﻿1
00:00:00,180 --> 00:00:03,399
[Music]

2
00:00:07,700 --> 00:00:10,700
thank you

3
00:00:20,990 --> 00:00:29,238
[Music]

4
00:00:37,160 --> 00:00:40,218
all right

5
00:00:47,280 --> 00:00:49,460
foreign

6
00:01:16,760 --> 00:01:19,020
last night I found the high security one

7
00:01:19,020 --> 00:01:20,880
so I had them basically cemented to my

8
00:01:20,880 --> 00:01:22,439
wrist today to get people to like come

9
00:01:22,439 --> 00:01:24,479
and take them off of me so if they say

10
00:01:24,479 --> 00:01:26,479
difficult they mean what they're saying

11
00:01:26,479 --> 00:01:29,340
anyway so uh I'm gonna be talking about

12
00:01:29,340 --> 00:01:32,479
headers today

13
00:01:33,360 --> 00:01:35,340
made the slide deck two years ago

14
00:01:35,340 --> 00:01:37,799
thankfully due to COVID there's not two

15
00:01:37,799 --> 00:01:39,720
of me up here

16
00:01:39,720 --> 00:01:41,880
um used to live in Chicago used to work

17
00:01:41,880 --> 00:01:44,220
as an AppSec consultant at Rapid7

18
00:01:44,220 --> 00:01:46,439
now I'm a manager at Rapid7, moved to

19
00:01:46,439 --> 00:01:48,299
Texas got a cowboy hat edited under my

20
00:01:48,299 --> 00:01:49,799
picture

21
00:01:49,799 --> 00:01:52,380
um I like doing lock picking not well at

22
00:01:52,380 --> 00:01:54,899
it clearly uh SDR smoked food home

23
00:01:54,899 --> 00:01:56,880
brewing I just like hobbies so if you

24
00:01:56,880 --> 00:01:59,640
guys like that too let me know

25
00:01:59,640 --> 00:02:00,299
um

26
00:02:00,299 --> 00:02:02,040
yeah

27
00:02:02,040 --> 00:02:04,140
So today we're going to focus primarily

28
00:02:04,140 --> 00:02:06,540
on HTTP response headers so last night

29
00:02:06,540 --> 00:02:08,399
David uh you Allman I believe how you

30
00:02:08,399 --> 00:02:12,180
say it did an SMTP talk so it was uh EHLO

31
00:02:12,180 --> 00:02:15,540
HELO is that you that was really

32
00:02:15,540 --> 00:02:17,099
good for mail headers I'm gonna focus on

33
00:02:17,099 --> 00:02:18,239
what you're going to see for web

34
00:02:18,239 --> 00:02:20,840
applications

35
00:02:22,980 --> 00:02:24,900
so what happened

36
00:02:24,900 --> 00:02:27,000
if you headers do even if you're not

37
00:02:27,000 --> 00:02:28,739
technical you know the 404 is because

38
00:02:28,739 --> 00:02:30,300
you see it constantly

39
00:02:30,300 --> 00:02:31,739
but when we're trying to convey State

40
00:02:31,739 --> 00:02:35,040
you'll see 200 you'll see 403 418 I'm a

41
00:02:35,040 --> 00:02:37,739
teapot the 403 401s those are probably

42
00:02:37,739 --> 00:02:40,620
the kind of testers in the room

43
00:02:40,620 --> 00:02:44,160
um they also set cookies and form

44
00:02:44,160 --> 00:02:46,920
control browser framing cross-site

45
00:02:46,920 --> 00:02:49,140
scripting controls and the like but they

46
00:02:49,140 --> 00:02:52,579
especially tend to over share

47
00:02:52,620 --> 00:02:54,599
so when I think about over sharing we're

48
00:02:54,599 --> 00:02:56,340
thinking market share so when you have

49
00:02:56,340 --> 00:02:58,340
people putting out headers such as

50
00:02:58,340 --> 00:03:03,060
Apache 2.4 or Ubuntu 18.04 or 20.04 I'm

51
00:03:03,060 --> 00:03:04,680
getting old

52
00:03:04,680 --> 00:03:06,900
um different versions of PHP it was a

53
00:03:06,900 --> 00:03:08,459
PHP that has to laugh at me now if you

54
00:03:08,459 --> 00:03:10,140
want to take a moment

55
00:03:10,140 --> 00:03:13,140
nothing come on all right

56
00:03:13,140 --> 00:03:15,120
um dot net for example so all these

57
00:03:15,120 --> 00:03:17,640
people who manufacture software want to

58
00:03:17,640 --> 00:03:19,080
know what their Market penetration is

59
00:03:19,080 --> 00:03:22,019
helps with funding helps with I don't

60
00:03:22,019 --> 00:03:23,400
know it's kind of cool if I had more

61
00:03:23,400 --> 00:03:24,420
than one percent of people in the world

62
00:03:24,420 --> 00:03:27,440
using anything I built

63
00:03:29,519 --> 00:03:31,260
so right here is an actual actual shot

64
00:03:31,260 --> 00:03:34,319
of the default php.ini configuration

65
00:03:34,319 --> 00:03:36,659
you'll see expose_php is turned on what

66
00:03:36,659 --> 00:03:38,220
that does it says hey everybody I'm

67
00:03:38,220 --> 00:03:40,080
running PHP and this is the version that

68
00:03:40,080 --> 00:03:41,220
I'm using

69
00:03:41,220 --> 00:03:43,200
they also assess Americans and no

70
00:03:43,200 --> 00:03:44,519
security threat in any way but it makes

71
00:03:44,519 --> 00:03:46,500
it possible to determine if your server

72
00:03:46,500 --> 00:03:49,200
is running PHP or not

73
00:03:49,200 --> 00:03:51,480
now if you haven't wondered besides

74
00:03:51,480 --> 00:03:53,400
paying for a procurement and scope of

75
00:03:53,400 --> 00:03:54,659
work and all that good stuff what is the

76
00:03:54,659 --> 00:03:57,859
first step of a security audit

77
00:03:58,440 --> 00:04:01,080
what do you guys recount it is

78
00:04:01,080 --> 00:04:03,060
felt pretty proud of that one

79
00:04:03,060 --> 00:04:04,860
um reconnaissance so when you go and

80
00:04:04,860 --> 00:04:07,080
look at a web server and it says PHP

81
00:04:07,080 --> 00:04:09,959
version 8. the first thing that you're

82
00:04:09,959 --> 00:04:10,860
probably going to do with that

83
00:04:10,860 --> 00:04:13,019
information is take it

84
00:04:13,019 --> 00:04:14,640
to Google

85
00:04:14,640 --> 00:04:18,298
so my first language was PHP 5.1.6 which

86
00:04:18,298 --> 00:04:21,839
was before dinosaurs were invented

87
00:04:21,839 --> 00:04:25,199
um and that one has six different CVEs

88
00:04:25,199 --> 00:04:26,520
running against it I think version of

89
00:04:26,520 --> 00:04:29,040
PHP has 633.

90
00:04:29,040 --> 00:04:30,300
so if you're over sharing information

91
00:04:30,300 --> 00:04:31,979
you can take that information straight

92
00:04:31,979 --> 00:04:33,240
to Google and instantly find

93
00:04:33,240 --> 00:04:34,740
vulnerabilities

94
00:04:34,740 --> 00:04:37,320
now a lot of folks think okay cool

95
00:04:37,320 --> 00:04:38,699
that's security through obscurity

96
00:04:38,699 --> 00:04:40,440
hiding that information you're right

97
00:04:40,440 --> 00:04:42,300
but that's a good thing if you have any

98
00:04:42,300 --> 00:04:44,940
sort of incident detection software in

99
00:04:44,940 --> 00:04:45,960
place

100
00:04:45,960 --> 00:04:47,820
are you going to detect somebody who's

101
00:04:47,820 --> 00:04:49,320
sitting there banging on your server

102
00:04:49,320 --> 00:04:50,520
trying to figure out what you're running

103
00:04:50,520 --> 00:04:54,900
or somebody who found a nice CVSS 10 or

104
00:04:54,900 --> 00:04:58,139
basically 10 severity to get directly

105
00:04:58,139 --> 00:05:00,540
into your server that was probably a lot

106
00:05:00,540 --> 00:05:03,360
better of an aid attack

107
00:05:03,360 --> 00:05:05,720
so like I'm picking on PHP

108
00:05:05,720 --> 00:05:07,400
IIS .NET

109
00:05:07,400 --> 00:05:09,960
nginx Apache all these different web

110
00:05:09,960 --> 00:05:12,180
servers in several languages

111
00:05:12,180 --> 00:05:14,940
they also have CVEs as well although

112
00:05:14,940 --> 00:05:16,919
nginx at present has very few of them at

113
00:05:16,919 --> 00:05:18,360
least based on my research if you have

114
00:05:18,360 --> 00:05:20,639
them differently let me know but

115
00:05:20,639 --> 00:05:22,979
so casual Googling got me to that uh

116
00:05:22,979 --> 00:05:25,758
that answer

117
00:05:26,340 --> 00:05:28,080
so I'm going to be uh reintroduce myself

118
00:05:28,080 --> 00:05:29,880
again now apparently for the third time

119
00:05:29,880 --> 00:05:31,500
I also built a site called

120
00:05:31,500 --> 00:05:33,080
headerinspector.com

121
00:05:33,080 --> 00:05:36,300
and I also like hearing ATMs

122
00:05:36,300 --> 00:05:37,740
I thought that was a clever photo for

123
00:05:37,740 --> 00:05:39,419
this

124
00:05:39,419 --> 00:05:41,100
it was actually pretty heavy and I

125
00:05:41,100 --> 00:05:44,300
didn't even have the safe on me

126
00:05:44,520 --> 00:05:46,199
so how do we inspect headers so the

127
00:05:46,199 --> 00:05:47,880
started out is for Rapid7 I was

128
00:05:47,880 --> 00:05:50,100
writing a blog on HTTP headers and I

129
00:05:50,100 --> 00:05:52,560
decided to write a script that would go

130
00:05:52,560 --> 00:05:55,020
and just pull out a bunch of headers and

131
00:05:55,020 --> 00:05:56,280
collect them and aggregate the

132
00:05:56,280 --> 00:05:57,539
information

133
00:05:57,539 --> 00:05:59,340
so that started up fine but then I

134
00:05:59,340 --> 00:06:00,720
realized this was actually kind of

135
00:06:00,720 --> 00:06:02,100
useful

136
00:06:02,100 --> 00:06:05,160
so first thing I did is I changed it so

137
00:06:05,160 --> 00:06:06,900
I was doing just a HEAD request

138
00:06:06,900 --> 00:06:08,400
what pulled out a bunch of sites

139
00:06:08,400 --> 00:06:10,380
realized that not everybody supports HEAD

140
00:06:10,380 --> 00:06:12,960
requests which return just headers

141
00:06:12,960 --> 00:06:15,539
I was hitting 405 406 and so on not

142
00:06:15,539 --> 00:06:17,280
implemented method not allowed things

143
00:06:17,280 --> 00:06:18,360
like that

144
00:06:18,360 --> 00:06:20,400
and so I ended up doing something to

145
00:06:20,400 --> 00:06:22,080
change it back to GET which increased

146
00:06:22,080 --> 00:06:23,400
how much data I was pulling down every

147
00:06:23,400 --> 00:06:25,139
time I had a site and stored everything

148
00:06:25,139 --> 00:06:27,780
in SQL

149
00:06:27,780 --> 00:06:29,400
thank you

150
00:06:29,400 --> 00:06:31,080
um the first scoring system I built if

151
00:06:31,080 --> 00:06:33,240
you had a header set I would give you a

152
00:06:33,240 --> 00:06:34,500
point if you didn't I would take a point

153
00:06:34,500 --> 00:06:35,639
away

154
00:06:35,639 --> 00:06:37,080
the problem with that is I was giving

155
00:06:37,080 --> 00:06:39,560
you a point if you had something like

156
00:06:39,560 --> 00:06:42,660
CSP headers set which is good I was

157
00:06:42,660 --> 00:06:44,220
taking away a point if you didn't have

158
00:06:44,220 --> 00:06:45,960
Cache-Control and those two are just not

159
00:06:45,960 --> 00:06:48,479
on the same tier at all CSP headers will

160
00:06:48,479 --> 00:06:49,560
get into what those are if you're not

161
00:06:49,560 --> 00:06:51,300
familiar already

162
00:06:51,300 --> 00:06:53,280
so I figured it into a weighted system

163
00:06:53,280 --> 00:06:55,560
so now I can say cookies are less

164
00:06:55,560 --> 00:06:58,560
important or no Cache-Control that's

165
00:06:58,560 --> 00:07:00,900
important and individual attributes

166
00:07:00,900 --> 00:07:03,539
carry a certain weight as well

167
00:07:03,539 --> 00:07:07,199
and who here has actually written PHP

168
00:07:07,199 --> 00:07:10,280
okay we're doing four or five people

169
00:07:10,280 --> 00:07:13,500
php.net docs how many times have you

170
00:07:13,500 --> 00:07:15,600
seen people do user land reinventions of

171
00:07:15,600 --> 00:07:17,160
the exact same thing like hey here's the

172
00:07:17,160 --> 00:07:18,660
echo function and here's my userland

173
00:07:18,660 --> 00:07:20,880
implementation of that

174
00:07:20,880 --> 00:07:23,460
everybody does it so I decided I was

175
00:07:23,460 --> 00:07:25,199
going to invent my own request Handler

176
00:07:25,199 --> 00:07:26,819
or browser a client or how you want to

177
00:07:26,819 --> 00:07:29,400
call that to go and pull down this

178
00:07:29,400 --> 00:07:31,740
information for people's sites

179
00:07:31,740 --> 00:07:34,740
that was a bad idea it was it was very

180
00:07:34,740 --> 00:07:36,479
problematic and so I ended up just

181
00:07:36,479 --> 00:07:38,160
moving to curl it was PHP's curl

182
00:07:38,160 --> 00:07:40,680
library to just go and pull things down

183
00:07:40,680 --> 00:07:43,380
also if you know PHP well enough

184
00:07:43,380 --> 00:07:45,240
um it's not very good at synchronous

185
00:07:45,240 --> 00:07:47,759
calls so pulling down sites I was doing

186
00:07:47,759 --> 00:07:50,460
one at a time or having multiple request

187
00:07:50,460 --> 00:07:54,318
handlers go and pull out this information

188
00:07:54,800 --> 00:07:57,780
I also modularized it so I made a nice

189
00:07:57,780 --> 00:08:00,300
little class instead of my giant

190
00:08:00,300 --> 00:08:02,880
procedural monolithic script I pounded

191
00:08:02,880 --> 00:08:04,919
out to get things done so I made it a

192
00:08:04,919 --> 00:08:06,240
little bit prettier

193
00:08:06,240 --> 00:08:08,039
where it stores the actual base it

194
00:08:08,039 --> 00:08:09,960
stores all the functions it handles all

195
00:08:09,960 --> 00:08:12,380
the output scoring output text messages

196
00:08:12,380 --> 00:08:14,880
so if you go and run it the messages

197
00:08:14,880 --> 00:08:16,199
are coming out of that code right there

198
00:08:16,199 --> 00:08:19,340
for cookies at least

199
00:08:19,740 --> 00:08:22,740
foreign

200
00:08:22,940 --> 00:08:25,979
Direction there we go

201
00:08:25,979 --> 00:08:27,720
so if you live in northern

202
00:08:27,720 --> 00:08:29,340
Illinois or maybe even talk to Wisconsin I

203
00:08:29,340 --> 00:08:31,860
have no idea how big com that is uh I

204
00:08:31,860 --> 00:08:34,020
used to set a couple of sites that I

205
00:08:34,020 --> 00:08:35,880
worked for X-Powered-By: ComEd I

206
00:08:35,880 --> 00:08:38,099
thought it was pretty clever so there is

207
00:08:38,099 --> 00:08:39,779
a billion dollar chicagoland-based

208
00:08:39,779 --> 00:08:41,700
company running X-Powered-By: ComEd

209
00:08:41,700 --> 00:08:44,099
inside of their headers on some pages

210
00:08:44,099 --> 00:08:46,760
not all of them

211
00:08:47,399 --> 00:08:49,860
so by the Numbers uh what I did is I

212
00:08:49,860 --> 00:08:51,320
went and

213
00:08:51,320 --> 00:08:54,420
aggregated the Moz top 500 which is pretty

214
00:08:54,420 --> 00:08:56,100
accurate pretty up to date

215
00:08:56,100 --> 00:08:58,740
and the Alexa top million of course you

216
00:08:58,740 --> 00:09:00,180
can't really get a current copy of that

217
00:09:00,180 --> 00:09:01,800
or at least I wasn't clever enough to so

218
00:09:01,800 --> 00:09:03,440
I went to GitHub found an old version

219
00:09:03,440 --> 00:09:07,500
and I ran that through my uh to my tool

220
00:09:07,500 --> 00:09:10,220
so I ran 675

221
00:09:10,220 --> 00:09:13,800
973 a number so you did reps

222
00:09:13,800 --> 00:09:16,200
uh found two bad languages we're talking

223
00:09:16,200 --> 00:09:19,080
profanities and the database was 14 gigs

224
00:09:19,080 --> 00:09:20,100
in size

225
00:09:20,100 --> 00:09:21,660
well I don't have to represent my house

226
00:09:21,660 --> 00:09:24,000
anymore because I I just I guess I'm not

227
00:09:24,000 --> 00:09:25,620
in that chair anymore so all this is in

228
00:09:25,620 --> 00:09:26,760
digital ocean

229
00:09:26,760 --> 00:09:29,640
and I crashed my uh droplet

230
00:09:29,640 --> 00:09:31,680
so I let this thing run overnight woke

231
00:09:31,680 --> 00:09:33,420
up in the morning my data was gone

232
00:09:33,420 --> 00:09:34,740
thankfully I already had everything

233
00:09:34,740 --> 00:09:36,480
pretty much backed up ready to go and I

234
00:09:36,480 --> 00:09:37,920
was able to restart it

235
00:09:37,920 --> 00:09:39,660
and expand the droplet but that was

236
00:09:39,660 --> 00:09:41,100
Learning lesson don't let things run

237
00:09:41,100 --> 00:09:42,480
overnight but just like grab things from

238
00:09:42,480 --> 00:09:44,459
the interwebs

239
00:09:44,459 --> 00:09:47,779
and it was very cheap droplet

240
00:09:48,300 --> 00:09:50,519
so what do I mean by bad languages

241
00:09:50,519 --> 00:09:53,459
we got some edgy ones in there some uh

242
00:09:53,459 --> 00:09:56,339
server and I don't know maybe they so if

243
00:09:56,339 --> 00:09:58,200
you look at uh

244
00:09:58,200 --> 00:10:00,060
some sites your request with

245
00:10:00,060 --> 00:10:02,160
DigitalOcean they'll see the AS where

246
00:10:02,160 --> 00:10:03,839
it's coming from and they'll just block

247
00:10:03,839 --> 00:10:05,040
it they're like hey I don't want you

248
00:10:05,040 --> 00:10:06,300
requesting my stuff because you're

249
00:10:06,300 --> 00:10:07,500
probably attacking me they're probably

250
00:10:07,500 --> 00:10:08,519
right

251
00:10:08,519 --> 00:10:10,440
so I'm guessing these response headers were

252
00:10:10,440 --> 00:10:12,300
put there as a response to them having

253
00:10:12,300 --> 00:10:14,640
malicious activity in the past I have no

254
00:10:14,640 --> 00:10:18,080
idea but it was entertaining nonetheless

255
00:10:20,459 --> 00:10:22,260
so just like nobody's streaking through

256
00:10:22,260 --> 00:10:23,519
the room right now although it would

257
00:10:23,519 --> 00:10:25,200
make my talk a lot more interesting

258
00:10:25,200 --> 00:10:27,440
interesting uh indecent exposure so

259
00:10:27,440 --> 00:10:30,959
93.42 percent of the websites I scanned

260
00:10:30,959 --> 00:10:32,820
these top million sites

261
00:10:32,820 --> 00:10:35,100
were exposing what server they're

262
00:10:35,100 --> 00:10:36,540
running

263
00:10:36,540 --> 00:10:38,700
so that's that's pretty high and it's

264
00:10:38,700 --> 00:10:41,160
also probably skewed for a few reasons

265
00:10:41,160 --> 00:10:43,380
one Apache does not let you remove the

266
00:10:43,380 --> 00:10:46,800
Server: Apache header

267
00:10:46,800 --> 00:10:49,740
so that's part one part two is that if

268
00:10:49,740 --> 00:10:51,360
the response says Cloudflare Cloudflare

269
00:10:51,360 --> 00:10:54,899
runs a lot of the web currently

270
00:10:54,899 --> 00:10:57,120
that is also counted as a server header

271
00:10:57,120 --> 00:10:58,680
I didn't go through and like pick this

272
00:10:58,680 --> 00:11:00,779
one should count this one should

273
00:11:00,779 --> 00:11:04,500
language version 34.28 percent of those were

274
00:11:04,500 --> 00:11:06,720
exposing what server software they are

275
00:11:06,720 --> 00:11:09,300
running so PHP .NET whatever else

276
00:11:09,300 --> 00:11:11,279
via X-Powered-By

277
00:11:11,279 --> 00:11:13,620
and finally the OS versions of Ubuntu

278
00:11:13,620 --> 00:11:15,420
windows or whatever else people use for

279
00:11:15,420 --> 00:11:20,100
computers uh is showing up 38.75 percent of the

280
00:11:20,100 --> 00:11:21,720
93 percent

281
00:11:21,720 --> 00:11:23,880
so I mean that's kind of a lot right I

282
00:11:23,880 --> 00:11:25,920
mean these are all large web

283
00:11:25,920 --> 00:11:27,120
applications sharing this information

284
00:11:27,120 --> 00:11:29,880
I'm not scanning geocities

285
00:11:29,880 --> 00:11:32,459
a couple left sorry

286
00:11:32,459 --> 00:11:34,860
this hair used to be full right here

287
00:11:34,860 --> 00:11:37,680
that's how old like geocities is

288
00:11:37,680 --> 00:11:39,720
um so I've seen CypherCon last night or

289
00:11:39,720 --> 00:11:42,360
the night before I think that a 44.29

290
00:11:42,360 --> 00:11:46,620
fail now is that a problem

291
00:11:46,620 --> 00:11:49,620
probably not I mean CypherCon doesn't host

292
00:11:49,620 --> 00:11:53,160
PCI HIPAA fur Bond much PII I mean the

293
00:11:53,160 --> 00:11:55,019
PII it does have is the speakers names

294
00:11:55,019 --> 00:11:57,300
and like I'm cool if you put my name in

295
00:11:57,300 --> 00:12:00,360
there so that's not that important now

296
00:12:00,360 --> 00:12:02,160
if you're Amazon account or your bank is

297
00:12:02,160 --> 00:12:04,560
sitting there without HSTS header set or

298
00:12:04,560 --> 00:12:08,239
similar that's probably an issue

299
00:12:09,959 --> 00:12:13,160
so what can we do about it

300
00:12:15,540 --> 00:12:18,300
you can suppress the headers

301
00:12:18,300 --> 00:12:20,820
so what you do is you tell Apache hey

302
00:12:20,820 --> 00:12:23,459
don't leak my server signature what that

303
00:12:23,459 --> 00:12:25,920
does it says okay cool your directory

304
00:12:25,920 --> 00:12:28,680
listing pages your 404 403 don't say

305
00:12:28,680 --> 00:12:32,579
Apache 2.4 Ubuntu 22.04 right

306
00:12:32,579 --> 00:12:35,040
you also tell PHP or the languages not

307
00:12:35,040 --> 00:12:38,339
to leak the X-Powered-By that's cool

308
00:12:38,339 --> 00:12:40,140
um fun fact I had to move this site

309
00:12:40,140 --> 00:12:41,640
around a couple times and up until a

310
00:12:41,640 --> 00:12:43,079
couple days ago I actually had directory

311
00:12:43,079 --> 00:12:45,600
indexing turned on on this box

312
00:12:45,600 --> 00:12:47,040
so you kind of like could have stolen my sweet

313
00:12:47,040 --> 00:12:48,600
images which are all pretty light and

314
00:12:48,600 --> 00:12:50,880
handcrafted but yeah that was uh that

315
00:12:50,880 --> 00:12:53,279
was a fun security finding if I own like

316
00:12:53,279 --> 00:12:55,320
what happens if I do take the file off

317
00:12:55,320 --> 00:12:57,720
and just look at that

318
00:12:57,720 --> 00:13:00,300
cool so uh Apache as I mentioned is a

319
00:13:00,300 --> 00:13:02,279
rule breaker the only way to remove

320
00:13:02,279 --> 00:13:06,180
Server: Apache out of the headers is to

321
00:13:06,180 --> 00:13:07,500
recompile it

322
00:13:07,500 --> 00:13:09,600
or if you run behind a reverse proxy or

323
00:13:09,600 --> 00:13:10,980
something else to mask it but then at

324
00:13:10,980 --> 00:13:12,060
that point is it really the direct

325
00:13:12,060 --> 00:13:14,040
server probably not

326
00:13:14,040 --> 00:13:16,440
uh IIS nginx

327
00:13:16,440 --> 00:13:18,420
any other server tend to allow you to

328
00:13:18,420 --> 00:13:21,920
remove it which is nice

329
00:13:24,120 --> 00:13:27,180
also headers are there to inform so

330
00:13:27,180 --> 00:13:30,120
whether it's HTTPS or not content

331
00:13:30,120 --> 00:13:33,120
sources referrer headers and frameability

332
00:13:33,120 --> 00:13:36,320
who knows that image

333
00:13:36,360 --> 00:13:37,920
all right all right we've got some two

334
00:13:37,920 --> 00:13:40,620
Framed Roger Rabbit I'm uh in my later

335
00:13:40,620 --> 00:13:42,720
30s and I still freak out think about

336
00:13:42,720 --> 00:13:45,000
the acid scene because what I'm talking

337
00:13:45,000 --> 00:13:47,339
about it's pretty rough and I think it

338
00:13:47,339 --> 00:13:50,420
was like four when I saw that

339
00:13:50,880 --> 00:13:52,380
all right so the first one this is

340
00:13:52,380 --> 00:13:53,820
probably one of the more boring ones so

341
00:13:53,820 --> 00:13:54,899
you're definitely familiar with this

342
00:13:54,899 --> 00:13:57,180
Cache-Control and Pragma these headers

343
00:13:57,180 --> 00:13:58,800
are from the 90s they've gone around

344
00:13:58,800 --> 00:14:00,180
forever

345
00:14:00,180 --> 00:14:01,620
um what this does it tells things

346
00:14:01,620 --> 00:14:04,500
between the web server serving it and

347
00:14:04,500 --> 00:14:07,260
you if it isn't how they should cache it

348
00:14:07,260 --> 00:14:08,880
for how long so for example when you

349
00:14:08,880 --> 00:14:11,220
make a request to a server there might

350
00:14:11,220 --> 00:14:13,560
be caching as part of that language or

351
00:14:13,560 --> 00:14:15,000
there might be something at the edge

352
00:14:15,000 --> 00:14:17,639
like HAProxy or some sort of caching

353
00:14:17,639 --> 00:14:20,040
uh proxy there right

354
00:14:20,040 --> 00:14:22,620
your ISP might have a proxy that caches

355
00:14:22,620 --> 00:14:24,180
that as well especially if it's AOL

356
00:14:24,180 --> 00:14:26,940
browser in about 2003. they used to do a

357
00:14:26,940 --> 00:14:29,339
lot of that back before https

358
00:14:29,339 --> 00:14:31,260
your local cache you might have Squid

359
00:14:31,260 --> 00:14:32,519
maybe you're in the middle of nowhere

360
00:14:32,519 --> 00:14:33,959
and you have HughesNet and you're just

361
00:14:33,959 --> 00:14:35,639
trying to cache all these images

362
00:14:35,639 --> 00:14:37,680
that way when you re-request them you're

363
00:14:37,680 --> 00:14:39,120
not requesting that logo a bunch of

364
00:14:39,120 --> 00:14:41,459
times it makes sense

365
00:14:41,459 --> 00:14:43,800
and finally your browser is cached

366
00:14:43,800 --> 00:14:46,500
so if we're trying to cache your banking

367
00:14:46,500 --> 00:14:47,820
information

368
00:14:47,820 --> 00:14:49,860
that's probably a bad thing we want you

369
00:14:49,860 --> 00:14:51,480
to make fresh requests every time you're

370
00:14:51,480 --> 00:14:52,980
looking for that information but if it's

371
00:14:52,980 --> 00:14:55,320
an image like a logo or whatever kind of

372
00:14:55,320 --> 00:14:57,300
images you might like on the internet it

373
00:14:57,300 --> 00:14:58,500
might be better to cache it so they

374
00:14:58,500 --> 00:15:01,220
search quicker

375
00:15:04,139 --> 00:15:06,959
another one is HSTS or HTTP Strict

376
00:15:06,959 --> 00:15:08,940
Transport Security so when you request a

377
00:15:08,940 --> 00:15:12,360
web application traditionally you hit

378
00:15:12,360 --> 00:15:14,699
port 80 whether you like it or not it

379
00:15:14,699 --> 00:15:17,339
goes to port 80 unless browsing such as I

380
00:15:17,339 --> 00:15:20,820
do differently that port 80 says hey we

381
00:15:20,820 --> 00:15:22,800
like security go to 443 now you're on

382
00:15:22,800 --> 00:15:25,459
the secure protocol https

383
00:15:25,459 --> 00:15:27,000
HSTS

384
00:15:27,000 --> 00:15:28,620
something nice where it informs a

385
00:15:28,620 --> 00:15:30,240
browser I don't ever want you to support

386
00:15:30,240 --> 00:15:33,720
the HTTP request for this duration of

387
00:15:33,720 --> 00:15:34,800
time

388
00:15:34,800 --> 00:15:36,600
so let's get a look at what that looks

389
00:15:36,600 --> 00:15:39,120
like that's a typical nice header that's

390
00:15:39,120 --> 00:15:41,760
my header that's why I call it nice

391
00:15:41,760 --> 00:15:44,220
um max-age is in seconds and

392
00:15:44,220 --> 00:15:47,399
sets two years so for two years from the

393
00:15:47,399 --> 00:15:49,440
last request I can't change my site to

394
00:15:49,440 --> 00:15:52,620
http which is cool because I really

395
00:15:52,620 --> 00:15:55,639
don't plan on changing that

396
00:15:55,860 --> 00:15:57,500
um I also includeSubDomains so

397
00:15:57,500 --> 00:15:59,760
www.headerinspector headerinspector

398
00:15:59,760 --> 00:16:02,040
psych.com whatever else it is are all

399
00:16:02,040 --> 00:16:04,680
encompassed in this HSTS setting

400
00:16:04,680 --> 00:16:06,300
and we do pre-loading so I'm going to

401
00:16:06,300 --> 00:16:07,560
jump back aside to the one with the

402
00:16:07,560 --> 00:16:08,699
image

403
00:16:08,699 --> 00:16:10,459
that's

404
00:16:10,459 --> 00:16:12,899
hstspreload.org so Google runs that and

405
00:16:12,899 --> 00:16:14,339
what that does is it allows you to

406
00:16:14,339 --> 00:16:15,720
pre-load

407
00:16:15,720 --> 00:16:17,459
and hard code

408
00:16:17,459 --> 00:16:20,399
your site into a list that they'll use

409
00:16:20,399 --> 00:16:23,399
when you're looking for https sites

410
00:16:23,399 --> 00:16:25,500
so that's cool because now they know

411
00:16:25,500 --> 00:16:27,360
right off the bat as soon as you get a

412
00:16:27,360 --> 00:16:30,620
request it's already secure

413
00:16:33,899 --> 00:16:36,060
content security policy this one's huge

414
00:16:36,060 --> 00:16:38,839
this one replaces a lot of older ones

415
00:16:38,839 --> 00:16:41,519
X-XSS-Protection if you guys remember that

416
00:16:41,519 --> 00:16:42,600
one that was kind of an Internet

417
00:16:42,600 --> 00:16:45,420
Explorer-esque one

418
00:16:45,420 --> 00:16:47,279
um what this does it says can I inline

419
00:16:47,279 --> 00:16:48,660
my script so if you're familiar with how

420
00:16:48,660 --> 00:16:50,699
a cross-site scripting attack works a

421
00:16:50,699 --> 00:16:51,959
lot of times you'll start the URL bar

422
00:16:51,959 --> 00:16:54,720
and it will affect the pages style sheet

423
00:16:54,720 --> 00:16:57,360
or JavaScript or something similar to

424
00:16:57,360 --> 00:16:59,459
allow cookies after whatever else you're

425
00:16:59,459 --> 00:17:00,959
going for

426
00:17:00,959 --> 00:17:03,480
if you tell that I can inline code

427
00:17:03,480 --> 00:17:06,240
through the CSP that's going to fix that

428
00:17:06,240 --> 00:17:08,040
problem for you

429
00:17:08,040 --> 00:17:10,140
you can also specify what sources it

430
00:17:10,140 --> 00:17:11,699
comes from so for example if I'm using

431
00:17:11,699 --> 00:17:13,559
Google fonts

432
00:17:13,559 --> 00:17:15,480
you can specify that here if I'm not

433
00:17:15,480 --> 00:17:17,699
we'll do in one of the third parties you

434
00:17:17,699 --> 00:17:19,319
use Google fonts probably not important

435
00:17:19,319 --> 00:17:21,419
but if they're saying Bob's evilsite.com

436
00:17:21,419 --> 00:17:24,299
which I don't know and then hosting a

437
00:17:24,299 --> 00:17:28,199
bad font there I can inject that I don't

438
00:17:28,199 --> 00:17:29,460
know I don't know what attack vectors

439
00:17:29,460 --> 00:17:31,020
exist we have fonts but I'm sure they

440
00:17:31,020 --> 00:17:34,140
exist because computers

441
00:17:34,140 --> 00:17:35,880
um let's see what else

442
00:17:35,880 --> 00:17:38,520
so you have options for blocking which

443
00:17:38,520 --> 00:17:40,860
means if this if there's a violation of

444
00:17:40,860 --> 00:17:43,260
your CSP it will block that request so

445
00:17:43,260 --> 00:17:45,360
if I'm trying to go off site to get a

446
00:17:45,360 --> 00:17:47,220
font or an image or a script or a style

447
00:17:47,220 --> 00:17:48,299
sheet

448
00:17:48,299 --> 00:17:51,500
it will just block that

449
00:17:52,740 --> 00:17:54,240
I'm jumping a little ahead in my head

450
00:17:54,240 --> 00:17:55,020
here

451
00:17:55,020 --> 00:17:56,820
um

452
00:17:56,820 --> 00:17:59,100
which is certainly helpful it's

453
00:17:59,100 --> 00:18:00,660
difficult for me to 100% inspect though

454
00:18:00,660 --> 00:18:03,539
so my site doesn't go very far into that

455
00:18:03,539 --> 00:18:05,700
because how do I know what resources

456
00:18:05,700 --> 00:18:07,559
your site needs unless I literally call

457
00:18:07,559 --> 00:18:09,480
crawl your entire site at that point like I

458
00:18:09,480 --> 00:18:11,220
don't know the laws I don't have time to

459
00:18:11,220 --> 00:18:12,600
build a crawler that's going to do all

460
00:18:12,600 --> 00:18:14,220
of that information

461
00:18:14,220 --> 00:18:15,720
and give away for free because the

462
00:18:15,720 --> 00:18:16,919
site's free like I'm not trying to make

463
00:18:16,919 --> 00:18:19,100
money

464
00:18:20,100 --> 00:18:22,380
so here's Facebook's content security

465
00:18:22,380 --> 00:18:25,140
policy that's kind of a wreck

466
00:18:25,140 --> 00:18:26,940
but it works you can see inside there I

467
00:18:26,940 --> 00:18:29,940
used different colors the default Source

468
00:18:29,940 --> 00:18:32,520
says I don't care what type of request

469
00:18:32,520 --> 00:18:34,380
it is these are safe domains so Facebook

470
00:18:34,380 --> 00:18:37,260
fbcdn whatever else

471
00:18:37,260 --> 00:18:39,660
images are a little bit smaller uh

472
00:18:39,660 --> 00:18:41,600
you'll see in we've got images connect

473
00:18:41,600 --> 00:18:45,660
connect is for XMLHttpRequest and

474
00:18:45,660 --> 00:18:47,880
similar or if you're using uh whatever

475
00:18:47,880 --> 00:18:50,039
jQuery uses to do requests I'm drawing

476
00:18:50,039 --> 00:18:51,600
a blank right now but it helps

477
00:18:51,600 --> 00:18:53,280
suggest where that is allowed to connect

478
00:18:53,280 --> 00:18:55,520
to

479
00:18:56,580 --> 00:18:58,559
Content-Security-Policy-Report-Only

480
00:18:58,559 --> 00:19:00,840
naturally just knocks on you right it

481
00:19:00,840 --> 00:19:02,640
doesn't actually stop the attack

482
00:19:02,640 --> 00:19:04,380
so if your organization is trying to

483
00:19:04,380 --> 00:19:07,440
roll out CSP headers and you are very

484
00:19:07,440 --> 00:19:08,940
opinionated about how you roll it up but

485
00:19:08,940 --> 00:19:10,140
you don't know your application well

486
00:19:10,140 --> 00:19:12,539
it's just been a break for people

487
00:19:12,539 --> 00:19:14,280
you put it in report only it's going to

488
00:19:14,280 --> 00:19:16,320
take a nice JSON blob, lob it over the

489
00:19:16,320 --> 00:19:18,720
fence to a URL that you specify you

490
00:19:18,720 --> 00:19:21,240
could track that and then use that to

491
00:19:21,240 --> 00:19:22,799
later on

492
00:19:22,799 --> 00:19:24,539
go through and say Hey you know I need

493
00:19:24,539 --> 00:19:26,280
to adjust or add these domains or I keep

494
00:19:26,280 --> 00:19:28,140
on getting attacked by this IP or whatever

495
00:19:28,140 --> 00:19:30,740
it might be

496
00:19:32,880 --> 00:19:34,740
X-Frame-Options so a little fun

497
00:19:34,740 --> 00:19:36,960
backstory back a long time ago I decided

498
00:19:36,960 --> 00:19:39,120
to make an in-browser operating system

499
00:19:39,120 --> 00:19:40,679
which we all know is just kind of a joke

500
00:19:40,679 --> 00:19:43,260
especially with JavaScript assembly

501
00:19:43,260 --> 00:19:45,000
there's probably something you can do I

502
00:19:45,000 --> 00:19:46,980
quite literally made a text editor with

503
00:19:46,980 --> 00:19:49,260
the text area I made a calculator and I

504
00:19:49,260 --> 00:19:52,380
made a browser with a frame and a little

505
00:19:52,380 --> 00:19:54,240
input box

506
00:19:54,240 --> 00:19:56,820
and I realized that I could go and hit

507
00:19:56,820 --> 00:19:58,559
all these GeoCities sites no problem they

508
00:19:58,559 --> 00:19:59,580
would get framed in my little web

509
00:19:59,580 --> 00:20:01,620
browser no problem but what I couldn't

510
00:20:01,620 --> 00:20:03,539
do is Google I couldn't figure out why I

511
00:20:03,539 --> 00:20:05,100
can't type google.com and pull up in my

512
00:20:05,100 --> 00:20:07,320
fake little browser well back then

513
00:20:07,320 --> 00:20:08,760
Google was setting it where you could

514
00:20:08,760 --> 00:20:10,679
not frame their site

515
00:20:10,679 --> 00:20:12,179
so when you frame a site what you could

516
00:20:12,179 --> 00:20:13,919
potentially do is use absolute

517
00:20:13,919 --> 00:20:16,320
positioning of elements to put input

518
00:20:16,320 --> 00:20:19,020
boxes over the top of login elements

519
00:20:19,020 --> 00:20:21,480
so if somebody is trying to it's called

520
00:20:21,480 --> 00:20:23,940
click jacking right if you go in there

521
00:20:23,940 --> 00:20:25,620
and try to log into a site you're like

522
00:20:25,620 --> 00:20:26,820
oh cool this looks like the default

523
00:20:26,820 --> 00:20:28,799
login but it goes to my site

524
00:20:28,799 --> 00:20:32,160
that's a problem so you have two options

525
00:20:32,160 --> 00:20:34,200
for X-Frame-Options

526
00:20:34,200 --> 00:20:35,760
you have deny and you have the same

527
00:20:35,760 --> 00:20:37,919
origin deny means nobody could frame it

528
00:20:37,919 --> 00:20:39,059
that's probably what you're going to use

529
00:20:39,059 --> 00:20:42,059
unless it's you know 20 years ago

530
00:20:42,059 --> 00:20:43,799
or you have same origin meaning your

531
00:20:43,799 --> 00:20:45,419
site can

532
00:20:45,419 --> 00:20:46,860
frame it but if you don't have that

533
00:20:46,860 --> 00:20:48,120
set at all everybody can frame your

534
00:20:48,120 --> 00:20:50,299
site

535
00:20:50,760 --> 00:20:52,440
something else that I mentioned in a

536
00:20:52,440 --> 00:20:53,940
previous slide

537
00:20:53,940 --> 00:20:58,020
RFC 6648 says to drop the X

538
00:20:58,020 --> 00:21:00,720
prefix from non-standard headers

539
00:21:00,720 --> 00:21:03,600
because standards are like the xkcd

540
00:21:03,600 --> 00:21:05,880
uh cartoon

541
00:21:05,880 --> 00:21:07,860
we have technical debt versus a best

542
00:21:07,860 --> 00:21:09,780
practice of problems so this header

543
00:21:09,780 --> 00:21:11,700
still has an X before even though since

544
00:21:11,700 --> 00:21:16,460
2012 they said to drop the X on it

545
00:21:16,919 --> 00:21:19,620
Referrer-Policy so this one is interesting

546
00:21:19,620 --> 00:21:21,000
because traditionally what you would do

547
00:21:21,000 --> 00:21:23,460
is you would go to a website click a

548
00:21:23,460 --> 00:21:25,200
link so think in terms of forums or

549
00:21:25,200 --> 00:21:27,419
Facebook or whatever and it will go to

550
00:21:27,419 --> 00:21:29,280
another site and it will share where you

551
00:21:29,280 --> 00:21:31,200
just came from

552
00:21:31,200 --> 00:21:33,720
if you're on Dodge bank.com forward

553
00:21:33,720 --> 00:21:35,760
slash account number and then I decided

554
00:21:35,760 --> 00:21:37,919
to click off there to go somewhere else

555
00:21:37,919 --> 00:21:39,659
they would theoretically have your

556
00:21:39,659 --> 00:21:41,460
account number now there are some

557
00:21:41,460 --> 00:21:42,900
exceptions there but if it was going

558
00:21:42,900 --> 00:21:45,179
from the https site to http or to

559
00:21:45,179 --> 00:21:47,039
another https it would not send those

560
00:21:47,039 --> 00:21:48,659
headers over which is

561
00:21:48,659 --> 00:21:50,520
nice

562
00:21:50,520 --> 00:21:52,140
nowadays you can actually be a bit

563
00:21:52,140 --> 00:21:55,380
opinionated on it so no referrer says I

564
00:21:55,380 --> 00:21:57,539
don't care nobody should suddenly refer

565
00:21:57,539 --> 00:21:59,940
from my site to anywhere else

566
00:21:59,940 --> 00:22:01,380
a lot of people build security

567
00:22:01,380 --> 00:22:03,299
applications and say oh my check refer

568
00:22:03,299 --> 00:22:04,740
and make sure this request came from my

569
00:22:04,740 --> 00:22:06,600
domain you want to use like cross-site

570
00:22:06,600 --> 00:22:08,760
request forgery tokens for that you

571
00:22:08,760 --> 00:22:09,960
don't want to use headers because

572
00:22:09,960 --> 00:22:13,559
they're pretty simple to spoof

573
00:22:13,559 --> 00:22:15,120
um you can set strict-origin-when-

574
00:22:15,120 --> 00:22:16,740
cross-origin that's not only a mouthful

575
00:22:16,740 --> 00:22:18,000
I think it's about a terabyte to send

576
00:22:18,000 --> 00:22:20,940
over the wire but it's still shorter

577
00:22:20,940 --> 00:22:23,340
than the content security policy

578
00:22:23,340 --> 00:22:26,039
but this is a default setting today so

579
00:22:26,039 --> 00:22:28,020
don't send it to a protocol that is less

580
00:22:28,020 --> 00:22:30,000
secure than the one you're currently on

581
00:22:30,000 --> 00:22:33,720
so https down to http

582
00:22:33,720 --> 00:22:36,299
and finally unsafe-url so just like

583
00:22:36,299 --> 00:22:38,880
PHP we got to have a very unsafe

584
00:22:38,880 --> 00:22:42,059
dangerous option LOL security it's got

585
00:22:42,059 --> 00:22:43,799
like Oprah with headers you get a header

586
00:22:43,799 --> 00:22:45,299
if you get a header and you know it just

587
00:22:45,299 --> 00:22:47,700
pans out to everybody

588
00:22:47,700 --> 00:22:49,880
Permissions

589
00:22:50,600 --> 00:22:53,280
policy so I just came across this site

590
00:22:53,280 --> 00:22:55,799
last night when I was bird watching

591
00:22:55,799 --> 00:22:57,900
it's a bad joke

592
00:22:57,900 --> 00:22:59,820
um controls what features your site

593
00:22:59,820 --> 00:23:01,440
actually needs to use when you use it

594
00:23:01,440 --> 00:23:04,260
right the permissionspolicy.com site

595
00:23:04,260 --> 00:23:05,820
actually does a great job of building a

596
00:23:05,820 --> 00:23:07,200
permissions policy so if your site

597
00:23:07,200 --> 00:23:09,299
doesn't need to access my camera

598
00:23:09,299 --> 00:23:11,220
you can specify that inside of the

599
00:23:11,220 --> 00:23:12,179
headers

600
00:23:12,179 --> 00:23:14,760
then when later somebody is attacking

601
00:23:14,760 --> 00:23:15,900
your site or doing something to your

602
00:23:15,900 --> 00:23:18,059
site to manipulate what it's requesting

603
00:23:18,059 --> 00:23:20,100
the headers already specified they can't

604
00:23:20,100 --> 00:23:22,140
go and exceed it, look for GPS locations

605
00:23:22,140 --> 00:23:23,520
or cameras or whatever else your site

606
00:23:23,520 --> 00:23:26,059
May request

607
00:23:27,299 --> 00:23:29,820
so this one will say hey accelerometer

608
00:23:29,820 --> 00:23:31,679
autoplay and battery, autoplay for

609
00:23:31,679 --> 00:23:34,860
some content types you are allowed to be

610
00:23:34,860 --> 00:23:37,080
used by the site however the camera is

611
00:23:37,080 --> 00:23:38,340
not allowed

612
00:23:38,340 --> 00:23:40,320
now Facebook metaverse Instagram

613
00:23:40,320 --> 00:23:43,020
whatever they call it today

614
00:23:43,020 --> 00:23:44,940
um likes access cameras regardless I'm

615
00:23:44,940 --> 00:23:46,380
sure that they probably allowed their

616
00:23:46,380 --> 00:23:49,679
permissions policy if they have one but

617
00:23:49,679 --> 00:23:52,880
that's what that one's for

618
00:23:53,400 --> 00:23:55,919
all right so useful header attributes so

619
00:23:55,919 --> 00:23:59,100
I talked primarily about just headers

620
00:23:59,100 --> 00:24:00,480
now when you think in terms of cookies

621
00:24:00,480 --> 00:24:02,400
there are three attributes inside of

622
00:24:02,400 --> 00:24:06,059
every cookie: expires, value and

623
00:24:06,059 --> 00:24:07,980
key right

624
00:24:07,980 --> 00:24:10,919
first one is HTTP only

625
00:24:10,919 --> 00:24:13,020
that one is a weird name because

626
00:24:13,020 --> 00:24:14,640
you think like who's going to use HTTP

627
00:24:14,640 --> 00:24:16,740
only cookies

628
00:24:16,740 --> 00:24:19,740
that does allow https as well I should

629
00:24:19,740 --> 00:24:21,299
be clear about that what that doesn't

630
00:24:21,299 --> 00:24:24,299
allow you to do is document.cookie to go

631
00:24:24,299 --> 00:24:26,280
and pull a cookie out of a browser so it

632
00:24:26,280 --> 00:24:28,260
enforces that is only sent across HTTP

633
00:24:28,260 --> 00:24:29,880
protocol

634
00:24:29,880 --> 00:24:32,580
not a not through JavaScript that helps

635
00:24:32,580 --> 00:24:34,799
with cross-site

636
00:24:34,799 --> 00:24:36,900
scripting where people are trying to

637
00:24:36,900 --> 00:24:39,320
steal cookies

638
00:24:39,539 --> 00:24:42,360
the next one is secure that one is https

639
00:24:42,360 --> 00:24:44,159
only which they don't call it that it's

640
00:24:44,159 --> 00:24:47,220
called secure because standards

641
00:24:47,220 --> 00:24:49,080
so this one will only allow your cookie

642
00:24:49,080 --> 00:24:51,960
to be transmitted over https so if some

643
00:24:51,960 --> 00:24:53,700
parts of your web application are HTTP

644
00:24:53,700 --> 00:24:56,159
for example if you have a good old mixed

645
00:24:56,159 --> 00:24:58,320
content or the site is secure but you

646
00:24:58,320 --> 00:24:59,600
have an image that isn't secure

647
00:24:59,600 --> 00:25:01,679
traditionally that cookie would have

648
00:25:01,679 --> 00:25:03,539
been sent along with that and for if

649
00:25:03,539 --> 00:25:05,280
anybody doesn't know what a cookie is or

650
00:25:05,280 --> 00:25:06,960
session is is basically your driver's

651
00:25:06,960 --> 00:25:09,299
license from the interwebs so I can send

652
00:25:09,299 --> 00:25:11,640
along somebody can identify you as your

653
00:25:11,640 --> 00:25:13,260
current session or state within the

654
00:25:13,260 --> 00:25:14,280
application

655
00:25:14,280 --> 00:25:16,200
so that's kind of a problem because if I

656
00:25:16,200 --> 00:25:19,020
could post an image to a site and pull

657
00:25:19,020 --> 00:25:21,600
your cookie and your cookie is transmitted

658
00:25:21,600 --> 00:25:24,360
as part of that I could potentially get

659
00:25:24,360 --> 00:25:26,640
into your account

660
00:25:26,640 --> 00:25:28,440
and finally the same site this one's

661
00:25:28,440 --> 00:25:31,320
newer it's not used as often what that

662
00:25:31,320 --> 00:25:33,059
does is it controls how cookies are

663
00:25:33,059 --> 00:25:35,460
propagated between requests

664
00:25:35,460 --> 00:25:37,860
so if I'm going from Bob's Bank to Bob's

665
00:25:37,860 --> 00:25:38,820
Bank

666
00:25:38,820 --> 00:25:40,740
that cookie is going to persist when I

667
00:25:40,740 --> 00:25:42,539
land on that second page

668
00:25:42,539 --> 00:25:45,779
if I'm going from Bob's evil Bank to

669
00:25:45,779 --> 00:25:47,279
Bob's Bank

670
00:25:47,279 --> 00:25:49,260
and I have SameSite set to strict

671
00:25:49,260 --> 00:25:50,700
what will happen is it will actually

672
00:25:50,700 --> 00:25:52,620
remove those cookies so it will be set

673
00:25:52,620 --> 00:25:55,320
to a not logged in page

674
00:25:55,320 --> 00:25:58,760
any questions on that so far

675
00:25:59,039 --> 00:26:00,600
I'm getting towards the end so you start

676
00:26:00,600 --> 00:26:03,900
thinking about questions okay

677
00:26:03,900 --> 00:26:07,039
difficult ones too

678
00:26:07,440 --> 00:26:09,299
so what's next what am I going to what

679
00:26:09,299 --> 00:26:10,860
am I planning for the future of this it

680
00:26:10,860 --> 00:26:12,600
has been stagnating for a little while

681
00:26:12,600 --> 00:26:14,400
now

682
00:26:14,400 --> 00:26:15,659
um it has

683
00:26:15,659 --> 00:26:17,400
been saying for about two years but I

684
00:26:17,400 --> 00:26:19,440
want to build in an API it already has a

685
00:26:19,440 --> 00:26:21,059
fully functional API under the sheets I

686
00:26:21,059 --> 00:26:23,299
just neglected to do Swagger docs for it

687
00:26:23,299 --> 00:26:25,020
anybody who works with security

688
00:26:25,020 --> 00:26:27,179
orchestration or automates things which

689
00:26:27,179 --> 00:26:28,860
is probably everybody who's a developer

690
00:26:28,860 --> 00:26:31,020
probably some security folks

691
00:26:31,020 --> 00:26:33,659
probably a lot if I do folks you could

692
00:26:33,659 --> 00:26:35,340
send automatic requests and just pull

693
00:26:35,340 --> 00:26:36,900
this thing continuously or anytime you

694
00:26:36,900 --> 00:26:38,940
do deployment and go and check and see

695
00:26:38,940 --> 00:26:40,679
how are our headers if we forget

696
00:26:40,679 --> 00:26:41,820
something do we forget to turn off

697
00:26:41,820 --> 00:26:45,620
directory indexing like I did in mine

698
00:26:45,779 --> 00:26:46,860
um what else

699
00:26:46,860 --> 00:26:48,419
so it's getting beyond the base host

700
00:26:48,419 --> 00:26:51,539
what it is if you post a request to this

701
00:26:51,539 --> 00:26:53,159
it doesn't check the URL you've given it

702
00:26:53,159 --> 00:26:56,159
goes to the base host requests that and

703
00:26:56,159 --> 00:26:59,640
checks those headers it was easier to

704
00:26:59,640 --> 00:27:02,400
basically contain the flow of where we

705
00:27:02,400 --> 00:27:04,679
were going so if I wanted to see okay

706
00:27:04,679 --> 00:27:06,240
every time you make a request your score

707
00:27:06,240 --> 00:27:07,679
gradually goes up which you would be

708
00:27:07,679 --> 00:27:08,700
surprised at how often that actually

709
00:27:08,700 --> 00:27:10,080
happens and people actually use this as

710
00:27:10,080 --> 00:27:12,299
a tool to fix things

711
00:27:12,299 --> 00:27:13,980
um I can check that if I'm getting a

712
00:27:13,980 --> 00:27:15,600
bunch of random URLs you might be

713
00:27:15,600 --> 00:27:17,340
handling different parts or subdomains

714
00:27:17,340 --> 00:27:18,840
or scripts on your site differently

715
00:27:18,840 --> 00:27:21,179
which would impact results

716
00:27:21,179 --> 00:27:22,980
also does this support any sort of

717
00:27:22,980 --> 00:27:24,539
internal requests currently I might make

718
00:27:24,539 --> 00:27:27,059
a Chrome extension I might not but

719
00:27:27,059 --> 00:27:29,220
right now if you have inter or company

720
00:27:29,220 --> 00:27:31,919
dot local I can't get to that because

721
00:27:31,919 --> 00:27:33,600
it's not facing the internet unless you

722
00:27:33,600 --> 00:27:35,340
like I don't know want me to come visit

723
00:27:35,340 --> 00:27:37,799
you on your VPN

724
00:27:37,799 --> 00:27:39,900
you probably don't want that either

725
00:27:39,900 --> 00:27:42,299
um I won't go much beyond the header

726
00:27:42,299 --> 00:27:43,620
inspection with it because there are DAST

727
00:27:43,620 --> 00:27:45,419
tools, my company Rapid7, I'm not

728
00:27:45,419 --> 00:27:46,980
spamming but they make a pretty good

729
00:27:46,980 --> 00:27:49,260
DAST tool themselves

730
00:27:49,260 --> 00:27:52,740
so uh you can always dig into that

731
00:27:52,740 --> 00:27:54,600
and finally better to find permissions

732
00:27:54,600 --> 00:27:56,039
policy so I feel like we could probably

733
00:27:56,039 --> 00:27:57,539
do a lot more work with that already

734
00:27:57,539 --> 00:27:58,980
instead of just saying you have it it's

735
00:27:58,980 --> 00:28:00,480
great and move on

736
00:28:00,480 --> 00:28:02,460
but it falls into the same category as

737
00:28:02,460 --> 00:28:04,080
content security policy where it's kind

738
00:28:04,080 --> 00:28:05,820
of hard to check

739
00:28:05,820 --> 00:28:07,440
what you're actually using with a new

740
00:28:07,440 --> 00:28:09,179
robot application if you don't specify

741
00:28:09,179 --> 00:28:11,039
it

742
00:28:11,039 --> 00:28:13,700
Chicago

743
00:28:15,600 --> 00:28:17,279
might be a little quick be a little

744
00:28:17,279 --> 00:28:18,659
quick but

745
00:28:18,659 --> 00:28:21,120
cool any questions

746
00:28:21,120 --> 00:28:23,039
any thoughts anybody want to make fun of

747
00:28:23,039 --> 00:28:24,860
PHP with me

748
00:28:24,860 --> 00:28:28,320
I love it by the way

749
00:28:28,320 --> 00:28:31,260
that's not even one it's because it's

750
00:28:31,260 --> 00:28:32,520
lunch

751
00:28:32,520 --> 00:28:34,200
it's doing you got to show up to my talk

752
00:28:34,200 --> 00:28:36,320
well I appreciate that

753
00:28:36,320 --> 00:28:38,880
there's no extra questions or anything

754
00:28:38,880 --> 00:28:41,100
else that's pretty much all I have on

755
00:28:41,100 --> 00:28:44,240
headers for today

756
00:28:46,760 --> 00:28:49,879
thank you

757
00:29:13,400 --> 00:29:16,700
right here


