I wonder how many web security nerds even know how to do anything with XSS vulns aside from useless shit like alert boxes lol
``it's a proof of concept, use your imagination to figure out the possibilities for post-exploitation''
translation: how do i sploit xss? i dunno lol
Name: Anonymous 2018-05-31 20:50
You should only use cgis written in C.
Name: Anonymous 2018-05-31 21:59
>>3 Why would you mention C in a thread about security? U MENA RUST? muh memory safety
That being said, C and cgi are ancient as fuck. It's all about Node now, gramps.
I don't even know what security issues cgi/C stuff has, but it's so old that it's no longer relevant. Regardless of what you think about the current state of modern web development, the fact of the matter is that people are using shit like MEAN, so you need to keep up with current tech trends, even if you insist that older shit is better.
But then again, you were probably just joking and I'm probably just autistic, right?
Name: Super Hell!JM1IoNO1/U 2018-06-01 0:56
>>2 Say you have an xss. The "best" you can do I think is silently insert a script to keylog a user's input. This is better than stealing cookies, because their logins might be cross-tested on different sites and applications and pass, meaning you can get logins to many different things like social media and even bank accounts, if you get an email and password that they use for everything. (A "master key".)
You can even force them out of the website (they'll think it's a bug) so they have to login again. You log them off without changing the page, just by manipulating html elements, then insert an event listener on the input elements you've created or exposed, in such a way that they think the webpage is behaving normally and some sort of regular fault got them off of the service.
Name: Super Hell!JM1IoNO1/U 2018-06-01 1:06
Another alternative to xss is inserting these things in "popular addons" in Firefox Stores and such. These take time to verify, and you always catch something (I assume) before it is completely exposed, more so if your addon does in fact solve a problem or is functional. Just make sure to do the basics of protecting your identity and you can keep trying these and redoing them for literally forever (for some understood definition of literally and forever).
Name: Anonymous 2018-06-01 3:21
>>6 Most normies either use Chrome (desktop and mobile) or Safari (on iOS) though. Firefox is dying slowly but surely.
Name: Super Hell!JM1IoNO1/U 2018-06-01 17:17
>>7 I think chrome desktop supports addons/extensions, so it's basically the same thing. Unless they sandbox it efficiently, or implement it differently.
Name: Anonymous 2018-06-04 7:01
>>2 I don't do security on web (I'm more of a low-level buffer overflowing kinda guy) but if I had an XSS vuln I'd just use it to mine cryptocurrencies, that has the best effort-to-profit ratio
Name: Anonymous 2018-06-04 9:05
>>5 what if instead you show an alert popup that says ''haxx0red!!'
Name: Anonymous 2018-06-04 9:08
what if it showed you an alert which checked your're are dubs?
Name: Anonymous 2018-06-07 17:25
If a site has rate-limiting for login attempts, you can just rotate VPNs or Tor exit nodes to get more attempts. So how would a web developer make their site safe from these kinds of attacks? Getting around rate limiting, that is.
>>14 But then you can just lock people out of their accounts by making a bunch of incorrect login attempts. Or is that more desirable than the alternatives?
Name: Anonymous 2018-06-08 2:14
my girlfrend make out my phone rigns I anser it yet dad is ded but who was phone?
Name: Anonymous 2018-06-08 18:55
Anybody here know anything about XML External Entity Processing (XXE)?
I learned JSON instead of XML in uni because XML is older/outdated, but it seems interesting from a security standpoint.
Name: Super Hell!JM1IoNO1/U 2018-06-10 15:43
>>12 Profiling, treating login attempts like spam. It's what google does with their search requests, no bots pass, and sometimes it catches people too.
protip: college isn't just about learning programming, it's also about meeting people to work on projects with and network with and all that good stuff
can't do that using www.gaymediocrefreecodeschool.cum
Good for you. Still doesn't invalidate what I said.
No, it isn't.
You're completely wrong on that.
College is useful for meeting people, is it not? To say that you can learn computer science outside of college doesn't mean college isn't worth it. Maybe you're jaded since you're probably drowning in debt from undergrad and a master's and a PhD, but so far my undergrad experience has been great. I've studied abroad and met tons of people and worked on websites and apps with cool people I never would have met otherwise. Can't do that with man pages or Youtube tutorials. Sure, there's Meetup or Craigslist, but they kind of suck by comparison.
>>23 How are data formats not related to programming? Ever made a Node backend? Express and Mongoose and JSON schema and all that. That actually is programming. The way you structure your data affects how you program shit.
Programming is more than just opening an IDE and writing some gay Lisp code. Programming is changing, gramps.
>Good for you. Still doesn't invalidate what I said.
It does actually. You claimed that I have no degree.
>College is useful for meeting people, is it not?
Yes, meeting professors if you want to go to academia afterwards.
>and worked on websites and apps with cool people I never would have met otherwise
IRC, FOSS communities, etc..
Name: Anonymous 2018-06-10 20:36
Welp. Mr PhD over here has a PhD, therefore you can't meet people in college. And meeting people in college isn't important. QED. I've been owned by that flawless logic. Clearly only a highly intelligent person with a PhD could construct an amazing argument like that.
A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 2^18 time. This attack runs in less than a second on a regular computer.[2] MD5 is prone to length extension attacks. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
Name: Anonymous 2018-06-11 2:04
>>30 so basically, the good thing about md5 is that it's a quick checksum algorithm -- making sure file transfers didn't fuck up, or things like that -- areas in trust zones where you're not concerned about security because something else handled security beforehand
the bad thing is that it's too quick for security
the large checksum collider
I'm assuming "length extension attacks" means padding a file to get one checksum to be identical to another, due to the pigeonhole principle
Name: Anonymous 2018-06-11 2:20
An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per second.[19]
MD5 uses the Merkle–Damgård construction, so if two prefixes with the same hash can be constructed, a common suffix can be added to both to make the collision more likely to be accepted as valid data by the application using it. Furthermore, current collision-finding techniques allow to specify an arbitrary prefix: an attacker can create two colliding files that both begin with the same content.
The non-linear function has only a 32-bit output, so it's more like four 32 bit hashes chained together
Name: Anonymous 2018-06-11 2:23
>>32 Remember when the Q6600 and 8800GT were /g/'s official hardware recommendations?
I never had an 8800 Ultra, but I did have an 8800GTX.
Damn, I'm getting old. Where did the time go?
Name: Anonymous 2018-06-11 2:43
lol Aand, the non-linear function is compressing at 4:1 (5:1 counting the input), so there will be 2^96 colliding input states for a given 32 bit output
you could probably just drop a block of input and it would be secure enough, given it isn't used for anything too sensitive or valuable
Name: Anonymous 2018-06-11 3:28
Wait, no, it's already 3:1, and 2^64.. And only using a weak non-linear function(s)
>I'm assuming "length extension attacks" means padding a file to get one checksum to be identical to another, due to the pigeonhole principle
no, that would be 'collision'. length extension is for situations in which someone makes a pseudo-HMAC by concatenating a message with a secret key and hashing that. in theory, you shouldn't be able to modify the message because you wouldn't be able to recalculate hash, but you actually can find hash of secret key + message + your message in some specific hashing functions (mostly the ones based on Merkle-Damgard)
H(b, c, d) = b xor c xor d
I'm pretty sure that's not even nonlinear, and the others are all similarly bit-aligned
And then it does three consecutive additions mod 2^32, which should cancel to one addition?
Finally, a rotation and another addition
Not sure if replacing the block C input with a constant will actually help all that much, but maybe a little
Name: Anonymous 2018-06-11 10:37
Uhhh... can't you just create collisions directly through the mod 2^32 input addition though..?
>>29,30 It only has some collision attacks, it does not have any important preimage attacks.
Name: Anonymous 2018-06-11 13:16
Hardened Md5-2 Drop the block C nl input, and xor the data input into state C
inb4 collisions everywhere
Name: Anonymous 2018-06-11 13:30
>>41 are you actually trolling? there's no need for better-than-bruteforce preimage attacks when bruteforce is fast as fuck.
Name: Anonymous 2018-06-11 13:31
collide with my dubs!
Name: Anonymous 2018-06-11 13:33
\(H(10, H(10, H(00, i_0) \oplus H(01, i_1)) \oplus H(11, H(00, i_2) \oplus H(01, i_3)))\) for H = chacha12 or whatever
Name: Anonymous 2018-06-11 13:36
Good luck brute-forcing \(2^{123}\) md5 evaluation in order to achieve a preimage within this aeon. You know that this is similar to the security provided by AES 256, right? Edited on 11/06/2018 13:37.
>>43
Good luck brute-forcing \(2^{123}\) within this aeon. You know that this is similar to the security provided by AES 256, right?
Good luck brute-forcing \(2^{123}\) md5 evaluation in order to achieve a preimage within this aeon. You know that this is similar to the security provided by AES 256, right?
>>48 on the other hand, I hope you do work for security-related stuff and put that 'secure' MD5 everywhere. its's is just like AES!
Name: Anonymous 2018-06-11 14:24
Ah, so it does do four rounds of each input, lol It'd be swiss cheese otherwise
Name: Anonymous 2018-06-11 14:47
>>49 You are on a web security thread, how can you not know the difference between preimage and collision attacks? And how can you claim that brute-forcing through a \(2^{128}\) sized-set be fast? Sure, tell me how in this case it is less safe than AES.
Name: Anonymous 2018-06-11 18:23
>>21 What type of people should one befriend, and how? Extroverted looking people, by means of kindness and cock sucking?
How? Food, drinking, clubs, group projects, study groups, etc. I have met friends while studying abroad (other people from the same uni who were studying abroad with me). I have gotten close to a few professors. I hang out with my coworkers. I still stay in touch with old high school friends. I go to events on campus. I go to meet ups and user groups. I meet people on Twitter and in my uni’s slack team and we get together for extracurricular stuff or studying for tests.
People I meet introduce me to other people. I have made apps and websites with people. I go to the gym with my friends. I have roommates. I move every now and then and get new roommates.
I use most major social media platforms. I invite people to hang out using group chats. I add people even if we’re not really close. I come up with group projects we can do, instead of just hanging out and talking and doing nothing. I go out to eat a lot. I study in the library instead of my apartment. I join clubs, even if I quit them later. I email people even if there isn’t much of a chance of it leading to anything.
I even get invited to parties every now and then, though I am far from a social butterfly. I am not the life of the party and sometimes I am awkward. But I still put myself out there.
I am going to start teaching someone web development soon. I talk to people in my classes. I ask questions in my lectures. I go to office hours.
All these opportunities were possible thanks to me going back to college. But you can still do some of these things even without college. It’s harder though. College makes it easy to make friends and useful acquaintances. It’s not just about learning differential equations and object oriented programming and databases and shit. The social aspect is the most important for your career and personal development.
I would not describe myself as extroverted. I think I am rather quiet and reserved. But you have to put yourself out there, even if it’s uncomfortable. Sometimes, you will meet extroverted people. But sometimes it’s useful to get close to introverted people too, due to their skill sets or connections. I fail with my social interactions sometimes. Some people don’t get along with me, some people think I am awkward. But fear of failure can’t hold you back. That is way too self-limiting.
No man is an island. We are not lone wolves. We need to be a part of some kind of community, or even multiple communities.
Name: Anonymous 2018-06-11 20:00
I also give people rides or help them with things if they need it. People remember things like that.
>No man is an island. We are not lone wolves. We need to be a part of some kind of community, or even multiple communities.
Everyone's expendable and no-one has a real friend. I believe at heart everyone's a killer.
Name: Anonymous 2018-06-11 22:59
*pukes*
Name: Anonymous 2018-06-12 6:31
>>51 here's a thing: preimage resistance doesn't mean much in the context in which MD5 was used. if you have a database full of MD5'd passwords, just being able to quickly but non-exhaustively bruteforce short ASCII strings is enough to extract a lot of cleartexts (it wouldn't be if people used truly random and unique passwords, but this isn't realistic unless everyone uses a password manager). that's why we use dedicated password hashing algorithms.
>preimage resistance doesn't mean much in the context in which MD5 was used
Preimage resistance means a lot actually.
>just being able to quickly but non-exhaustively bruteforce short ASCII strings is enough to extract a lot of cleartexts
MD5 Don't use shitty short passwords? You only need 20 characters (0-9a-zA-Z) to reach 128 bits of security. In fact, if your hashed password has been leaked, what is the point of protecting the actual password? Chances are that the rest of the information about your account have been leaked and tampered with. This is why you should use public key authentication instead.
the other way people used MD5 in crypto was in certificates, and this was obviously vulnerable to collisions
Collisions in certificates only matter if you need to sign someone else's data (such as in OpenPGP and in cases with CAs). It is not an issue if you are a CA and you generate the certificate yourself, it is not an issue if you use OpenPGP + MD5 and never sign other people's keys, it is not an issue if you use a self-signed certificate.
The issue here was that the generated certificate was attacker-controlled (a common issue when you rely on a 3rd party CA) and was signed by MS afterwards. We know that MD5's collision resistance is broken so it was a stupid move by MS to use it for something that needed collision resistance.
Meanwhile MD5 is totally safe for things like self-signed certificates and password hashing. It is also safe if used with any algorithm that only needs preimage resistance such as Ed25519 or SPHINCS(+).
>Don't use shitty short passwords? You only need 20 characters (0-9a-zA-Z) to reach 128 bits of security.
when you have to use 56789 different passwords with 242475889 different retarded rules about what constitutes a valid password, some of them will end up short and shitty unless your're are using a password manager. but that has some usability-related caveats too.
>In fact, if your hashed password has been leaked, what is the point of protecting the actual password? Chances are that the rest of the information about your account have been leaked and tampered with. This is why you should use public key authentication instead.
most places on the internet and even on the corporate intranets don't use pubkey though. mym'am SSH on a remote server does, but how many things accessible through a browser have that option?
>Meanwhile MD5 is totally safe for things like self-signed certificates and password hashing. It is also safe if used with any algorithm that only needs preimage resistance such as Ed25519 or SPHINCS(+).
I'd rather use specialized password-hashing functions which were designed to be bruteforce-resistant. scrypt, bcrypt, argon2. in fact, their're are also pretty good for generating symmetric keys from passwords
The only caveat is that some sites do not let the firefox password manager work correctly because they think that they are smart or some shit.
>most places on the internet and even on the corporate intranets don't use pubkey though
They should then. We should make password authentication as insecure and painful as possible so they end up forced to use pk authentication.
>how many things accessible through a browser have that option?
Until very recently client-side certificates in TLS leaked shit like username and other stuff. I suggest we purge TLS once we make the move to client side public keys.
>scrypt, bcrypt, argon2
All except script and pbkdf2 are cancerous shitware, the mainstream argon2 implementation does not even follow their own standard and ends up with a different result. Not to mention that there are outstanding security issues with it for years that were ignored by its creators. Not to also mention that it uses BLAKE2 which is yet another Zooko scamware and downgrade from BLAKE or SHA-3 and other Keccak/sponge based constructions.
bcrypt.. do people still use that in this day and age?
As for script and pbkdf2, you can use MD5 with them.
MD6 would have been good because merkle trees are good, I love trees, I breed with trees. Non-parallel constructions like MD are shite and spread AIDS. They are the reason why we have length extension attacks. Yet we are stuck with these.
>The only caveat is that some sites do not let the firefox password manager work correctly because they think that they are smart or some shit.
the other caveat is that you need to have an OS running to run a password manager, so you need a separate password for OS and/or for disk encryption. my employer has bullshit rules for domain password, which is obviously used for the OS, and I don't think there's a good way of using a manager for that
>Until very recently client-side certificates in TLS leaked shit like username and other stuff. I suggest we purge TLS once we make the move to client side public keys.
I agree, TLS is shit.
>As for script and pbkdf2, you can use MD5 with them.
but why not use sha3 with them?
>so you need a separate password for OS and/or for disk encryption
OS/Disk encryption does not provide authentication - that will not protect you from software nor hardware keyloggers. This is one more reason why we should move to pk crypto.
>but why not use sha3 with them?
Performance or compatibility reasons? I would not know, I use PBKDF2 with 2^16 rounds + SHAKE256 for mine.
Name: Anonymous 2018-06-12 9:29
>>62 OS/Disk encryption still requires a way to input the key, and having key derived from a password through a password derivation function is a decent enough compromise
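The password-storage and key-derivation points argued over in the posts above, as an added example that is not part of the thread: an unsalted MD5 hash next to a salted scrypt record with constant-time verification, plus the same function used to derive a symmetric key from a password. The record format, function names and cost parameters are assumptions made for this illustration.

```python
import base64, hashlib, hmac, os

# Assumed scrypt cost parameters for this example; tune them to your hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024

def _scrypt(password, salt, n=N, r=R, p=P):
    """Memory-hard derivation; each guess costs about 16 MiB and many hash calls."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=32)

def md5_unsalted(password):
    """The legacy scheme discussed in the thread: one fast, unsalted hash."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password):
    """Return a self-describing record: scheme$n$r$p$salt$hash (hypothetical format)."""
    salt = os.urandom(16)                  # per-user salt defeats precomputed tables
    dk = _scrypt(password, salt)
    enc = lambda raw: base64.b64encode(raw).decode()
    return "$".join(["scrypt", str(N), str(R), str(P), enc(salt), enc(dk)])

def verify_password(password, record):
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt, dk = record.split("$")
        if scheme != "scrypt":
            return False
        salt, dk = base64.b64decode(salt), base64.b64decode(dk)
        candidate = _scrypt(password, salt, int(n), int(r), int(p))
    except ValueError:                     # malformed record or bad parameters
        return False
    return hmac.compare_digest(candidate, dk)

def derive_disk_key(password, salt):
    """Same function as a KDF: password + stored salt -> 256-bit symmetric key."""
    return _scrypt(password, salt)
```

Two users with the same password get identical `md5_unsalted` values but different scrypt records, so one cracked hash does not reveal every account that reuses it.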