
Whose Input Is It Anyways?

BSides Leeds, 26:45, 145 views, published 2023-07
Style: Talk

Transcript [en]

So, first of all, I just want to... yeah, this talk is called "Whose Input Is It Anyway", so if you're in the wrong talk you can start leaving now. The story that named this talk: this talk came about because I was working as an application security specialist for a company, and what that meant was that in my office (I work in Amsterdam, where I worked in Amsterdam) if an incident happened to anything that one of the teams in the Amsterdam office worked on, they would come to me and then I would help coordinate that team's fixes. I would also kind of make sure the whole teams were doing security training, or kind of understanding security, trying to make sure that all of our engineers are secure.

So we received a report of an XSS on one of our customer support pages, and customer support was based in Amsterdam. I get sent the link: "hey, can you verify this, is it real, we don't know what the hell XSS is, does it work, if it's a problem, coordinate a fix." And I looked into it; it's a reflected XSS on a thank-you page. So customers send in a message, we say "thanks for the message, we'll respond to you in a couple of days", let's say. And so I've got to validate it and liaise with the engineering team.

And so, just for a stupid bit... oh, it's not going to show up on that screen, so I'm going to pull that across. Let's say that there's a web page here. I'm not going to code up the actual web page, but there's a web page here, I'm serving it on localhost, /thanks with a language code on it. And language codes are fairly common when you've got multinational websites, because, you know, we present a bunch of languages, you say "hey, actually I need this language to be French", and then I'm going to call an API and it's going to get all the translations of the strings that should appear on that page, but the French versions of it. And so, well, I validated that the XSS works; it was the lang parameter.

But when you're validating things like that, you always get given alerts, and those are really boring and I hate those. And I just realized this demo won't work because I'm not actually connected to the internet and I forgot to do it, but you'll have to trust me. If you are in the position where you have to show off to an exec that there is an XSS on one of your websites, look into a website called Cornify. Cornify provides you with a JavaScript API, and every time you call it, it will put another unicorn on the screen, and then another one. And this script here basically just sets it to put a new unicorn on the screen every five seconds. It's very "Hackers" 1995, but execs get that; they understand that that's really bad if there are unicorns popping up all over their nice screen that they spent, you know, years or thousands in engineering costs on. So rather than just alert(1), get yourself a Cornify script and put that in your payloads where possible. This one was really easy because I could literally put as much as I could in.

So at this point, you know, I've confirmed that the XSS is a problem. But, you know, my job is more than that. My job is not just saying "ah, there's a problem, blah blah blah"; it's why did that problem come into place, what are the procedures that we were lacking as a company that led to this problem existing, you know, tools or anything like that, because we need to fix that to make sure it doesn't happen again. So I'm gonna start digging around in the code base, because never trust an engineer, trust the code first. And I kind of find something that looks like this in the code base, and this is kind of classic PHP, unfortunately: there's some HTML above it, there's a script tag that gets opened, and then they put in a language parameter. They take whatever was in the GET parameter lang, slap it between quotes in the script tag, and go "fine", straight into your script tag. Hopefully you all realize why this is really problematic, and the stupid amount of problems there are with this. But, you know, hey, why did this happen? Why did someone think that this was acceptable?

So I go and find the person. git blame is a thing. And I want to talk to them first, as opposed to their team, because maybe there's something really embarrassing that I have to talk them through first before I do a wider lesson. So I asked them: why was it coded like that? What is the thing that you were trying to achieve? And they say, well, it's so that we can display the page in the user's language as they were navigating; you know, we need to maintain English, French, Portuguese. Okay, yeah, but why were you putting the language parameter straight into a script tag? You weren't filtering it, you weren't DOM-sanitizing anything? No, no filtration, no checking. You know it's a country code; did you at least check it was two letters only? "Well, it's not user input, is it? We've set it during navigation. This is a 301 redirect: when you submit your post, we send a 301 redirect, we put the lang parameter in as whatever the customer's account is set to. It's not user data."

Well, so whose input is it anyways? And that's really what kind of made me understand that, especially as security people, we have to recognize where our language is not effective for other people who have different understandings of what that language means. So always remember: language is communication, not code. The meaning of what you say is more important than how you say it. I don't care if you use incorrect grammar when you're saying something, as long as the meaning is put forward, and that's the real thing we need to care about. So when I'm saying to someone, or when you're teaching people in engineering, you're saying "hey, remember to always validate and sanitize user input; you know, OWASP Top 10 says injection is a bad thing, so you always sanitize and validate user input wherever possible."
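The following PHP is an added example, not code from the talk or from the speaker's company. It reconstructs the pattern the speaker describes (the lang GET parameter written between quotes inside a script tag) next to a hardened version that does what the speaker asked the engineer about: check the value is a two-letter code from a list of supported languages, and encode it for the script context anyway. The function names, the SUPPORTED_LANGS list and the constructed request are assumptions for the demonstration.

```php
<?php
// Added example (not the talk's own code). Reconstructs the vulnerable
// PHP pattern described in the talk and a hardened version beside it.
// Function names, the language list and the sample request are assumed.

declare(strict_types=1);

// The 'before' pattern: whatever arrives in ?lang=... lands inside the
// <script> tag between quotes. Nothing is checked or encoded, so a value
// that contains a quote closes the JavaScript string and the rest of the
// value runs as script. It makes no difference that the server itself put
// the parameter into the URL during a 301 redirect: the browser sends
// whatever URL it is handed, so the value is still under user control.
function renderThanksPageVulnerable(array $get): string
{
    $lang = $get['lang'] ?? 'en';
    return "<html><body>\n"
         . "<script>var lang = '" . $lang . "';</script>\n"
         . "<p>Thanks for your message.</p>\n"
         . "</body></html>";
}

// Hardened version, two independent layers:
//  1. Validate: accept only a two-letter code that is on the allow-list of
//     languages the site actually ships; anything else falls back to the
//     default instead of being echoed.
//  2. Encode for the context: even the accepted value goes through
//     json_encode with the HEX flags, so it cannot break out of a JS string
//     or close the <script> element if the allow-list is ever widened.
const SUPPORTED_LANGS = ['en', 'fr', 'pt', 'nl'];   // assumed set for the example

function resolveLang(?string $raw): string
{
    if ($raw !== null
        && preg_match('/\A[a-z]{2}\z/', $raw) === 1
        && in_array($raw, SUPPORTED_LANGS, true)) {
        return $raw;
    }
    return 'en';
}

function jsStringLiteral(string $value): string
{
    // json_encode yields a double-quoted JS string literal; the flags encode
    // < > & ' " as \uXXXX escapes so the output is inert inside <script>.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderThanksPageSafe(array $get): string
{
    $lang = resolveLang($get['lang'] ?? null);
    return "<html><body>\n"
         . "<script>var lang = " . jsStringLiteral($lang) . ";</script>\n"
         . "<p>Thanks for your message.</p>\n"
         . "</body></html>";
}

// Constructed request standing in for the reported /thanks?lang=... URL:
// the value closes the string literal and appends its own statement.
$constructedRequest = ['lang' => "';alert(1);//"];

echo renderThanksPageVulnerable($constructedRequest), "\n\n";
echo renderThanksPageSafe($constructedRequest), "\n";
```

Run with `php thanks.php`. The first page contains the constructed value verbatim inside the script tag; the second rejects it at the allow-list and emits the default language, and if a value such as "fr" is passed instead, it appears as a properly quoted literal. The point for the engineer in the story is that the check sits on the value itself, regardless of whether a redirect or a person typed it into the URL.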
You're thinking to yourself: any user, any data that a user has influence on. And also, because you're a security person, you're not just thinking users: malicious users, attackers, some random script kiddie somewhere out there, anything someone external to your company can influence. Well, the dev just hears "anything that a user types in, that's user input; I don't see why anything else is." You know, again, the server set that URL when it was redirecting. And then you've also got to understand that the devs don't necessarily understand what is vulnerable, and they will have a lot of pressures within their scope, so they might not understand the full context of the attack that you've just told them.

So this XSS was on the thank-you page, and the customer support person, the engineer who had coded that page for customer support, was saying, you know, "well, what does it matter if someone gets an XSS on the support pages? They don't get access to the back-end database, and it's just a reflected XSS, it just presents to the user as something else. They can deface it, maybe they can throw some unicorns on it; is that a business impact?" Well, it is, because then I had to explain to them: yeah, but I can rebuild our login page inside this page now, and it's being served from our domain. So I send someone a link to mycompany.com, it's on the mycompany.com domain, and it shows up with a login screen that looks exactly like the normal login screen, from the same domain, all of the browser indicators are the same. So they type in their credentials, and it ends up being an attack on some other part of our company, but through their issue. And the other thing they said was that, you know, users don't see this page unless they've sent a message to us; it was the last page in a journey. Well, they couldn't really comprehend the idea that someone would just take the URL as is and send it to someone, just as I'd sent it to them in Teams: "this is the link, if you click on it, you get to it." You don't have to go through the whole journey where you post the message first; you can just access that page.

But, you know, you're telling devs what is vulnerable, and often we fall back on very easy things. If we're in security, what are we going to tell people when there's, you know, "hey, we've got to do some security training"? Well, we're going to tell them: OWASP Top 10, learn that, you're secure, right? This covers the attacks that happen all the time, these are the things that are really causing us issues, learn that and devs will be secure. Well, there's a lot in there, especially when we look at how we've been folding more and more things into certain categories. What we just talked about, the XSS, was injection. Injection also has SQLi; that's a completely different style of attack to what XSS is. Injection also has command injection. None of their work would have been impacted by SQLi or command injection. So if they're looking and they say "oh, I'm looking at the injection attacks", there's a lot of content in injection attacks, learning about how to prevent them, that wasn't relevant to them. Maybe there was a sentence down at the bottom that said "oh, by the way, XSS"; well, ideally there's more than that, but you've got to understand that out of the scope of just injection, they had a tiny bit that was actually relevant to them, and maybe they missed it.

And you might be saying to yourself, well, it's okay, you know, we've got OWASP Top 10 training, and we have training that repeats every year, we have some product where, you know, you join the company, you have to have certified yourself in a self-study course. In my experience, self-study courses are rarely effective at fighting misconceptions. Someone comes in going "I know injection attacks, they're that thing where, you know, you hack into a database because you put in a wrong apostrophe, or you make it sleep for a while." They know what injection is, so they go "yeah, yeah, injection page, skip to the next bit of it, let's look on to the other bits that I don't know yet." You're not fighting those misconceptions if people can skip over things. And often I find instructor-led training is better for that, because people can ask questions. They can be like "hey, does this also cover that?", or "you know, is this also a problem? What about if they've got a different web browser?" They can ask these weird questions, but that really helps them understand the nuance of what you're telling them: it's not just user input, it's malicious users; anyone can be a malicious user, anything can be changed. And if you want to understand a bit more about, you know, bad mandatory training, I've done a talk (well, I've done a talk, but the slides are available) called "Confessions of a Software Dev", where I talk about how, as a software dev, I have ignored training, or how I've got around requirements that have been set for me because it's just not worth my time, right? It's not just me; it's a collection of stories from a bunch of people.

Well, what are we going to do as security people? And what I want you to kind of take away is to be more aware of what it's like to be an engineer in a company, and not just a security person, because when I moved into security I found that a lot of people had some engineering background, or maybe from a while ago, or maybe they never came in from that; maybe they came in from a completely, you know, different set of things, and they never worked in a corporate environment with the pressures and struggles of engineers, let's say. So let's go for a classic one that people like to laugh at, including myself: front-end devs. They are the shittiest of devs. I have been a front-end dev, so I can say that. I moved out of it as soon as possible. But a good front-end dev, and I will say not all of them look at all of this, but a good front-end dev cares about accessibility. They're checking every web page: does it have the right ARIA tags, does it have the right alt texts on things, have we got good contrast between elements? You're making sure things aren't flying in. How is this built so that screen readers can read it correctly? Right.

Well, they also have to care about customer experience. Research shows that if a page takes more than a second and a half to load, you drop off a whole bunch of traffic, so you need to be presenting something for the user to engage with as fast as possible. And if you're typing into a search box and you type and then the letter appears later, you're going to be infuriated, you're going to think it's crashed. Again, we care a lot about input latencies. We have to care about browser automation testing; the previous speaker was talking about browser automation. If you're a front-end dev you have to make sure everything works, everything clicks; you have to learn a completely separate method of testing the web page you just built. See, that's another thing you have to learn about. If you've worked in a bank, you have to care about Internet Explorer 7 for some reason. But all the time there are browsers coming out with new APIs, new things that are happening; there's this new thing in CSS styling that you now have to rebuild your web page for, because we don't use tables for layouts anymore. Please don't use tables for layouts. You've got to make your design cohesive, responsive as you move around your screen: as the person clips it to the right side of their screen, the browser looks different, and the web page has got to still be accessible. Every single API that your front end calls has a way it fails, and they have to know about every single way in which it can fail, because if it fails and the website stops working, customer support calls come in and you get blamed for the fact that, you know, some other person's API started throwing 500s because they didn't scale up correctly. But you have to know that, and you account for that in your front-end building. And then you have to care about security. After all of that, you've also got this other part of your job that wasn't what you signed up to be a front-end dev for, telling you "hey, by the way, also there's this other thing", but also there's a whole bunch of other things there.

And one of the ones I want to call out in particular is incidents from teams. As someone who's worked front end, and who then worked in authentication for the back-end APIs: if anything goes wrong on your website, you as the front-end team are the first people to be called out, and your job basically becomes "find out whose API failed", and actually say "that team failed; the subscriptions team is failing at the moment, it's not our fault." So a front-end dev actually has a lot of frustrations from just other teams' failures coming through them first, even though, again, it wasn't their job.

Recognize the proficiencies of different people, and even something that you take for granted: a lot of people will assume everyone else has knowledge like them. Recognize that your experiences are unique to you, and you are the only person who's ever had that chain of experiences in that particular order. There's a great XKCD comic that says, you know, there are 30,000 people every day who are discovering that new thing that everyone should know before they're 30.
Right, knowing what to Google is a skill. Often times, being in security, knowing what phrases are going to go into the search box to get you the information you need is the thing you need to do. And if you're a dev that doesn't really understand security, you're just like "alert(1) is being popped up on my screen, how fix, what is that?" There's a security person; you go "oh yeah, reflected XSS, and they were using PHP, is there a DOM sanitization API for PHP, something like that." And even experts get security wrong; like, we've seen Heartbleed and various other kind of high-profile security products with issues. So don't blame anyone for getting security wrong, right? Only when you know the questions do you know the answers to things, and that's the first step that you have to get into engineers: having them be able to ask the right questions.

So I already mentioned that all of your experiences are unique, and if you're sitting in this room and your team isn't, then chances are you're the security person for your team. I don't care what job role you're in, but if you're the person that's here and your team isn't, you're probably the person that people go to for security questions. You're the person that people go to with "hey, something went weird" or "hey, I've got this idea for how we can make things better"; they might ask you first. And let's acknowledge that, let's take on that responsibility. And so I want to give you some ideas on what you can do, things that I found effective.

So one of the things I've absolutely loved doing, and one of the things I found really effective, is supporting people who are pretty good. So you're in this room and people come to you with an idea. Let's say, for example, I had an engineer in my previous company and their team was being asked to implement something to protect media that was being streamed, and they had been asked to put in some watermarking systems. But they thought it would be much more effective if we really solidified down our player systems on browser, and they wanted to kind of push the business talk away from this watermarking system, which was just going to be like an HTML overlay. They said that's not going to be effective, what we really need to do is something more like this, but they didn't feel like they had a voice to say that to the business people: "you know, they're not going to trust me, I'm just an engineer, they think I'm trying to get rid of the boring work and do the fun work that I want to do." So he comes to me, because I'm a security person, and he talks me through the concept of what he wants to do, and he's asking for acknowledgment. And I say, yeah, that's actually a great idea, you know, here are some extra things you can mention as to why what they're trying to do is problematic. But I said at the end of it: let's go into a meeting with you, your team manager and whatever business owner we have. You lay out the plan, and all I will do is say yes, and if anyone asks me a question I will probably just repeat what you said, but I'm just gonna say yes. I'm not gonna present this idea; this isn't mine, this is your idea. And after that meeting that person feels really confident: they came up with a security thing, they can do security, they didn't train for it, but they know, hey, this was validated. Everyone in the team knows that that person had good security ideas, so now no one has to come to me from that team; they can talk to that person who's already there, that they work with day to day. And just leveraging your position as the security person doesn't have to mean you step in and fix everything. It can just mean you support other people who already have good ideas, and ease your own load, right? I no longer have to care about that team for a while because they can talk to that dude.

Maybe you're working in a bit more of a big corporate scenario and you're looking for, you know, "hey, I need something that's written on a month-to-month basis", or, you know, something that happens regularly that we can write in our audit reports, that we do this. And so this is what I've typically found effective: security champions. Hopefully it's a system you've heard of. So the idea here is that every team has to either assign, designate or elect a person who is the security champion for their team. That person becomes the main channel of contact into and out of that team. If the team has concerns about something they want to implement, or they want to get some more expertise on something, that person is sitting in on every team meeting, because they're part of the team, and channels that back to security; maybe asks "hey, can we get some budget for this" or "we want to do this"