We’re pretty sure we’re almost done and we’re definitely all present for the recording as we continue discussing PagerDuty’s Security Training, while Allen won’t fall for it, Joe takes the show to a dark place, and Michael knows obscure, um, stuff.

The full show notes for this episode are available at https://www.codingblocks.net/episode176.

Sponsors

• Datadog – Sign up today for a free 14 day trial and get a free Datadog t-shirt after creating your first dashboard.
• Linode – Sign up for $100 in free credit and simplify your infrastructure with Linode’s Linux virtual machines.
• Shortcut – Project management has never been easier. Check out how Shortcut is project management without all the management.

Survey Says

News

• Thanks for the reviews!
  • iTunes: YouCanSayThisNickname
• Game Ja Ja Ja Jam is coming up! Just a few days away! (itch.io)

XSS – Cross Site Scripting

• Q: What is XSS? A: XSS is injecting snippets of code onto webpages that will be viewed by others.
  • This can allow the attacker to basically have access to everything a user does or types on a page.
• Consider something like a comment on a forum, or blog that allows one to save malicious code.
  • The attacker could potentially access cookies and session information,
  • As well as gain access to keyboard entry on the page.
• You can sanitize the inputs, but that’s not good enough.
  • You can’t check for everything in the world.
• You really need to be encoding the stored information before you present it back to any users.
  • This allows things to be displayed as they were entered, but not executed by the browser.
  • Different languages, frameworks, libraries, etc., have their own ways of encoding information before it’s rendered by the browser. Get familiar with your library’s specific ways.
• User supplied data should ALWAYS be encoded before being rendered by the browser. ALWAYS.
  • This goes for HTML, JS, CSS, etc.
• Use a library for encoding because the chances are they’ve been vetted.
  • Just like we mentioned before, you still have to be diligent about using 3rd party libraries. Using a 3rd party library doesn’t mean you can wash your hands of it.
• Content Security Policy (CSP) is another way to handle this. (Wikipedia)
• OWASP considers XSS a type of Injection attack in 2021.

CSRF – Cross Site Request Forgery

• Q: What is CSRF? A: CSRF is tricking someone into doing something they didn’t want to do, or didn’t know they were doing.
• A couple of examples were given:
  • For example, set the img src to the logout for the site so that when someone visits the page, they’re automatically logged out.
    • Just imagine if the image source pointed to something a little more nefarious.
  • Another example is a button that tricked you into performing an action such as an account deletion on another site. Can be done using a form post and a simple button click.
• How do you avoid this?
  • Synchronizer token:
    • This is a hidden field on every user submittable form on a site that has a value that’s private to the user’s session.
      • These tokens should be cryptographically strong random values so they can never be guessed or reverse engineered.
      • These tokens should never be shared with anyone else.
    • When the form is submitted, the token is validated against the user’s session token, and if it matches, go ahead with the action, otherwise abort.
  • Again, there are a number of frameworks and libraries out there that have anti-forgery built in. Check with your specific documentation.
• They go on to say that anything that is not a READ operation should have CSRF tokens.
• NEVER use GET requests for state changing operations!
  • PagerDuty had a funny mention about an administrative site that included links to delete rows from the database using GET requests. However, as the browser pre-fetched the links, it deleted the database.
• OWASP dropped CSRF from the Top 10 in 2017 because the statistical data didn’t rank it highly enough to make the list.

Click-jacking

• Q: What is click-jacking? A: Click-jacking is when you are fooled into clicking on something you didn’t intend to.
  • For example, rendering a page over the top of an iframe, and anything that was clicked on that top page (that seemed innocent) would actually make the click happen on the iframe‘d page, like clicking a Buy it Now button.
  • Another example is moving a window as soon as you click causing you to click on something you didn’t intend to click.
• The best way to prevent click-jacking is to lock down what an iframe can load using the HTTP header X-FRAME-OPTIONS, set to either SAMEORIGIN or DENY. (developer.mozilla.org)

Account Enumeration

• Q: What is account enumeration? A: Account enumeration is when an attacker attempts to extract users or information from a website.
  • Failed logins that take longer for one user than another may indicate that the one that took longer was a real user, maybe because it takes longer as it tries to hash the password.
  • Similar type of thing could happen if customers are subdomained. One subdomain shows properly and another fails. This reveals information about the customers.
• These may be frustrating, as they pointed out, as you have to walk the line between user experience and security.
  • Just be aware of what type of data you might be exposing with these types of operations.
• Regarding logins:
  • If the user exists or doesn’t, run the same hashing algorithm to not give away which is real or not.
  • If a user does a password reset, don’t give a message indicating whether the account really existed or not. Keep the flow and messaging the same.

Resources we Like

• For Engineers – PagerDuty Security Training (sudo.PagerDuty.com)
• For Everyone – PagerDuty Security Training (sudo.PagerDuty.com)
• Cross-Site Request Forgery (OWASP.org, Wikipedia)
• About User Enumeration (blog.rapid7.com)

Tip of the Week

• CloudFlare let’s you deploy JAMStack websites for free using their edge network. (pages.cloudflare.com)
• Amazon has their own open-source game engine, Open 3D Engine, aka O3DE. It’s the successor to Lumber Yard, a AAA-capable, cross-platform, open source, 3D engine licensed under Apache 2.0. (aws.amazon.com, o3de.org)
• Let’s talk about CSS! Ever use border to try and figure out layout issues? Why not use outline instead? Thanks Andrew Diamond! (W3Schools.com)
  • We discussed a similar technique as a TotW for episode 81.
• Have you seen those weird mobile game ads? Click this link, maybe when you’re not at work, and embrace the weird world of mobile game ads. (Reddit)
  • Nostalgia for the 80’s? People have uploaded some of the tapes that used to play on the loudspeakers at US department store, K-Mart (Nerdist.com)
• OWASP publishes cheat sheets for security. (cheatsheetseries.owasp.org)