calendar and it
147
00:05:09,380 --> 00:05:12,890
was the three kings called how scheming
148
00:05:11,150 --> 00:05:14,719
partout came and visited baby brain and
149
00:05:12,890 --> 00:05:16,219
I she was born in an iframe what he got
150
00:05:14,720 --> 00:05:18,620
was a blank Martinez of course it's
151
00:05:16,220 --> 00:05:20,840
really not accurate but in this
152
00:05:18,620 --> 00:05:22,370
particular year Microsoft coined the
153
00:05:20,840 --> 00:05:23,840
term cross-site scripting they called it
154
00:05:22,370 --> 00:05:25,550
like this and they had a discussion in a
155
00:05:23,840 --> 00:05:27,140
blog post and basically said like so
156
00:05:25,550 --> 00:05:29,060
there's this thing now you can like put
157
00:05:27,140 --> 00:05:31,280
stuff from somewhere into some others
158
00:05:29,060 --> 00:05:33,380
website and then it executes like HTML
159
00:05:31,280 --> 00:05:36,109
or JavaScript how should we call it what
160
00:05:33,380 --> 00:05:37,610
would a name should we give to it they
161
00:05:36,110 --> 00:05:40,070
came up with a couple of proposals back
162
00:05:37,610 --> 00:05:42,230
then the first one was unauthorized site
163
00:05:40,070 --> 00:05:43,820
scripting I actually liked that quite a
164
00:05:42,230 --> 00:05:46,130
lot because it's kind of true in its
165
00:05:43,820 --> 00:05:47,570
meaning but it really sucks to talk that
166
00:05:46,130 --> 00:05:49,370
you just like to spell it out or to
167
00:05:47,570 --> 00:05:51,710
pronounce it it's just not really fun
168
00:05:49,370 --> 00:05:53,360
it's like too long and if an official
169
00:05:51,710 --> 00:05:54,710
site scripting which is a bit better
170
00:05:53,360 --> 00:05:57,770
goes better off the tongue then you have
171
00:05:54,710 --> 00:05:59,150
URL parameter script insertion oops I
172
00:05:57,770 --> 00:06:00,140
you've seen nope then you have
173
00:05:59,150 --> 00:06:02,359
cross-site scripting which eventually
174
00:06:00,140 --> 00:06:03,740
won the trophy and you have synthesized
175
00:06:02,360 --> 00:06:05,420
scripting not sure who came up with that
176
00:06:03,740 --> 00:06:07,490
and last but not least fraudulent
177
00:06:05,420 --> 00:06:10,310
scripting so all of them are sort of
178
00:06:07,490 --> 00:06:11,780
correct but this one actually got the
179
00:06:10,310 --> 00:06:16,730
trophy and the whole attack technique
180
00:06:11,780 --> 00:06:19,849
was called cross-site scripting and not soon
181
00:06:16,730 --> 00:06:21,800
after the first advisory from cert was
182
00:06:19,850 --> 00:06:23,240
issued describing this particular attack
183
00:06:21,800 --> 00:06:24,830
because back then people knew SQL
184
00:06:23,240 --> 00:06:25,430
injection remote code execution of all
185
00:06:24,830 --> 00:06:27,740
these things
186
00:06:25,430 --> 00:06:30,950
targeting servers but this one was new
187
00:06:27,740 --> 00:06:32,570
back then in 1999 and they postulated
188
00:06:30,950 --> 00:06:34,099
that a website may inadvertently include
189
00:06:32,570 --> 00:06:35,360
malicious HTML text or a script in a
190
00:06:34,100 --> 00:06:37,220
dynamically generated page based on
191
00:06:35,360 --> 00:06:38,199
unvalidated input from untrustworthy
192
00:06:37,220 --> 00:06:40,779
sources and so
193
00:06:38,199 --> 00:06:43,029
and so on and when input is not
194
00:06:40,779 --> 00:06:45,669
validated to prevent malicious HTML from
195
00:06:43,029 --> 00:06:47,409
being presented to the user and I think
196
00:06:45,669 --> 00:06:49,029
this is one of the most compact most
197
00:06:47,409 --> 00:06:50,349
accurate descriptions of cross-site
198
00:06:49,029 --> 00:06:52,990
scripting this is what's actually going
199
00:06:50,349 --> 00:06:54,099
on like back then in the year 1999 they
200
00:06:52,990 --> 00:06:57,189
had it figured out already
201
00:06:54,099 --> 00:06:58,870
so they had figured out the problem
202
00:06:57,189 --> 00:07:01,300
that they were just like millimeters
203
00:06:58,870 --> 00:07:03,430
away from the solution still we're in
204
00:07:01,300 --> 00:07:04,960
2018 and we still don't have a solution
205
00:07:03,430 --> 00:07:09,759
everybody has XSS so that's a bit
206
00:07:04,960 --> 00:07:13,419
strange anyway back then the whole topic
207
00:07:09,759 --> 00:07:15,849
of web security was so small and so tiny
208
00:07:13,419 --> 00:07:18,128
that it was possible for experts on
209
00:07:15,849 --> 00:07:21,009
completely different fields like for
210
00:07:18,129 --> 00:07:22,419
example Human Genome Research to on the
211
00:07:21,009 --> 00:07:25,599
side write like a book about web
212
00:07:22,419 --> 00:07:29,948
security because it's just such a tiny
213
00:07:25,599 --> 00:07:31,240
overall topic and Lincoln Stein in fact a
214
00:07:29,949 --> 00:07:32,889
human genome researcher at the Cold
215
00:07:31,240 --> 00:07:34,659
Spring Harbor Laboratory he wrote this
216
00:07:32,889 --> 00:07:36,580
particular book about web security in his
217
00:07:34,659 --> 00:07:38,560
spare time and he also got it quite
218
00:07:36,580 --> 00:07:41,229
right he said cross-site scripting
219
00:07:38,560 --> 00:07:44,189
allows the bad guy to trick an innocent
220
00:07:41,229 --> 00:07:46,990
guy into running code the bad guy wrote
221
00:07:44,189 --> 00:07:49,000
that's quite accurate like he completely
222
00:07:46,990 --> 00:07:50,529
gets what is going on here he writes
223
00:07:49,000 --> 00:07:51,969
something on the client kind of gets it
224
00:07:50,529 --> 00:07:54,550
across to the victim and then it
225
00:07:51,969 --> 00:07:57,729
executes it's more accurate than most
226
00:07:54,550 --> 00:08:00,610
descriptions than we read nowadays but
227
00:07:57,729 --> 00:08:03,219
well people start to think about how to
228
00:08:00,610 --> 00:08:05,229
fix it I like this one specifically I
229
00:08:03,219 --> 00:08:06,699
like to read php.net especially the docs
230
00:08:05,229 --> 00:08:08,589
because there's hilarious comments in
231
00:08:06,699 --> 00:08:11,669
there but this one kind of really there
232
00:08:08,589 --> 00:08:14,889
was this one jump to shark it was from
233
00:08:11,669 --> 00:08:17,229
and he was talking about how you can use
234
00:08:14,889 --> 00:08:19,149
HTML entities and HTML special chars to
235
00:08:17,229 --> 00:08:20,289
actually fix cross-site scripting he
236
00:08:19,149 --> 00:08:22,509
said this function is particularly
237
00:08:20,289 --> 00:08:24,460
useful against XSS XSS makes use of
238
00:08:22,509 --> 00:08:29,080
whole the code whether it be JavaScript
239
00:08:24,460 --> 00:08:31,628
or PHP XSS often if not always uses HTML
240
00:08:29,080 --> 00:08:33,159
entities to do its evil deeds and so of
241
00:08:31,629 --> 00:08:34,719
course complete bullshit but still he
242
00:08:33,159 --> 00:08:36,218
says it so this function is in
243
00:08:34,719 --> 00:08:37,750
cooperation with the earth Script
244
00:08:36,219 --> 00:08:39,279
cooperation with the script particularly
245
00:08:37,750 --> 00:08:41,169
search or submitting script is a very
246
00:08:39,279 --> 00:08:43,568
useful tool in combating Haxorus
247
00:08:41,169 --> 00:08:45,399
right that was about 13 years ago that
248
00:08:43,568 --> 00:08:46,930
people had this particular attitude it's
249
00:08:45,399 --> 00:08:49,209
completely wrong content wise it has
250
00:08:46,930 --> 00:08:51,008
nothing to do with HTML entities
251
00:08:49,209 --> 00:08:52,209
and still that was the level of
252
00:08:51,009 --> 00:08:54,329
discussion that they had back then I
253
00:08:52,209 --> 00:08:57,939
thought this be like a very good example
254
00:08:54,329 --> 00:08:59,829
so back then we had a set a small set of
255
00:08:57,939 --> 00:09:01,480
tools that we could actually use as
256
00:08:59,829 --> 00:09:03,998
defenders to protect our websites
257
00:09:01,480 --> 00:09:06,459
against cross-site scripting escaping
258
00:09:03,999 --> 00:09:08,139
escape your stuff before processing it
259
00:09:06,459 --> 00:09:10,929
on the server to protect your database
260
00:09:08,139 --> 00:09:12,939
or whatever is going on there and encode
261
00:09:10,929 --> 00:09:14,860
your stuff before echoing it to the user
262
00:09:12,939 --> 00:09:16,449
because then you can't have HTML
263
00:09:14,860 --> 00:09:19,240
injections and you can't have cross-site
264
00:09:16,449 --> 00:09:21,339
scripting right it's a simple fix for a
265
00:09:19,240 --> 00:09:23,079
simple bug for a very simple and very
266
00:09:21,339 --> 00:09:24,819
trivial attack and pretty much we can
267
00:09:23,079 --> 00:09:27,998
say case closed and that's that that's
268
00:09:24,819 --> 00:09:31,809
it right but unfortunately not it
269
00:09:27,999 --> 00:09:34,029
continues in the year 2002 which should
270
00:09:31,809 --> 00:09:36,779
pretty much be like the year 3 after XSS
271
00:09:34,029 --> 00:09:40,029
with the release of Internet Explorer 6
272
00:09:36,779 --> 00:09:41,740
service pack 2 the first targeted
273
00:09:40,029 --> 00:09:45,369
mitigation against cross-site scripting
274
00:09:41,740 --> 00:09:47,319
was published and was introduced in this
275
00:09:45,369 --> 00:09:49,029
ancient browser that no one uses anymore
276
00:09:47,319 --> 00:09:52,719
hopefully and there was HTTP only
277
00:09:49,029 --> 00:09:54,819
cookies now thanks to HTTP only
278
00:09:52,720 --> 00:09:57,220
cookies it's not possible anymore for
279
00:09:54,819 --> 00:09:58,719
the attacker to steal cookies when they
280
00:09:57,220 --> 00:10:01,929
have a cross-site scripting situation
281
00:09:58,720 --> 00:10:03,819
and back then people were like I don't
282
00:10:01,929 --> 00:10:06,339
know is that really like so much of a
283
00:10:03,819 --> 00:10:07,990
contribution because let's be honest if
284
00:10:06,339 --> 00:10:09,939
you really want to exploit a cross-site
285
00:10:07,990 --> 00:10:12,040
scripting attack and you don't really
286
00:10:09,939 --> 00:10:13,689
give jack about cookies like come on
287
00:10:12,040 --> 00:10:15,339
there are so many more sexy things you
288
00:10:13,689 --> 00:10:19,990
can do but cookies who cares about
289
00:10:15,339 --> 00:10:21,819
cookies so basically lots of money and
290
00:10:19,990 --> 00:10:23,920
lots of resources were going into
291
00:10:21,819 --> 00:10:25,329
inventing something that didn't have any
292
00:10:23,920 --> 00:10:26,920
effect and the attacker would say like
293
00:10:25,329 --> 00:10:28,599
ok so this door is closed but there's
294
00:10:26,920 --> 00:10:33,790
another open door so let's take one of
295
00:10:28,600 --> 00:10:36,879
these so what keeps well XSS was not
296
00:10:33,790 --> 00:10:38,589
quite yet defeated I think HTTP only
297
00:10:36,879 --> 00:10:41,949
cookies are still particularly useless
298
00:10:38,589 --> 00:10:43,480
and I don't think they make too
299
00:10:41,949 --> 00:10:45,490
much sense but still we recommend them
300
00:10:43,480 --> 00:10:47,920
in penetration test reports so I think
301
00:10:45,490 --> 00:10:50,139
the only scenario where HTTP only
302
00:10:47,920 --> 00:10:52,839
cookies actually makes sense is where
303
00:10:50,139 --> 00:10:54,549
you have the possibility of being able
304
00:10:52,839 --> 00:10:56,319
to find a cross-site scripting on a
305
00:10:54,549 --> 00:10:58,870
subdomain where you can't have plausible
306
00:10:56,319 --> 00:11:00,459
phishing or markup injections or don't
307
00:10:58,870 --> 00:11:01,550
have the possibility to steal CSRF
308
00:11:00,459 --> 00:11:03,199
tokens
309
00:11:01,550 --> 00:11:04,969
you have good cookie security and you
310
00:11:03,200 --> 00:11:06,740
want to prevent that the sub domain XSS
311
00:11:04,970 --> 00:11:07,850
can interact with your main domain and I
312
00:11:06,740 --> 00:11:09,220
think that's like the only thing where
313
00:11:07,850 --> 00:11:11,269
this really makes sense
314
00:11:09,220 --> 00:11:13,279
yesterday I learned something new because
315
00:11:11,269 --> 00:11:15,890
last day I learned that there is like a
316
00:11:13,279 --> 00:11:17,660
new use case for HTTP only cookies so
317
00:11:15,890 --> 00:11:19,880
since yesterday or a couple of days ago
318
00:11:17,660 --> 00:11:23,630
they make more sense that they did for
319
00:11:19,880 --> 00:11:27,500
the last 20 years 17 actually and it
320
00:11:23,630 --> 00:11:29,750
turns out that HTTP only cookies can be
321
00:11:27,500 --> 00:11:32,060
used to mitigate attacks like Spectre
322
00:11:29,750 --> 00:11:33,470
because by using HTTP only cookies you
323
00:11:32,060 --> 00:11:36,290
make sure that they don't even hit the
324
00:11:33,470 --> 00:11:38,510
renderer in Chrome or V8 and that makes
325
00:11:36,290 --> 00:11:40,219
sure that you can't execute these kinds
326
00:11:38,510 --> 00:11:42,230
of attacks and this is like a new layer
327
00:11:40,220 --> 00:11:43,970
that kind of makes HTTP only cookies be
328
00:11:42,230 --> 00:11:48,380
useful again but this just happened a
329
00:11:43,970 --> 00:11:51,500
couple of days ago so well XSS is
330
00:11:48,380 --> 00:11:54,079
still there it's still not defeated to
331
00:11:51,500 --> 00:11:55,760
be able to kind of go further and cover
332
00:11:54,079 --> 00:11:58,250
all the complex cases that web sites
333
00:11:55,760 --> 00:12:00,200
have and the developers create we need
334
00:11:58,250 --> 00:12:02,930
to kind of find a way to determine who
335
00:12:00,200 --> 00:12:04,190
can execute scripts and who can't so we
336
00:12:02,930 --> 00:12:06,109
have this escaping and the encoding
337
00:12:04,190 --> 00:12:08,930
that's all fine but we don't have trust
338
00:12:06,110 --> 00:12:11,240
yet and again Microsoft Internet
339
00:12:08,930 --> 00:12:13,010
Explorer in very early versions was the
340
00:12:11,240 --> 00:12:15,170
first browser to invent and introduce
341
00:12:13,010 --> 00:12:16,970
something that allowed us to add trust
342
00:12:15,170 --> 00:12:18,800
so we could for example say well there
343
00:12:16,970 --> 00:12:21,170
is one site and that is ours we trust
344
00:12:18,800 --> 00:12:22,729
this this can execute JavaScript but we
345
00:12:21,170 --> 00:12:24,500
want to embed another site with an
346
00:12:22,730 --> 00:12:27,170
iframe we don't trust this site because
347
00:12:24,500 --> 00:12:29,329
who knows what that stuff is so we want
348
00:12:27,170 --> 00:12:30,770
to distrust it and there was no way of
349
00:12:29,329 --> 00:12:32,120
actually doing this until Microsoft
350
00:12:30,770 --> 00:12:34,579
invented and they call it restricted
351
00:12:32,120 --> 00:12:36,320
iframes it's pretty much the predecessor
352
00:12:34,579 --> 00:12:39,199
or the precursor to the development of
353
00:12:36,320 --> 00:12:40,730
sandbox iframes but it was there years
354
00:12:39,200 --> 00:12:42,110
and years and years before that and
355
00:12:40,730 --> 00:12:44,149
basically you had the possibility to
356
00:12:42,110 --> 00:12:46,040
load an external resource in an iframe
357
00:12:44,149 --> 00:12:47,870
and say look you're not trusted you
358
00:12:46,040 --> 00:12:49,550
can't do anything you can't do audio you
359
00:12:47,870 --> 00:12:51,680
can't do video you can't do scripting
360
00:12:49,550 --> 00:12:55,339
you can't annoy people this just doesn't
361
00:12:51,680 --> 00:12:57,199
fly it's untrusted script that should be
362
00:12:55,339 --> 00:12:59,300
good and it gives us another tool right
363
00:12:57,199 --> 00:13:02,000
now we have content transformation we
364
00:12:59,300 --> 00:13:05,510
escaped and we encode and we have
365
00:13:02,000 --> 00:13:09,170
content restriction we define who and
366
00:13:05,510 --> 00:13:10,760
what can do what and where by simply
367
00:13:09,170 --> 00:13:12,020
saying look we can trust you or we can't
368
00:13:10,760 --> 00:13:14,240
trust you that that's pretty much it
369
00:13:12,020 --> 00:13:16,130
what a simple anymore because once
370
00:13:14,240 --> 00:13:18,410
Trust is being added to like a security
371
00:13:16,130 --> 00:13:19,970
model usually it's already something is
372
00:13:18,410 --> 00:13:21,649
already quite wrong because Trust is
373
00:13:19,970 --> 00:13:24,350
hard to define in an extremely complex
374
00:13:21,649 --> 00:13:27,140
topic but at least there is another tool
375
00:13:24,350 --> 00:13:27,920
that we can use so are we close to
376
00:13:27,140 --> 00:13:31,370
fixing it yet
377
00:13:27,920 --> 00:13:33,319
probably let's see well then there was
378
00:13:31,370 --> 00:13:35,149
another thing happening and what reads
379
00:13:33,320 --> 00:13:36,760
here is German that says like it vermin
380
00:13:35,149 --> 00:13:40,910
this is like yeah there's worms and
381
00:13:36,760 --> 00:13:42,200
people figured quite quickly out what
382
00:13:40,910 --> 00:13:44,600
they could do with cross-site scripting
383
00:13:42,200 --> 00:13:46,279
attacks if they went from the classic
384
00:13:44,600 --> 00:13:48,709
alert to doing something actually
385
00:13:46,279 --> 00:13:51,320
creative and they looked at certain
386
00:13:48,709 --> 00:13:55,069
platforms like social media platforms
387
00:13:51,320 --> 00:13:56,630
like MySpace or web mailers or stuff
388
00:13:55,070 --> 00:14:00,170
like this and they realized wait a second
389
00:13:56,630 --> 00:14:02,870
if I can execute JavaScript on behalf of
390
00:14:00,170 --> 00:14:04,670
the logged-in victim then I can do
391
00:14:02,870 --> 00:14:06,140
whatever the victim can do so that means
392
00:14:04,670 --> 00:14:08,029
I can just like emit clicks and
393
00:14:06,140 --> 00:14:10,279
keystrokes and do all sorts of things so
394
00:14:08,029 --> 00:14:13,640
that means in a web mailer I can likely
395
00:14:10,279 --> 00:14:15,290
send emails normally only the victim can
396
00:14:13,640 --> 00:14:17,149
do this or the legitimate user but the
397
00:14:15,290 --> 00:14:19,040
cross-site scripting can do this as well
398
00:14:17,149 --> 00:14:20,329
and depending on the context of the site
399
00:14:19,040 --> 00:14:21,740
you can do a lot of stuff usually the
400
00:14:20,329 --> 00:14:23,060
sky's the limit and people figure that
401
00:14:21,740 --> 00:14:25,339
out and people did that and played with
402
00:14:23,060 --> 00:14:27,199
this in the year 3 after XSS
403
00:14:25,339 --> 00:14:30,200
there was the mention of the ad Vigano
404
00:14:27,200 --> 00:14:32,570
virus and the at Oh godoh virus was
405
00:14:30,200 --> 00:14:35,180
something that basically had the
406
00:14:32,570 --> 00:14:36,770
possibility of injecting JavaScript and
407
00:14:35,180 --> 00:14:38,810
HTML into an existing website and then
408
00:14:36,770 --> 00:14:40,579
propagate from there and infect other
409
00:14:38,810 --> 00:14:41,510
web sites as well so the user would go
410
00:14:40,579 --> 00:14:44,420
there and then it would kind of
411
00:14:41,510 --> 00:14:46,010
propagate through the contacts and at
412
00:14:44,420 --> 00:14:47,899
some point you have a lot of infected
413
00:14:46,010 --> 00:14:49,730
users with a lot of impact and a lot of
414
00:14:47,899 --> 00:14:51,920
calculation from computing power and it
415
00:14:49,730 --> 00:14:54,200
gets interesting then needless to say
416
00:14:51,920 --> 00:14:55,579
there was MySpace that thing that Samy
417
00:14:54,200 --> 00:14:59,240
actually unleashed a couple of years
418
00:14:55,579 --> 00:15:01,849
ago and he also basically found a way to
419
00:14:59,240 --> 00:15:03,680
take his payload and when people visited
420
00:15:01,850 --> 00:15:05,660
his profile he would take his payload
421
00:15:03,680 --> 00:15:07,189
put it into their profile as well and
422
00:15:05,660 --> 00:15:08,870
visited their profile
423
00:15:07,190 --> 00:15:10,970
well you kind of can see what happens it
424
00:15:08,870 --> 00:15:12,709
spread exponentially and it was pretty
425
00:15:10,970 --> 00:15:14,089
bad and also you went to prison for that
426
00:15:12,709 --> 00:15:17,510
so that wasn't good don't do this at
427
00:15:14,089 --> 00:15:18,980
home and in the year six after
428
00:15:17,510 --> 00:15:21,470
cross-site scripting there was a paper
429
00:15:18,980 --> 00:15:23,300
by Wade Alcorn who was a long time
430
00:15:21,470 --> 00:15:26,750
behind BeEF and
431
00:15:23,300 --> 00:15:27,920
he pretty much specified what needs to
432
00:15:26,750 --> 00:15:29,390
be done to create a cross-site
433
00:15:27,920 --> 00:15:31,069
scripting virus and create a
434
00:15:29,390 --> 00:15:33,290
proof-of-concept he specified what is
435
00:15:31,070 --> 00:15:35,600
necessary in terms of components and you
436
00:15:33,290 --> 00:15:37,399
can see in those early years in 2005
437
00:15:35,600 --> 00:15:38,839
people were already all around that like
438
00:15:37,399 --> 00:15:40,670
they realized what's going on what you
439
00:15:38,839 --> 00:15:44,060
can do what the potential is and some of
440
00:15:40,670 --> 00:15:46,130
them even did it but the problem is to
441
00:15:44,060 --> 00:15:48,018
tackle this particular kind of thing you
442
00:15:46,130 --> 00:15:50,570
can't just have encoding you need more
443
00:15:48,019 --> 00:15:53,300
because in these situations you usually
444
00:15:50,570 --> 00:15:57,680
have websites or platforms that want the
445
00:15:53,300 --> 00:15:59,630
user to submit rich text and this rich
446
00:15:57,680 --> 00:16:01,279
text has to be stored and then to be shown
447
00:15:59,630 --> 00:16:02,870
could be like a web mailer of course you
448
00:16:01,279 --> 00:16:04,370
have rich text in your emails that you
449
00:16:02,870 --> 00:16:05,959
send it could be like your Facebook
450
00:16:04,370 --> 00:16:08,269
profile or anything else that requires
451
00:16:05,959 --> 00:16:10,459
you to have like bold fonts and red
452
00:16:08,269 --> 00:16:13,910
backgrounds and all these things so now
453
00:16:10,459 --> 00:16:15,560
this is a new challenge because by using
454
00:16:13,910 --> 00:16:18,439
encoding we destroy all that we don't
455
00:16:15,560 --> 00:16:20,500
want this so what we have to do is we
456
00:16:18,440 --> 00:16:23,329
have to find a way to sanitize to tell
457
00:16:20,500 --> 00:16:24,649
apart the good from the bad parts and
458
00:16:23,329 --> 00:16:26,859
only leave the good parts and throw out
459
00:16:24,649 --> 00:16:29,329
the bad parts and then hopefully be safe
460
00:16:26,860 --> 00:16:30,920
that was being done and all of a sudden
461
00:16:29,329 --> 00:16:32,599
everybody wrote their own sanitizer as
462
00:16:30,920 --> 00:16:34,729
you can imagine that most of them are
463
00:16:32,600 --> 00:16:36,050
extreme and you should never use them
464
00:16:34,730 --> 00:16:37,490
don't touch them with the stick but
465
00:16:36,050 --> 00:16:38,930
there is many of them there's HTML
466
00:16:37,490 --> 00:16:40,579
purifier which is actually quite good
467
00:16:38,930 --> 00:16:42,229
there's AntiSamy which has been
468
00:16:40,579 --> 00:16:44,029
discontinued it's an OWASP project
469
00:16:42,230 --> 00:16:45,709
there's htmLawed which you should never
470
00:16:44,029 --> 00:16:48,140
use it's really really broken there's
471
00:16:45,709 --> 00:16:49,459
what's what's washtml HTML washer
472
00:16:48,140 --> 00:16:51,860
or how to how to actually pronounce it
473
00:16:49,459 --> 00:16:54,020
it's used in Roundcube
474
00:16:51,860 --> 00:16:56,060
don't don't use it oh by the way also
475
00:16:54,020 --> 00:16:57,740
don't use Roundcube then there is kses
476
00:16:56,060 --> 00:16:59,540
that was used for WordPress a while ago
477
00:16:57,740 --> 00:17:01,430
then they forked it and they kind of do
478
00:16:59,540 --> 00:17:03,260
something else now there is SafeHTML
479
00:17:01,430 --> 00:17:05,780
and then there's sanitized HTML HTML
480
00:17:03,260 --> 00:17:08,480
sanitizer HTML - sanitizer HTML space
481
00:17:05,780 --> 00:17:09,918
sanitizer and HTML rule sanitizer and
482
00:17:08,480 --> 00:17:13,370
last but not least there's Google Caja
483
00:17:09,919 --> 00:17:15,860
which also has been discontinued I have
484
00:17:13,369 --> 00:17:17,869
no idea if any of these are good I know
485
00:17:15,859 --> 00:17:19,609
that HTML purifier is pretty good and I
486
00:17:17,869 --> 00:17:21,139
know that the next project that came out
487
00:17:19,609 --> 00:17:22,159
of this one here is pretty good but
488
00:17:21,140 --> 00:17:25,220
that's pretty much all I know
489
00:17:22,160 --> 00:17:26,900
I created a sanitizer myself because why
490
00:17:25,220 --> 00:17:28,429
not I called it DOMPurify it's still
491
00:17:26,900 --> 00:17:31,179
maintained and still very active about
492
00:17:28,429 --> 00:17:33,530
180,000 people downloaded per month and
493
00:17:31,179 --> 00:17:34,140
it's a good tool however it doesn't run
494
00:17:33,530 --> 00:17:36,030
on the server
495
00:17:34,140 --> 00:17:37,880
but runs in the browser directly so it is
496
00:17:36,030 --> 00:17:41,280
different use cases and different
497
00:17:37,880 --> 00:17:43,080
different attack scenarios but the fun
498
00:17:41,280 --> 00:17:45,750
thing is that pretty much most of these
499
00:17:43,080 --> 00:17:47,760
sanitizers had a bug or a problem at
500
00:17:45,750 --> 00:17:49,980
some point so we can't really trust them
501
00:17:47,760 --> 00:17:52,320
here's like a quote that I really liked
502
00:17:49,980 --> 00:17:54,960
and I found it on the SourceForge page
503
00:17:52,320 --> 00:17:57,419
of kses and it says kses is an XHTML
504
00:17:54,960 --> 00:17:58,950
HTML filter written in PHP it's a good
505
00:17:57,420 --> 00:18:00,390
sign in the first place it removes all
506
00:17:58,950 --> 00:18:02,970
unwanted HTML elements and attributes
507
00:18:00,390 --> 00:18:05,520
and it also does several checks and
508
00:18:02,970 --> 00:18:08,700
attribute values kses can be used to
509
00:18:05,520 --> 00:18:12,510
avoid cross site scripting XSS note I
510
00:18:08,700 --> 00:18:13,680
don't have time for kses right now so
511
00:18:12,510 --> 00:18:15,540
there's this guy and he writes a
512
00:18:13,680 --> 00:18:17,850
security tool and then he tells people
513
00:18:15,540 --> 00:18:19,350
on the SourceForge page yeah I don't
514
00:18:17,850 --> 00:18:20,790
really have time for this right now so
515
00:18:19,350 --> 00:18:23,490
your mileage might vary like whatever
516
00:18:20,790 --> 00:18:25,290
happens I really care so this product
517
00:18:23,490 --> 00:18:27,420
description is like so vague it's like
518
00:18:25,290 --> 00:18:29,580
yeah some things we remove maybe it does
519
00:18:27,420 --> 00:18:32,520
this maybe it does that but also I don't
520
00:18:29,580 --> 00:18:33,870
really have time for this so yeah most
521
00:18:32,520 --> 00:18:35,460
of the other tools going in this
522
00:18:33,870 --> 00:18:37,469
direction had a similar level of
523
00:18:35,460 --> 00:18:40,560
seriousness so you can kind of imagine
524
00:18:37,470 --> 00:18:42,030
all of them had bypasses literally all
525
00:18:40,560 --> 00:18:44,639
of them including our own of course we
526
00:18:42,030 --> 00:18:46,889
had bypasses too some of the bypasses were
527
00:18:44,640 --> 00:18:48,690
reported and then were fixed some of them
528
00:18:46,890 --> 00:18:51,780
were not reported so they're still there
529
00:18:48,690 --> 00:18:53,790
some were attempted to be fixed by the
530
00:18:51,780 --> 00:18:55,860
developers and then they failed and it
531
00:18:53,790 --> 00:18:59,850
had to be done again and some simply
532
00:18:55,860 --> 00:19:01,110
ignored the reports so sometimes you
533
00:18:59,850 --> 00:19:03,090
don't get feedback from the maintainer
534
00:19:01,110 --> 00:19:04,560
it's not really a problem or hey I'm
535
00:19:03,090 --> 00:19:06,360
doing something else right now or hey I
536
00:19:04,560 --> 00:19:10,800
retired I'm in southern France right now
537
00:19:06,360 --> 00:19:12,719
in my small house who knows so maybe we
538
00:19:10,800 --> 00:19:14,399
have to change the title slide because
539
00:19:12,720 --> 00:19:15,300
maybe the title slide is not that super
540
00:19:14,400 --> 00:19:17,550
accurate anymore
541
00:19:15,300 --> 00:19:18,870
I mean XSS sort of is that because we
542
00:19:17,550 --> 00:19:21,360
have all those tools we have all those
543
00:19:18,870 --> 00:19:23,040
sanitizers and encoding and escaping and
544
00:19:21,360 --> 00:19:24,570
Trust and all these things but we
545
00:19:23,040 --> 00:19:26,670
somehow don't seem to have the
546
00:19:24,570 --> 00:19:28,169
possibility to use them the right way we
547
00:19:26,670 --> 00:19:29,850
seem to be not smart enough because
548
00:19:28,170 --> 00:19:33,000
whatever tool we create it's either
549
00:19:29,850 --> 00:19:34,560
insufficient or broken or we use it the
550
00:19:33,000 --> 00:19:37,260
wrong way and that's maybe why we still
551
00:19:34,560 --> 00:19:38,610
have cross-site scripting maybe maybe
552
00:19:37,260 --> 00:19:40,020
not maybe the reason it's a different
553
00:19:38,610 --> 00:19:44,669
one I'm just trying to get closer here
554
00:19:40,020 --> 00:19:45,799
so the tools we have are content
555
00:19:44,670 --> 00:19:47,210
transformation
556
00:19:45,799 --> 00:19:49,070
mentioned them before we escape we
557
00:19:47,210 --> 00:19:50,659
encode we don't echo before we actually
558
00:19:49,070 --> 00:19:52,279
do this we have content sanitization we
559
00:19:50,659 --> 00:19:53,509
tell apart the bad from the good we
560
00:19:52,279 --> 00:19:54,950
leave only the good and work with that
561
00:19:53,509 --> 00:19:57,470
and we have last but not least content
562
00:19:54,950 --> 00:20:01,059
restriction so we add trust we define
563
00:19:57,470 --> 00:20:04,970
who and what can do what and where to be
564
00:20:01,059 --> 00:20:07,340
honest those three tools really fix
565
00:20:04,970 --> 00:20:09,200
99.9% of all the cross-site scripting
566
00:20:07,340 --> 00:20:10,908
problems we just have to use them the
567
00:20:09,200 --> 00:20:13,100
right way that is all that we need to do
568
00:20:10,909 --> 00:20:14,869
somehow we seem to be stuck in using
569
00:20:13,100 --> 00:20:17,209
them the wrong way or propagating wrong
570
00:20:14,869 --> 00:20:22,009
news or having broken tools in the first
571
00:20:17,210 --> 00:20:23,359
place but this can be fixed so I wanted
572
00:20:22,009 --> 00:20:25,279
to have a look at what academia says
573
00:20:23,359 --> 00:20:27,230
about this because when a problem slowly
574
00:20:25,279 --> 00:20:28,730
blows up out of proportion then usually
575
00:20:27,230 --> 00:20:31,749
academia is there and tries to harvest
576
00:20:28,730 --> 00:20:34,309
some papers I did so myself so no blank
577
00:20:31,749 --> 00:20:37,190
most of cross-site scripting is covered and I
578
00:20:34,309 --> 00:20:39,259
wanted to find out what happened in the
579
00:20:37,190 --> 00:20:41,899
year eight after cross-site scripting in
580
00:20:39,259 --> 00:20:43,429
the year 2007 what I could have missed until
581
00:20:41,899 --> 00:20:45,229
then and with Google Scholar you can do
582
00:20:43,429 --> 00:20:46,519
like these these date windows and you
583
00:20:45,230 --> 00:20:47,629
can find out how many people were
584
00:20:46,519 --> 00:20:50,299
actually publishing about a certain
585
00:20:47,629 --> 00:20:51,769
thing in a certain time frame and then
586
00:20:50,299 --> 00:20:53,779
check for cross-site scripting and I
587
00:20:51,769 --> 00:20:55,279
gave it a custom date range and it told
588
00:20:53,779 --> 00:20:56,749
me that there is like one thousand nine
589
00:20:55,279 --> 00:20:58,129
hundred and thirty different papers and
590
00:20:56,749 --> 00:21:00,769
articles about cross-site scripting holy
591
00:20:58,129 --> 00:21:03,559
shit that's like too much like this is
592
00:21:00,769 --> 00:21:10,519
impossible 1930 and no it no actual
593
00:21:03,559 --> 00:21:12,799
process no actual progress sorry so even
594
00:21:10,519 --> 00:21:14,869
though academia really went the whole
595
00:21:12,799 --> 00:21:16,460
nine yards here and tried to kind of fix
596
00:21:14,869 --> 00:21:18,320
it they didn't seem to manage because
597
00:21:16,460 --> 00:21:23,269
cross-site scripting is still around 2000
598
00:21:18,320 --> 00:21:24,439
papers didn't fix it well maybe the
599
00:21:23,269 --> 00:21:27,259
reason is that there's like a lot of
600
00:21:24,440 --> 00:21:30,379
niche problems and edge cases and
601
00:21:27,259 --> 00:21:31,999
special situations where even if you use
602
00:21:30,379 --> 00:21:34,639
those three tools that we have
603
00:21:31,999 --> 00:21:36,169
consistently and the right way then you
604
00:21:34,639 --> 00:21:37,699
still have cross-site scripting or the
605
00:21:36,169 --> 00:21:39,350
possibility for people to inject stuff
606
00:21:37,700 --> 00:21:41,269
into your website because there's like
607
00:21:39,350 --> 00:21:42,799
DOM XSS with like location
608
00:21:41,269 --> 00:21:45,470
search and hash and all these
609
00:21:42,799 --> 00:21:47,179
properties there is mutation XSS where
610
00:21:45,470 --> 00:21:49,460
style properties are changing when being
611
00:21:47,179 --> 00:21:51,259
treated by the web browser and stuff
612
00:21:49,460 --> 00:21:52,580
like this and this is maybe something
613
00:21:51,259 --> 00:21:54,080
where those tools can't really help
614
00:21:52,580 --> 00:21:55,389
because they're not strong enough or not
615
00:21:54,080 --> 00:21:57,830
fine-grained
616
00:21:55,390 --> 00:22:00,860
what can we do if those tools are not
617
00:21:57,830 --> 00:22:02,750
enough one of my favorite ones is MIME
618
00:22:00,860 --> 00:22:05,389
sniffing cross-site scripting basically
619
00:22:02,750 --> 00:22:07,340
in most situations where you want to
620
00:22:05,390 --> 00:22:09,320
inject HTML and JavaScript you need to
621
00:22:07,340 --> 00:22:11,270
have some kind of scaffold around where
622
00:22:09,320 --> 00:22:14,750
you inject into so it actually executes
623
00:22:11,270 --> 00:22:16,580
this HTML or SVG or XML but if you for
624
00:22:14,750 --> 00:22:18,710
example inject into something that would
625
00:22:16,580 --> 00:22:21,740
be returned from the server as plain
626
00:22:18,710 --> 00:22:23,630
text or as application/json then you
627
00:22:21,740 --> 00:22:25,250
usually say well JSON and plain text
628
00:22:23,630 --> 00:22:27,230
they don't really execute anything if
629
00:22:25,250 --> 00:22:29,660
you open them directly so we don't have
630
00:22:27,230 --> 00:22:31,370
to encode here it's not true because a
631
00:22:29,660 --> 00:22:32,960
couple of browsers including latest
632
00:22:31,370 --> 00:22:36,350
versions of Microsoft Internet Explorer
633
00:22:32,960 --> 00:22:38,750
still execute JavaScript and HTML from
634
00:22:36,350 --> 00:22:41,689
text files if you iframe them from an
635
00:22:38,750 --> 00:22:44,300
EML file and it's again IE 11 that
636
00:22:41,690 --> 00:22:46,429
executes JavaScript from JSON files if
637
00:22:44,300 --> 00:22:48,200
you iframe them with applicator with a
638
00:22:46,429 --> 00:22:49,670
regular page and then reload the iframe
639
00:22:48,200 --> 00:22:51,679
once the never gets the content type and
640
00:22:49,670 --> 00:22:52,820
boom you have code execution it's
641
00:22:51,679 --> 00:22:55,250
documented in our browser security
642
00:22:52,820 --> 00:22:57,169
papers you can read it up in there and
643
00:22:55,250 --> 00:22:59,840
there's more and more and more of these
644
00:22:57,170 --> 00:23:02,030
weird niche cases still in the year 20
645
00:22:59,840 --> 00:23:05,470
after a cross-site scripting and they
646
00:23:02,030 --> 00:23:08,389
can't easily be tackled with our
647
00:23:05,470 --> 00:23:09,770
trust or sanitization cause I mean they
648
00:23:08,390 --> 00:23:11,179
could but we have to know that it's an
649
00:23:09,770 --> 00:23:14,330
issue to actually apply those tools
650
00:23:11,179 --> 00:23:15,800
there and then there was plugin XSS I
651
00:23:14,330 --> 00:23:18,320
really like this one it's it's quite a
652
00:23:15,800 --> 00:23:21,740
while ago it was a thing in 2009 when
653
00:23:18,320 --> 00:23:24,740
Adobe's PDF reader had a bug and you
654
00:23:21,740 --> 00:23:27,620
can pretty much open any PDF any like
655
00:23:24,740 --> 00:23:29,390
whatever PDF out there and you would use
656
00:23:27,620 --> 00:23:30,800
any parameter name whatever you could
657
00:23:29,390 --> 00:23:32,510
come up with and you would call it
658
00:23:30,800 --> 00:23:34,550
JavaScript alert 1 and then it would
659
00:23:32,510 --> 00:23:36,530
execute just so because they were like
660
00:23:34,550 --> 00:23:37,700
oh this is like a JavaScript URI we
661
00:23:36,530 --> 00:23:39,710
should kind of parse this and put this
662
00:23:37,700 --> 00:23:40,910
into an eval no one knows why but they
663
00:23:39,710 --> 00:23:42,590
did this back then that's pretty much
664
00:23:40,910 --> 00:23:45,230
meant that every single website out
665
00:23:42,590 --> 00:23:47,330
there had cross-site scripting if the
666
00:23:45,230 --> 00:23:48,890
victim had Adobe Reader installed and of
667
00:23:47,330 --> 00:23:53,149
course pretty much everybody had this
668
00:23:48,890 --> 00:23:54,890
installed so that was kind of bad and
669
00:23:53,150 --> 00:23:56,660
this is one of the situation where those
670
00:23:54,890 --> 00:23:58,760
three tools that we have really don't
671
00:23:56,660 --> 00:24:00,860
help like there's nothing they could do
672
00:23:58,760 --> 00:24:02,360
because it's a problem in a different
673
00:24:00,860 --> 00:24:03,500
software that locks itself into the
674
00:24:02,360 --> 00:24:04,820
browser and the
675
00:24:03,500 --> 00:24:06,140
vendor needs to fix it and people need to
676
00:24:04,820 --> 00:24:08,450
upgrade whatever you do as a developer
677
00:24:06,140 --> 00:24:10,750
you can't do anything I remember that
678
00:24:08,450 --> 00:24:13,250
back then people were seriously
679
00:24:10,750 --> 00:24:15,860
recommending to developers to delete all
680
00:24:13,250 --> 00:24:17,540
the PDFs from the web servers come on
681
00:24:15,860 --> 00:24:22,250
just like wait for the fix instead that
682
00:24:17,540 --> 00:24:24,080
anyway so we can see the tools that we
683
00:24:22,250 --> 00:24:26,210
had so far binary trust encoding
684
00:24:24,080 --> 00:24:27,560
escaping and sanitization are not really
685
00:24:26,210 --> 00:24:28,910
100 percent enough they're still like a
686
00:24:27,560 --> 00:24:32,179
couple of niche cases that we need to
687
00:24:28,910 --> 00:24:33,380
address that we need to tackle and we
688
00:24:32,180 --> 00:24:35,870
need something that's more granular
689
00:24:33,380 --> 00:24:38,750
needless to say it's also more complex
690
00:24:35,870 --> 00:24:40,969
but let's see with this there probably
691
00:24:38,750 --> 00:24:42,740
everybody here knows CSP right as far as
692
00:24:40,970 --> 00:24:45,770
I know in fact - there's like a CSP 12
693
00:24:42,740 --> 00:24:47,420
happening right now but CSP content
694
00:24:45,770 --> 00:24:49,490
security policy allows us to do that
695
00:24:47,420 --> 00:24:52,760
exact thing we can kind of define a rule
696
00:24:49,490 --> 00:24:54,770
set that clarifies whom to trust and
697
00:24:52,760 --> 00:24:56,470
from whom to execute JavaScript fetch
698
00:24:54,770 --> 00:24:59,750
images and whatnot
699
00:24:56,470 --> 00:25:01,100
CSP had its origin in the year five
700
00:24:59,750 --> 00:25:03,620
after cross-site scripting that's the
701
00:25:01,100 --> 00:25:05,929
year 2004 few people know that and was
702
00:25:03,620 --> 00:25:08,270
called not CSP but content restrictions
703
00:25:05,930 --> 00:25:09,890
0.5 and it was created by Gervase Mark
704
00:25:08,270 --> 00:25:11,480
ham of Mozilla back then and he
705
00:25:09,890 --> 00:25:13,130
basically says yeah we need headers in
706
00:25:11,480 --> 00:25:15,860
these headers need to specify trust and
707
00:25:13,130 --> 00:25:17,330
do things and well then then we should
708
00:25:15,860 --> 00:25:19,100
be able to kind of make sure that the
709
00:25:17,330 --> 00:25:20,330
evil guys can't execute JavaScript in
710
00:25:19,100 --> 00:25:21,469
our website anymore because we don't
711
00:25:20,330 --> 00:25:22,850
trust them in the first place we'd
712
00:25:21,470 --> 00:25:27,050
already trust us and then then we're
713
00:25:22,850 --> 00:25:28,370
done yeah the result from that respect
714
00:25:27,050 --> 00:25:30,470
then very simple approach was a more
715
00:25:28,370 --> 00:25:32,629
complex thing co-developed by Brandon
716
00:25:30,470 --> 00:25:34,610
Sterne from Mozilla and they call it
717
00:25:32,630 --> 00:25:37,190
content security policy CSP and
718
00:25:34,610 --> 00:25:38,689
meanwhile we're at CSP version 3.0 and
719
00:25:37,190 --> 00:25:40,460
it gets bigger and bigger and there's
720
00:25:38,690 --> 00:25:41,810
more directives and more complexity and
721
00:25:40,460 --> 00:25:44,680
more implementation work for browsers
722
00:25:41,810 --> 00:25:48,860
and still cross-site scripting is around
723
00:25:44,680 --> 00:25:52,520
and I believe that the problem with CSP
724
00:25:48,860 --> 00:25:55,070
is that it's too complex and not really
725
00:25:52,520 --> 00:25:57,650
suited for the use case it's pretty much
726
00:25:55,070 --> 00:25:59,300
like this gun that tries to shoot in all
727
00:25:57,650 --> 00:26:00,470
four directions at the same time but
728
00:25:59,300 --> 00:26:04,970
never hits the target
729
00:26:00,470 --> 00:26:07,400
and I think CSP is great for websites
730
00:26:04,970 --> 00:26:09,650
that have one single purpose for example
731
00:26:07,400 --> 00:26:11,450
something like GlobaLeaks or Secure
732
00:26:09,650 --> 00:26:13,100
Drop like something where you can't have
733
00:26:11,450 --> 00:26:14,630
any attacks against something that needs
734
00:26:13,100 --> 00:26:15,719
to be secured and only does one thing
735
00:26:14,630 --> 00:26:17,970
but this thing
736
00:26:15,720 --> 00:26:19,710
really really well but if you look at
737
00:26:17,970 --> 00:26:21,960
the website like Facebook or something
738
00:26:19,710 --> 00:26:23,490
that has like decent complexity how are
739
00:26:21,960 --> 00:26:24,899
you gonna put CSP in there how are you
740
00:26:23,490 --> 00:26:26,159
gonna tell apart the bad from the good
741
00:26:24,899 --> 00:26:28,739
the trusted from the untrusted there's
742
00:26:26,159 --> 00:26:29,940
literally no way and it's quite
743
00:26:28,740 --> 00:26:31,230
interesting because we have a couple of
744
00:26:29,940 --> 00:26:33,960
clients that come at us and then
745
00:26:31,230 --> 00:26:36,330
basically say like hey so um we created
746
00:26:33,960 --> 00:26:37,470
CSP policies for our website and we want
747
00:26:36,330 --> 00:26:39,539
to have a review can you have a look at
748
00:26:37,470 --> 00:26:41,549
our CSP so they don't come to us for a
749
00:26:39,539 --> 00:26:44,190
pen test they exclusively come to us for
750
00:26:41,549 --> 00:26:45,870
a CSP reviews and want us to tell them
751
00:26:44,190 --> 00:26:48,210
whether their CSP policy is actually
752
00:26:45,870 --> 00:26:50,340
good if the two years that they invested
753
00:26:48,210 --> 00:26:51,990
were well invested or if it turns out
754
00:26:50,340 --> 00:26:54,959
that the rules are broken and we can
755
00:26:51,990 --> 00:26:56,519
still bypass them and we look at the one
756
00:26:54,960 --> 00:26:58,139
from Facebook and I encourage you to
757
00:26:56,519 --> 00:26:59,909
have a look at the CSP policy from
758
00:26:58,139 --> 00:27:02,070
Facebook as well because it's ridiculous
759
00:26:59,909 --> 00:27:04,350
it doesn't do anything it's like pretty
760
00:27:02,070 --> 00:27:06,570
much half a kilobyte of absolute nothing
761
00:27:04,350 --> 00:27:09,090
and has no purpose because in the first
762
00:27:06,570 --> 00:27:11,789
line it essentially says default source
763
00:27:09,090 --> 00:27:14,490
is asterisk so they pretty much trust
764
00:27:11,789 --> 00:27:15,929
everything then why have CSP in the
765
00:27:14,490 --> 00:27:17,549
first place if you trust everything look
766
00:27:15,929 --> 00:27:20,460
it up it should be online right now we
767
00:27:17,549 --> 00:27:22,139
refer to this as cargo cult CSP do we
768
00:27:20,460 --> 00:27:24,629
know what cargo cult is who knows what
769
00:27:22,139 --> 00:27:26,729
cargo cult is I think it's like the
770
00:27:24,629 --> 00:27:29,279
perfect the perfect example here are
771
00:27:26,730 --> 00:27:31,320
like the perfect metaphor that's
772
00:27:29,279 --> 00:27:33,240
actually quite a sad story imagine
773
00:27:31,320 --> 00:27:34,740
you're like an indigenous people you're
774
00:27:33,240 --> 00:27:36,629
living in the Amazon in the Amazon
775
00:27:34,740 --> 00:27:37,919
jungle right and then you're living
776
00:27:36,629 --> 00:27:39,330
there you're hunting and you're doing
777
00:27:37,919 --> 00:27:40,409
your stuff and you're like in unity with
778
00:27:39,330 --> 00:27:42,539
the forest and everything is like
779
00:27:40,409 --> 00:27:44,490
perfectly fine and then someone comes
780
00:27:42,539 --> 00:27:47,789
with like a silver bird aka airplane
781
00:27:44,490 --> 00:27:49,679
look at these and lands on a landing
782
00:27:47,789 --> 00:27:51,120
strip that they made and then there is
783
00:27:49,679 --> 00:27:52,350
like weird people coming out with
784
00:27:51,120 --> 00:27:54,330
different skin color and they do stuff
785
00:27:52,350 --> 00:27:55,860
in your jungle and you're like wow who
786
00:27:54,330 --> 00:27:58,918
are those people they come with silver
787
00:27:55,860 --> 00:28:00,508
Birds holy shit they must be gods and at
788
00:27:58,919 --> 00:28:02,399
some point they disappear again because
789
00:28:00,509 --> 00:28:03,779
they did whatever they wanted to do and
790
00:28:02,399 --> 00:28:05,219
you're like oh man it would be really
791
00:28:03,779 --> 00:28:08,309
good if the gods came back because that
792
00:28:05,220 --> 00:28:09,990
was so cool so they need this landing
793
00:28:08,309 --> 00:28:11,519
strip right so here's what we're gonna
794
00:28:09,990 --> 00:28:13,409
do we're gonna chop some trees and we're
795
00:28:11,519 --> 00:28:15,600
gonna create some some some some some
796
00:28:13,409 --> 00:28:17,429
you know some some planks and then we
797
00:28:15,600 --> 00:28:18,750
build like an artificial landing strip
798
00:28:17,429 --> 00:28:22,320
for them because maybe then they come
799
00:28:18,750 --> 00:28:24,509
back needless to say building a wooden
800
00:28:22,320 --> 00:28:26,070
artificial landing strip is not gonna
801
00:28:24,509 --> 00:28:27,429
make the gods and their silver birds
802
00:28:26,070 --> 00:28:29,950
come back so this is
803
00:28:27,429 --> 00:28:31,210
futile but people at least believe that
804
00:28:29,950 --> 00:28:33,039
they might come back and if they're
805
00:28:31,210 --> 00:28:35,109
trying the hardest they can and maybe it
806
00:28:33,039 --> 00:28:36,908
works and I have the feeling that with
807
00:28:35,109 --> 00:28:39,099
many CSP policies that we see it's the
808
00:28:36,909 --> 00:28:40,719
very same thing people just hope that
809
00:28:39,099 --> 00:28:42,039
maybe magically with the budget that
810
00:28:40,719 --> 00:28:43,509
they put into their headers that are
811
00:28:42,039 --> 00:28:45,158
actually gonna fix cross-site scripting
812
00:28:43,509 --> 00:28:47,440
but they don't because those policies
813
00:28:45,159 --> 00:28:49,749
are meaningless and just a waste of
814
00:28:47,440 --> 00:28:51,489
space so it's expensive to implement
815
00:28:49,749 --> 00:28:53,950
it's hard to get right there's browser
816
00:28:51,489 --> 00:28:56,379
bugs there's bypasses and it's not yet the
817
00:28:53,950 --> 00:28:57,879
solution and I'm not really sure if it
818
00:28:56,379 --> 00:29:00,309
will ever be the solution because there
819
00:28:57,879 --> 00:29:01,658
is a lot of unrest in the specification
820
00:29:00,309 --> 00:29:03,190
I think like okay this is bad and that
821
00:29:01,659 --> 00:29:04,539
is bad and this we can't do and this we
822
00:29:03,190 --> 00:29:05,889
can do so we kind of had to invent
823
00:29:04,539 --> 00:29:07,869
this and you don't have to invent that
824
00:29:05,889 --> 00:29:10,089
it's growing more and more complex and
825
00:29:07,869 --> 00:29:12,789
I'm not really sure if investing more
826
00:29:10,089 --> 00:29:15,789
time into this thing actually helps so
827
00:29:12,789 --> 00:29:18,519
we have another tool but it's again not
828
00:29:15,789 --> 00:29:20,999
enough or not suited for most of the use
829
00:29:18,519 --> 00:29:23,200
cases that actually exist out there
830
00:29:20,999 --> 00:29:24,549
there's a lot of new security features
831
00:29:23,200 --> 00:29:26,349
coming at us and some of them are
832
00:29:24,549 --> 00:29:28,149
already live in the Canary versions or
833
00:29:26,349 --> 00:29:29,499
will be live or are hidden behind the
834
00:29:28,149 --> 00:29:30,908
flag and there's tons of stuff like
835
00:29:29,499 --> 00:29:33,159
sandbox iframes we know already we've
836
00:29:30,909 --> 00:29:35,440
had them for ages and basically have the
837
00:29:33,159 --> 00:29:38,519
possibility to add more granularity to
838
00:29:35,440 --> 00:29:41,019
the trust of externally loaded content
839
00:29:38,519 --> 00:29:42,519
same with a sub resource integrity which
840
00:29:41,019 --> 00:29:44,589
kind of checks for hashes when we
841
00:29:42,519 --> 00:29:46,869
request something external from a CDN or
842
00:29:44,589 --> 00:29:48,908
something like this there's suborigins
843
00:29:46,869 --> 00:29:49,959
to kind of isolate different apps on
844
00:29:48,909 --> 00:29:51,099
which other that are residing in the
845
00:29:49,960 --> 00:29:52,839
same origin there's permission
846
00:29:51,099 --> 00:29:55,599
delegation Trusted Types the referrer
847
00:29:52,839 --> 00:29:57,309
policy and tons of other things if you
848
00:29:55,599 --> 00:29:58,899
want to find out how much is happening
849
00:29:57,309 --> 00:30:01,418
right now in the realm of web security
850
00:29:58,899 --> 00:30:03,218
in browser security go to the
851
00:30:01,419 --> 00:30:05,379
platform status pages to the
852
00:30:03,219 --> 00:30:07,330
Chrome Platform Status page or to the
853
00:30:05,379 --> 00:30:09,339
Edge status page or to Mozilla's pages
854
00:30:07,330 --> 00:30:10,960
and check out how many new features are
855
00:30:09,339 --> 00:30:12,249
actually relating to security I have
856
00:30:10,960 --> 00:30:13,659
like a little search field you can just
857
00:30:12,249 --> 00:30:15,969
let go in there and check it out and
858
00:30:13,659 --> 00:30:17,409
we'll see oh my god this is like 38 new
859
00:30:15,969 --> 00:30:19,719
features coming in the next three months
860
00:30:17,409 --> 00:30:21,190
that are all security relevant we should
861
00:30:19,719 --> 00:30:23,080
know these things we're pen testers or
862
00:30:21,190 --> 00:30:24,129
security developers but the point is not
863
00:30:23,080 --> 00:30:25,928
that we should know these things
864
00:30:24,129 --> 00:30:28,059
the point is that there's so much coming
865
00:30:25,929 --> 00:30:30,039
at us so much new added complexity and
866
00:30:28,059 --> 00:30:32,499
still we haven't solved the problem and
867
00:30:30,039 --> 00:30:36,369
I'm not really sure if more more more
868
00:30:32,499 --> 00:30:37,770
more more is really the answer here so the
869
00:30:36,369 --> 00:30:39,840
tools that we have
870
00:30:37,770 --> 00:30:42,030
content transformation we escape stuff
871
00:30:39,840 --> 00:30:44,459
we encode stuff so the easy things
872
00:30:42,030 --> 00:30:46,050
content sanitization we tell the good
873
00:30:44,460 --> 00:30:49,260
stuff apart from the bad we only leave
874
00:30:46,050 --> 00:30:51,570
the good content restriction we define
875
00:30:49,260 --> 00:30:54,990
who and what can do what and where and
876
00:30:51,570 --> 00:30:56,280
we hope that the trustee is actually
877
00:30:54,990 --> 00:30:58,500
trustable because we don't know that
878
00:30:56,280 --> 00:31:01,110
maybe jquery.com got hacked and they
879
00:30:58,500 --> 00:31:02,580
deploy bad JavaScript or maybe
880
00:31:01,110 --> 00:31:04,139
ajax.googleapis.com has insecure
881
00:31:02,580 --> 00:31:05,970
JavaScript who knows we can just
882
00:31:04,140 --> 00:31:09,120
hope that everything is fine and that
883
00:31:05,970 --> 00:31:11,460
our policies are holding and making
884
00:31:09,120 --> 00:31:15,510
sense in the end and keep people from
885
00:31:11,460 --> 00:31:16,620
injecting JavaScript into our website so
886
00:31:15,510 --> 00:31:17,940
again i think you have to change the
887
00:31:16,620 --> 00:31:19,649
title slide because it's again not
888
00:31:17,940 --> 00:31:22,080
accurate anymore cross-site scripting is
889
00:31:19,650 --> 00:31:23,550
dead we just forget about this because
890
00:31:22,080 --> 00:31:26,909
we have all the tools and the tools are
891
00:31:23,550 --> 00:31:28,559
good but we don't use them content
892
00:31:26,910 --> 00:31:30,120
transformation people just forget to
893
00:31:28,559 --> 00:31:32,330
escape and to encode and this is how we
894
00:31:30,120 --> 00:31:35,070
find bugs and then we get money for them
895
00:31:32,330 --> 00:31:37,379
content sanitization sanitizers will get
896
00:31:35,070 --> 00:31:40,050
bypassed the authors don't fix it so what
897
00:31:37,380 --> 00:31:43,650
or it's being used in such weird context
898
00:31:40,050 --> 00:31:45,870
that something completely different must
899
00:31:43,650 --> 00:31:47,760
happen to defuse it or the sanitizer is a
900
00:31:45,870 --> 00:31:50,100
library that is being used and is outdated
901
00:31:47,760 --> 00:31:52,020
because the website owners don't update
902
00:31:50,100 --> 00:31:54,419
this thing or the website is abandoned
903
00:31:52,020 --> 00:31:56,190
but still has users who knows and content
904
00:31:54,420 --> 00:31:58,050
restriction was just too much work or
905
00:31:56,190 --> 00:31:59,670
our ads won't work anymore we have a
906
00:31:58,050 --> 00:32:01,559
couple of clients that we asked look why
907
00:31:59,670 --> 00:32:02,940
don't you use CSP not that we wanted to
908
00:32:01,559 --> 00:32:04,830
encourage them to use this but we just
909
00:32:02,940 --> 00:32:07,950
wanted to know why they don't use CSP in
910
00:32:04,830 --> 00:32:09,809
the first place but we have so many
911
00:32:07,950 --> 00:32:11,340
affiliates and partners we want to
912
00:32:09,809 --> 00:32:13,050
iframe we want to be iframed by those
913
00:32:11,340 --> 00:32:14,610
but not by these and then we have like
914
00:32:13,050 --> 00:32:17,790
ads and tracking and all these garbage
915
00:32:14,610 --> 00:32:19,678
scripts so if we don't have these we
916
00:32:17,790 --> 00:32:22,800
lose a lot of money and if we have CSP
917
00:32:19,679 --> 00:32:26,429
we can't have those or we have a policy
918
00:32:22,800 --> 00:32:27,600
that is so generous that it doesn't do
919
00:32:26,429 --> 00:32:28,550
anything in the first place like
920
00:32:27,600 --> 00:32:30,629
Facebook's
921
00:32:28,550 --> 00:32:32,159
so that's kind of complicated no one
922
00:32:30,630 --> 00:32:33,690
really wants to fix it or sometimes
923
00:32:32,160 --> 00:32:37,040
people forget about fixing it the right
924
00:32:33,690 --> 00:32:40,020
way and we're not really moving forward
925
00:32:37,040 --> 00:32:41,550
so I think we've seen enough of history
926
00:32:40,020 --> 00:32:44,160
and where we actually are right now to
927
00:32:41,550 --> 00:32:48,300
kind of formulate a problem statement
928
00:32:44,160 --> 00:32:50,070
and to be able to solve something we
929
00:32:48,300 --> 00:32:51,040
need to have a problem first and maybe
930
00:32:50,070 --> 00:32:52,120
we don't even really know
931
00:32:51,040 --> 00:32:53,500
what the problem is with cross-site
932
00:32:52,120 --> 00:32:57,760
scripting because it's so complex so it
933
00:32:53,500 --> 00:32:59,560
has grown so complex over time so year
934
00:32:57,760 --> 00:33:03,490
20xx which is where we are right now
935
00:32:59,560 --> 00:33:04,990
2018 we have all the research we know
936
00:33:03,490 --> 00:33:06,850
what cross-site scripting is we know how
937
00:33:04,990 --> 00:33:09,310
it works everybody can do it it's
938
00:33:06,850 --> 00:33:11,530
actually quite easy to learn with all
939
00:33:09,310 --> 00:33:14,590
the tools the encoding the escaping the
940
00:33:11,530 --> 00:33:16,270
sanitization the trust and so on we
941
00:33:14,590 --> 00:33:17,889
pretty much know all those nasty tricks
942
00:33:16,270 --> 00:33:19,570
because there's always tricks and
943
00:33:17,890 --> 00:33:21,520
browser bugs and these things and I
944
00:33:19,570 --> 00:33:23,560
notice that in the golden years a couple
945
00:33:21,520 --> 00:33:24,580
of years ago like five years ago people
946
00:33:23,560 --> 00:33:26,230
were like publishing cross-site
947
00:33:24,580 --> 00:33:27,639
scripting tricks all over the place but
948
00:33:26,230 --> 00:33:28,870
this has decreased like it's not
949
00:33:27,640 --> 00:33:30,520
happening anymore it's pretty much
950
00:33:28,870 --> 00:33:32,469
flatlining because there is not many
951
00:33:30,520 --> 00:33:34,540
tricks left there's maybe something
952
00:33:32,470 --> 00:33:36,100
exotic here maybe something exotic there
953
00:33:34,540 --> 00:33:37,629
but this gold rush that we had a couple
954
00:33:36,100 --> 00:33:39,010
of years ago when everybody and their
955
00:33:37,630 --> 00:33:40,990
dog was finding new attack techniques
956
00:33:39,010 --> 00:33:44,170
every day this is over and it's not
957
00:33:40,990 --> 00:33:45,910
gonna come back we know all the risks we
958
00:33:44,170 --> 00:33:47,110
know what worms are we know what you can
959
00:33:45,910 --> 00:33:48,970
do with cross-site scripting we have
960
00:33:47,110 --> 00:33:50,679
seen live attacks we have seen servers
961
00:33:48,970 --> 00:33:52,300
going down we have seen code execution
962
00:33:50,680 --> 00:33:53,770
we have seen all the mess that is
963
00:33:52,300 --> 00:33:54,940
happening on the crypto websites with
964
00:33:53,770 --> 00:33:57,010
their wallet implementations on a
965
00:33:54,940 --> 00:33:58,180
website because you put some JavaScript
966
00:33:57,010 --> 00:34:00,790
into the transaction commit and then
967
00:33:58,180 --> 00:34:02,560
you're rich we know all that we know
968
00:34:00,790 --> 00:34:04,149
that it's real we know how to fight it
969
00:34:02,560 --> 00:34:06,639
we know what it does what it is and we
970
00:34:04,150 --> 00:34:09,000
have pretty much found almost all the
971
00:34:06,640 --> 00:34:12,490
tricks that exist to sneak it in anyway
972
00:34:09,000 --> 00:34:14,889
we know how to kill it now we don't do
973
00:34:12,489 --> 00:34:16,509
it and the question is why why is this
974
00:34:14,889 --> 00:34:18,100
still a topic why am I still standing
975
00:34:16,510 --> 00:34:19,870
here and talking about this topic and
976
00:34:18,100 --> 00:34:21,759
and this may be something that is
977
00:34:19,870 --> 00:34:22,810
symptomatic maybe for other security
978
00:34:21,760 --> 00:34:27,419
problems as well or for other
979
00:34:22,810 --> 00:34:29,860
technologies as well let's see I think
980
00:34:27,418 --> 00:34:33,310
there might be like a variety of reasons
981
00:34:29,860 --> 00:34:34,450
the stuff that we usually hear when
982
00:34:33,310 --> 00:34:38,918
talking to developers after a
983
00:34:34,449 --> 00:34:41,109
penetration test it's like normally we
984
00:34:38,918 --> 00:34:43,060
do it but this one time we forgot it all
985
00:34:41,110 --> 00:34:44,650
right oh yeah this is like the legacy
986
00:34:43,060 --> 00:34:46,179
system and the legacy system we don't do
987
00:34:44,650 --> 00:34:47,530
patches anymore and it's like we
988
00:34:46,179 --> 00:34:50,620
migrate slowly to the new one this mess
989
00:34:47,530 --> 00:34:52,000
is just so much safer or we don't have
990
00:34:50,620 --> 00:34:54,279
budget for security right now because
991
00:34:52,000 --> 00:34:55,630
management decided that security is
992
00:34:54,280 --> 00:34:57,060
something that should be tackled at a
993
00:34:55,630 --> 00:35:00,280
later point in time
994
00:34:57,060 --> 00:35:01,750
or people say yeah this isn't really an
995
00:35:00,280 --> 00:35:03,430
issue for us because we don't really see
996
00:35:01,750 --> 00:35:04,070
the scenario our custom code is much
997
00:35:03,430 --> 00:35:05,299
faster than
998
00:35:04,070 --> 00:35:08,900
the framework we don't have to have auto
999
00:35:05,300 --> 00:35:10,910
escaping so yeah that happens or our
1000
00:35:08,900 --> 00:35:13,790
advertisers don't like CSP it's too
1001
00:35:10,910 --> 00:35:15,589
restrictive or the developer who wrote
1002
00:35:13,790 --> 00:35:16,940
this code is now selling used cars and
1003
00:35:15,590 --> 00:35:18,260
can't take care of this anymore we don't
1004
00:35:16,940 --> 00:35:19,910
have any idea about the code we actually
1005
00:35:18,260 --> 00:35:21,290
heard the story like this and it was a
1006
00:35:19,910 --> 00:35:23,000
bit more tragic because someone died and
1007
00:35:21,290 --> 00:35:25,490
that was horrifying because they lost the
1008
00:35:23,000 --> 00:35:26,690
developer yeah to an accident and then
1009
00:35:25,490 --> 00:35:27,709
pretty much the entire code base
1010
00:35:26,690 --> 00:35:28,880
was useless to them and they couldn't
1011
00:35:27,710 --> 00:35:33,050
fix the bugs anymore because they
1012
00:35:28,880 --> 00:35:33,560
didn't know how so that's a couple of
1013
00:35:33,050 --> 00:35:35,240
reasons
1014
00:35:33,560 --> 00:35:36,860
but we're turning ourselves into what I
1015
00:35:35,240 --> 00:35:38,299
believe to be chief excuse officers
1016
00:35:36,860 --> 00:35:41,660
because we basically come up with more
1017
00:35:38,300 --> 00:35:43,430
more excuses that effectively try to
1018
00:35:41,660 --> 00:35:44,870
hide that we don't really want to fix it
1019
00:35:43,430 --> 00:35:45,799
now then we'd already have time for that
1020
00:35:44,870 --> 00:35:48,080
and are actually quite comfortable
1021
00:35:45,800 --> 00:35:50,120
with the situation as it is we cannot
1022
00:35:48,080 --> 00:35:51,410
implement foo because bar or I was
1023
00:35:50,120 --> 00:35:53,660
dehydrated I've been writing that code
1024
00:35:51,410 --> 00:35:55,940
or we delegate guilt and responsibility
1025
00:35:53,660 --> 00:35:57,049
and that's something that pretty much
1026
00:35:55,940 --> 00:35:59,030
everybody in here likely that's
1027
00:35:57,050 --> 00:36:00,620
including myself yeah that was the dirty
1028
00:35:59,030 --> 00:36:02,810
intern like they wrote this code like
1029
00:36:00,620 --> 00:36:04,910
blame them or the Project Lead accepted
1030
00:36:02,810 --> 00:36:06,830
the risk or management is not running a
1031
00:36:04,910 --> 00:36:08,120
security budget there's always some sort
1032
00:36:06,830 --> 00:36:10,279
of excuse that we can come up with
1033
00:36:08,120 --> 00:36:14,660
it's like yeah but this part like this is
1034
00:36:10,280 --> 00:36:16,250
totally not our fault and what we could
1035
00:36:14,660 --> 00:36:17,480
derive from that is the assumption that
1036
00:36:16,250 --> 00:36:19,550
the fish rots from the head down
1037
00:36:17,480 --> 00:36:20,750
basically this is like a flying word that
1038
00:36:19,550 --> 00:36:21,800
basically says management it's
1039
00:36:20,750 --> 00:36:24,080
management's fault they don't give us
1040
00:36:21,800 --> 00:36:26,240
money it's it's them up there like it's
1041
00:36:24,080 --> 00:36:29,690
all their fault which is of course
1042
00:36:26,240 --> 00:36:31,399
extreme nonsense because I think it's
1043
00:36:29,690 --> 00:36:33,380
all of us I think it's like the entire
1044
00:36:31,400 --> 00:36:35,810
community developers security people pen
1045
00:36:33,380 --> 00:36:36,950
testers even myself we're all stuck with
1046
00:36:35,810 --> 00:36:38,270
those because we don't really want to
1047
00:36:36,950 --> 00:36:39,950
fix the problem because we actually
1048
00:36:38,270 --> 00:36:42,350
quite comfortable with the situation as
1049
00:36:39,950 --> 00:36:44,149
it is and I ran into like a very
1050
00:36:42,350 --> 00:36:47,000
interesting situation a while ago that
1051
00:36:44,150 --> 00:36:49,220
was about half a year ago and it was in
1052
00:36:47,000 --> 00:36:50,540
India at Nullcon in Goa and it
1053
00:36:49,220 --> 00:36:52,220
was quite late already I was pretty
1054
00:36:50,540 --> 00:36:54,500
hammered and I was going to the bar to
1055
00:36:52,220 --> 00:36:57,319
grab another beer and I was talking to a
1056
00:36:54,500 --> 00:36:59,810
friend over there and I was like yeah
1057
00:36:57,320 --> 00:37:01,730
this talk about how cross-site scripting is
1058
00:36:59,810 --> 00:37:03,410
dead but not really is the interesting
1059
00:37:01,730 --> 00:37:05,270
interesting and then he looked at me and
1060
00:37:03,410 --> 00:37:06,770
says like oh man I hope cross-site
1061
00:37:05,270 --> 00:37:08,180
scripting is never gonna die because
1062
00:37:06,770 --> 00:37:12,860
then a lot of people are gonna lose a
1063
00:37:08,180 --> 00:37:14,569
lot of money it's like wow that's yeah
1064
00:37:12,860 --> 00:37:16,460
that's kind of exactly the material that
1065
00:37:14,570 --> 00:37:18,140
I need for my presentation because yeah
1066
00:37:16,460 --> 00:37:21,470
that actually happens if this particular
1067
00:37:18,140 --> 00:37:23,839
entire attack class dies then a lot of
1068
00:37:21,470 --> 00:37:26,230
people will lose money a lot of business
1069
00:37:23,839 --> 00:37:29,390
models will not exist anymore or shrink
1070
00:37:26,230 --> 00:37:31,369
so why would we wanna fix cross-site
1071
00:37:29,390 --> 00:37:33,618
scripting if all that happens as the
1072
00:37:31,369 --> 00:37:35,119
consequence is us losing money or losing
1073
00:37:33,619 --> 00:37:36,380
incentives we would be the ones to suffer
1074
00:37:35,119 --> 00:37:37,849
financially who here would suffer
1075
00:37:36,380 --> 00:37:39,190
financially if cross-site scripting was
1076
00:37:37,849 --> 00:37:45,349
solved all of a sudden if it was gone
1077
00:37:39,190 --> 00:37:47,210
just me two people okay thank you so
1078
00:37:45,349 --> 00:37:48,859
that kind of sucks and it makes it hard
1079
00:37:47,210 --> 00:37:49,849
to fix a problem if you don't wanna if
1080
00:37:48,859 --> 00:37:50,839
you don't have if we don't have any
1081
00:37:49,849 --> 00:37:55,820
motivation if we don't have any
1082
00:37:50,839 --> 00:37:58,580
incentives so now the question is like
1083
00:37:55,820 --> 00:38:00,740
what do we really want do we really want
1084
00:37:58,580 --> 00:38:02,869
to solve cross-site scripting or do we
1085
00:38:00,740 --> 00:38:05,089
just like pretend to our clients to our
1086
00:38:02,869 --> 00:38:06,290
customers to our users that we do so and
1087
00:38:05,089 --> 00:38:08,839
tell them oh yeah you need to do this
1088
00:38:06,290 --> 00:38:10,279
you need to do that but secretly we hope
1089
00:38:08,839 --> 00:38:11,810
that the issue is gonna be around for a
1090
00:38:10,280 --> 00:38:15,080
long long time because with it we
1091
00:38:11,810 --> 00:38:16,759
make money and that is what I have to ask
1092
00:38:15,080 --> 00:38:19,520
myself do I want to keep popping alerts
1093
00:38:16,760 --> 00:38:21,020
until I'm 85 and make money with them or
1094
00:38:19,520 --> 00:38:25,790
do I kind of at some point want to move
1095
00:38:21,020 --> 00:38:27,259
to something else not sure yet so what
1096
00:38:25,790 --> 00:38:29,000
do you think should we like solve
1097
00:38:27,260 --> 00:38:30,589
cross-site scripting and be done with it
1098
00:38:29,000 --> 00:38:32,000
because I think we can do it or should
1099
00:38:30,589 --> 00:38:33,859
we just leave things as they are
1100
00:38:32,000 --> 00:38:35,750
who is for solving cross-site
1101
00:38:33,859 --> 00:38:38,359
scripting and kind of getting rid of it
1102
00:38:35,750 --> 00:38:41,240
a couple of people are for solving who
1103
00:38:38,359 --> 00:38:42,830
wants to keep things as they are not
1104
00:38:41,240 --> 00:38:45,859
that many it's fine it's fine and not
1105
00:38:42,830 --> 00:38:48,049
judging or judging anyway so a couple of
1106
00:38:45,859 --> 00:38:50,930
people want to solve it a couple of people
1107
00:38:48,050 --> 00:38:52,700
want to leave it as it is let's move to
1108
00:38:50,930 --> 00:38:54,109
the final act and ask ourselves so what
1109
00:38:52,700 --> 00:38:55,368
now can we do anything about this is
1110
00:38:54,109 --> 00:38:57,380
there anything that we can kind of
1111
00:38:55,369 --> 00:38:59,119
derive from this from this rant anything
1112
00:38:57,380 --> 00:39:04,640
that's productive or constructive at
1113
00:38:59,119 --> 00:39:06,770
least I don't know if we want to solve
1114
00:39:04,640 --> 00:39:09,170
it we need to ask ourselves the question
1115
00:39:06,770 --> 00:39:11,420
do we really need more tools do we
1116
00:39:09,170 --> 00:39:13,730
really need more stuff in the browser on
1117
00:39:11,420 --> 00:39:15,740
the server in our headers to actually
1118
00:39:13,730 --> 00:39:16,250
feed to developers and ask them to
1119
00:39:15,740 --> 00:39:18,140
implement
1120
00:39:16,250 --> 00:39:21,050
do we need more HttpOnly cookies do we
1121
00:39:18,140 --> 00:39:23,299
need more CSP or whatever other proposal
1122
00:39:21,050 --> 00:39:24,740
do we need Sec-Metadata or yet another
1123
00:39:23,300 --> 00:39:27,140
layer in the stack do we need more
1124
00:39:24,740 --> 00:39:27,430
complexity and are we working in the
1125
00:39:27,140 --> 00:39:29,109
right
1126
00:39:27,430 --> 00:39:31,270
direction as pen testers as browser
1127
00:39:29,109 --> 00:39:35,440
vendors as developers and certainly also
1128
00:39:31,270 --> 00:39:37,359
as users I found this thing on the
1129
00:39:35,440 --> 00:39:39,460
shipping announcements for Chrome and
1130
00:39:37,359 --> 00:39:41,650
it's about sec headers or Sec-Metadata
1131
00:39:39,460 --> 00:39:44,020
one of the new headers that is that is
1132
00:39:41,650 --> 00:39:46,660
implemented pretty much right now and it
1133
00:39:44,020 --> 00:39:48,490
says yes this mechanism is simply an
1134
00:39:46,660 --> 00:39:49,899
additional HTTP header there's little
1135
00:39:48,490 --> 00:39:52,000
risk created by shipping it other
1136
00:39:49,900 --> 00:39:54,220
vendors can pick it up over time or if
1137
00:39:52,000 --> 00:39:56,680
it turns out to be a bad idea we can
1138
00:39:54,220 --> 00:39:58,089
drop it without much fanfare which is
1139
00:39:56,680 --> 00:40:00,700
awesome because it basically says like
1140
00:39:58,089 --> 00:40:02,410
yeah think about like a feature for
1141
00:40:00,700 --> 00:40:04,750
security and we have really no idea if
1142
00:40:02,410 --> 00:40:06,250
it's any good let's just try it out and
1143
00:40:04,750 --> 00:40:09,700
if it's shit then we remove it again so
1144
00:40:06,250 --> 00:40:11,530
let's see this kind of shows me that
1145
00:40:09,700 --> 00:40:13,149
there is like not really much focus
1146
00:40:11,530 --> 00:40:14,589
anymore and that people actually don't
1147
00:40:13,150 --> 00:40:15,970
really know what to do anymore so they
1148
00:40:14,589 --> 00:40:18,069
just try it's like a shotgun approach
1149
00:40:15,970 --> 00:40:19,540
just like maybe maybe we could fix it
1150
00:40:18,069 --> 00:40:23,308
with this maybe not if not then we'll just
1151
00:40:19,540 --> 00:40:27,329
delete it again which is quite funny
1152
00:40:23,309 --> 00:40:30,970
quick glance at academia in the meantime
1153
00:40:27,329 --> 00:40:35,319
so I mean papers solve everything and I
1154
00:40:30,970 --> 00:40:37,689
checked from the beginning of days to
1155
00:40:35,319 --> 00:40:40,630
today how many papers have meanwhile been
1156
00:40:37,690 --> 00:40:43,240
written remember before it was 1930 and
1157
00:40:40,630 --> 00:40:45,130
then I checked from back then to now and
1158
00:40:43,240 --> 00:40:47,740
it was like nineteen thousand five
1159
00:40:45,130 --> 00:40:49,660
hundred papers holy shit like this is
1160
00:40:47,740 --> 00:40:51,700
ridiculous and still the problem is
1161
00:40:49,660 --> 00:40:53,290
around so papers don't fix it and you
1162
00:40:51,700 --> 00:40:54,759
can write as many as you want and get
1163
00:40:53,290 --> 00:40:56,770
your currency in academia to get your
1164
00:40:54,760 --> 00:41:02,109
PhD it doesn't have any actual
1165
00:40:56,770 --> 00:41:03,970
contribution sorry but well pencils down
1166
00:41:02,109 --> 00:41:05,650
we need to maybe kind of step back a
1167
00:41:03,970 --> 00:41:08,529
little bit and think about what actually
1168
00:41:05,650 --> 00:41:10,240
is missing for us for all of us to solve
1169
00:41:08,530 --> 00:41:12,880
this particular problem and I think what
1170
00:41:10,240 --> 00:41:15,578
is missing is motivation we don't have
1171
00:41:12,880 --> 00:41:17,589
the right motivation because we do all
1172
00:41:15,579 --> 00:41:19,510
these things for completely different
1173
00:41:17,589 --> 00:41:25,000
purposes and that's wrong because that
1174
00:41:19,510 --> 00:41:26,920
ruins it how about we think about adding
1175
00:41:25,000 --> 00:41:28,360
some motivation through punishment I
1176
00:41:26,920 --> 00:41:30,190
like punishment
1177
00:41:28,360 --> 00:41:31,750
so we use punishment pretty much
1178
00:41:30,190 --> 00:41:34,210
everywhere we use punishment to fight
1179
00:41:31,750 --> 00:41:35,740
crime and keep people from speeding and
1180
00:41:34,210 --> 00:41:37,990
we raise our kids using punishment Oh
1181
00:41:35,740 --> 00:41:39,669
well not that much why do we not punish
1182
00:41:37,990 --> 00:41:41,770
developers for the security bugs that
1183
00:41:39,670 --> 00:41:43,270
they create could have like a small box
1184
00:41:41,770 --> 00:41:44,710
with kitty litter and every time to
1185
00:41:43,270 --> 00:41:45,670
developer creates like a bug it's like into
1186
00:41:44,710 --> 00:41:47,650
the head with the kitty litter goes
1187
00:41:45,670 --> 00:41:49,990
super disgusting the developer would not
1188
00:41:47,650 --> 00:41:53,800
produce any security bugs any time soon
1189
00:41:49,990 --> 00:41:56,560
so maybe that works you think that works
1190
00:41:53,800 --> 00:41:59,320
punishment it's a good thing excellent I
1191
00:41:56,560 --> 00:42:02,170
like it I like we should have a beer or
1192
00:41:59,320 --> 00:42:03,910
we use gratification maybe that's better
1193
00:42:02,170 --> 00:42:06,100
we use gratification for like bonus
1194
00:42:03,910 --> 00:42:08,589
systems or compromise managers or giving
1195
00:42:06,100 --> 00:42:10,690
trophies badges awards candy for good
1196
00:42:08,590 --> 00:42:11,920
grades maybe we can put some candy into
1197
00:42:10,690 --> 00:42:13,870
the kitty litter that the developer can
1198
00:42:11,920 --> 00:42:17,080
wrap our breath nah we shouldn't do this
1199
00:42:13,870 --> 00:42:19,690
but well why not reward developers for
1200
00:42:17,080 --> 00:42:21,430
producing fewer security bugs for
1201
00:42:19,690 --> 00:42:24,130
actually contributing to more secure
1202
00:42:21,430 --> 00:42:26,109
software like why don't we do this maybe
1203
00:42:24,130 --> 00:42:27,670
this works who thinks this is gonna work
1204
00:42:26,110 --> 00:42:33,810
like gratification giving people
1205
00:42:27,670 --> 00:42:37,270
candy again everything works excellent
1206
00:42:33,810 --> 00:42:39,730
maybe we should also kind of try to find
1207
00:42:37,270 --> 00:42:41,860
out who introduced the security bug I
1208
00:42:39,730 --> 00:42:43,780
mean it's not always as obvious as it
1209
00:42:41,860 --> 00:42:45,910
was with that lock like this particular
1210
00:42:43,780 --> 00:42:47,920
disaster but we need to find out who
1211
00:42:45,910 --> 00:42:49,480
actually did the XSS who put it in
1212
00:42:47,920 --> 00:42:51,160
the code who added the SQL injection
1213
00:42:49,480 --> 00:42:53,140
where is the code injection who did it
1214
00:42:51,160 --> 00:42:55,270
and who reviewed the code and then
1215
00:42:53,140 --> 00:42:56,830
greenlit it and why someone must have
1216
00:42:55,270 --> 00:42:58,480
done it and we need to talk to those
1217
00:42:56,830 --> 00:43:00,520
people and kind of explain to them that
1218
00:42:58,480 --> 00:43:02,410
this was like a bad idea and tell them
1219
00:43:00,520 --> 00:43:05,020
how to do it better in the future so
1220
00:43:02,410 --> 00:43:06,339
that same issue doesn't pop up again how
1221
00:43:05,020 --> 00:43:10,900
about like a fix of the month
1222
00:43:06,340 --> 00:43:13,150
how about gratifying developers for
1223
00:43:10,900 --> 00:43:17,170
outstanding performance in securing the
1224
00:43:13,150 --> 00:43:19,690
platform even more fix challenges fix
1225
00:43:17,170 --> 00:43:20,890
bounties or something like this but then
1226
00:43:19,690 --> 00:43:22,510
it kind of gets us again into the
1227
00:43:20,890 --> 00:43:24,870
situation saying like we put ourselves
1228
00:43:22,510 --> 00:43:27,340
on a very high horse since again it's us
1229
00:43:24,870 --> 00:43:28,600
suggesting to others what to do and the
1230
00:43:27,340 --> 00:43:30,630
point that I'm trying to make is that
1231
00:43:28,600 --> 00:43:33,870
it's all of us that are involved in this
1232
00:43:30,630 --> 00:43:36,610
we need to maybe start with ourselves
1233
00:43:33,870 --> 00:43:39,150
and I think one of the ways to actually
1234
00:43:36,610 --> 00:43:41,520
get there and
1235
00:43:39,150 --> 00:43:43,740
getting the right motivation to actually
1236
00:43:41,520 --> 00:43:45,420
fix entire attack classes would be
1237
00:43:43,740 --> 00:43:47,279
to stop the bug fetish because I think
1238
00:43:45,420 --> 00:43:49,260
we have a serious bug fetish we love
1239
00:43:47,280 --> 00:43:51,150
bugs so much it's like wow look at this
1240
00:43:49,260 --> 00:43:52,500
critical look at this logo bug here
1241
00:43:51,150 --> 00:43:55,170
logo bug there everything is fucked
1242
00:43:52,500 --> 00:43:56,880
like this is bad this is not a healthy
1243
00:43:55,170 --> 00:43:58,590
attitude this is not an attitude that
1244
00:43:56,880 --> 00:44:00,330
actually allows us to fix things and to
1245
00:43:58,590 --> 00:44:02,310
keep them fixed we keep fetishizing the
1246
00:44:00,330 --> 00:44:04,470
bug but not the fix we praise the bug
1247
00:44:02,310 --> 00:44:06,090
hunters but not the fixers we completely
1248
00:44:04,470 --> 00:44:08,310
ignore those people who do the dirty
1249
00:44:06,090 --> 00:44:10,260
work afterwards our entire mindset is
1250
00:44:08,310 --> 00:44:11,850
around bugs and not the fixes it's not
1251
00:44:10,260 --> 00:44:14,460
secure software that we want it's bugs
1252
00:44:11,850 --> 00:44:17,250
bugs bugs including myself I'm not
1253
00:44:14,460 --> 00:44:19,050
judging maybe we could have fix
1254
00:44:17,250 --> 00:44:21,300
bounties and CC on Google dude already
1255
00:44:19,050 --> 00:44:22,830
sort of and I wanted to find out how
1256
00:44:21,300 --> 00:44:26,100
many people actually do fix bounties
1257
00:44:22,830 --> 00:44:28,230
and if you look for fix bounties or
1258
00:44:26,100 --> 00:44:31,259
patch bounties on Google you will find
1259
00:44:28,230 --> 00:44:32,520
2,000 hits so that's not that many and
1260
00:44:31,260 --> 00:44:35,760
you look for bug bounties and you'll
1261
00:44:32,520 --> 00:44:37,320
find 431 thousand hits so that kind of
1262
00:44:35,760 --> 00:44:39,420
tells us something like this this weird
1263
00:44:37,320 --> 00:44:41,910
ratio so we keep glorifying the finder
1264
00:44:39,420 --> 00:44:44,070
but not the fixer we have like interviews
1265
00:44:41,910 --> 00:44:45,980
with legendary bug hunters with like
1266
00:44:44,070 --> 00:44:48,720
media campaigns to raise awareness
1267
00:44:45,980 --> 00:44:50,760
self-proclaimed super hackers and people
1268
00:44:48,720 --> 00:44:52,680
who kind of call themselves cross-site
1269
00:44:50,760 --> 00:44:54,600
scripting gods and masters and this and
1270
00:44:52,680 --> 00:44:56,819
this and that bullshit makes no sense
1271
00:44:54,600 --> 00:44:59,220
and they get praised for what we have top
1272
00:44:56,820 --> 00:45:00,570
lists also fame award ceremonies what's
1273
00:44:59,220 --> 00:45:03,089
next an audience with the Pope I don't
1274
00:45:00,570 --> 00:45:04,860
know I would kind of propose for us to
1275
00:45:03,090 --> 00:45:06,540
stop doing this to stop living this bug
1276
00:45:04,860 --> 00:45:09,260
fetish or at least give the fixers some
1277
00:45:06,540 --> 00:45:11,910
glory as well because they deserve it
1278
00:45:09,260 --> 00:45:13,890
not everybody agrees with this I receive
1279
00:45:11,910 --> 00:45:15,600
a response two days ago or three days
1280
00:45:13,890 --> 00:45:17,220
ago about this like he was very much in
1281
00:45:15,600 --> 00:45:18,480
disagreement with this particular bit of
1282
00:45:17,220 --> 00:45:21,509
the presentation it's just like no
1283
00:45:18,480 --> 00:45:23,250
there's no way we can do this we need to
1284
00:45:21,510 --> 00:45:25,320
punish developers and like they produce
1285
00:45:23,250 --> 00:45:27,810
the buggy software fair enough not
1286
00:45:25,320 --> 00:45:29,220
everybody has to agree but what we can
1287
00:45:27,810 --> 00:45:31,290
agree on and this is pretty much the end
1288
00:45:29,220 --> 00:45:33,180
of this particular presentation we don't
1289
00:45:31,290 --> 00:45:35,160
really have a working solution yet and
1290
00:45:33,180 --> 00:45:37,140
the problem is not that we don't have
1291
00:45:35,160 --> 00:45:39,029
enough technology I don't have the
1292
00:45:37,140 --> 00:45:41,330
solution needless to say I'm probably
1293
00:45:39,030 --> 00:45:44,550
part of the problem as well but maybe
1294
00:45:41,330 --> 00:45:46,230
maybe if we start realizing what and who
1295
00:45:44,550 --> 00:45:48,600
and where the problem is actually
1296
00:45:46,230 --> 00:45:50,160
located we can kind of find out how to
1297
00:45:48,600 --> 00:45:51,430
get there and solve it because this is
1298
00:45:50,160 --> 00:45:52,690
what we need to do
1299
00:45:51,430 --> 00:45:54,430
and I think it's all of us that can
1300
00:45:52,690 --> 00:45:55,809
contribute to this not just a couple of
1301
00:45:54,430 --> 00:45:58,419
people not just academia not just
1302
00:45:55,809 --> 00:45:59,740
industry not just researchers and I
1303
00:45:58,420 --> 00:46:01,180
think we need to start by being honest
1304
00:45:59,740 --> 00:46:02,799
we need to either say alright I don't
1305
00:46:01,180 --> 00:46:05,470
want to fix it I'm fine with the status
1306
00:46:02,799 --> 00:46:07,150
quo I'm not complaining or judging as
1307
00:46:05,470 --> 00:46:08,470
mentioned but at some point it's going
1308
00:46:07,150 --> 00:46:11,140
to be fixed anyway and you need to rethink
1309
00:46:08,470 --> 00:46:12,609
your business model or you can say well
1310
00:46:11,140 --> 00:46:14,020
I do want to fix it and then I want to
1311
00:46:12,609 --> 00:46:15,940
explore what is afterwards what's
1312
00:46:14,020 --> 00:46:17,770
happening after that that's very interesting
1313
00:46:15,940 --> 00:46:19,599
let's meet let's discuss let's talk
1314
00:46:17,770 --> 00:46:21,700
about this let's together use Occam's
1315
00:46:19,599 --> 00:46:23,349
razor strip off all the nonsense
1316
00:46:21,700 --> 00:46:25,240
strip off all the bullshit and identify
1317
00:46:23,349 --> 00:46:27,039
the actual obstacle and then work on
1318
00:46:25,240 --> 00:46:28,390
this and create new post-cross-site
1319
00:46:27,039 --> 00:46:30,130
scripting security business models
1320
00:46:28,390 --> 00:46:31,960
because they exist there's still so much
1321
00:46:30,130 --> 00:46:35,230
more stuff to explore and it's getting
1322
00:46:31,960 --> 00:46:37,779
interesting so I think we can now
1323
00:46:35,230 --> 00:46:39,460
conclude and say cross-site scripting is
1324
00:46:37,779 --> 00:46:40,210
indeed dead we have everything that we
1325
00:46:39,460 --> 00:46:41,799
need
1326
00:46:40,210 --> 00:46:43,329
we just need to accept it for ourselves
1327
00:46:41,799 --> 00:46:45,520
we need to have the motivation to
1328
00:46:43,329 --> 00:46:47,020
actually pull it off to accept that it's
1329
00:46:45,520 --> 00:46:48,700
dead that we have all that is there as
1330
00:46:47,020 --> 00:46:52,140
we don't need additional technology and
1331
00:46:48,700 --> 00:46:54,939
that pretty much we're good to go and
1332
00:46:52,140 --> 00:46:57,129
now the only thing is if you want it
1333
00:46:54,940 --> 00:46:58,660
let's let's do it let's throw away all
1334
00:46:57,130 --> 00:47:00,520
the other garbage let's focus on solving
1335
00:46:58,660 --> 00:47:01,690
the problem identifying the problem the
1336
00:47:00,520 --> 00:47:03,400
ROI for the first or the right way in
1337
00:47:01,690 --> 00:47:04,900
the first place and if not then not
1338
00:47:03,400 --> 00:47:06,520
but then please don't stand in the way
1339
00:47:04,900 --> 00:47:07,990
of those who will because that's
1340
00:47:06,520 --> 00:47:11,559
actually quite annoying and that's
1341
00:47:07,990 --> 00:47:12,700
pretty much it so summary I think we
1342
00:47:11,559 --> 00:47:13,900
have all that we need we have all the
1343
00:47:12,700 --> 00:47:15,359
tools we have all the knowledge we have
1344
00:47:13,900 --> 00:47:18,549
all the research we know all the tricks
1345
00:47:15,359 --> 00:47:20,140
what we're lacking is the motivation and
1346
00:47:18,549 --> 00:47:22,390
we need to kind of get together and
1347
00:47:20,140 --> 00:47:23,859
build up this motivation and then we can
1348
00:47:22,390 --> 00:47:25,629
actually do this we can kill this and
1349
00:47:23,859 --> 00:47:28,049
maybe other attack classes if we solve
1350
00:47:25,630 --> 00:47:31,139
that thank you very much
1351
00:47:28,050 --> 00:47:31,139
[Applause]