0:00:26
hey everyone welcome back to uh
0:00:30
build break and fix with your raw coders
0:00:33
tinashe and tori today
0:00:36
um how are you feeling tori
0:00:38
feeling pretty good how about you tinashe
0:00:41
yeah feeling good man
0:00:42
um yeah we hardly get to the show
0:00:56
and i was trying to figure out
0:00:58
oh how do i spell that how do i spell
0:01:09
that's what my autocomplete told me okay
0:01:14
let's listen through it
0:01:18
uh where's zayn um
0:01:21
zayn is uh i think he's busy tonight so
0:01:25
yeah so sorry jumped in thanks to that
0:01:32
so i'll just run the acknowledgement of
0:01:37
i begin today by acknowledging the
0:01:39
traditional custodians of the land on
0:01:41
which we gather today and pay my
0:01:43
respects to the elders past present and
0:01:45
future i extend their respect to
0:01:48
aboriginal and torres strait islander
0:01:59
i'll chuck on some music as well
0:02:02
what are you what are you thinking today
0:02:04
uh sorry what sort of music you want to
0:02:06
pick a letter or do you want to just
0:02:22
all right rock it up rock and roll
0:02:27
that's a tasty rip
0:02:38
you're probably more up to date than i
0:02:40
am what i what have we got today
0:02:55
we were about to test the websocket ping
0:02:59
pong like heartbeat implementation and
0:03:05
was about to deploy it but then it was
0:03:07
already late so we just
0:03:15
okay wow you guys already
0:03:19
if you want to we could take today and
0:03:21
do something else if you want
0:03:24
it could be wild now
0:03:34
i have nothing in mind so
0:03:40
i am very interested as to how gekko did
0:03:42
those attacks though if uh
0:03:46
you want to look into that then
0:03:49
uh yeah for sure man um let's do it
0:03:54
cool that's that's interesting
0:03:56
that's yeah that's very interesting to
0:04:01
um hey guys dave by the way
0:04:03
yeah hey thanks for joining
0:04:09
is that site up right now tori i believe
0:04:13
it is down but i'm not sure i think zayn
0:04:27
uh yeah it's it's it's down
0:04:32
maybe maybe he just put the
0:04:36
bucket to private or
0:04:38
unshared it i don't know
0:04:44
i can't even share my screen tory
0:04:46
because of that that issue that zayn and
0:04:48
i have being on the mac
0:04:51
oh zane managed to fix it i don't know
0:04:54
yeah you just have to restart uh so you
0:04:56
have to go into settings and then untick
0:04:59
it tick it back and then restart google
0:05:01
chrome i can do that if you like or did
0:05:02
you want to up to you if you want to
0:05:04
share your screen you want to
0:05:07
do it go for it i'm happy either way
0:05:12
um in that case give me
0:05:29
so when are you when are you heading out
0:05:31
on on on wednesday is that your last
0:05:34
yeah yeah that's right cool it's
0:05:36
definitely last show nice
0:05:40
i heard you planning to
0:05:43
to do a stream on your own is that
0:05:50
maybe sometime later but i'm i'm not
0:05:53
planning anything in the near term
0:05:59
if you're thinking i will definitely
0:06:01
invite you on though
0:06:05
i'll be glad to come on man
0:06:08
will it be same sort of style
0:06:10
building a project or
0:06:16
probably just like
0:06:19
if if i was gonna have a show
0:06:24
then i don't know i would probably just
0:06:26
do different formats
0:06:28
just like different
0:06:30
maybe one day building a small project
0:06:34
maybe there's a bigger project
0:06:38
but i don't think i would continuously
0:06:40
build like a very large project i'd
0:06:42
probably just do like lots of little
0:06:44
stuff or just have
0:06:46
just have fun talking
0:06:48
or making jokes or something like that
0:06:52
just not not take it too seriously but
0:06:55
also get to like meet people and learn
0:06:57
stuff that sounds fun to me
0:07:08
okay give me one sector of people
0:07:24
these guys need to give me permission
0:07:44
wow this thing takes forever then
0:08:14
i'll entertain the crowd while you were
0:08:20
the huge crowd i just stared at
0:08:26
observe a moment of silence
0:08:40
let me maybe we can put the site up
0:08:44
i think i don't know i think that's
0:08:45
gonna be yeah yeah i think the pen i
0:08:48
think the pen tester is here
0:08:52
yeah i think i think the pen testers
0:08:54
here they can help us out the
0:09:02
special audience member
0:09:24
yeah it is very interesting do you
0:09:27
mention something about like um
0:09:31
what do you think it could be right
0:09:44
um on the front end
0:09:46
usually one of the most common ways
0:09:59
like innerHTML
0:10:05
so setting the inner using innerHTML to
0:10:15
like attach something to the dom right
0:10:19
that's where like if you're not
0:10:22
extremely careful with that method then
0:10:26
it's very easy to exploit
0:10:28
because you can just
0:10:33
script and attach that script tag to the
0:10:36
dom and then it will be executed if
0:10:40
you've just written a malicious script
0:10:45
or non-malicious one whatever
0:10:49
doesn't always have to be for nefarious
0:10:53
but yeah usually that's like a common
0:10:56
exploitation i i think i'm not super
0:10:59
experienced on security or anything my
0:11:02
knowledge is quite limited but
0:11:05
from what i understand in a framework
0:11:07
like react for instance
0:11:16
stuff is handled for you in the
0:11:17
framework so that like you don't
0:11:20
accidentally do it and actually in react
0:11:27
innerHTML like the method innerHTML
0:11:31
then it's they actually
0:11:36
dangerouslySetInnerHTML
0:11:39
it's called dangerously yeah interesting
0:11:43
because they want you to know like you
0:11:45
sure you're doing this
0:11:51
here we're using jquery
0:11:55
and i am not entirely certain but jquery
0:11:59
might have some vulnerabilities
0:12:02
um in it or there's or there's something
0:12:06
we're doing too that
0:12:08
we can look through our code to see
0:12:10
where we're using this
0:12:14
i don't know if there's other like easy
0:12:24
like attack surfaces for like just doing
0:12:29
xss attack like from a dom method but i
0:12:32
know innerHTML is one of those and then
0:12:35
on the back end which is something i
0:12:37
don't i've never actually
0:12:40
um done because i usually just work on
0:12:43
front end but that would be like
0:12:45
sanitizing the back end
0:12:47
right with maybe some sanitization
0:12:51
so that when you're getting
0:12:57
post put delete requests whatever it is
0:13:01
to the backend to store in the database
0:13:04
or in our case like also with the
0:13:08
when we're sending messages from one
0:13:10
client to another client then we want to
0:13:14
any of that is is not some malicious
0:13:24
how gekko was exactly doing this if he
0:13:29
creating notes and then saving them in
0:13:31
dynamodb or if he was just simply like
0:13:37
using the websockets to just create a
0:13:41
every other client is getting it and
0:13:44
running that script tag when you get it
0:13:47
but essentially it's a script tag
0:13:52
okay are you are you familiar at all
0:13:59
cross-site scripting
0:14:02
oh i should have prefaced that then i'm
0:14:04
not super like i don't know that much
0:14:07
it's pretty common um vulnerability
0:14:11
um but basically and there's like
0:14:16
different names for the different
0:14:26
like targets of the attack but
0:14:32
like the way he's doing it is basically
0:14:40
if you go to let's see if we can
0:14:42
reproduce it actually that'll be fun
0:14:45
yeah that'll be really cool
0:15:22
let's hope jackdab doesn't
0:15:26
crash our browsers
0:15:35
test one two three so i'm gonna go to
0:15:37
the same board too
0:15:43
and then let's see if i can send you
0:15:51
i'm going to create a new
0:15:56
oh that's weird why am i getting access
0:16:02
oh i need the index okay nevermind
0:16:39
can you send me the link to the board
0:16:43
you're getting access tonight
0:16:46
no i'm getting nothing i'm getting a
0:16:58
okay put it in the chat
0:17:04
pass one two three
0:17:27
okay i should be in
0:17:30
so i just created a note
0:17:50
and you can see it just says hi tinashe
0:17:56
yes yes i can see it okay
0:18:16
work i don't know i think
0:18:19
i don't know how to do this but let's
0:18:24
okay so let's say i sent something i
0:18:26
don't know if this is obviously it
0:18:28
didn't work because it would have
0:18:31
created that alert message right
0:18:39
there's probably another way to write it
0:18:43
this is executable because maybe the way
0:18:46
i have it right now is not
0:18:51
but that's kind of like the
0:18:56
um and then you don't have to write an
0:18:58
alert like you could do like
0:19:01
you know what what happened to you guys
0:19:03
the other day you got redirected so you
0:19:05
could do like window location history
0:19:09
and then like update your browser's like
0:19:12
window history and then
0:19:14
like have you go to the site or
0:19:18
yeah wow that's really cool um
0:19:27
how did he like yeah
0:19:29
what did he do to make it
0:19:34
so it executed as well you know what i
0:19:42
yeah what you were saying is a bit
0:19:45
do you know like what you would have
0:19:47
done like additionally
0:19:49
um have any assuming i'm assuming he did
0:19:53
something along these lines
0:19:59
um but maybe there's another way that
0:20:03
makes the script executable
0:20:06
um i'm not 100 certain on that
0:20:22
yeah i don't know i'd have to look i
0:20:23
actually have to look it up
0:20:36
too bad i didn't save it because like
0:20:39
when he did this like fart attack
0:20:43
the websocket messages and the in the
0:20:47
in the chrome dev tools and i could see
0:20:49
the text on the note was the script tag
0:20:54
data and then like new audio which is
0:20:59
the way you create a new audio
0:21:02
object and then it was like playing
0:21:10
wave file like online some wave
0:21:13
repository fart sounds
0:21:24
it's probably it's probably actually on
0:21:26
youtube but i don't know if you can see
0:21:28
my screen or not on youtube
0:21:36
when you sent us the video
0:21:39
i saw i did see that that fart dot wave
0:21:46
i did see that file
0:21:53
so yeah i guess you're on the right
0:21:59
like it's probably not far off like what
0:22:14
yeah so for instance here's like a
0:22:17
here's like a list
0:22:19
of like different payloads
0:22:27
there's also resources on on the bottom
0:22:30
that are useful too for like preventing
0:22:36
cross-site scripting vulnerability yeah
0:22:45
and i think this one in particular would
0:22:47
be called dom based
0:22:50
but i'm not 100 sure about that
0:22:54
i think it's don i think it's called dom
0:22:58
okay but like say say to let's say
0:23:01
somebody somebody who's a naughty like a
0:23:09
s they they made notes they saved them
0:23:11
to the database right
0:23:13
and then when somebody loads the notes
0:23:16
on the from when they go to the boards
0:23:19
it executes these scripts and then it
0:23:24
like one of the simpler simpler
0:23:27
ways and easier ways is like
0:23:34
like execute a script and then it like
0:23:37
goes to some website
0:23:39
and then that website is like malicious
0:23:42
and then it like steals like [ __ ] from
0:23:46
from your browser maybe a cookie or
0:23:58
yeah if it was on like a banking website
0:24:00
let's say for instance like they could
0:24:02
even run a script that could send a
0:24:06
to like their api or something if
0:24:12
maybe log your password or your username
0:24:23
do you listen to um darknet diaries by
0:24:31
it sounds interesting though
0:24:33
it's a podcast about like they talk
0:24:41
security vulnerabilities and
0:24:44
things that happen
0:24:49
on the internet like you know where
0:24:53
somebody has like kind of exploited
0:24:55
um the system more you know
0:24:58
to get information that sort of thing
0:25:00
it's very interesting podcast
0:25:03
yeah that sounds pretty interesting
0:25:14
yeah let's try saving it and then see if
0:25:16
you reload it if it executes
0:25:44
yeah something that's actually an issue
0:25:46
is that the some of the notes disappear
0:25:52
that's the saving issue
0:25:56
that's something that's really worth
0:25:58
looking into i think
0:26:01
uh yeah i think i think yeah well that's
0:26:05
another show man you'll have to come
0:26:13
well that's interesting though because
0:26:15
now those script tags actually got
0:26:18
yeah that's the i've noticed that yeah
0:26:21
that's why that's why i just wanted to
0:26:22
do it again to see oh
0:26:25
that's an issue but anyways the script
0:26:32
yeah that's very interesting
0:27:05
hopefully it's saved
0:27:11
yeah it didn't save
0:27:24
let me uh let me see if i can dig up on
0:27:30
how that or actually if we look in
0:27:33
dynamodb i wonder if any of the notes
0:27:35
are saved with those
0:27:39
i don't know which board it was though
0:27:46
yeah that's oh yeah keyword is fart
0:28:00
first let me look at this one
0:28:06
yeah it removes the script part of it i
0:28:14
maybe jquery does some of it or maybe
0:28:16
dynamodb i don't know
0:28:29
well i'm going to the youtube and see if
0:28:32
i can track it down
0:28:37
i don't like i said though i don't know
0:28:40
showed it on my screen
0:28:44
zayn was having a good time though
0:29:00
oh i think i will be able to see it
0:29:08
i don't know i think i got there oh here
0:29:14
so yeah all it was was
0:29:29
him creating a card
0:29:34
if you want i'll uh
0:29:37
here i'll send you
0:29:41
this with the time
0:29:46
uh start at yeah there we go okay and
0:29:52
there so you can see
0:29:55
there in the youtube
0:30:01
the text that he's um
0:30:05
got in the note when he creates a card
0:30:07
and it is a script tag
0:30:20
console log oh he changed console log to
0:30:31
oh because he's trying to just remove
0:30:35
any console log ability
0:30:39
oh so he's running
0:30:46
jquery on a particular
0:30:49
on the id of the card that was created
0:30:55
oh he's hiding the card
0:31:04
and then it's the new audio part that's
0:31:07
like the audio api from the browser
0:31:13
that is just playing it and there's
0:31:15
nothing special about the script tag
0:31:24
so i don't know why our script tag is
0:31:30
hmm writing the card and then
0:31:34
why is he doing these two things though
0:31:38
equals the function and console clear
0:31:50
mess with your dev tools so that you
0:31:54
can't log or clear the console is my
0:32:03
is my guess but i'm not 100
0:32:08
if you just if you have like preserve
0:32:11
log in your dev tools then that does
0:32:16
like it won't clear your preserved log
0:32:18
in your console which i always have that
0:32:22
so i was like yeah
0:32:25
that's why i can see what's going on
0:32:31
where's that where's the preserved logs
0:32:35
uh if you go to the console and then
0:32:41
if you go to dev tools
0:32:45
there's an option to select preserve log
0:33:06
if do you have an option yeah there you
0:33:08
go preserve log yeah go to the settings
0:33:10
yeah that drop yeah
0:33:42
the other thing he could have been doing
0:33:49
are all the ids of the card the same
0:33:51
yeah so if you look at the video all the
0:33:53
card ids are the same it's one two three
0:33:57
so he could also just be sending these
0:33:59
directly through postman or something
0:34:02
just like the object
0:34:05
oh okay or or piesocket or something
0:34:10
so we could we could try that too
0:34:14
you think it'd make a difference yeah
0:34:15
let's try it but maybe because maybe
0:34:18
when you when you type the note like
0:34:20
maybe jquery does some
0:34:23
sanitization of the input
0:34:33
i'm not super familiar with jquery
0:35:17
i'll just get it off screen
0:35:26
zane probably wouldn't be too pleased
0:35:28
that we're looking into this on show
0:35:32
right because in case in case somebody
0:35:34
else kind of copies
0:35:41
well so far so good maybe it's a good
0:35:43
time because it's friday night
0:35:51
hopefully we find out and fix it soon
0:35:54
and then nobody else will
0:36:01
yeah well i think ultimately
0:36:03
it'll have to happen
0:36:05
via the back end because
0:36:16
the back end to just send
0:36:23
like there's no validation for the
0:36:27
so like anybody can just open up the
0:36:30
and just start sending messages
0:36:35
if they're already just all they have to
0:36:37
do is just connect to the board via the
0:36:40
save their connection id
0:36:45
right in the browser and then you just
0:36:47
start sending messages either through
0:36:50
the console or just like through like
1:36:53
piesocket or whatever
0:36:56
or like a tool like a penetration tool
0:37:01
i'm sure a bot can do the same thing
0:37:20
so we need i'll just try again for a sec
0:37:34
um we need post right
0:38:24
hey could you do me a favor tinashe and
0:38:26
just create a new card
0:38:29
or just on the board
0:38:31
yeah all you have to do is just create
0:38:33
one i think it'll send me a message
0:38:38
send you a message
0:38:40
yeah through the console i mean it will
0:38:42
like i think i'll get a message
0:38:45
in my console if you just create a note
0:38:51
maybe your websocket timed out
0:39:10
i'm thinking i'll get a message and then
0:39:17
yeah i did okay thank you yep
0:39:21
all right now i can just like basically
0:39:36
i can just actually send it through the
0:39:39
console because i know the function to
0:39:41
dispatch the message
0:39:44
which is called dispatch message
0:39:47
which will send the websocket and i'm
0:39:49
already connected to the websocket
0:39:52
okay so i just need to copy this
0:39:56
can i have a locator if you don't mind
0:39:58
oh yeah yeah sorry
0:40:03
all right let me share my screen here
0:40:14
all right uh can you uh allow my screen
0:40:18
uh yeah yeah okay sure okay so when you
0:40:26
note log to my console because i guess
0:40:29
we're logging these
0:40:31
and then here is the data that got
0:40:34
logged which is the action is create
0:40:37
and the data is the car data right with
0:40:41
right so i'm just gonna call i'm just
0:40:46
um copy this object
0:40:50
and then i'm gonna go
0:40:54
take that object and i'm gonna write
0:41:12
all right because um
0:41:14
because i'm polite
0:41:16
unless you want unless you want some
0:41:24
all right let's say
0:41:35
all right let's save that
0:41:38
what happened i don't know
0:41:46
yeah i'm missing this
0:41:57
can can you do two different types of uh
0:42:00
of quotation in javascript like do one
0:42:03
with one and then the other one with two
0:42:07
yeah i think that might be the reason
0:42:11
yeah yeah yeah that saved it right all
0:42:13
right now dispatch
0:42:19
i don't remember what the parameters are
0:42:32
websocket message action
0:42:42
it will get the board id for me so
0:42:45
i think this should work without me
0:42:48
doing anything because we have the
0:42:52
oh but we don't have the okay so this
0:42:54
this actually needs to get changed to
0:42:58
from data to message i think
0:43:05
i think this has to be message
0:43:21
and then let's try sending this
0:43:24
card see if that actually works
0:43:28
oh wow yeah it works
0:43:30
that is cool you got a hi tinashe
0:43:33
yeah i did and i don't because it's not
0:43:38
i uh weird thing is that i
0:43:42
oh i'll just share my screen for one
0:43:46
um i'll send another one
0:43:50
you see i got this whole thing though
0:44:01
so that's different then
0:44:13
so it didn't it didn't work then
0:44:17
it didn't say hi tinashe
0:44:23
let's send the whole
0:44:26
but i think you're on the right track
0:44:35
that you're using that seems like it's
0:44:39
on the right lines
0:44:43
um okay let me look i'll look back at
0:44:52
then i gotta figure out how what this
0:45:00
i thought it would look the same as i
0:45:02
send it but i don't remember the code
0:45:06
[ __ ] you'll scream
0:45:16
so this is getting
0:45:20
used probably a lot
0:45:29
oh maybe the action is supposed to be
0:45:35
all right where's the one this is delete
0:45:37
so this is delete card
0:45:49
this is edit a card
0:45:56
create card so the action is not oh so
0:46:00
the there's an action inside the map i
0:46:03
think i kept this because of what was
0:46:07
um the existing code and i think this
0:46:10
worked some reason that i can't remember
0:46:13
with the existing code so inside here we
0:46:16
have the message and that's where we
0:46:19
with the data so the action in here
0:46:22
inside the message body
0:46:24
is create card and then the data is the
0:46:26
data for the for the note to be created
0:46:30
and then when you receive that
0:46:32
that's basically going to get
0:46:35
looped through the code on the other
0:46:37
side and create the card with that
0:46:44
i think i get what you mean
0:46:46
because this this is being
0:46:48
i create a card it sends a message
0:46:51
yeah i kept the data the same so that
0:46:55
it gets received on the other side by
0:46:58
you for instance then
0:47:00
it's basically going to run this
0:47:01
function with with the information from
0:47:05
which is the id text the x y position
0:47:09
the rotation of the card the color and
0:47:11
the type which i think is
0:47:13
sticky note or something else
0:47:18
basically creates that card right there
0:47:29
does something else with this i think
0:47:31
which is why i kept it
0:47:33
because i think this
0:47:35
send action maybe does something i don't
0:47:38
remember it's been a while
0:47:40
this was already here this stuff was
0:47:42
already here oh here's the function i
0:47:45
was looking for so this this function up
0:47:47
here draw a new card this was already
0:47:50
just like basically creates the new card
0:47:54
in the dom that you see
0:47:56
with the text and all the stuff that
0:47:58
came from the parameters
0:48:03
i think i just need
0:48:12
modify that again because it was
0:48:15
actually just fine the way it was with
0:48:25
unexpected identifier again
0:48:36
okay this should be data
0:48:39
there we go hopefully that wow
0:48:42
oh it did save it okay and then dispatch
0:48:49
here is the action which is default i
0:48:55
and then let's see if this works
0:49:20
and then this is the message
0:49:28
which this has the action and the data
0:49:31
on it so that should be okay
0:49:35
all right did anything happen to you
0:49:38
yes it did and exactly
0:49:49
isn't that fun though
0:49:50
yeah i can imagine all the things you
0:49:54
that's sick yeah i could you could
0:49:56
probably send a script to mine bitcoin
0:49:58
on your like browser right there
0:50:04
that's pretty sick
0:50:07
yeah that's awesome like how did he or
0:50:10
how would somebody know though like um
0:50:12
you just test you just test you just
0:50:15
that's what pen testing is about you
0:50:18
just have your tools right and then you
0:50:20
just press the buttons and do different
0:50:22
options and it just maybe it runs
0:50:24
through a whole list
0:50:28
trying to escape characters or something
0:50:31
because let's say you wrote your own
0:50:36
function to say hey like if somebody
0:50:38
sends a script tag remove it well
0:50:41
there's probably like other ways too to
0:50:45
your method of trying to remove it
0:50:48
and then they can just like circumvent
0:50:52
get it working again or some other
0:50:54
vulnerability so that's why there's like
0:50:56
sanitization libraries for this type of
0:50:59
where like it's a whole library
0:51:04
trying to remove any any malicious code
0:51:13
in the server right when it's received
0:51:17
like you're saying it will look through
0:51:20
see it will basically look through
0:51:23
the message yeah like it'll look through
0:51:26
the data that it received in the back
0:51:29
and then it will go through it and and
0:51:33
basically removing any malicious code
0:51:36
that or whatever else
0:51:40
somebody could be trying to do
0:51:43
but i've never i've actually never used
0:51:46
i've never used it because i don't do
0:51:52
but imagine if somebody two like they
0:51:56
i don't know if dynamodb does anything
0:51:58
by default but imagine if you save
0:52:01
something in dynamodb like a whole
0:52:07
yeah in a note like i think you have 400
0:52:10
kilobytes per note like
0:52:13
you could run like a whole application
0:52:22
sorry like with this with what you just
0:52:24
did like does it have to be only run
0:52:27
in the console or can we
0:52:29
could you do it like
0:52:31
i don't know like tied to like what i
0:52:33
mean is directly creating it here it has
0:52:40
so it it looks like
0:52:47
then i think i think alvin
0:52:51
i didn't write like the whole front end
0:52:53
so i don't know but i the note is
0:52:55
created with jquery
0:52:57
and another jquery library so i'm
0:53:10
library kind of handles some
0:53:12
sanitization for you
0:53:15
like the front end library like react
0:53:17
for instance is the framework like
0:53:19
that'll handle like sanitization of
0:53:27
from what i understand for you like you
0:53:30
don't really have to think about it but
0:53:33
of course there's always like
0:53:35
new vulnerabilities that could pop up
0:53:37
and have to be patched or something
0:53:41
yeah yeah that makes sense um i did
0:53:44
notice in the code though that
0:53:54
header the name of the board
0:53:56
if you look at the client-side code
0:54:09
and if you go to line
0:54:25
you'll see that that
0:54:29
is using innerHTML
0:54:37
in the console could you can actually
0:54:40
change the implementation of this
0:54:45
because this function is available
0:54:48
so you're saying you would do something
0:54:54
so like let's say you wrote a script
0:55:10
get board by id okay so it's getting the
0:55:15
so actually this could be funny
0:55:18
if you change the name of the board in
0:55:21
dynamodb or something to be like a
0:55:25
when it sets it when it sets the
0:55:27
innerHTML like you can run that script tag
0:55:39
i think this is getting the board id
0:55:41
from dynamodb is what i'm assuming
0:55:46
by the board id and then it's setting
0:55:49
that in the board heading which is the
0:55:51
title of the board so anytime you use
0:55:55
that's when you can be incredibly
0:55:57
vulnerable to these like xss attacks
0:56:04
it will change the board name
0:56:07
right too do we have that functionality
0:56:09
i don't know if we do
0:56:17
if we created a new board
0:56:19
and named it like script tag blah blah
0:56:21
blah blah blah alert hi tori or hi
0:56:24
tinashe i wonder if it'll
0:56:26
run that alert when you load the board
0:56:29
page the question is
0:56:31
whether dynamodb will do anything for
0:56:36
oh okay that's cool we can quickly test
0:56:48
that's about it right
0:56:52
and then when you load it like it should
0:56:54
go get the board by the id
0:56:57
and set that board name
0:57:00
but it didn't run it huh
0:57:08
yeah it didn't run it
0:57:20
well i think i think there is a way with
0:57:23
innerHTML innerHTML is like
0:57:27
if i remember correctly is like pretty
0:57:38
not really sure myself but
0:57:46
there's a board here
0:57:59
why did i not see the board
0:58:31
i wonder if dynamodb did some escaping
0:58:35
of of the characters or something
0:58:44
because i'm like reading an article and
0:58:46
it seems like that that should work
0:58:51
unless there was a tiny typo we didn't
0:58:59
it's gonna be all these script tags
0:59:18
you can you can't find that board in
0:59:23
no i couldn't actually
0:59:38
cannot read i don't know why i can't
0:59:40
save it either the password's correct
0:59:49
dispatch websocket message is not valid
1:00:01
refresh your page or something
1:00:09
clear the did you close
1:00:11
close the dev tools
1:00:18
it shouldn't make a difference right i
1:00:21
i wonder if you accidentally like
1:00:28
this is on the live page though
1:00:34
no i mean in the well you can override
1:00:36
them in the console
1:00:39
oh you mean like that oh i'll go and
1:00:42
input needle then and then
1:00:47
well if you close the dev tools and
1:00:48
refresh the page you should you'll be
1:00:58
it's kind of like when you edit the css
1:01:05
oh yeah i get what you mean yeah but i
1:01:08
already did that so
1:01:36
you see this story failed to reload
1:01:39
the server responded with the status of
1:01:40
all i feel like it doesn't allow you
1:01:44
i feel like maybe maybe dynamodb doesn't
1:01:46
allow it we've made it angry
1:01:55
yeah let me let me just try different
1:01:58
name just to be sure
1:02:30
yeah yeah it doesn't allow it that's
1:02:34
what what doesn't it allow
1:02:36
um the script tags
1:02:40
yeah it doesn't allow you to do it and
1:02:42
then so i've just tried this one it
1:02:47
that's pretty cool it protects you
1:02:54
that's pretty nice then
1:02:59
all right sorry i'm should we call it a
1:03:09
uh wait could you just go back to that
1:03:25
you had to do it yeah
1:03:30
that's what i was doing the last three
1:03:32
minutes i was like oh let me find
1:03:37
so you just me was just sending a bunch
1:03:41
like it was crazy my cheeks hurt man
1:03:53
oh it's fun it's a it's such a funny you
1:03:55
know it's i'm glad it was such a fun way
1:03:58
to learn about security
1:04:02
that's very interesting like i didn't
1:04:03
didn't know it's possible
1:04:06
uh yeah it's pretty cool huh yeah
1:04:08
pretty scary too when like you create
1:04:10
your own application
1:04:14
like oh man i hope
1:04:16
i was so nervous about that whenever i'm
1:04:19
developing an application i'm like
1:04:23
but of course nobody nobody uses
1:04:26
anything it's just me
1:04:34
yeah it's things you don't really think
1:04:36
about you know like
1:04:39
yeah you never really think about it
1:04:42
but um i wonder if you can do it on the
1:04:44
actual like on the original scramble to
1:04:49
maybe with some effort you'd be able to
1:04:51
figure yeah maybe with some effort yeah
1:04:53
like these like tools like
1:04:57
like these pen testing tools
1:05:00
uh for for instance which are just like
1:05:03
a suite of tools like a penetration
1:05:06
whip up their tools or
1:05:09
and that would just be like the starting
1:05:11
point and then they can just like
1:05:13
literally go through the checklist of
1:05:15
tools like scanning
1:05:19
scanning like different parts of the
1:05:21
page with known vulnerabilities like
1:05:25
and just checking for things on your
1:05:30
or through your whole website kind of
1:05:34
a mostly automated way and i'm sure bots
1:05:37
can pretty much do the same thing
1:05:41
and then of course like that would
1:05:43
probably just be the first layer like
1:05:45
people know like what they're doing
1:05:50
you know these black hat white hat gray
1:05:52
hat blah blah blah like and they're
1:05:54
smart because they know how to exploit
1:05:58
even in code like some of these
1:06:01
code exploitations i just i see them on
1:06:04
like dependabot or
1:06:06
and i don't understand okay whatever
1:06:10
i don't know how you do that but cool
1:06:16
um i was listening to um
1:06:20
like darknet diaries today as well but
1:06:22
anyways that's this um
1:06:24
one of the podcasts we were talking
1:06:27
some people's like
1:06:30
obviously there's like people who find
1:06:32
this exploits and they're like
1:06:34
they're like good people who like um
1:06:38
who reveal it to the world and you know
1:06:39
that sort of thing but it's also like
1:06:46
they you know they sell it to to other
1:06:49
people for like a lot of money
1:06:53
yeah it's very interesting
1:07:00
the other thing too that's crazy is that
1:07:02
actually revealing an exploit
1:07:05
can actually put you in jeopardy
1:07:09
even if you're trying to be a good
1:07:12
um if if you know there's some
1:07:15
vulnerability or something and the
1:07:19
let's say the company doesn't have a bug
1:07:21
bounty for such thing you could actually
1:07:23
get in trouble even if you're just like
1:07:25
reporting it which is kind of nuts but
1:07:29
at the same time it kind of makes sense
1:07:32
you could like i could be going on
1:07:34
websites right now just like checking
1:07:39
and like technically i think in most
1:07:41
places that's illegal
1:07:44
at least to a certain extent so like
1:07:48
yeah kind of a gray area
1:07:54
interesting okay sorry um
1:08:00
call it a night for the show
1:08:02
cool thanks everyone for joining us on
1:08:04
uh another episode of build break and fix
1:08:13
last episode for the time being
1:08:21
it was a fun one agreed um
1:08:25
yeah we all got to
1:08:27
fart sure part exploitation how the fire
1:08:31
you could explore the thought
1:08:39
what do we do to do it do we the use the
1:08:42
websocket function right essentially to
1:08:44
yeah we just send a the message in the
1:08:51
basically in short
1:08:53
the websocket gets sent to aws api
1:08:57
with the message from the whatever we're
1:08:59
sending it and then that spins up our
1:09:02
lambda which then gets that message
1:09:05
takes the text from the note or whatever
1:09:08
other things we're sending
1:09:10
and then it gets all the connection ids
1:09:14
in the database who are connected to
1:09:16
that particular board and then
1:09:18
broadcasts that message to all of them
1:09:23
none of it is sanitized and it's all
1:09:26
open it's not authenticated so you could
1:09:28
send whatever you want in there
1:09:33
so actually that's really on our part
1:09:34
that's something we need to fix don't we
1:09:36
like um oh yeah yeah
1:09:46
one for the for the jira board
1:09:49
so yeah guys if you want to check out
1:09:52
more of this and you know when we get to
1:09:57
make sure you join us um
1:09:59
same time same place and
1:10:08
thanks everyone have a great night
1:10:14
oh good job man turn it up