  • Locked thread
eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?

Cybernetic Vermin posted:

for most of its existence (changed in ios 8 iirc) ios did not let apps run javascript with jit, by disallowing embedding scripting engines and only providing interpreted execution in the ui toolkit webview. as the interpreter most likely does every indirect branch from the same code (the code implementing that bytecode) it will not be possible to seed branch prediction. steve saw this coming~

this is how every platform should implement JavaScript, for those who wish to turn it on, so people stop pretending web pages are apps

eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?

BangersInMyKnickers posted:

PCI does have teeth and there's a website where you can report poo poo like that

please report it, it will cause a roller derby org—an awful one, too, USARS—to feel pain

maybe also see if the forums’ own WindyMan will report on it to shame them (even though he’s a USARS booster)

eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?

anthonypants posted:

nordvpn is one of those public vpn services with a single pre-shared key for each and every connection. that psk is "nordvpn". if you're not using it for security and you just want to watch netflix or whatever it's fine

here's that non-exhaustive list of terrible vpn services: https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

every time I see it all I can think is “it’s my VPN, Nord-style”

ate shit on live tv
Feb 15, 2004

by Azathoth

mrmcd posted:

Personally though, I have a VPN box in France because my two kinks are EU cookie warnings and making my nsa case officer deal with French bureaucrats all day.

A good post, quoted for a good page.

Crime on a Dime
Nov 28, 2006
re: secure chat, how does Wickr hold up?

Xarn
Jun 26, 2015

tavis posted:

Note: I regularly encounter users who don't accept that websites can access services on localhost or their intranet. These users understand that services bound to localhost are only accessible to software running on the local machine, and that their browser is running on the local machine - but somehow believe that accessing a website "transfers" execution somewhere else. It doesn't work like that, but this is a common source of confusion.

:suicide:

Truga
May 4, 2014
Lipstick Apathy
lol if you let javascript run by default

Wild EEPROM
Jul 29, 2011


oh, my, god. Becky, look at her bitrate.
posting on the yospos page

NFX
Jun 2, 2008

Fun Shoe

eschaton posted:

this is how every platform should implement JavaScript, for those who wish to turn it on, so people stop pretending web pages are apps

webassembly is a mistake

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

NFX posted:

web is a mistake

Condiv
May 7, 2008

Sorry to undo the effort of paying a domestic abuser $10 to own this poster, but I am going to lose my dang mind if I keep seeing multiple posters who appear to be Baloogan.

With love,
a mod


NFX posted:

webassembly is a mistake

I really don’t get why they don’t make a bytecode for webpages that all weblangs can compile to?

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder

wait so if I have a database or webapp running on localhost, some random javascript from the web can access that and download data and then send it back to wherever?

gently caress me of course it can. that's absolutely horrifying.

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

MALE SHOEGAZE posted:

wait so if I have a database or webapp running on localhost, some random javascript from the web can access that and download data and then send it back to wherever?

gently caress me of course it can. that's absolutely horrifying.

that was the first CVE for riak back in 2012, a web page could contain a form that POSTed a mapreduce job to riak's http interface (and run arbitrary erlang code)

if your local app disconnects when receiving any HTTP request that’s what you want

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

MALE SHOEGAZE posted:

wait so if I have a database or webapp running on localhost, some random javascript from the web can access that and download data and then send it back to wherever?

gently caress me of course it can. that's absolutely horrifying.

no, unless you configure the local service to permit it, via CORS headers

E: similarly, something awful dot calm can't fire off a request to gmail and get your mail. cross-origin requests aren't permitted to read responses into script unless the site explicitly opts into it

Subjunctive fucked around with this message at 13:38 on Jan 12, 2018

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder

Subjunctive posted:

no, unless you configure the local service to permit it, via CORS headers

gee i wonder how most webservers are configured.

for that matter, shouldn't anything on a vpn be accessible in this manner as well? I suppose that's why you put everything behind an ssh bastion

DONT THREAD ON ME fucked around with this message at 13:36 on Jan 12, 2018

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder
i need to start reading this thread

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

MALE SHOEGAZE posted:

gee i wonder how most webservers are configured.

uh, what web servers are configured with permissive CORS?

repeating my edit:

similarly, something awful dot calm can't fire off a request to gmail and get your mail. cross-origin requests aren't permitted to read responses into script unless the site explicitly opts into it

localhost isn't special, and shouldn't be

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder

Subjunctive posted:

uh, what web servers are configured with permissive CORS?

repeating my edit:

similarly, something awful dot calm can't fire off a request to gmail and get your mail. cross-origin requests aren't permitted to read responses into script unless the site explicitly opts into it

localhost isn't special, and shouldn't be

sorry, i didn't mean to say that apache/nginx allow permissive cors, but rather ye old rails app trying to integrate with a SPA running on node.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

MALE SHOEGAZE posted:

sorry, i didn't mean to say that apache/nginx allow permissive cors, but rather ye old rails app trying to integrate with a SPA running on node.

sure, how are most of them configured? if you're running rails anywhere (including localhost, which would be an odd choice I think) then having open CORS means you can get hit by an arbitrary site. it has nothing to do with localhost

Truga
May 4, 2014
Lipstick Apathy
you'd probably have rails running on localhost on a dev machine, possibly without a real proxy in front?

ohgodwhat
Aug 6, 2005

Didn't we just see a bug report on a service with permissive CORS running on localhost?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

ohgodwhat posted:

Didn't we just see a bug report on a service with permissive CORS running on localhost?

sure, but it'd be the same bug if it were running on whatever.com, which also happens. a browser won't just bridge arbitrary origins, an explicit software-level (vs configuration) secfuck is required

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder

Subjunctive posted:

sure, but it'd be the same bug if it were running on whatever.com, which also happens. a browser won't just bridge arbitrary origins, an explicit software-level (vs configuration) secfuck is required

yeah i wasn't trying to imply otherwise. disabling cors is ridiculously common in dev environments, I think because people don't realize what I just realized.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Subjunctive posted:

sure, but it'd be the same bug if it were running on whatever.com, which also happens. a browser won't just bridge arbitrary origins, an explicit software-level (vs configuration) secfuck is required

Of course, stuff like "not validating that the hostname in the request is 'localhost'" counts as a secfuck in this context - the browser will happily send requests to 127.0.0.1 if some other (potentially attacker-controlled) DNS name is resolving to that.
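The two checks Subjunctive and Jabor describe, as an added example that is not code from the thread: a local service's CORS decision (with the "allow anyone" variant beside it for contrast) and a Host header check that refuses requests arriving under a foreign DNS name. The allowlisted origin, the port and the `/transfer`-style route are assumptions for a dev setup.

```javascript
// Origins whose pages may read this service's responses. A request with
// no Origin header is same-origin or non-browser and gets no CORS headers.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']); // assumed dev SPA

// Strict setting: only an allowlisted Origin is echoed back, so any other
// site's fetch() reaches us but the browser withholds the response from it.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  if (!originHeader || !allowed.has(originHeader)) return {};
  return { 'Access-Control-Allow-Origin': originHeader, Vary: 'Origin' };
}

// Weak setting ("allow anyone"): reflecting every Origin, or sending '*',
// makes each page the user visits a client of the local service.
function permissiveCorsHeaders(originHeader) {
  return { 'Access-Control-Allow-Origin': originHeader || '*' };
}

// The browser sends requests to 127.0.0.1 for any DNS name that resolves
// there, so the Host header must also name this machine.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
function hostIsLocal(hostHeader) {
  if (!hostHeader) return false;
  const host = hostHeader.replace(/:\d+$/, '').toLowerCase(); // drop :port
  return LOCAL_HOSTS.has(host);
}

// Pure decision step: takes { method, headers } and returns the reply, so
// it can be exercised without opening a socket.
function respond(req) {
  if (!hostIsLocal(req.headers.host)) {
    return { status: 421, headers: {}, body: 'wrong host' };
  }
  const cors = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') { // preflight; a real one also lists methods
    const ok = Object.keys(cors).length > 0;
    return { status: ok ? 204 : 403, headers: cors, body: '' };
  }
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json', ...cors },
    body: JSON.stringify({ secret: 'only for localhost pages' }),
  };
}

// Adapter for node's http module:
//   require('http').createServer(handle).listen(8080, '127.0.0.1');
function handle(req, res) {
  const reply = respond({ method: req.method, headers: req.headers });
  res.writeHead(reply.status, reply.headers);
  res.end(reply.body);
}
```

Note that `permissiveCorsHeaders` is there only to show what the electrum-style "allow anyone" header looks like; `respond` never calls it.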

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Subjunctive posted:

no, unless you configure the local service to permit it, via CORS headers

E: similarly, something awful dot calm can't fire off a request to gmail and get your mail. cross-origin requests aren't permitted to read responses into script unless the site explicitly opts into it

does CORS prevent js-triggered or user-initiated form submissions from happening, or just their result being visible to js?

4lokos basilisk
Jul 17, 2008


so does my dumb brain understand correctly that if I disable CORS on some server listening on my local machine, it makes it possible for random javascripts to query that server? which is basically bad but does not straight up guarantee getting owned unless the server itself is somehow vulnerable?

and the next level secfuck is somehow that DNS can be messed with to make dumbass software request things from malicious sources and it will work because CORS is disabled?

Chalks
Sep 30, 2009

Just noticed an interesting exploit in an Android payments promotion they're doing with Visa in the UK.

Although it's meant to give you vouchers and stuff when you pay for items using Visa, instead it gives you vouchers every time you select Visa as a payment method via the radio button on the UI, so you can just alternate between payment methods to get a bunch of free vouchers and never actually buy anything.

Proteus Jones
Feb 28, 2013



Chalks posted:

Just noticed an interesting exploit in an Android payments promotion they're doing with Visa in the UK.

Although it's meant to give you vouchers and stuff when you pay for items using Visa, instead it gives you vouchers every time you select Visa as a payment method via the radio button on the UI, so you can just alternate between payment methods to get a bunch of free vouchers and never actually buy anything.

I'm not seeing where you can come to that conclusion from the link you gave.

The site specifically states "you’ll get an envelope each time you use it [VISA] with Android Pay for the next 30 days". I mean the context seems fairly clear that it needs to be a transaction.

Do you have another site spelling it out or a working demo?

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

Penisface posted:

so does my dumb brain understand correctly that if I disable CORS on some server listening on my local machine, it makes it possible for random javascripts to query that server? which is basically bad but does not straight up guarantee getting owned unless the server itself is somehow vulnerable?

and the next level secfuck is somehow that DNS can be messed with to make dumbass software request things from malicious sources and it will work because CORS is disabled?

as far as I understand it's the other way around - if there's no CORS policy present in the localhost site headers, the browser will not allow javascript to communicate with it

the problem with electrum was that it had a CORS policy set, and it was set to "allow anyone"

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Please, for the love of god, don't share Project Veritas, a group known for editing and lying out their rear end. Much obliged.

https://rationalwiki.org/wiki/James_O%27Keefe

quote:

O'Keefe's investigations have thus far been exclusively focused on doing heavily-slanted attack pieces against organizations or individuals considered to be liberal, and these efforts have made him a conservative media favorite.

EVGA Longoria
Dec 25, 2005

Let's go exploring!

CommieGIR posted:

Please, for the love of god, don't share Project Veritas, a group known for editing and lying out their rear end. Much obliged.

https://rationalwiki.org/wiki/James_O%27Keefe

on the one hand, project veritas is garbage and lol at posting the link

on the other hand, do you think anything in the text on that image is incorrect? AT BEST, they're not logging passwords, just literally everything else. and we all know twitter isn't an at best company

(i didn't click the link so if there's something inside it that changes the whole context, lol nm)

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

mrmcd posted:

Personally though, I have a VPN box in France because my two kinks are EU cookie warnings and making my nsa case officer deal with French bureaucrats all day.

that's kind of hot

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

EVGA Longoria posted:

on the one hand, project veritas is garbage and lol at posting the link

on the other hand, do you think anything in the text on that image is incorrect? AT BEST, they're not logging passwords, just literally everything else. and we all know twitter isn't an at best company

(i didn't click the link so if there's something inside it that changes the whole context, lol nm)

I meant more: Find another source. Veritas has a poo poo reputation for making poo poo up and taking quotes out of context, so they are unreliable as a source of information and anything they post/share is heavily suspect.

CommieGIR fucked around with this message at 15:17 on Jan 12, 2018

EVGA Longoria
Dec 25, 2005

Let's go exploring!

CommieGIR posted:

I meant more: Find another source. Veritas has a poo poo reputation for making poo poo up and taking quotes out of context, so they are unreliable as a source of information and anything they post/share is heavily suspect.

that's reasonable

i'm gonna continue assuming all websites are not actually deleting data, tracking log ins, and letting employees log in as the users

4lokos basilisk
Jul 17, 2008


ymgve posted:

as far as I understand it's the other way around - if there's no CORS policy present in the localhost site headers, the browser will not allow javascript to communicate with it

the problem with electrum was that it had a CORS policy set, and it was set to "allow anyone"

thanks!
my basic understanding is that the default CORS policy on any sane software should be only to allow same origin.. so "disable CORS" in male shoegaze's post would mean loving around with that to allow testing some javascripts or something

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Penisface posted:

thanks!
my basic understanding is that the default CORS policy on any sane software should be only to allow same origin.. so "disable CORS" in male shoegaze's post would mean loving around with that to allow testing some javascripts or something

bitcoin software is not sane software

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

EVGA Longoria posted:

i'm gonna continue assuming all websites are not actually deleting data, tracking log ins, and letting employees log in as the users

Oh, naturally, by all means. I assume that already.

Sapozhnik
Jan 2, 2005

Nap Ghost
yeah just remember that XSRFs take other forms too, like nothing stops a malicious site from making a hidden <form> that POSTs to your site and automatically submitting it; that submission will carry your cookies.

or if you have an endpoint that performs side-effecting GETs and takes parameters via query string then an <img> pointing at that script with some query params will do it without even requiring any javascript to be involved. this GET also carries your cookies.

typical workaround for the POST thing is to embed a copy of the auth cookie in every HTML form and always validate it on the server. this is work though so people often don't do it.

typical workaround for endpoints with side-effecting responses to GET is uhh don't do that

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Cocoa Crispies posted:

does CORS prevent js-triggered or user-initiated form submissions from happening, or just their result being visible to js?

forms can be submitted cross-origin, but results aren't visible. this is where CSRF comes from, and the use of request tokens. many frameworks already handle that stuff for you. all the origin architecture around form submission predates CORS by...a decade? it would actually be a huge pain to change even if you could wave a wand on compatibility, because post-to-other-server-when-non-submit-button-pressed is a very common and useful pattern

CORS shouldn't prevent any user-initiated action, fwiw


ymgve posted:

as far as I understand it's the other way around - if there's no CORS policy present in the localhost site headers, the browser will not allow javascript to communicate with it

correct

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock
also this puts the burden of restricting on the browser, so if you have a non-sane browser, like IE5 for some reason, you might still be vulnerable