WHAT COULD GO WRONG?

@BenedekGagyi

What is security?

Engineering

Process

Knowledge/
experience

Round 1

"Why would I host images? There are tons of sites for that on the internet.
What could go wrong?"

Round 1

<img src="{user.profilePic}" />

imgur.com/123

imgur.com/123

XSS - Cross site scripting

" onload="alert(':(')

<img src="" onload="alert(':(')" />

XSS - Cross site scripting

Use (context aware) sanitisation

Fix 1

?

Knowledge/
experience

Process

Engineering

"Fine, I'll sanitise all the inputs. I'll even check, if the input is a proper URL!
What could go wrong?"

Round 2

https://site.com/add-admin?id=123

OSRF - Onsite request forgery

<img src="...

Malicious
link

</html>

<html>

Page

OSRF - Onsite request forgery

Fix 2

Use "complex" HTTP methods
(POST*, PUT, PATCH, DELETE)

Use some kind of tokens

Engineering

Process

Knowledge/
experience

?

Round 3

"Ugh, this URL thing is hard. I'll just host them myself.I'll even check if the file extension is an image (PNG, JPG, SVG etc.).
What could go wrong?"

MIME Type sniffing

<html>
  <script>
  	alert(':(');
  </script>
</html>

profile-picture.png

MIME Type sniffing

Content-Type: image/png

X-Content-Type-Options: nosniff

Fix 3

?

Knowledge/
experience

Process

Engineering

"OK, got it, I'll set that friggin header.
What could go wrong?"

Round 4

Polyglot files

// ...... GIF file data ...... //
// ...... JAR file data ...... //

profile-picture.gif

Gifar

Polyglot files

How to determine file type:

Extension based validation
Magic byte detection
File signature validation

// ...... GIF file data ...... //
// ...... JAR file data ...... //

Fix 4

Use a well established open-source library for validation.

Engineering

Process

Knowledge/
experience

?

Round 5

"Hold up. Do I really need to use a third-party library? I can write my own just as well.
What could go wrong?"

Fix 5

"You don't have to be mean. Third party library it is.
What could go wrong?"

Round 6

Supply Chain Poisoning

Liran Tal

OWASP

Supply Chain Poisoning

event-stream

flatmap-stream

867,232

RCE - Remote Code Execution

Fix 6

npm audit

yarn audit

?

Knowledge/
experience

Process

Engineering

Do we need to
continue?

XSS is reeeeeeeally deep
Where do you store the images?
How are you handling image metadata?

What about the process?

The 💸cost💸 of
security

Engineer time/Opportunity cost
Non-requested features
Education/Talent acquisition
External services

🛴 🚲 🚗

🛴

Security code-review

No dedicated person: team responsibility
✅✅ instead of ✅
Change of mindset is key
Might require extra education

Realise threats before the implementation starts
2-3 hour long ceremony for any new complex feature
Great for cross-pollination of ideas
Won't work without at least one expert

Threat modelling

🚲

🚗

Bug-bounty program

The only true measure
Internal vs External
Bounties quantify security
Enormous engineering effort
Strong cooperation with PR/marketing is required

WHAT COULD GO WRONG?

@BenedekGagyi

What is security?

Engineering

Process

Knowledge/ experience

Round 1

"Why would I host images? There are tons of sites for that on the internet. What could go wrong?"

Round 1

XSS - Cross site scripting

XSS - Cross site scripting

Use (context aware) sanitisation

Fix 1

?

Knowledge/ experience

Process

Engineering

"Fine, I'll sanitise all the inputs. I'll even check, if the input is a proper URL! What could go wrong?"

Round 2

OSRF - Onsite request forgery

Malicious link

Page

OSRF - Onsite request forgery

Fix 2

Use "complex" HTTP methods (POST*, PUT, PATCH, DELETE)

Use some kind of tokens

Engineering

Process

Knowledge/ experience

?

Round 3

"Ugh, this URL thing is hard. I'll just host them myself.I'll even check if the file extension is an image (PNG, JPG, SVG etc.). What could go wrong?"

MIME Type sniffing

MIME Type sniffing

Fix 3

?

Knowledge/ experience

Process

Engineering

"OK, got it, I'll set that friggin header. What could go wrong?"

Round 4

Polyglot files

Polyglot files

How to determine file type:

Extension based validation

Magic byte detection

File signature validation

Fix 4

Use a well established open-source library for validation.

Engineering

Process

Knowledge/ experience

?

Round 5

"Hold up. Do I really need to use a third-party library? I can write my own just as well. What could go wrong?"

Fix 5

"You don't have to be mean. Third party library it is. What could go wrong?"

Round 6

Supply Chain Poisoning

Liran Tal

OWASP

Supply Chain Poisoning

Supply Chain Poisoning

RCE - Remote Code Execution

RCE - Remote Code Execution

Fix 6

?

Knowledge/ experience

Process

Engineering

Do we need to continue?

XSS is reeeeeeeally deep

Where do you store the images?

How are you handling image metadata?

What about the process?

The 💸cost💸 of security

Engineer time/Opportunity cost

Non-requested features

Education/Talent acquisition

External services

Knowledge/
experience

"Why would I host images? There are tons of sites for that on the internet.
What could go wrong?"

Knowledge/
experience

"Fine, I'll sanitise all the inputs. I'll even check, if the input is a proper URL!
What could go wrong?"

Malicious
link

Use "complex" HTTP methods
(POST*, PUT, PATCH, DELETE)

Knowledge/
experience

"Ugh, this URL thing is hard. I'll just host them myself.I'll even check if the file extension is an image (PNG, JPG, SVG etc.).
What could go wrong?"

Knowledge/
experience

"OK, got it, I'll set that friggin header.
What could go wrong?"

Knowledge/
experience

"Hold up. Do I really need to use a third-party library? I can write my own just as well.
What could go wrong?"

"You don't have to be mean. Third party library it is.
What could go wrong?"

Knowledge/
experience

Do we need to
continue?

The 💸cost💸 of
security

Knowledge/
experience