A few days ago I attended the IPC (International PHP Conference) in Munich. After visiting some interesting sessions, I found that sometimes the little things are the most important and significant ones.
My first experience with Bower and Node.js
Right on the first day I noticed that you should never forget the “-g” flag when installing Bower (a package manager for Node.js) via npm. Otherwise Bower will not be installed on your machine for global access and is simply not available at the command line. I had never used this tool before, and maybe I was too busy getting Node.js installed on Windows to notice this tiny but important detail. Just when I was nearly going crazy over this issue, Robin Böhm (one of the speakers of the AngularJS session) gave me this crucial hint.
filteredString = originText.replace(/(<\/?script>)/ig, "");
reliably removes undesired “script” tags from user input but is absolutely useless if the hackers learn from our failure to secure web pages and enter „<scr<script>ipt>“. The code snippet above will remove the “<script>” in the middle, and the two remaining pieces join into another “<script>” tag. With respect to the above example the solution is quite simple: apply the sanitize routine repeatedly until the returned value no longer differs from the input value.
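As an added example (not code from the original post), here is the single-pass routine above next to a version that repeats it until a pass changes nothing, run against the nested input quoted in the text; the sample strings are constructed for this illustration.

```javascript
// Added example: single-pass tag stripping versus stripping until a
// fixed point is reached. A nested input like <scr<script>ipt> survives
// one pass because removing the inner tag reassembles the outer one.

// Single pass, as in the article: removes literal <script> / </script>.
function stripScriptOnce(text) {
  return text.replace(/(<\/?script>)/ig, "");
}

// Repeat the same routine until the output equals the input.
function stripScriptUntilStable(text) {
  let previous;
  let current = text;
  do {
    previous = current;
    current = stripScriptOnce(previous);
  } while (current !== previous);
  return current;
}

// Constructed inputs, including the nesting trick quoted in the article.
const samples = [
  "<script>alert(1)</script>",
  "<scr<script>ipt>alert(1)</scr</script>ipt>",
  "<scr<scr<script>ipt>ipt>",
];

for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log("  once  :", JSON.stringify(stripScriptOnce(s)));
  console.log("  stable:", JSON.stringify(stripScriptUntilStable(s)));
}
```

Even the fixed-point version is still a blocklist: a tag with attributes such as `<script src=...>` or an inline event handler passes straight through, so contextual output encoding or a proper HTML sanitizer remains the robust defence.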
Pixel Perfect Timing Attack
Another impressive and equally awesome topic was the new kind of HTML5 attack called Pixel Perfect Timing. With the help of the new HTML5 functions, even a single pixel is enough to steal sensitive data or read the browser history. The trick is based on the fact that it takes different amounts of time to display a pixel in the various colors. This information is gathered through the HTML5 API “requestAnimationFrame”. With this timing information the hacker can create an optical clone of your screen and convert it back to text using OCR software.
It’s an upload, not a download…
While this example appears somewhat thrilling, it creates a certain overhead that makes it rather difficult to use in the broad field. But this technical effort is not needed if you force a user to upload a whole directory and so get sensitive data handed to you on a silver platter by a simple trick. Just use
<input type="file" id="file_input" webkitdirectory="" directory="">
in the authentic-looking context of downloading a very interesting tool that asks the user for a download directory. In reality the code snippet opens a folder dialog for selecting an upload directory, as is mentioned unobtrusively in the caption of the dialog. Thus the content of the chosen download destination folder is transferred easily, and without any further notification, to the web server.
To minimize potential damage you should never select as your download directory one that contains confidential files or subdirectories with confidential files (e.g. your desktop). In equal measure we have to force ourselves to take a close look at every web site, dialog and dialog caption. Now we must think twice before confirming the download of any file or any other action.
The most famous little difference
Yes, I have learned that differences may be small but significant: even the “small” but significant difference between men and women. As a woman attending a PHP conference you enjoy having no queues in front of the ladies’ restroom between two sessions. You also enjoy easy access to the salad buffet. But when attending a party where free beer is served, waiters can consistently ignore women, because women are not expected to drink beer.
What a pity… In that respect – I guess – the difference isn’t that big. 😉