Coding Blocks - PagerDuty’s Security Training for Engineers, Penultimate
Episode Date: January 18, 2022
We're pretty sure we're almost done and we're definitely all present for the recording as we continue discussing PagerDuty's Security Training, while Allen won't fall for it, Joe takes the show to a d...ark place, and Michael knows obscure, um, stuff.
Transcript
You're listening to Coding Blocks, episode 176.
Subscribe to us on iTunes, Spotify, Stitcher, wherever you like to find your podcasts.
Man, I hope we're there after all this.
It's been like eight years.
I hope we're there.
Let's put it that way.
It's been a minute.
I hope.
Yeah.
And you can visit us at codingblocks.net where you can find our show notes, examples, discussions,
and more.
Send your feedback, questions, and rants to comments at codingblocks.net.
And do you like the Birdie site?
The one that you can do when you're like,
I don't know, just sitting
around wanting to waste time on it.
I don't know. I don't know.
When do people use Twitter? I don't know. I use
it too much. Anyway, if you like to use
Twitter, like I like to use Twitter, you like
LittleBlueBird, you can follow us on Twitter
at CodingBlocks. I forget what we're doing now.
We have a website that we can find all our
other links to
other apps at the top of the page.
I'm Joe Zack.
They're called dillies, I thought.
Oh, that's what it was.
That's okay. That's why it felt weird.
I'm Michael Outlaw.
This is our first time recording.
I'm Allen Underwood.
This episode is sponsored by Datadog, the cloud-scale monitoring and analytics platform for end-to-end visibility into modern applications.
And Linode.
Simplify your infrastructure and cut your cloud bills in half with Linode's Linux virtual machines.
And Shortcut, formerly known as Clubhouse.
You shouldn't have to project manage your project management.
All right. So, uh, we're back to, uh, talk about PagerDuty security training. So, you know, I think we'll definitely, definitely, I promise we're going to wrap it up this next episode.
I like what you did there.
All right.
And so as we like to do,
we like to say thank you to those
who left us a new review.
And so we got one.
It's going to be really difficult,
so bear with me.
There's a lot of vowels and consonants in this one.
You can say this nickname.
Thank you.
I have a feeling this was made specifically for Mike.
I had a feeling like they wanted me to be the one to read that one.
Yeah, definitely.
Yeah.
You know, I thought about something, too.
At the top, when I mentioned we've been doing this for eight years,
should we start planning now for like what we'll do
for like the 10 year anniversary
do we need to like you know go
ahead and start planning that out now and it'd be
like how we're getting through this pager duty
you know like eventually we'll be like okay now we're done
That five-year anniversary show kicked my butt, though. I don't know if I can handle it.
Did we have a five-year?
Dude, what?
Oh my gosh.
He's messing with me.
Wow, I thought it kicked my butt.
I remember the 100 one.
I remember that being like a big milestone.
We're coming up on 200.
We'll get there by like 2023 or something.
Yeah, it's definitely not this year.
No.
But you know what is this year?
It's that way.
This year is the Game Jam.
Again, coming up January 21st to 24th.
It's coming up real quick.
If you were listening to the episode the day it drops,
you got a couple days to sign up.
Go do it.
It's going to be amazing. And would you guys like to be the first to hear the first?
Well, I guess it depends on you.
Anyway, it doesn't matter.
Would you like to hear the five themes that we're looking at?
I would like to be the first to hear the top five themes.
And if I'm not the first, then let's just move on.
Okay.
Well, I don't know.
I'm so confused.
You know, I got up too early today.
But I won't.
That sounds like a you problem.
Why are you making it my problem?
Yeah, it's everybody's problem when I don't get enough sleep, unfortunately. Why am I such a jerk tonight?
Well, do you remember, do you remember how we picked the theme last time?
We did on Twitch. I don't remember either, but we did on Twitch, uh, like at basically midnight as soon as the jam opened up. But we picked the final theme and said go.
Did we? And yeah, no, that didn't happen.
Yeah, okay. Well, that's what we're gonna do this year, so you're ready. And, uh, what we did is, uh, we brought it down to five themes, and so the voting for these has just ended by the time you're listening to this.
And these are the top five in no particular order.
So the final game jam theme is going to be one of these.
Failure is the option.
Oh,
nice.
A link to the somewhere.
That was cool.
Trust.
Nothing.
Love it.
Can't stop.
And it's following me.
Oh,
it likes all those.
Yeah.
Yeah.
It's great.
There are a lot of good ones that just barely missed it.
I think I voted for at least half of those.
Yeah.
Good.
I don't think I did for any of them.
I don't remember.
Yeah.
I like them.
I mean, Alan only
just voted an hour ago, so
all of his votes are still fresh on his mind.
That's right.
I never said
I was not a procrastinator.
Hey, we'll have the link to
that game jam. This is your first jam.
Perfect one. Sign up. Try it.
If you only have an hour, you can find something. Make a little text adventure. Um, find some sort of existing framework and pop your own text into it. Last year we talked about like Cookie Clicker has a framework where you can kind of take it and modify their stuff. There's a couple other like text adventures you can start with, a Unity tutorial and branch off. Um, you know, there's options if you don't have a lot of time, or if you want to, um, call in sick to work and do it for 24 hours a day like I'm gonna do, uh, then you could do that too. Whatever you want to do, it's all good. It's all gravy.
All right, are we streaming on Twitch? Are we doing YouTube? What's, what's the plan?
Oh, that's a good question. I was gonna do Twitch. Now I'm questioning things.
I always question things. All right, can I vote again on these, uh, these top five? Because I don't see that yet.
Yeah, if you haven't voted yet. You want the link?
No, no. Should there be like a new vote for the, of those five?
Oh no, so the last five, we pull a random. Oh, it's just gonna be... Okay, yep. So now these are the five, so you know what to kind of, you know, get your brain going on. It's going to be one of these five, and then we'll finally pick it.
And then, oh wait, so the voting didn't matter?
No, no, it did. So we started with like almost 50 themes. We did a round of voting. We cut it down to half. And then now we've, we're going from like 15 or so down to five.
Okay.
The final one.
And these are all submitted.
You know,
I should,
uh,
I should have told you who submitted each one of these,
but these are all sent by,
uh,
people.
Oh,
you know what?
I know.
Okay.
I didn't vote for the second round because when you originally,
uh, put it out there, it acted like I had already voted and wouldn't let me vote.
Oh, yeah. I think I made a mistake when I created the poll.
So, oops.
See, that's why I waited. So I could actually vote on things that people would care about later.
I should have done that. Why didn't I procrastinate the one time?
So I'll give you one sec.
I'm going to say who submitted each of these.
So Dave, super good.
Dave did.
Failure is the option.
Love it.
Link to the somewhere.
Probably Prodigal Games.
Nice.
He did the robot game last year.
We had to fix the robots.
Oh, yeah.
Remember that one?
Yep.
Trust nothing. Another Dave. Super Good Dave with super good ideas.
Yep. You pull it, uh, guess who? Can't Stop, is, is it Super Good Dave?
Yep. Okay, pull it again. And the final one is Following Me. Guess who?
Micro G.
Super Good Dave. It was Dave.
Dave.
He's made them all.
Yeah, so three of them.
Yeah.
That's awesome.
Wait.
You only listed him in Prodigal Games.
That was it?
Yeah, that was four of them.
The Mathema chicken strikes again.
I told you.
Watch out, I'm sleepy.
Watch out. You know, there's like sleep where you can like fall asleep any second.
And there's sleep where you ain't going to fall asleep.
You're just going to fall over and knock stuff over and ruin your life.
That's where you're at.
Yeah.
Let's go.
I've had those.
All right, so Game Jam, definitely this weekend. I think the three of us will be streaming on some platform.
Um,
I had one,
one thing to bring up here that is a bit of a side tangent,
but I have to bring it up because hold on tangent alert.
Right.
We haven't even started the show.
Um,
this has nothing to do with coding or anything related to it whatsoever,
but we were talking about something, one of my favorite topics, the other day. Costco, right? I think it was actually us three talking.
Hold on, wait, let me properly introduce. You're listening to Costco Blocks.
That's right. So I mentioned that they had some pork rinds there that were amazing, and Outlaw's like, yeah, I like pork rinds, but there's also, have you ever heard of these Dot's Pretzels? Oh my gosh. And I was like, no, I haven't.
He's like, you got to try them.
I was like, okay, fine.
And it was, it was a fleeting thought, right?
Well, I'm walking through Walmart the other day, not Costco.
Um, and there's an end cap that has these Dot's Pretzels.
And I was like, Hey, outlaw said I need to grab a bag of these.
So I do.
I grabbed the original flavor, right? Like that's the flavor to get. So, so here's the thing, and this is what, this is what I need to, um, let everybody know out there, because when, when Outlaw was like, yo, you need to try these pretzels, I'm like, it's a freaking pretzel. Like everybody's like, Alan, shut up about pretzels. Like, who cares about pretzels? It's a pretzel. Like, I mean, they only get so good, right?
Yeah, totally, man. Let me tell you something. They're ridiculous. Like, you'll eat one and you'll be like, oh, this, this is gonna be a problem. I'm not even kidding you. That bag of pretzels, I let my kids have some of them.
The whole bag was gone the first time it was opened.
And I was like, what in the world?
Now, the only problem I have with them is they have MSG in them,
which is probably why you can't stop eating them.
There's other vowels and consonants in there, too,
if it makes you feel any better.
You know, and here's the thing, too, is it's like a resealable bag, but that's just, you know, you're not really gonna need it.
Yeah, you're not gonna need it. Like, it was, they are, they are seriously good. And I hope I'm not overselling this, because, you know, it's like when somebody told me about a funny movie like Meet the Parents or whatever. They told me it was so funny. You watched it and I was like, yeah. But then I watched it again later and I was like, okay, yeah, it was pretty funny. My expectations were too high.
So I hope I haven't done that to anybody, you know?
Okay.
I mean, you're, you're going to try those pretzels and you're gonna be like, you were
right.
They're amazing.
They're good.
But the problem with movies though, and this is why like, I hate to hear anybody's review
or opinion of a movie period is because of exactly what you just said.
Yeah.
Where like,
you know, somebody,
somebody will say like,
Oh,
it was so hilarious.
I mean like people were rolling on the floors laughing or whatever.
Right.
And it like sets some kind of expectation.
Like if they say,
even if they say like,
Oh,
it was such a great movie.
Right.
Like I don't even want to know that because then like I'm going to expect
greatness.
And if it doesn't live up to that, then I'm going to be disappointed. For me, the movie was Something About Mary.
Oh, yes.
Everybody, that I, I, I was late to go see that in a theater when it came out, and everybody raved about how hilarious that movie was. And by the time I got to see it, I'm like, well, yeah, I mean, it had some funny parts, but I don't, I don't understand.
Yes. Yeah. All right, so tangent done. I guess, I guess we can step into the, uh, content now.
Um, so let's just make a show about tangents.
Yes, Tangent Blocks.
Oh, all right. So the first thing that we're going to jump in here, I think on page three of the PagerDuty manual, is cross, cross-site scripting.
We are awful.
Yeah, also known as XSS. So if you've ever seen that anywhere, it's cross-site scripting. And the gist of this is, what people are attempting to do is inject snippets of code onto web pages that other people will be, be viewing and be affected by. And so the thing about these, and I know all three of us have seen these, and it's kind of crazy what you can do with some of this stuff. Um, but this could basically allow an attacker to have access to everything that a user does on a page.
So every keystroke they enter,
um,
everywhere they click on the page,
everywhere they move their mouse,
what they,
what they hover over,
what they do.
Like,
um,
if somebody injects a script that's,
that's good enough on the page,
they can track all that stuff.
Well,
think about too,
what,
what else the script could do that your user has the ability to do,
but maybe you don't want to like hitting that transfer funds button or
hitting that, you know, doing some other nefarious action.
So, you know, the, the telltale test for this used to be,
you'd try to do like an alert.
So if someone else loads the page, you see an alert,
that meant you could have done anything.
And it would have been as if it came from that person's browser.
I kind of view this as like the little Bobby tables for HTML, right?
Like you're trying to get someone else's browser to interpret something as code that you entered in somewhere. Yeah. And,
and the way that this is typically done, because some people that haven't encountered this or never had to need to
think about it,
they're like,
well,
how is anybody going to inject code into my page?
Well,
if you think about blogs out there or shopping sites,
like tons of shopping sites or whatever,
if they leave,
if you can leave a review on it or you can post a comment somewhere or, you know, whatever, if there's a way for you to
enter information that will then show up again later on somebody's page,
that's where this stuff can happen. And that's where it does happen most of the time.
Yeah. If they are, if they aren't careful about how they render that content back out, and if they let it just be raw and you might have code in it, then you could just do something like a script alert statement and, you know, say hi. And that's that. That's, that's, uh, you know, if they're being nice and they didn't do anything bad, right? It could get a lot worse.
Yeah. I, I mean, they, they even mentioned in the PagerDuty stuff that, you know, you could potentially get access to the session cookies
for that user. Like let's say that a user's logged into a site. If you can get access to the cookies,
a lot of times that means you can get access to the session token, which means that you can then
impersonate that user and, and do bad things, right? Like,
like Jay-Z said,
you know,
buy something or,
or,
or do something else that's,
that's malicious.
So the potential for harm is actually pretty high with cross site scripting.
Hey,
just give me your cookie.
I'll go in and do this stuff for you.
Right.
Exactly.
Yeah.
I don't even have to script it.
I'll just,
I'll log in as you,
you know,
like effectively log in as you. And yeah. And, and so just, just as a thought there,
you might be thinking, well, I mean, that's not really that big of a deal. So what you have access
to the session cookie, like what you're going to script everything on the site. No, a lot of times
what people do is they might, if, if they can get access to somebody's session that way on it,
they'll post that information over to their own server, right?
And then they'll have some sort of reverse shell or something running to where they can
see that data as it comes in, and then they can try to do something bad with it, right?
Like there's a lot of tools out there that allow people to do these things,
but it's crazy the amount of stuff that you can do if you can get access to somebody's
session and you can, and you have scripts to be able to shoot that off anywhere you want.
But Alan, here's what I'm going to do, uh, on your input, I'm just going to like
write a regular expression to go looking for these tags. And I'm just going to like sanitize my,
the input before I save it. And that'd be good enough, right?
Oh, you win. No, it wins the internet, right? No, if, if only it were so easy. I mean, that's,
that's the thing. I mean, I think we've talked about this in years past, like there have been
some crazy hacks and like JavaScript where people don't even write any code. Like they'll,
they'll do some characters that'll get interpreted as code.
So how are you going to regex that thing, right?
Like there's,
there's just too many things to be able to,
to,
you know,
put something on an okay list that you can check that way.
You just can't do it,
but you should sanitize things,
right?
Like you should do your best to sanitize them as they're coming in,
but that can't be your last line of defense. You can do weird things like combos. So like you've, your first name and last name, but like half the script over here and half the script over there. You know, just weird stuff.
Well, you guys remember back in the days of ASP and ColdFusion and all that kind of stuff, where, where you were basically writing, basically writing your HTML, and then in the value fields or
whatever,
like in a text area,
let's say,
or in the value field,
you would just say,
Hey,
output the value that came from the database or something,
right?
Like that's what everybody did back in the day.
And that's when these cross site scripting things started coming into play.
So the answer is,
okay,
you sanitize things
coming in as best as you could, but when you go to display it back on your page, you need to encode
all the characters on the page so that a less than sign isn't treated like a less than sign,
right? It's encoded as, I don't even remember what it was, ampersand, LT, semicolon or something,
so that it will display exactly as the user put it in there,
but it won't be executed by the browser.
That was the game Never Have I Ever.
Just look for ampersands and replace them with ampersand AMP colon.
Right.
I mean, we've all done so.
Well, I mean, I guess people have been around long enough.
Nowadays, it seems like a lot of the tooling and a lot of libraries and frameworks out
there do a lot of this stuff for you.
But what's interesting is pager duty called out.
One of the things that they're,
they're using Ember,
right?
I think they said,
did they really recall that?
Yeah,
they're,
they're using Ember. And so they use the handlebar
syntax and they said, if you want to encode output, you use double handlebars, but if you
triple handlebar it, then it executes it. It doesn't encode it. So you've actually got to
be careful about it. Right? So the point is a lot of these frameworks and a lot of these libraries
and things out there have things built in to help you with this and make it very easy for you to do.
Just be aware that you need to do that, right?
Never.
And they call it out.
If somebody inputs something to your site, never, ever, ever let it get pushed back out unencoded.
Just, you can't let it happen.
I've noticed on modern frameworks, like they, uh, still give you the ability to just output whatever you got in there, but they make it really hard. The guy was, uh, React had the one that was like set dangerous in, uh, in our HTML, and Angular has another way of doing it too, where it's like they make sure that you know that it's not a good thing to do.
I mean, but that's still what we do there, right?
You got to live on the danger zone, right?
Well, yeah.
I mean, how do you think I know?
That's right.
Makes sense.
Checks out.
You know what's interesting is this used to be a big deal mainly for HTML, right?
It was when you were pushing back out the viewable content.
But now you have to worry about it in basically every layer of what creates a web page.
So your HTML, you need to make sure you're encoding that.
Your JavaScript, right?
Like if you're taking in values from some sort of REST server implementation somewhere,
a lot of times when you make those calls,
you can tell it, you know, that it's safe to execute or not. And you should basically err
on the side of caution and not let it, uh, and then CSS, right? Like CSS used to be just like
the static thing, but now you can embed script type things in it. Um everything that you can put on a web page, you need to make sure you know
how to handle outputting that data back that you're getting, which is crazy. I mean, man,
I remember when things were so much simpler. Yeah. I was just thinking like, I liked it way
better back then. Well, maybe I'm just evil. I was thinking at it from the point of view of like, if I had a time machine, I could make a billion dollars with all the stuff I know now, right?
Yeah, seriously. I mean, I'd be totally evil, but, you know, worth it.
Yeah. Um, they, they also call out, hey, use a library for encoding. The chances are they've been vetted, they've been done well. And by vetted, I mean usually if you're using a library,
if it's open source or if it's something that's paid,
there's either a group of people supporting it
or there's a lot of people in the community that have looked at this
and tested it and made sure everything's good.
But, go ahead.
Well, and this is why I love Log4J.
Too soon.
At least,
you know,
if you,
uh, if you,
uh,
had a,
had a problem there because everyone in the world was letting you know,
like every,
everything,
like every alarm,
every alert,
every scanner.
Jay,
you found out quick.
I suppose I should put my phone on.
Do not disturb,
huh?
It seems like I would have figured that out.
Rookie mistake.
Um,
so what they said though,
and this,
this makes sense,
right?
And we've mentioned this before.
Yes.
Use a library.
Use something that,
that has a good backing behind it,
but that doesn't mean that you get to wash your hands of it,
right?
You still need to be aware of what's going on and make sure you're familiar with what they're doing to help protect
your assets. I mean, I make the joke about Log4j, but the real truth of it is that
all of us build applications that are built on the shoulders of other giants that are like
open source giants, right? Log4j, OpenSSL or whatever, right?
And, you know, occasionally there are problems that are found in these big,
you know, open source packages.
So, you know, that doesn't, you know, even if they are wildly popular,
that doesn't necessarily mean that they're going to be, you know,
zero bug free, right?
Yeah.
You know, it just means that, uh, you know, you're probably, at least you're not reinventing the wheel. You're probably, you know, mostly vetted by a larger community that's already vetted some, you know, aspect that, you know,
but still try to do your best. I mean, it's, it's a double-edged sword, right? Like you use,
use the popular ones like Log4j because they're used by a lot of people.
The goods, the good thing about that is when this vulnerability came out, like it was news
everywhere. And so you did get the alert pretty quick. The downside to it is because it is used everywhere. The attack surface
is massive, right? So, so they can just go out and, and try and hit everything. So I don't know.
I don't think there's a good answer to, to this kind of stuff. If you roll your own, do you think
it's going to be that much better than, than what, you know, thousands of people have spent thousands
of hours doing? Probably not. So, you know, just keep your eyes
on things and make sure you're aware of what's going on. The last thing that they mentioned here
is there is another way to handle some of this cross-site scripting, and that's with the content
security policy. We didn't dig into this deeper on there, but if I remember right, these are things that you can do.
I don't remember if it's in the browser via headers or what,
but it's a way to lock down what content can do.
Right.
So it's another way to tightly control it.
Yeah.
I believe, um, Lighthouse will find that one, won't it? If you run like a Lighthouse on your website?
I think it will.
And I think it'll make suggestions too.
Yeah.
I just clicked into even just the security tab in Chrome and it's like letting me know how this website is doing.
Cool.
This episode is sponsored by Datadog,
the unified monitoring platform for full visibility
into all of your serverless functions.
Troubleshoot performance issues faster by seamlessly navigating between logs,
lambda metrics, and distributed request traces all within one unified platform.
Datadog provides real-time screen boards and service mapping,
so you can get complete observability into your service environments.
And you know, I like to talk about Datadog's visualizations,
but sometimes it's great to not have to go and look for things.
And so Datadog has a ton of different notifications that you can set up
on all the different metrics and integrations that they offer.
And so you can set this stuff up and forget about it.
And then if there's a problem, you get that notification,
you can log in, dive in,
figure out what's going on very quickly,
which is pretty nice to have that peace of mind
without having to go and check something
every five seconds to see if it's still working.
How about this?
This one's crazy.
Honestly, they just added this new feature.
I wouldn't have thought about this one,
but they have a new blog article, which, by the way, the Datadog blog is fantastic.
Use Datadog's new GitHub action to add synthetic testing to your workflows.
I mean, Datadog has them.
What don't they have at this point?
Now they have synthetic testing for your CI and CD process.
Start your monitoring today with a free 14-day trial and receive a free Datadog T-shirt after creating one dashboard.
Go ahead and visit datadoghq.com/codingblocks.
Again, that's datadoghq.com/codingblocks to learn more about how Datadog can help you optimize your serverless environment.
All right, so the next one up that they had is kind of interesting.
This one's called CSRF. It's cross-site request forgery.
And this one's interesting because this is more about just trying to fool people.
So tricking someone into doing something that they
didn't want to do, or they didn't even know that they were doing. So they had a couple of examples,
and this is where just as somebody who is an honest developer, you probably don't even think
about stuff like this, right? And this is, it's, it's the people that are trying to find ways to
break into things and to, and to make people's lives harder.
They are super creative.
So one of the examples was they took the SRC attribute of an image tag and they point it to a logout page of a site.
And the interesting thing that go ahead. Well, I was going to say it was important to note that they're using the cross site
scripting capability to take advantage of the cross site request forgery.
Yeah.
In this example.
Oh,
in this example they were,
because they were,
they were uploading an image or,
or setting an image tag,
right?
Yeah.
They were basically,
it was basically like a forum and they were like,
instead of putting in a comment, they were writing in the image, uh, you know, tag manually and setting the source to what you were saying. And again, this isn't super malicious, but basically this would be an annoying thing. So when it would try and go to load this image, that image is going to make a GET request to the slash logout, right? Because that's what they put in for the source of the image. And so what would happen is when you load that page, you're logged into the, to the forum, but then you're immediately logged out, right? So that's by far not the worst thing that could ever happen. But the fact that somebody even thought about doing that is really interesting, right?
By far, this is my April Fool's already in plan right now. This is my favorite trick.
I don't want to know who the, uh, the recipient's going to be of that.
um now here's what's interesting is they said, well just imagine if they didn't point to a
logout, um, imagine if they pointed to something that was way, way worse, something like a delete
account or, or, or an order page or something, right? Like if they had done something like that,
they could still get away with it. And, and the people would have no idea what was going on,
right? Because they would have just thought that they hit a forum page and all of a sudden things are happening.
So yeah, I forgot to, um, forgot to bring up where, uh, XSS, uh, and CSRF are on, uh, the OWASP.
Oh yeah. And so
got that up here and i probably shut it down on accident.
So let's see here.
Control shift T.
Yep.
Sorry about that.
Oh, my gosh.
Things are named a little bit differently.
So I'm looking for what category it is.
And surprised not to see it.
I will say.
Okay.
Oh, go ahead.
The OWASP site is not as easy to navigate as it once was.
Yeah, for sure. Have you noticed that too?
Yeah. And, uh, part of it is because every couple years they come out with like a new list, and so part of like the, their job and the kind of, I'm supposed to say, is like telling you how things have changed and how it's moved. And it just confuses everything.
There's just a lot of like verbiage on there about like where it used to be,
you know,
where they got the info from.
So here's the deal.
So,
uh,
cross site scripting used to be number seven in 2017 of the top 10.
What they did is they made injection kind of more general
and they now consider cross-site scripting to be
a kind of injection attack. So they've combined
it and now it's at 3.
So really high.
Yeah. And they don't break
out cross-site request
forgery, but they do have a new
category this year, which is
at number 10 called server-side
request forgery. And I haven't Googled to see
what the difference is between those. So I'm curious to see if
that's the same thing or is it only has to do with the server side?
I don't know.
SSRF or CSRF. The second example
they had here was kind of interesting and kind of evil is they put a button.
You have a button on there that you think is going to do one thing, but it does another.
Right.
So you as somebody put put something on the page and they think that they're going to, I don't know, view the details of something, but then it goes and deletes something, right? It kind of switches it out behind you.
That is another example of this cross-site request forgery.
Okay. So I did look that up, by the way. Server-side request forgery is all about getting the server to run some arbitrary script, or getting, this, it's about triggering the server and to do something. Well, the cross-site script, uh, or the RF, request, the one we're talking about, has to do with getting, the triggering the user doing something and running something. So just different targets with similar, similar attacks.
Okay. So it, you know, that's interesting, because it sounds like if that's what's going on there, that the way to fix this would work in both situations almost. So I guess let's, let's go ahead and talk about that. Like, how would you, how would you make it to where that image that had the bad source in there couldn't do what it needed to do?
And the one thing that they said that they use is a synchronizer token.
And this is interesting.
So basically, there were a few things that came in here,
and I don't know if I put it in here in any particular order. But like I mentioned, that image tag is basically doing a
get request to go get the image information from the server, right? And one of the things that
they mentioned was just don't allow get requests to do anything like actionable, right? If there's
a get request, it should only be reading things. And that, that was kind of the general notion
around it. So obviously a logout is not just reading something that's an action to, to basically
kill a user session. So if, if you were to disallow that logout to be called from a get,
then you'd be good. Um, that, that image thing wouldn't have
affected you. But then to go further, this whole synchronization token was, they said, Hey,
anything to where you do need an action, don't use the get, you're either going to use a post
or something else like that. And then what they said is for all your forms, all of your forms on
the site, you're going to have a hidden field on there that
embeds the synchronized token. Then when the call to the server is made to do whatever action it is
that's being requested, it'll compare the token ID that was sent from the form and compare it to
the actual user's session token on the server. And if they don't match, it just aborts, right?
So it's a lot of work, right?
Like, I mean, that's not a small amount of work.
Let's say that you got 100 forms on your website.
I mean, and that's not just adding hidden fields to your forms.
That's also making every one of your endpoints,
your REST endpoints or whatever, honor those things and know how to use them properly, right? Like, that's not tiny.
This is where like I was thinking through from an implementation point of view where it's like
it's nice to have things like aspects where you could just apply an aspect or, you know, to your
API on the server side so that it could, like, authenticate or verify that, you know,
is the token present and valid?
Yes.
Okay.
Then let the rest of it.
And that way, like, you could keep the API business logic free of that clutter, right,
that's going to be, you know, repetitive or whatever.
Yeah, that's a good call out.
Aspects would be amazing for that.
Um,
a couple of the things that I skipped over while I was going through this is
things that you should be aware of with these tokens is they should be
cryptographically strong,
random values.
And what that means is you can't just use,
you know,
math dot Rand.
That's not good enough.
Um,
Java has a, uh, oh man, what's it called,
library, strong frame, strong random, I think, or something, strong. It's, it's one of those, um,
but, but there are libraries in, in most of your major platforms for getting a truly cryptographically
strong random value, and so you want to use that kind of stuff so that it can't be guessed.
That's,
that's the gist of it.
I like how,
when I tried to trigger you,
you wouldn't,
you wouldn't let it affect you at all.
You're like,
no,
not falling for your like library framework engine,
you know,
stop with that madness.
They're all the same.
It doesn't matter.
It's a helper function.
Helper library. A manager?
Yeah. Utility.
You know what's funny?
I was watching
a video on
Java security
like cryptographic type stuff.
As you do because you know
it's a Tuesday.
That's right
Yeah, man, let me tell you, that stuff will not keep your eyeballs open. Um, so, so I'm watching this,
and dude goes in, and he's really good, he's a great instructor, but he goes in and he's like, we're going to create a, an asymmetric, uh, utility class. And I was like, no, no, don't do it. Why, why wouldn't you just make a
specific class? Like, why has it got to be a utility? And every method was static. And I'm like, I know, I
give up. Whatever. He has a certain set of skills.
Naming things is not one of them.
And in fairness,
I don't think any of us have that skill.
Yeah.
I don't think any developer does.
So, um,
Oh,
back,
back to the tokens.
They should never be shared with anybody else because if you do,
then you break that whole,
you know,
trust thing that's going there.
Um,
and then they also call out again, a lot of these libraries, frameworks, engines,
all that stuff out there. They probably have some of this built in this anti-forgery thing. Um,
I forget which platform they were using, but there was actually an anti-forgery setting in the thing that would
allow them to sort of automate some of this, right? So, so the aspect oriented would be amazing
if whatever you're using doesn't already have this stuff built in. So like a lot of the web
servers and whatnot out there, they probably have something that allows you to do this fairly easy. And then the last thing, man, so they mentioned that you should
make the gets not be able to change the state. So web crawlers, we all know how web crawlers work,
right? Like they'll say a link and then they try to follow the link because when you follow the
link, then you're going to find more links and you want to follow those links, right? So that's
basically what Google does, and Bing and Yahoo and all those, all those companies out there that are crawling websites to find out their content.
They follow these links.
Well, apparently there have been cases where people had links for like deleting accounts and doing things like that.
The links would be on the pages.
The web crawler would follow that link and actually delete the accounts, right?
Because they weren't using like a delete verb or some other verb.
They were using regular gets.
And so it just toasted a bunch of data on the site.
So, you know, that's probably a good enough reason right there not to use the gets for every
single thing that you got. Yeah. Uh, one other thing I want to mention, so I was reading about, uh, the
cross, uh, cross-site request forgeries, and OWASP actually dropped them from the top 10 in 2017.
So I went and looked to see if they had to combine into another category or something,
and they actually didn't.
What they did is they said that cross-site request forgeries have basically been kind of down in occurrences because frameworks and whatnot have gotten better.
Tools have gotten better and just kind of preventing this by default.
And the incidents and the CWEs, you know, the vulnerabilities and stuff that they were seeing just, it wasn't that severe.
And so this one just dropped off the list.
And so it's still a problem, but it's just not in the top 10 worst problems.
Interesting.
But I mean,
because it's highly dependent on cross site scripting,
right.
In order to be able to even do it,
or am I wrong?
Like how else are you going to inject,
you know,
you, you, the idea is that you have to be able to inject it into the page as code. How are you doing that, right? And so cross-site scripting
was the, was the way. Yeah. Well, so cross-site scripting was still at number three, though,
right? Because it was an injection. Injection. Yeah.
Considered part of an injection.
I think,
I think what's gotten better though,
is this whole notion that there's already the session token in place that
these frameworks enable for you so that if they don't get them on that
request,
then it just automatically aborts it for you.
Like you don't have to think about it anymore.
It'd be my guess.
Hmm.
So use the framework.
That's right.
This episode is sponsored by Linode.
Simplify your infrastructure and cut your cloud bills in half with Linode's Linux virtual machines.
Develop,
deploy and scale your modern applications
faster and easier. Whether you're developing a personal project or managing larger workloads,
you deserve simple, affordable, and accessible cloud computing solutions.
Get started on Linode today with $100 in free credit for listeners of Coding Blocks.
You can find all the details at linode.com slash coding blocks.
Linode has data centers around the world with simple and consistent pricing regardless of the location.
And Linode are experts at running Linux, which is fantastic if you're trying to do any sort of cloud computing.
It's great for running small websites.
I ran a site on there for years for like $5 a month.
And I've also run Kubernetes up there.
It's really great and it's been working fantastic.
And it works exactly like it should.
And their console is amazing.
My favorite part, far and away, is the marketplace, though.
Because if you're ever just a little bored,
you'll be like, oh, I wonder what other technologies are out there.
There's so many technologies that they have available
with just a click of a button that you could deploy on Linode.
And some of these, like some of these you know,
you're like, okay, Prometheus I'm aware of,
RabbitMQ I'm aware of, but you're like, magic spam.
I mean, I can guess what it does,
but like I haven't heard of that one before.
What about guacamole?
Like, yum, but how do you deploy that on Linux? Apparently they know how. There's
a whole bunch of easy things. Just literally click on it. You're like, hey, I want to, I want to deploy
ServerWand. I didn't even know what ServerWand was, but you click on it, boom, there it is. Choose
the data center nearest you. You also receive 24 by 7 by 365 human support with no tiers or handoffs, regardless of your plan size.
You can choose shared and dedicated compute instances or you can pay your $100 in free credit on S3 compatible object storage, managed Kubernetes, and more.
If it runs on Linux, it runs on Linode.
Visit linode.com slash codingblocks.
That's L-I-N-O-D-E dot com slash codingblocks
and click on the create free
account button to get started.
Okay, so I guess
we're still doing this
then like a
country DJ. Oh,
country DJ. I was about to do the other
country DJ.
Which country?
Like,
I'm talking about like...
Welcome to my website. I am Borat.
I don't even know. I can't even do it.
What about like when you cross
the Alabama line going west on 20?
Yeah, there we go.
Yeah, we're talking country.
We may have to get Alan to do this one.
Hey, why?
Why me?
Some profiling there.
That's why.
That's what just happened.
It's that California accent.
Yeah, that's right.
I can do this if you want.
Sure.
Let's hear it.
I want to hear it.
Dear listeners, we appreciate you listening to this here podcast. We truly couldn't do it without
all you, all y'all out there. So if you get a chance, please head to www.codingblocks.net
slash review, and we've got links up there that will, that will take you to different places where you can leave your reviews.
There's even this place here on Spotify.
If you've heard of that,
they've got this thing now where you can leave reviews up there.
I couldn't find it.
I actually went up there.
I went look for,
I was going to put the link up on that review page.
I couldn't find it.
Nowhere's.
So,
yeah,
I mean,
if I can find it, I'll put it up there. But, but at any rate, if you,
if you haven't already, we do, we really appreciate that feedback. So if you go up there and leave us
a review, we greatly appreciate it, dear listeners. And, uh, we would like to take a moment to recognize
our new sponsors, STP and, uh, Cletus's Chicken Pit. Stop on by. You don't even need a coupon or anything. Uh, it's just good
chicken. That's right. Come on down.
I just feel like this is getting worse. You sold yourself
short, Outlaw. Hey, you did a pretty good southern voice there. That was great. That's so much more
than I'd hoped for. Although, like, I'm ready to make a donation now. Maybe we should drop the reviews and move straight to Patreon. Like, that's gonna sell right there.
Okay, well, uh, only if you can tell me the movie that I was referencing, and then maybe
I'll consider it. How's that?
Probably Deliverance.
Deliverance.
Well, you took it to a
dark place, man.
So it's got to be Ricky Bobby then.
I don't know.
How big is it?
No.
If I told you that you
were closer with your first guess,
how's that?
Need a minute?
Think about it.
I'll never get it.
I'll never guess it.
Yeah, I won't either.
I was thinking of Stroker Ace with Burt Reynolds.
I've never heard of it.
What?
Oh my gosh.
Yeah.
I think,
well,
no,
Lonnie Anderson was also in that movie,
I think.
Yeah.
What?
Wow, deep cut.
So super deep cut, yeah.
You're welcome, internet.
Why do you know that quote?
Oh, I didn't say it.
It wasn't a quote from the movie.
It was just like that's what I was thinking of because that was where the chicken pit came from.
I was like, why do you know that? Yeah, I still
got nothing there. I don't know why I
know that. I don't have a good answer for
why I know that. Just, I know
obscure crap. That was like
one of them.
Alright, so
okay, how about this? For more
obscure crap, how many seconds are
in a year?
Depends. All of them. Take a guess. I don't know. Um, there's 3600 in an hour, man. I don't know. 50. I can go back, back for seconds indefinitely. He says 50 million.
What do you say, Joe?
More or less?
You're infinite, so more.
Okay, you're both wrong.
There's 12.
There's January 2nd.
There's February 2nd.
There's March 2nd.
I like it.
You're welcome.
All right.
So with that, we head into my favorite portion of the show.
Survey says.
All right.
So a few episodes back, we were all super excited.
Like Apple just made their big announcement.
And we asked, what's your favorite feature on the new MacBook Pro?
And your choices were the return of the function keys.
Bye, Touch Bar.
Got to think by Felicia when you say that.
The MagSafe charger.
Love proprietary cables.
Or I need an SD card slot, not a USB card reader that requires a USB A to C dongle. or that shape that harkens back to those early 2000s MacBooks,
or obviously it's all about that M1 Max, 10 CPU cores, 32 GPU cores, this.
Or that I don't need to buy or enable a TPM 2.0 module to run the latest OS.
Wait, Apple had another announcement?
And lastly, the notch!
Okay, so episode 176, so to Tutco's trademark rules of engagement,
Jay-Z, you were first.
Okay, yeah, I love mine. Um, so I thought it would
be the Touch Bar, but there's something about the MagSafe that's just kind of fun, too, you know. But
also that M1 Max is nice. I'm gonna say, I'm going to say the, these function keys
with
25%
that's too low
it's the return of the function keys there's no question
the MagSafe charger
is also very appealing because
I've bent the hooey
out of my
power cables that go into my
MacBooks.
But it's going to be the return of the function keys.
I'm going to go 40%.
Okay.
So trying to price is right.
Rule win this.
I see what you're doing here.
Jay-Z says function key return of the function keys for 25%.
Alan says return of the function keys for 40%.
You're both wrong.
What?
What?
No, it was obviously all about
that M1 Max.
Really?
That was 36% of the vote.
That was number
one.
Do you care to take a gander at what number two was?
The notch.
The notch?
No, the SD card slot.
SD card slot?
Now, if you guys aren't going to take this serious, we'll just move on.
What are we doing?
Come on.
The notch?
The SD card slot?
Come on.
Wait, Apple... The function keys.
Jay-Z just got it.
What was it?
Wait, Apple had another announcement?
Yeah.
Burn.
Burn.
So I'll share another.
So I gave you one dad joke already.
I'll give you another dad joke if you would like one.
We always like them.
It depends.
So a friend of mine that I used to work with a long time ago, I was catching up with him.
Turns out he used to write dad jokes for some websites. And so he pointed me to his site that he had,
or where some of his jokes were.
So this one's courtesy of him.
So what do they call Miley Cyrus in Canada?
Is this safe for consumption here?
I have no idea.
Kilometry Cyrus.
Very nice.
Miley, Kilometry. Got it.
Watching the gears move there in real time. That was great.
Uh, yeah, that was pretty bad. All right. So wait, bad? Hold up.
That was pretty good.
All right.
So for this year's this year's, we're only going to do one survey this year and this is it.
Get ready.
No.
For this episode's survey, we ask for this year's game jam.
You are super prepared.
Been practicing all year.
I am ready. Or, I'll figure something out.
Or, oh my God, I have no idea what I'm doing.
Should we answer these now?
I mean, if you want to, but I don't think you should.
I'll wait.
I'll tell you, I am super hyped.
Well, yeah.
I mean, Jay-Z's been like, you know, every day, three times a day, he's on Twitch.
He's probably going to come out of the gate with the next Halo or something.
Oh, no.
I promise you that's not going to happen. I'm not good.
I don't know what I'm doing, but I'm so excited
that I'm literally shaking
sometimes.
It'll be the next Call of Duty, then.
Ah.
I don't know. I think it might be a while
before.
I would be happy with Frogger.
The next Doom.
I'm giving you something here, man.
Take it. Run with it.
Doom's the best one you mentioned.
Oh, okay.
Doom Eternal.
Doom Infinite Internal Advanced Warfare.
They release on the third year of the three-year series. Yeah. This episode is sponsored by Shortcut.
Have you ever really been happy with your project management tool? Most are either too simple for a
growing engineering team to manage everything, or too complex for anyone to want to use them
without constant prodding. Shortcut is different, though, because it's worse.
Wait, wait, wait, wait.
No, we mean it's better.
Shortcut is project management built specifically for software teams
and they're fast, intuitive, flexible, powerful,
and many other nice positive adjectives.
And here are some highlights.
We got team-based workflows.
Individual teams can use Shortcut's default workflows
or customize them to match
the way they work. Org-wide goals and roadmaps. The work in these workflows is automatically tied
into larger company goals. It takes one click to move from a roadmap to a team's work to individual
updates and vice versa. Tight VCS integrations. Whether you use GitHub, GitLab, or Bitbucket, Shortcut ties directly to them so you can update progress from the command line.
Keyboard-friendly interface. The rest of Shortcut is just as keyboard-friendly with their power bar, allowing you to do virtually anything without touching your mouse. Throw it in the trash.
Iterations planning. Set weekly priorities and then let Shortcut run the schedule for you with accompanying
burndown charts and other reporting.
Give it a try at shortcut.com slash coding blocks.
Again, that's shortcut.com slash coding blocks.
Shortcut, because you shouldn't have to project manage your project management.
All right. So back into this, uh, PagerDuty
stuff, the next one that they had on the list was clickjacking. And you know, I've heard this term
before, but I never really knew what it was. Was there anything in here that you guys had, like,
heard of but not seen? Like, this was one for me.
So I remember clickjacking from kind of a long time ago. I had to
take some security course or something on it. I thought it was just kind of a cool, cool thing.
And, uh, actually my, the Stack Overflow question that I'm most excited about, that'll check, uh,
clickjacking, uh, and it wasn't the one that was like high, was highest rated, but I basically wrote
a question on Stack Overflow saying, like, what are the security concerns that one might have when using an iframe?
And I was like, I want to see a list of every reason that you should not use an iframe,
considering using it somewhere. I want to know what I'm signing up for. And, uh, clickjacking was like
the main concern that came up. And even then it was kind of weak. It was like, just use
the iframe, it's fine. The idea was that you, like, you had an iframe, imagine, that looks like the rest
of the website. And so if someone could get the iframe in there, make it look like the rest of
your website, then you may think that you're doing something on that website, but actually you're
doing it somewhere else. And somewhere else might, you know, log you into your bank or something. So,
you know, you think you're clicking login for bank
america.com, but it's actually bank of america.co.cn or something, and you click login. It, you know, that
button actually goes out to some other URL that's not even, looks like the, you know, the one you're
going to, whatever. And so it can make you do things that you aren't intending.
Yeah, the example that they give is where
you end up purchasing something that you didn't intend to purchase.
Oh yeah, like purchase the item next to it or an invisible item.
Yeah, it was really weird.
It was basically using iframes as an overlay to another site to do those
pass through clicks,
like what you're talking about,
right?
Like it was really bizarre.
And again,
it's just people that have bad intentions,
like they get really creative with stuff,
right?
Like who thought,
Hey,
let me just make this like a layer on my page that,
that will.
Honestly, the amount of effort that they put into doing something bad, it's like, well, if you would just put that skill to good, like, imagine what you could do.
Well, I mean, dude, if they sold a million widgets on eBay doing their thing.
Yeah, and that's why they don't listen to me.
They're like, I'm on my yacht, man.
Like, you're sitting there doing a podcast.
I'm like, whatever.
Yeah, exactly.
Not that the podcast isn't yacht-worthy.
I don't want to... Yeah.
Yeah.
Not trying to be too self-deprecating about it.
But clearly, the yacht's coming.
That's right.
It's on order, probably.
Another thousand years of this will be there.
Not with this new click-jacking skill I've got.
That's right.
That's right.
So another thing that they said is, besides the iframe thing, is this whole notion that there'll be a window and you'll go to click on something in that window and move the window real quick and you'll accidentally click on something else. Right.
Like, so that's another form of click jacking. It's just it's kind of silly, but I suppose it all works. Right. Otherwise, it wouldn't be this thing that we're even talking about.
I was going to say it wouldn't be a thing if it didn't work. Right.
So now there are some really simple ways to deal with this right now.
And as a matter of fact, these, I think, are enabled on a lot of browsers now out of the box.
I want to say that Chrome bit me a couple of years ago with this.
Not while I was trying to clickjack anybody.
To be clear.
Speaking from experience. Right. Um, I was trying to use it, right?
Um, I think I was actually trying to use Google maps in an iframe and it wouldn't let me do it because of the, the X frame option.
So there is an HTTP header called X dash frame dash options that you can set to either
same origin or deny.
And basically what that means is you'll only allow iframes from the same domain
that the main page was hosted on,
or it won't even allow the iframe to load anything at all.
Right.
And,
and we've got a link to the Mozilla developer docs on this so that if,
if you need this,
then there you go,
you got it.
And then iframes were kind of annoying though,
when you would load in like other,
like,
I mean,
it was like a hack that we used to do back,
you know,
when we would watch Stroker Ace,
but,
but,
uh,
you know,
like,
because the,
you,
like, you didn't have control if you were, like, putting in something from another domain. Right. And so, you know, like in your maps example,
then the user could be like, Oh, let me also just click on this Google search button. And now I'm
like, yeah, I still see your app is in there, but now I'm so totally somewhere else that you didn't
intend. Yeah. It could get frustrating. I remember using iframes as like the poor man's
Ajax back in the day. So before Ajax requests were really a thing, right? Like this whole async call,
you could post something to an iframe so that your page didn't go anywhere, but it would,
you know, do something on the back end and it would happen to often a frame that nobody else
saw. So like there were bunches of reasons to use it back in the day, but I can't actually
think of any great ones anymore, honestly, other than things like Google maps that force you to
kind of do things that way, but you know, whatever. All right. And then this last one that we're going
to cover on this episode is called account enumeration.
And what's funny is what we're going to describe here is completely different than what I thought it was going to be when I first read the header.
So I'll tell you what I thought it was.
Was, you know, like any time that you went to a website and show account number and then one, two, three, four, five, or whatever at the top, I thought what they were going to be talking about is somebody just scripting and saying, all right, now do one, two, three, four,
five, one, two, three, four, six, one, two, three, four, seven, et cetera. Right. And try and go through it like that. But that's not what they were saying. Theirs was actually way more
interesting. So the whole notion here is they're still trying to extract information from a website,
whether it be user information, customer information, whatever.
But check this out.
The one that they did is they were doing failed logins on a login form.
And they'd enter in a username, let's say, you know, Alan, and go to log in.
And if that took three or four seconds, then they knew that
they had a valid username. If they put in Alan one, two, three, and it came back in like half a
second, they knew that it wasn't a legit account because what the assumption is it found Alan in
the database. So it knew it had a match. Then it went through the hashing algorithm to hash the password that was passed in.
And that may take X amount of seconds, depending on the entropy and all that kind of stuff.
So you knew that a longer feedback cycle meant that you actually hit a real account.
So now you know there's a person named Alan in the system.
I always knew this one as phishing.
Like this was another phishing, a way to phish the site to whether or not it had the account or not.
I always thought phishing was trying to extract it from a user, though.
I guess like when I originally heard about phishing, okay, so there is the phishing type that you're thinking of where like you send the user an, uh, an email or something like that.
But like there was, I remember back in the day there was like, I mean, maybe I'm making it up
where there was like a different type of phishing where it was like, you're trying to glean
information from the site. Like even if like in this example that you're talking about, like you're
doing it based on like how long the response takes. But where I originally learned about this type of thing,
it was not, it had to deal with the display messages that you might come back with.
So if you put in like in your example, Alan and some bogus password and it says you entered in an invalid username,
then you knew that Alan automatically wasn't a user. Whereas if Joe did it and he put in some
kind of, you know, you put in Joe with some kind of bogus password and it says invalid password,
then you knew that Joe was a valid user, but not the right password.
Yeah. Or you would say, like you do, and it's like, hey, Joe, that was your old
password. Uh, try again. Or here's a hint, or something like that. And that used to be rampant,
I think. And Outlaw, I actually remember what you're talking about. And I think the reason they
called it phishing is because it related to Go Fish, which is the idea that you would ask and they
would either tell you, you know, give it to you, or say go fish, like the old game. And obviously, like, one
phishing term kind of overtook the other, so I don't think you really hear that anymore. But I do
kind of recall that.
Oh, that's interesting. Yeah, I hadn't heard of it referred to that way, but it
makes sense. And, and actually what you just mentioned, Outlaw, that whole thing of, you know,
hey, uh, we didn't, invalid username or an invalid password.
One of the things that they called out is you should do your level best to make sure that the flow for not finding an account,
not finding a password,
make sure they all give the same messaging,
right?
So that you don't let people know that,
Hey,
Oh,
you stumbled on Michael as,
as a real user.
Like people should have no
idea. Like one of the things that's common that we've been seeing a lot, I'd say probably almost
as a practice now, standard practices. If you put something in and you go and say, Hey, forgot
password, you know, email, it'll say, Hey, if we have an email address, it's going to get sent,
right? Like that's perfect. It doesn't verify that it
exists. Doesn't, doesn't say that it doesn't. It's just, Hey, if it's there, then you'll get
something. If not, you know, bye. So yeah, like you, you getting zero feedback on it.
There was a, another thing, too, that, like, you know, now, um, I think it's at least standard
practice, common practice. At least it seems to be in the sites that I go to where it'll ask for the user and the password on the same page.
Because anytime I ever see it where they ask for the username first and then you click a next button, I'm like, I think you're going to be doing something wrong, aren't you?
Because depending on whether or not I entered in a good one or not,
I might get a different message on the next page, huh?
But you know who does that also?
Google.
Go to log in to an account on Google,
and it'll tell you to enter in the username first,
and then it'll take you to the next page to where you do something.
Yeah. Yeah.
Well,
so I'm,
yeah,
I'm with you though.
Cause I've always had the same thought.
Like anytime that Google does it,
I'm like,
really,
should you be letting people know that that exists?
Like this seems wrong.
But I mean,
at least with Google though,
I'm willing to forgive them.
Probably like,
well,
every Gmail account known to man,
I'm sure they already exist.
So,
you know,
that's true.
What's the point?
Oh,
we have multiple email addresses on,
you go to sign up and you're like,
I don't remember which one it is.
You try to sign up with what you think it is.
And it's like,
if you had an account that wouldn't be the password.
And you're like,
yeah,
but is it,
is it this one?
No,
for real.
Count the seconds.
That's why you should use a password manager.
Well, that's another thing that annoys me, though, too,
is that sites that do the, you know,
let me ask for your email first and then your password,
usually the password managers are problematic for those types of sites.
LastPass has gotten better at it.
I have noticed over time it's gotten much better.
If you choose from the dropdown on the first page, then it usually fills in the proper
password on the second.
Still don't love it, but whatever.
It does.
It tries to put it in weird places.
It does.
It does.
They did call out one other thing, and I remember seeing more of this back in the day, and I'm sure it still happens with like enterprise type software.
But a lot of times clients or customers or whatever would have their own subdomain to a site, right?
So let's say that you have your Shopify site, just as an example.
I don't know that this happens there.
Say what?
AWS was an example.
Oh, they did too, didn't they?
Yeah, to the console.
Yeah. So, you know, alan.aws.whatever, you know, that would be the domain name. And they were
saying that they had something on their site like that, the PagerDuty stuff. And the problem is
they ended up having to walk this line
of what's a good user experience versus what's secure, right? So if you were to go to alan.pagerduty.com,
if it existed, you'd be presented with a login page, right? Well, what if, what if alan.pagerduty.com
didn't exist? What should you do then? Should you still display the login page so that people couldn't glean that
there's not an Alan customer or,
or what if Alan does exist,
but he made a typo,
right?
Right.
Like,
do you show him a fake login?
And that's what they said is ultimately it.
When you try and get too cute or smart with some of that stuff, you end up increasing customer support calls because somebody did fat finger it and type it in wrong.
And they're going to log in and they're like, I know I use the right username password, but it's not letting me in.
And so now they call support and support's like, oh, yeah, you didn't type in your domain properly.
So, you know, it's that's a tougher one, I think, but just be aware that you do
sometimes have to walk the line of, Hey, what's a good user experience versus, you know, what's
the absolute most secure way to be. I mean, and it's real easy to like hear this and be like,
well, just have a simple login page. And then based on the login, you'd redirect them to their subdomain.
But what about in like line of business applications or whatever, where the, the customer
wants to have a branded experience. And so they want that login page. They want their employees
to know like right away, it's, it's branded for them. And we've all worked on software like that,
right? Where, where customers paid for
software and they wanted to customize the, customize the entire look of it. And it was
usually subdomain based. So yeah, I mean, sometimes there's just not a real good clear
cut answer and that might be one of them, but just know that that could reveal information
to potential, you know, bad actors trying to get information out of there. But I mean,
sometimes you just got to deal with it.
I mean,
basically everything about this account enumeration section was all about being
careful or mindful of like, if you're, you know,
try not to leak information. And if you are,
you're doing it because, you like, that's the way it is, right?
So just log an example, like, you know, you needed to do it because you wanted to be able to support
a branded experience or something like that, right? Yeah. Oh, and on the hashing thing, right? Like we
mentioned that, you know, it might take three seconds for a real account and, you know, no time for a fake one. They even mentioned, well,
the way to mitigate that is for a non-found user account, just hash the password anyways,
just like you would if it had been a real one. And so it takes the same amount of time. So when
it comes back, you can't differentiate between the real account and the non-account, right?
So there's ways to fake it. It's not a great, it seems kind of dumb, but it can actually help make your site more secure.
Well, also it would slow down an attacker too.
It would. Yeah, sure.
Yeah. I mean, it works to your benefit. So yeah, I think we got time to like do some more pages
because otherwise people are going to think that one of us was absent for this recording if we
stop now. So yeah, let's
just go on. I say we go on.
All in favor of going on.
Or wrap it up here.
All right. So we'll have a bunch
of links to some resources
we like. And this one, obviously
PagerDuty is going to get called
out. You might even see an OWASP link
in there. I don't know.
I'm just thinking out loud.
Um,
and with that,
we head into Alan's favorite portion of the show.
It's the tip of the week.
Yeah.
I feel like I already gave away my best one with the Dot's Pretzels.
Um,
but I guess,
I guess I'll come up with,
they are.
So I guess I'll come up with a few others.
So I've been
looking at doing some side stuff, uh, and more or less, it's been like trying to find like good
places to host static pages. And it's shocking to me how few resources there are for that. At any rate,
when I was looking for that, I came across this, which is Jamstack for free from Cloudflare.
And if you haven't heard of Cloudflare, you probably should have because they're one of the biggest edge caching companies in the world, I believe, at this point.
But they have a product called pages.cloudflare.com.
I shouldn't laugh. I shouldn't. That's rude of me.
That's fine. That's fine. I just learned, learned me how to talk today. So, so, so if you go up here though, what they allow you to do is something similar to Netlify to where you can set up a Jamstack type thing,
and they will host it for free on their own edge network. So you can have your static content with,
with pipelines there. So this is really cool. And Cloudflare really is an amazing company and
they offer some awesome services. So I would go check that out for sure. And then another thing, I don't even
know how I stumbled on this. I think Outlaw, we were trying to come up with a survey for this
particular episode. We were talking about the game jam stuff. And I was like, he had said
something about various game engines. And I did a search and I'd never even seen this one before.
So Amazon had their own game engine and it was called Lumberyard.
Well, it no longer exists or I guess it's being deprecated in favor of this other one called O3DE, which stands for Open 3D Engine.
And from what I can gather, this actually came from another open source project, which was Open3D Foundation or something.
I can't remember.
O3DF, I believe, is what it was.
But at any rate, Amazon has gotten behind this other company, and they've created this O3DE.org.
And so it actually looks really legit, like super strong.
You can create AAA games with high-fidelity simulations. It's got all kinds of 3D modeling tools, um, integrates with your favorite cloud
services. I'm sure AWS is up there somewhere. Um, but yeah, so maybe, maybe if you're looking
into this, uh, this, this might be another option for you. Is this what you're going to use for your
game engine? I'm, I'm considering it. I mean, like, you know, Jay-Z's going the tried and true route
with Unity. You know, why not go something fringe and more frustrating? So, but it'll support a,
you know, a billion concurrent users. So that's right. That's all you need, man. Until somebody makes a routing change in the AWS environment.
I will tell you this.
Check this out.
There's one thing about this that is really nice compared to something like Unity or some of the other ones.
It's licensed under the Apache 2.0.
So that's actually really strong.
It's free, completely free.
You can use this thing and build games.
So, um, really interesting.
Thought it was worth bringing up.
Hopefully, uh, I mean, after they see my game, they might be like, eh, not you.
We're going to make this guy pay.
We're going to take this back.
Yeah.
We want, we want, we want to get paid for being associated.
That's right.
Yeah. It looks really good. And I've never heard of that one. I was curious about the Cloudflare though, like why, uh, why you
didn't just immediately go straight to Netlify? Like what, like what? So it, I don't honestly, I think
I was just searching for good static hosting places and, and there
was a top 10 list, as there are for everything in Google nowadays, which is almost irritating.
I used to love them.
Now I hate those top 10 lists, but I think on the same page where it had Netlify, it
had mentioned this one and I was like, Oh, that's interesting.
I didn't know they had that.
Right.
So that's, that's really it.
We've talked about Netlify a lot on this.
So if there's an alternative that you want to check it out, this is one.
You know what's worse about those top 10 results, though,
is when it's like the domain.
Top 10 static web page sites.com
or top 10 static web page sites for 2022.com.
Man, it drives me insane.
I'm like, oh, that sounds like a reliable source.
Right?
Yeah, no, they drive me absolutely crazy.
But yeah, that's actually how it came up.
I mean, we've talked about Netlify and I saw this and I was like,
oh man, Cloudflare's got another offering out there?
I mean, they're a nice, trusted company.
So that's really...
I mean, it looks pretty much identical to like how the Netlify offering works. Well, you know what's cool?
So I don't want to go too deep into this, but what's interesting about this too is I think,
I think we've mentioned this in the past, I want to say that we have, so Cloudflare didn't love
containers, right? Because they said that containers were too heavy for what they were.
And so they created their own thing called Cloudflare Workers, which are like just little tiny threads that run things, and integrate tightly into this. So if you do need some server side stuff, you can buy into their
Cloudflare Worker platform, which I guess is something similar to like an AWS Lambda or an
Azure functions or something like that. So, um, it ties nicely into that. So if you do need some
sort of server side, it's in there and, and because they've got all that available to you,
this is a really nice all-in-one platform if you wanted to do that.
I see.
Cool.
Very cool.
All right.
And so I've got two.
And unfortunately, I forgot.
Okay, let me start from the beginning.
Andrew Diamond, wonderful source of tips.
We know him.
We love him.
Once, Al and I had dinner with him.
That's pretty cool.
That's been many a moon ago.
Yep.
I think he might have been like 14 at the time or something.
I don't know.
It was weird.
Maybe we shouldn't.
Anyway, so he gave me two great tips.
One I completely forgot.
I'm sorry, Andrew.
If you hear this, let me know what it was.
The other one, though, I had bookmarked.
And so have you ever debugged CSS by just adding a stupid border to something,
like making it like two pixels red so you can just see what the heck the layout is
and try to figure out what's going on?
If you've used CSS, the answer is yes.
Yeah.
And, you know, of course, there's probably better ways to do that, whatever.
But, like, that's how you do it, right?
So I mentioned that. And he said, don't ever use border, you should use outline instead. You ever used outline? Never heard of it. So it's the same thing, but the border is on the
inside, so it doesn't skew the rest of the page. Border's on the outside. So if you had a one pixel
or two pixel border, it actually knocks everything off by a total of four pixels,
right?
Two for each side,
but not outline.
Same thing.
So same syntax,
just outlines at a border.
Next time you're doing that.
Oh,
that's really good.
Yep.
Yeah.
And go ahead.
Uh,
I remember when like this came up in like the Slack channel,
I think it was.
Cause I don't remember which,
which episode was,
cause we had talked about something similar to this back in the day.
There was like a free code camp article.
I think it was that where somebody had given the code for a bookmark clip
that you could set.
And if you click that, then you would, it was like,
I created one called debug CSS and it would like turn on borders,
you know, and, and set everything. I'm trying to find it now.
It's like, I could like go back and reference it.
I'll see if I can find it, but probably not.
You just did it. That's very cool.
The free code camp one.
No,
no,
the,
uh,
the outline.
Oh yeah.
And I do have one other tip though that I have to share.
And,
uh,
I'm not going to say online cause it involves a dirty word.
Um,
but we'll have the link in the show notes.
Maybe we'll hide it somewhere.
But, uh, have you ever been on Twitter, YouTube, maybe playing a game on your phone, and seen, uh, an ad for a mobile game, maybe a mafia game or, you know, maybe a garden game or something,
and you watch the ad and you're like, what, what did I just see? It's like strangely inappropriate.
It's like hinting at weird things.
You're not even sure what it means,
but it just makes you feel uncomfortable.
Like there's no way you're going to play that game.
Like we've all been there,
right?
Probably.
Oh my gosh.
Okay.
Well,
I guess I'm hanging out in some weird places,
but there's,
uh,
there are a lot of games out there
being advertised, and the ads for these games are just crazy. And I'm, I'm not gonna even try to,
try to explain. But if you've ever seen the ads for the games like Mafia City or, um,
Merge Mansion, or Lily's Garden was the first one I saw. Um, they're just weird and it's bad.
And so if you like watching weird and bad things like I do,
uh,
then,
uh,
there's a subreddit for really bad mobile game ads that you can just go and
look at all these and just exclaim aloud.
Like,
what are they thinking?
Uh,
it's like,
it's like crappy mobile game ads, but, you know, replace.
Another expletive in there instead of crappy.
The one that comes to mind, though, for me, though,
is it looks like one of those, like, bejeweled type, you know,
where you're, like, trying to match the things, like a Candy Crush.
But it's, like, the Royal match or something like that.
I forget what it is.
Like that one comes up every time on like different games that I play.
I'm like,
how much is the developers for this game?
Like how much are they paying for advertising?
Cause they keep showing me the same ridiculous ads for the same game that I
have absolutely zero interest in.
And I've never once clicked into it.
Like, why do you keep showing it to me?
Have you ever seen the ones where it's like,
you'll have to like, there'll be like a little scene
and be like maybe a person and a monster
and some gold or something.
And the person pulls a little pin
and the lava falls on the treasure and melts the treasure.
And then they open another pin and the monster kills them.
And you're like, why don't you just open this one first?
Go click that game and buy it.
It's stuff like that, except it's like the weirder ones.
And I'll just tell you.
So real quickly, there's one called Lily's Garden.
That was one of the first ones.
And some of the ads, you have to watch a bunch of different ads
because to get the whole story, you need to watch several ads.
But the first kind of ones, it is like a woman in her wedding dress.
She's crying and she gets dropped off her house and like her house burns down.
And then she goes to grandma's house and grandma sets her up with a garden and like life seems to be getting better.
But then grandma gets arrested.
And as she's driving away in the cop car, she puts her hand up on the glass and says, you're next.
And you're like, what? And then you see the gameplay, and it's like a match three, like Bejeweled. What? Yeah, so there's just a ton of
these and they're, they're amazing. And it's kind of like, um, you ever watch like ads from the 80s?
Or like you can find actually, um, those Kmart, uh, tapes people have recorded, uh, tapes from like
old Kmart department stores and the music they would play.
And it includes like the ads that do play in like the 80s and 90s.
And you can go and listen to them on like YouTube or whatever.
I do not.
Okay.
Well, there's another tip for you.
It's amazing.
You're welcome.
So I don't know that that's... What I was thinking, the downside is, is that we just gave
like these crappy games all this free advertising by even talking about them. We did. Yeah, that's why
they do it, I guess. It is. Is it where we just fell victim to it and it worked? So I'm tempted now.
Now it's worse, knowing that they won. Okay. Oh, and I did find it, by the way.
It was episode 81.
It was my tip of the week.
And I put a link for you guys in the show notes there for the free code camp.
Did you say episode one?
81.
81.
Yeah.
And the author of the article on free code camp, he was talking about using outline for it, but he provided the code that you could use as a bookmarklet, which, you know, you want to talk about inject outlines and, and, uh, it would layer in color on top of it.
So you could see like if something was, uh, you know, in the background or in the forefront of all the different layers. Yeah. So pretty nice. Um, all right. So, uh, you know how we are with
cheat sheets, right? Like, that's pretty cool.
So, I found one since we've been talking about OWASP so much.
OWASP has a cheat sheet series.
I tried to say that 10 times fast.
And every time you fail, you take a drink.
And it'll be a lot of fun.
Trust me.
So, at any rate, they have a cheat sheet series. And you can go there and you can see all the different cheat sheets and it'll say like, okay, to, you know, here's
the Ajax security cheat sheet, and it'll have, uh, you know, recommendations like use innerText
instead of .innerHTML. Uh, you know, things like that. Like, you know, tons of different, like, sections. If you,
if it's a,
you scroll through the page quite a lot for the different categories of things
that they have in there.
So this looks like better than their regular navigation.
And surprisingly,
it's not part,
it's,
this is,
this is in its own subdomain.
So this is a different thing.
This is pretty good, man.
Yeah.
Yeah, you want to deal with file uploads,
and it has a whole list of like,
here's the threats that you need to be aware of.
And your security posture as it relates to like the possibly malicious files you
might be getting right.
And how to deal with it.
Yeah.
So it's good stuff.
So,
um,
all right.
So with that,
ah,
dang,
they're still going to think that somebody was absent.
Um,
Alan,
don't you have like 18 more tips we can make up for this time gap?
All right.
Usually,
usually.
Well,
uh,
we hope you enjoyed this.
This is,
uh,
you know,
part three of this,
uh,
pager duty talk.
I'm sure that they didn't talk about it as long as we've talked about it.
But,
uh,
yeah.
So be sure to subscribe to us on iTunes,
Spotify,
Stitcher,
you know,
wherever you like to find your,
your podcast.
I'm sure we're there.
Uh,
when,
next time you stop by the chicken pit,
be sure to say hi.
And be sure to leave us a review.
You can find some helpful links.
I'm sure Alan has updated this site with the latest one now.
It's www.codingblocks.net/review.
Hey, and while you're up there at codingblocks.net, check out our show notes, examples, discussions, and more.
And send your feedback, questions, and rants to our Slack.
And make sure to follow us on Twitter at CodingBlocks, and send us
any weird mobile ads that you've seen,
because we super dig them.
And by we,
we mean Joe.
Yes, Joe.