WHAT COULD GO WRONG?

@BenedekGagyi

What is security?

Engineering

Process

Knowledge/
experience

Round 1

"Why would I host images? There are tons of sites for that on the internet.
What could go wrong?"

Round 1

<img src="{user.profilePic}" />
imgur.com/123
imgur.com/123

XSS - Cross site scripting

" onload="alert(':(') 
<img src="" onload="alert(':(')" />

XSS - Cross site scripting

Use (context aware) sanitisation

Fix 1

?

Knowledge/
experience

Process

Engineering

"Fine, I'll sanitise all the inputs. I'll even check, if the input is a proper URL!
What could go wrong?"

Round 2

https://site.com/add-admin?id=123

OSRF - Onsite request forgery

<img src="...

Malicious
link

</html>
<html>

Page

OSRF - Onsite request forgery

Fix 2

Use "complex" HTTP methods
(POST*, PUT, PATCH, DELETE)

Use some kind of tokens

Engineering

Process

Knowledge/
experience

?

Round 3

"Ugh, this URL thing is hard. I'll just host them myself.I'll even check if the file extension is an image (PNG, JPG, SVG etc.).
What could go wrong?"

MIME Type sniffing

<html>
  <script>
  	alert(':(');
  </script>
</html>
profile-picture.png

MIME Type sniffing

Content-Type: image/png
X-Content-Type-Options: nosniff

Fix 3

?

Knowledge/
experience

Process

Engineering

"OK, got it, I'll set that friggin header.
What could go wrong?"

Round 4

Polyglot files

// ...... GIF file data ...... //
// ...... JAR file data ...... //
profile-picture.gif
Gifar

Polyglot files

How to determine file type:

  • Extension based validation

  • Magic byte detection

  • File signature validation

// ...... GIF file data ...... //
// ...... JAR file data ...... //

Fix 4

Use a well established open-source library for validation.

Engineering

Process

Knowledge/
experience

?

Round 5

"Hold up. Do I really need to use a third-party library? I can write my own just as well.
What could go wrong?"

Fix 5

"You don't have to be mean. Third party library it is.
What could go wrong?"

Round 6

Supply Chain Poisoning

Liran Tal

OWASP

Supply Chain Poisoning

Supply Chain Poisoning

event-stream
flatmap-stream
867,232

RCE - Remote Code Execution

RCE - Remote Code Execution

Fix 6

npm audit
yarn audit

?

Knowledge/
experience

Process

Engineering

Do we need to
continue?

  • XSS is reeeeeeeally deep

  • Where do you store the images?

  • How are you handling image metadata?

What about the process?

The πŸ’ΈcostπŸ’Έ of
security

  • Engineer time/Opportunity cost

  • Non-requested features

  • Education/Talent acquisition

  • External services

πŸ›΄ 🚲 πŸš—

πŸ›΄

Security code-review

  • No dedicated person: team responsibility

  • βœ…βœ… instead of βœ…

  • Change of mindset is key

  • Might require extra education

  • Realise threats before the implementation starts

  • 2-3 hour long ceremony for any new complex feature

  • Great for cross-pollination of ideas

  • Won't work without at least one expert

Threat modelling

🚲

πŸš—

Bug-bounty program

  • The only true measure

  • Internal vs External

  • Bounties quantify security

  • Enormous engineering effort

  • Strong cooperation with PR/marketing is required

Knowledge/
experience

Process

Engineering

THANK YOU!

@BenedekGagyi

What could go wrong?

By Benedek Gagyi

What could go wrong?

  • 432