Escape Security Flaws

Rate this content
Bookmark

An elevator pitch for security - yay! I know, security is often frustrating or even annoying. But we all work in tech and at some point, security always becomes a topic. Let's discover a real-world security flaw and what we can learn from it to prevent such incidents. It's gonna be fun, I promise. 

7 min
08 Dec, 2023

AI Generated Video Summary

The Talk discusses web security and the importance of strong code protection. It highlights a vulnerability where a weak five-digit numeric code was used, allowing easy access to sensitive content. The speaker emphasizes the need for throttling as a mechanism to prevent attacks. The company implemented throttling and blocked access to photos to improve security. However, stronger code and additional measures, such as limiting access to specific IP addresses and timeframes, are still needed.

1. Introduction to Web Security

Short description:

Hello, my name is Hendrik. Today, I want to talk about web security. I accidentally got access to some spicy content due to weak code protection. A five-digit numeric code was used, making it easy to generate codes. Throttling is an important mechanism to prevent attacks, but it wasn't implemented.

So, hello, my name is Hendrik. And before I start, I need to disappoint you just a little bit because I won't talk about React today. And even worse, I want to talk about web security. So I hope you can enjoy my talk.

So I want to tell a story or share a story with you where I accidentally, and I promise accidentally got access to some pretty spicy content of like photos where people showed off posts with sex toys or even consumed alcohol. So what has happened? Well, back in October 2022, I visited an escape room with some friends. And so after the experience, the staff member came to us and did a group photo.

So in our case, it was just a boring group photo. And so after that, they gave us a little piece of paper that looked like that. And so on the piece of paper, there was our randomly generated code as well as the date of the experience, right? So the experience was super handy. So you would just go on the website, enter your code and boom, you can find the photos you can easily access and loan them and share with your friends. So great user experience. What could possibly go wrong here?

Well, it's like maybe similar to the cat, right? So imagine you have a room and you want to protect the room. So the solution is, well, you just close the door and your room is safe, right? Until the cat understands how to use the door handle. So coming back to my story, basically, I was the cat and I was playing around with the door handle and see how it works. So it turns out, actually, they used a pretty weak code to protect the photos, right? So it was a five digit numeric code, meaning we had only 90,000 possible codes per day. And I'm pretty sure every one of you could easily write a script to generate codes. And so the only thing you have to do is you just write another script and submitting the form over and over and over again, and just hoping you would find an actual code. Yeah, maybe that's what I did. And it turns out it works. And so just as a quick comparison, you can see it here on the table. If you would just use a six digit numeric code, you would already increase the complexity to 900,000 codes. And for me, it's always like, think about it. If you would sit in our product design meeting, at some point you have to decide, okay, what kind of code are we going to use? And they chose a five digit numeric one. Just imagine they would have chosen the six digit or even included alphanumeric, they would have increased the complexity quite a lot.

So even if you have like the strongest code on earth, if you give me enough compute, probably money and time, I could still try my best to find random codes. So another mechanism we need in place is throttling. So throttling means if you get a lot of traffic coming from the same IP address, you probably at some point want to limit the traffic or block the IP address completely. And that's a pretty strong mechanism to prevent attacks. And so guess what? They didn't implement any throttling.

2. Improving Security Measures

Short description:

There was no door or door handle, making the room easily accessible. After discovering sensitive content, I shared my findings with the company. They implemented throttling and blocked access to photos, improving security. However, stronger code is still needed. Traffic must now come from different IP addresses and access to photos is limited to a specific timeframe.

So basically, that means there was no door, there was no door handle, basically the room was open and I could just break in without any problems. Well, it was aboard me on a Sunday and I realized, oh, hell, it's actually serious here. And also I mentioned that I found some spicy content because, that's because they also have a so-called party escape room experience where you can have some intimate private moments with your friends. And basically with the rest of the world, right? So I was like, okay, I need to share my findings somehow with the company. And so that's what I did. And a couple of weeks later, they reacted. And so at least they implemented throttling and also blocked access to all the photos. So they improved the security a little bit. Still, I would still suggest to implement stronger code, but at least it's now harder to attack the service because now the traffic would need to come from different IP addresses. And also you can only get access to the photos from the last 14 days, 7 days, I don't know the exact number. So they definitely improved it.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.
React Advanced Conference 2021React Advanced Conference 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
All languages are or were vulnerable to some kind of threat. I’m part of the Node.js Security team and during the year 2022, we've performed many Security Releases and some of them were really hard to think about.
Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, I’ll show you 5 ways you can have hacked Node.js and how the Node.js team deals with vulnerabilities.
JSNation Live 2021JSNation Live 2021
9 min
Securing Node.js APIs with Decentralised Identity Tokens
Authentication and Authorization are serious problems. We often dedicate a lot of time to craft powerful APIs but overlook proper security measures. Let's solve it with Magic using a key-based identity solution built on top of DID standard, where users’ identities are self-sovereign leveraging blockchain public-private key pairs. In this talk, we’ll look at proper ways to secure our Node.js APIs with Decentralised Identity Tokens. We’ll go from learning what Decentralised Identity standards are, how the users’ identities are self-sovereign leveraging blockchain public-private key pairs, why they’re the future of API security, and to put theory into practice we will build a real-world implementation using Node.js where I’ll show common best practices.

Workshops on related topic

React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.
TestJS Summit 2021TestJS Summit 2021
111 min
JS Security Testing Automation for Developers on Every Build
WorkshopFree
As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases...but it doesn't have to...

NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives/alerts, without slowing you down.

Join this workshop to learn different ways developers can access Nexploit & start scanning without leaving the terminal!

We will be going through the set up end-to-end, whilst setting up a pipeline, running security tests and looking at the results.

Table of contents:
- What developer-first DAST (Dynamic Application Security Testing) actually is and how it works
- See where and how a modern, accurate dev-first DAST fits in the CI/CD
- Integrate NeuraLegion's Nexploit scanner with GitHub Actions
- Understand how modern applications, APIs and authentication mechanisms can be tested
- Fork a repo, set up a pipeline, run security tests and look at the results
DevOps.js Conf 2022DevOps.js Conf 2022
32 min
Passwordless Auth to Servers: hands on with ASA
WorkshopFree
These days, you don't need a separate password for every website you log into. Yet thanks to tech debt and tradition, many DevOps professionals are still wrangling a host of SSH keys to access the servers where we sometimes need to be. With modern OAuth, a single login and second factor to prove your identity are enough to securely get you into every service that you're authorized to access. What if SSHing into servers was that easy? In this workshop, we'll use Okta's Advanced Server Access tool (formerly ScaleFT) to experience one way that the dream of sending SSH keys the way of the password has been realized.
- we'll discuss how ASA works and when it's the right tool for the job- we'll walk through setting up a free trial Okta account to use ASA from, and configuring the ASA gateway and server on Linux servers- we'll then SSH into our hosts with the ASA clients without needing to supply an SSH key from our laptops- we'll review the audit logs of our SSH sessions to examine what commands were run