Hi. Oh man. I've tried to give me some eggs. Will sweep to go. So I've got a market discovery question for you. I got into just thinking about how the dark web is structured over the weekend, and just learning the Tor protocol, I guess. And I think all of it lives on just kind of one weird little protocol, and I think I can do better than that. Like, I could make my own Tor network. But the debate is, well, that's the majority of their control, but the NSA... yeah, that's what I was thinking, is that the input, the output, that they're kind of crowdsourcing a subnet. As I was just thinking about data, whatever. And I think that says stego, descended on the screen. But they got the wrong thing. There we go. Good, JD. Yeah. I went to a museum in Warsaw, and they had all these posters from communist-occupied Poland. And they were talking about how the artists would send subversive messages through the posters that would get past the censors' eyes but would communicate to their folks, right? Like, they're kind of accustomed to being occupied. And so that's why, in that kind of government censorship model, it would be like, okay, so let me throw a message in there, as long as it's not a very sophisticated thing. But my question for you, sorry, the market question is: does that feel too far adrift from web app security? Talking about secret private networks and steganography and stuff, or is that a little bit more network security? And do you trust your network security class to teach you that stuff well? Okay. So I'm just curious. I feel like last spring I made my secure software design class just pure x86 exploitation. And that came to mixed reviews, in the sense that either they really loved it or they're like, this is not secure software design, in fairness. So are you getting what you paid for? That's the question.
So I was a little bit shocked that you guys wanted to do write-ups. And I'm happy about that. But it wasn't quite what I expected. So I did two things for this. One, I collected all the challenges in one place. So I'd like to be able to say to, you know, some hotshot high schooler, "Oh, really? Good. All right, well, here, go to the website, slash CTF, and show me what you got," right? So just a little skill set. And so that's nice. You can go to the website, slash CTF, and I'll just try to collect those there. I did mark my interpretation of easy, medium, or hard for where I think you guys are. Clearly, if you started trying out these flags on problem 1, it got a little frustrating for you and maybe you never tried again. Don't be that guy. Don't give up on that first one. The first one was intentionally hard, just to see: do we have any JDs out there? I got one, maybe two. So that's my collection. In terms of showing you the walkthroughs, here's my thinking. I collected them into categories, probably based on difficulty, in my opinion. So these early ones are escape-room ones. Have you guys been through an escape room in real life? You go in and there's some lock and some clues and stuff. And maybe I should just introduce why I care about web CTFs, and maybe I've done that enough: the CTF thing is a microcosm of the skills it takes to be a good pen tester, the skills it takes to be a good security engineer. And it's very meritocracy-based. You just get good at that, you get the job. It's an anonymized internet scoreboard that teaches you exactly what matters most, in a way that's very hands-on, and so on.
If there's anything wrong, it's that it's only a weekend instead of some six-week project to break something, which is what it might be in industry. But that's good for my Ira Glass video perspective: you just need to do a huge volume of work to close the gap between where you are and where you think you could be. So I love CTFs for undergrads, just love them. So when you're doing a web CTF, it is different than doing crypto CTFs, and it's different than doing x86 CTFs. And I don't admire web CTFs quite as much as I should, being the professor of this class. And the reason is that in web land, I am sniffing around; it does feel like an escape room. The first step is sort of forensics of my situation, taking stock of everything that might be there, and I collect all the things that it could be. That's a very different experience than if you give me the source code. I look at the source code, I know exactly what you're doing, I know exactly what's supposed to be secure, and I know exactly where the vulnerability is; my job is just to go through that, right? So in a crypto problem, I get all the source code. So to me, web has this extra element of security by obscurity, which is a little bit of guessing. It's a little bit annoying, because I like crypto and it's very straightforward, very mathy. But the flip side of that is that the web, well, okay: web bug bounties are most bug bounties. Everything you ever do is on a website, et cetera, et cetera. And that is what it's like when you go into a situation: you don't have the source code, you don't have everything. Even x86 is somewhere in between, where I have an executable. If I have an executable, I know exactly what it is going to do. You don't change the source code, or the machine code, of an executable. But websites, they're funny, you know, and that's true in real life.
So these early problems are designed to help you out with that basic "just take stock of your world," right? And you guys are just learning stuff. So I'm almost tempted not to show you these. But I know you guys are the ones who voted for CTF write-ups. So I need some nodding, or hands, or something to say, should we look at one of the basic ones, or is that fast enough? Fast enough. So let's just take a look. So we'll keep this list up. All right. This one's hard, but this one is one of these: it's just kind of in the notes. It wasn't even its own stand-alone flag or anything like that. So what do you do if you're going to analyze the security of a website? Probably step one is just Inspect, View Page Source, look at the console, whatever. And honestly, if you just did that, there's the first flag staring you in the face, right? So all we had to do to solve flag 1 is just look at the source code, and you solved it. Okay, cool. Not really much of a security thing, other than to say, hey, the world is deeper than just the surface level of your website. There's code behind your websites. Okay, cool, you guys all get that. Grownups. That's fine. All right. So it's hard to talk about that without just giving it away. Fine. All right. Next one. I'm doing these roughly in order of difficulty, if you'd rather I just tackle the ones that are hardest. That's actually something I don't have a feel for, because of the class culture on the flag-brag channel: one person solves it, and then most days nobody else will solve it, right? So like, rats, I wasn't the first one, right? Which is a pretty high standard, because there are a lot of you.
So you tell me, have you guys been solving these on your own and just not bragging about it in the flag-brag, because it's like, I'm not going to brag about that one? Or is all of it interesting? Possibly. Okay. All right. So I was just going to do them in order of increasing difficulty, but I could do the opposite. I could go in order of decreasing difficulty, because those are the ones that are most confusing to you. Casey nodded for decreasing difficulty; would you rather that? Okay. Malik, you too; are they representative? Yes. Okay. So we're going to go decreasing difficulty; forget this order. That's fine. So that's easy peasy. There are probably two or three of these that I think are just kind of scripting. How well can you script things? I think that's really important, right? And probably these ones are a little bit closer to a scripting-meets-web kind of thing, right? So let's talk about that. These are all pretty straightforward, straightforward, straightforward, right? So this one is kind of the beginning of something that you could start to script. You could actually debug it, or you could script it. So it's clear that in this thing, these are mostly the active things; they're probably ASCII values; the sorting algorithm is a little bit funky. My job is to go through this and parse out which ones matter and which ones don't. So I think it's easier to solve this by just debugging the code than by something else. But if I had to do it with scripting, because that's a valuable skill, I could do it in JavaScript, probably. I'd just sort of grab my output from here and regex it, if I'm not going to do it through the front door. So I could copy and paste this, go into Python, drop that in. Have you guys ever used BeautifulSoup? You can use BeautifulSoup to parse HTML. Or honestly, you could just filter for data-active.
Yeah, you know what, maybe it's better just to do this in jQuery right where it stands. Let's see. Yeah, I'm going to copy and paste it already. I want Atom. Plop, right? Here's this guy. Web security. That's fine. I'll just call this raw.html. Now, this is way overkill for this problem; it's a really simple problem. But in terms of scripting web stuff, one of the things you need to do is be able to send a web request from Python, and be able to parse HTML with Python. Those are two useful skills in your life that you should use all the time. Because if you're doing web scrapers, like doing semantic analysis on whether or not the headlines on Medium.com are positive or negative about a particular topic, that's a startup that people will pay you for, right? Like, any of those things are just cool little tricks to do. So, come on. All right, so what would I call it? raw.html. So it's been a while since I've imported BeautifulSoup. All right, fine. I do hate it when it does that; my readline modules get all messed up, right? And so, just nonsense: I'm going through my history of commands, so I can Ctrl-R, hunting for whether or not I've recently imported BeautifulSoup. Yes. Yes. Yeah, exactly. So that's why this is valuable, right? It's not that the flag itself mattered. So I'm just going to look for my BeautifulSoup import line. I think it's `from bs4 import BeautifulSoup`, something like that. Sounds good. Let's try it. Yep, there we go. Cool. So I want to `open('raw.html').read()`. Everybody has their own little preferences for how they open files. But everybody should be good at opening files and reading them and writing them and all that crap. Right? So if you're not, do that a bunch of times, just by doing crazy problems. Okay, cool. That looks right. So now I think I can do BeautifulSoup dot...
One of the things I love about IPython is that I can kind of tab-complete, and that tells me what's in there; otherwise I'd be looking at documentation. I think I'm looking for BeautifulSoup again; I thought it was BeautifulSoup of the thing. Maybe I could just do that. Yeah, okay, cool, soup equals that. So that is calling the BeautifulSoup constructor on that HTML, and now it's parsed it as HTML to give me each of the tags and stuff. And so now I've got this programmatic way to go through and get each value, sort of filter and things like that. So I could say soup dot... well, I could do find_all; take a look at the documentation. So I could say `soup.find_all(attrs=...)`, what did I call it, data-active. Probably this isn't JavaScript, so I need to do this. And here's the question: will it be `true` or will it be `True`? Let's find out. Okay, the other one. No. All right, fine. Python's like that, but maybe my soup didn't render correctly. So yeah. Crap. Okay. That's nice. So it's got some there that it sees as the text. How about children? List. Okay, `soup.children`. Ooh, why did that error? Okay. All right. So what if I make a list out of that? Oh, maybe I need to specify like `li`. Yeah, I'll probably mess around with this a bit, and this isn't how to actually do it, but this is a nice thing to do: set up a programmatic parse-through. Oh, there's a different find_all. That's interesting. I wonder. All right. I did prepare, but this wasn't what I imagined saying. First, zero, zero, it's going to be a different order. So I think I could say it extracts a list of tag objects, and I'm given criteria; I could specify the name of the tag, okay? Okay, what if I did `find_all(name='li')`? Yes, there we go. There we go. Okay, cool. I can work with that now. Now filter through and find the thing.
So, like, you know, `vals = ` that; `vals[0]`; let's say `x = ` this thing. Now let's see what I can get out of `x.attrs`. We're going to look at... cool. So now I think I can do the rest. I could just map lambda. You guys do this, by the way? I think they're killing it. You know, I didn't move on to Python 3 with the rest of the world. I mean, I know it, whatever, but it sucks for crypto. So if I have to do something in production, fine, but when I'm hacking for myself, I still prefer Python 2 because of this moment. Map lambda. That's the most useful thing in the world, and I do it every single time I'm in a Python script. Not map like this; it's all crap. Now, I mean, it's fine, it's just ten times longer. So yeah, but you young folks are apologists. That's cool. All right, so let's say `x.attrs['data-active']`, `x.attrs['data-id']`, and maybe `x.text`. Let's see if that works. I should totally... what did I call it? vals. vals. Look at that. Okay, now I've just got a list of tuples. And now the rest is whatever. Easy, I guess. Yeah. I can just get any value out of that. I think... maybe not. Right. So, okay, I don't think I need to finish it off at this point. Maybe I could just sort it, list it out. You want instant things, blah, blah, blah. Okay. Maybe you tell me. All right. So that's not exactly... that's sort of in the camp of just, can I code something? It's better to just debug the JavaScript, because that was the lecture at the time, and it's way faster than what I just did. But it's nice to parse through HTML in Python sometimes, especially if I fetch it from the internet. I'm going to hit some site, get my stuff, and parse through. Okay. So let's take a look at a couple more of those in that flavor. This one I would put in that same camp as debug test 2, or whatever it was.
This was the first time that we had a lecture that went over two days. So I wanted something that's very similar in feel; I didn't need to go to a completely new topic or something like that. And so here it's kind of, can you parse through and turn these into binary? You pretty quickly realize that you see something that feels like binary. Check every eighth character and see if it's 0, and that tells you if it's ASCII. So let's just get a flavor for it: ASCII, you're going to see like 0, 1, 1, 0, 1, 0 kind of early on, and every ASCII octet... octuplet, I don't know the word for that. But if I grab these eight at a time and it looks very similar at the start of my eight, then that tells me it's ASCII. Your instinct should always be to check ASCII if you've got binary, things like that. So now, honestly, at this point you could probably just copy and paste this into a text editor and just do a Find/Replace, and then throw it into CyberChef. One of the things I say about CTFing, which is why I thought you'd want to have a lecture like this: maybe it's the art of learning how to learn, or it's that you have to kind of fart around with it. And one of the things I like about it is that most of your education stuff is very sanitized. And here it's like, hey, here's a wide-open thing, go figure it out. And you can figure it out in a hundred different ways, right? It's very wide open. So nothing about what I'm saying is canonical in any way. That's why I like it. All right. So I'm going to Ctrl-F, replace this with 0, because I think it's ASCII. Find all, replace all. Let's get the other guy, find and replace, and get the newline characters out of there. If you don't know how to find a newline, I encourage you to find out about that; I don't know what to call it, but that's what I call it.
And now I've got binary, and I can just go to one of my favorite little things in the world, CyberChef. I could do this in Python 2 or whatever, but why? And you see I get a little magic wand that just tells me: there's my flag. Cool. All right, so you get something and you want to figure out, hey, I think this is actually sensible text. There you go. Enjoy your sensible text. All right. I think I might have another one that's in this kind of coding/misc camp. I feel like Minecraft is sort of in that camp. These two are probably misc coding, but with a little bit of web, so I'll move on. Yeah. Yeah. So that's what I was going to do next, right. So I think this is a really important skill for you in this class. And that is to say, you figured out something; there's some fishy little thing going on, and you have to fuss through all the things they've got. You need to set up a script that's going to ping it in some way. And if that service is going to shut down, if they're paying attention to the number of pings of a certain kind, then you might have to pretend to be a little bit more human than you are, right? So you might have to make your script, you know, blend in with normal traffic, right? I didn't make anything like that yet. But even as we do Minecraft, you might end up with too many requests from Firebase if you're too quick about it, and you might have to wait and do it again. So Tyler's question is very sensible. And it's this: all right, Minecraft. Let's look at it, because remember Minecraft; we have to look. I designed this as part 1 of the single-page-app conversation, which I thought was really important for you guys writing a Discord. Because you all need things.
By the way, I want to say, from my heart, I want to spend more time here in lecture doing what I think you most need out of office hours at this moment, which is: you guys are probably struggling with your Discord on dumb little things, right? I've had four interactions with students where they're losing three hours of time to just a semantic bug, right? That happens when you're young in a new field. You can get really embittered by that; don't get bitter. Just DM me, right? Because I've been through the woods on that a lot. I'd be like, hey, let's solve this in five minutes, so you don't spend three hours, right? And I'd like to do that in lecture, because that's what you need right this second to finish off that project, which is due in a week or two. And I don't really know how to... no. I did debugging lectures whenever you weren't quite ready; maybe go back and watch those debugging lectures or something. I've got little solutions, everything, everywhere. But you're probably facing all sorts of problems that are just slight variations of what you've seen. I don't know if you've got ideas for how I can, you know, like maybe if you email me bugs that you're facing, and I can go through... like, students actually never email me, but DM me bugs you're facing, and I can go through Wednesday and be like, here's a student bug, here's a student bug, something like that maybe. But I don't know. Maybe you feel like that's fine, we can keep going and security will be okay on the project. So I don't know how you feel. Okay, you're fine. We don't need to go back and solve these things. You'll solve them yourself. Don't spend three hours getting, like, sad, right? So if you find yourself... you know, it's okay to be sad. It's okay, just like the whole spectrum of human emotions.
But if you really get stuck, talk to me, talk to each other, that kind of thing. So Minecraft was designed mostly to demo a single-page app that has an infinite... it's an infinite world. I can go wherever I want to go. I don't know if you've found the limits of Minecraft yet or anything like that. But I can go to whatever coordinates I want to. It took a second; fair to say you found nothing? But that's cool, and I can just move around. It's a really dumb sandbox world where there's only one thing in the entire world. But to make it a worthy flag, I of course just decided these are going to move locations once a minute, just to add the coding challenge part of it. So if I sit here and refresh, it's at the end. If you look at this, the letter N, page zero, says go to coordinates 86, 2007, 450 to hurry. If I refresh again, there are different coords now. If I type them in, 4745 slash negative 17818, I can go there, and I got the letter I on page one. So clearly it's going to spell out Ninja, you know, and the books are going to move every minute. All right. So the books move once a minute. The first book is always at 0,0. Tyler's question is a very sensible one, which is: how do I go about coding that? Because this is going to load slowly, you know, there's a thing here. And so in that model-view-controller sense, what do I do if I go to do a web thing? First thing I do is inspect source, right? First thing I'm going to do is just look at the page source. Okay, so how does this do what it does? So I've got a Firebase database. When the DOM content is loaded, it splits the pathname into parts, changes the pathname. It does pushState, popstate; that's interesting. But it reads it from the path, writes it to the path. Fine. And this is the magic line you kind of need, right? So in my Firebase database, there's coords.
And then it can be x-coordinate underscore y-coordinate. Okay. Maybe there's one other part I might need. Oh, that's a little bit annoying. Sweet. No, it's not. Awesome. Okay, cool. I want this. So if I've got this URL, if I'm right, then `0_0.json` is the opening. Okay? So now I've got the JSON object that represents the first book. And it tells me the character, the index, and the coordinates of the next book as a key. So all I really have to do is just hit that URL, grab the key, adjust my URL, and go again. But I've got to go through 30 of those in a minute. So I've got two seconds per request. Okay. So it might be a little bit of a race; I might get cut off in the middle of it or something. But if I write that Python script, that's going to take care of me. So let's do it. This is a valuable thing for you to do in Python. Got this one, cool. I like to import requests; it's a nice handy little library that will let me do web requests from Python. Very useful. So let's say that I want to maybe write it as a function. So one, let's see. `baseline = ` this guy. Okay? And I'm going to put `%s` in here. So what I could do is, I want to just see it work once. And I can look at my documentation for requests and figure this out. But basically it's going to be `requests.get(baseline % '0_0')`. All right. That did a thing and gave me a response. Okay, and I think I can even do `res.json()`. Okay, cool. So I have now made the first request programmatically. The rest should be child's play, roughly, but let's do it real quick. `get_book`. Oh, I'll say `pages`. It's possible that I'm going to repeat myself a bunch. The pages, the characters, shouldn't change with the flag, right? So like Ninja or whatever, it will always be Ninja. So I might want to do this where, if ever I've had it before, I don't have to go after it and get it again, but we'll just see.
So I might say `def get_next(coords)`: a function that takes in coords; `res = requests.get(baseline % coords)`. And I guess I could say, oh yeah, thank you. Thank you. I've got Vim key bindings on, which is going to save me from my up arrow being busted. I miss my up arrow. Christmas, I'll get myself a new laptop. And how did this look? Kind of like this. So I want to say `pages.append(obj)`, just to store that. And we'll say `next_coords` equals the object's n key. But will you... there? That's fine. So I'm just looking at this to be like, hey, what's the next thing I'm going to get out of that object. I've got it, whatever. Now I've got the next coords, and I'll just `return next_coords`. I'm just throwing that in the pages here. So I'd probably get a lot of duplicates; it might be a little bit annoying, but I should probably do that as a dictionary on the flag index. So I'm just like, flag index, here's your current value, until I've got them all. But, bad public speaking-wise, three of you care about this at this moment, which is okay. But, you know, it's a little awkward from that perspective. It's like, okay, sorry. I don't know how to make it more interesting. I think it's really interesting, but it's not good public speaking. All right, so we'll say, I don't know, `temp = get_next('0_0')`; `for blank in range(50)` or something, we'll say; `temp = get_next(temp)`. All right. So that didn't work. Okay. That did work. Got it. Got it. Got it. Got it. Okay. Now, yeah, I must have, by the speed of it, I wasn't fast enough, right? So okay, okay. We got, well, that's looking good. Looking good. Ninja, love in my block game. Yo, done. All right, cool. So yeah, great. Under one minute. Code is fast, network requests not too many, things like that. All right, so the takeaways from that guy are this: this is fricking great.
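The chain-walk described above, written out by the editor as an added example (this is not the lecture's own script). It keeps the pages in a dictionary keyed on the flag index, as the lecturer suggests, and restarts from the fixed first book when a link goes stale because the books relocated mid-walk. Everything about the data format is an assumption: the field names `c` (character), `i` (index) and `n` (next coords), the base URL, and the convention that the last book carries no `n` key. The offline world below is constructed for the demo and is not real challenge data.

```python
"""Walk the chain of relocating 'books' behind a single-page app backed by a
Firebase-style REST endpoint.  Added example, not the lecture's code; field
names c/i/n, BASE and the 'last book has no n key' convention are assumptions."""

# Assumed REST shape: GET BASE % "x_y" -> JSON for the book at (x, y), or the
# JSON literal null when nothing is there (Firebase answers null for an absent node).
BASE = "https://example-project.firebaseio.com/coords/%s.json"  # hypothetical URL


def fetch_live(coords):
    """Fetch one book from a real database.  Not used by the offline demo below."""
    import requests  # imported lazily so the offline demo has no extra dependency
    res = requests.get(BASE % coords, timeout=5)
    res.raise_for_status()
    return res.json()  # None when the server answered null


def collect_flag(fetch, start="0_0", max_hops=100):
    """Follow next-coords links from `start`; return (flag, requests_made).

    pages is keyed on each book's flag index, so if the books move mid-walk and
    we restart from the first book, revisited letters are not duplicated and the
    flag is assembled in index order regardless of the order we saw them in.
    """
    pages = {}
    coords = start
    hops = 0
    while hops < max_hops:
        hops += 1
        book = fetch(coords)
        if book is None:
            # Nothing at these coords: the books relocated (or the link was
            # stale).  The first book never moves, so restart from it.
            coords = start
            continue
        pages[book["i"]] = book["c"]
        nxt = book.get("n")
        if nxt is None:  # assumed: the final book has no next key
            break
        coords = nxt
    return "".join(pages[i] for i in sorted(pages)), hops


# ---- constructed offline world (demo data, not the real challenge) ---------

def build_layout(flag, positions):
    """Lay `flag` out as a chain of books at `positions` (first must be '0_0')."""
    layout = {}
    for idx, (ch, pos) in enumerate(zip(flag, positions)):
        book = {"c": ch, "i": idx}
        if idx + 1 < len(flag):
            book["n"] = positions[idx + 1]
        layout[pos] = book
    return layout


def make_fake_fetch(layouts, relocate_after):
    """Serve from layouts[0] for the first `relocate_after` requests, then from
    layouts[1]: the once-a-minute relocation compressed into a request count."""
    state = {"calls": 0}

    def fetch(coords):
        layout = layouts[0] if state["calls"] < relocate_after else layouts[1]
        state["calls"] += 1
        return layout.get(coords)

    return fetch


LAYOUT_A = build_layout("NINJA", ["0_0", "86_2007", "450_-2", "4745_-17818", "9_9"])
LAYOUT_B = build_layout("NINJA", ["0_0", "12_34", "-5_77", "100_100", "3_-8"])

if __name__ == "__main__":
    # Books move after the third request: the walk restarts once and loses nothing.
    flag, hops = collect_flag(make_fake_fetch([LAYOUT_A, LAYOUT_B], relocate_after=3))
    print(flag, hops)  # NINJA 9
```

With the real endpoint you would pass `fetch_live` instead of the fake fetcher; the rest of the walk is unchanged, and the restart branch is what turns the "I wasn't fast enough" failure into a retry rather than a wrong flag.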
The requests library is just so nice, because I can just do all the web stuff as if I'm in Python, whatever, and be done with that. So takeaways: that was a good question. And that's what I would call a brute-force web one, right? So what are some of the other brute-force web ones we did? We had the profanity filter and the only-username kind of guys. These are very similar, right? There's an API; you can do it. I go immediately to Python and then just run my code that way; I forget the web interface. I think Tyler solved this through the web interface first, or whatever. It's fine. It's fine. I would do it with Python in that other way because I trust it more. So this is playing with you who are in that algorithms class: this is a login search. So one of the things that's a little bit annoying to me is the way that I structured this; that's part of the reason I want to go to Python. Yeah. Yeah. So part of why I wanted to do this one in Python is that once you get the concept, like she's talking about, the concept of the problem: I put in a string. I put in an A, it says I'm below. I put in Z, it says I'm above. So, in essence, I want to find the spot where it goes from below to above. Okay, so the letter N was the first letter of this thing. That's what I just learned, right? And now I can go to, like, NA, submit, and NZ, submit. And M is above, and F is below. Yeah, I suspect it's ninja. H, I, J is above. Okay, cool. But given that I'm an algorithms geek, like, I'm a math PhD, I like algorithmic design, I like practical applied complexity theory, doing this one this way makes me want to fall asleep. I don't want to do it this way. And the reason I don't want to do it this way is, think about the cost of this. Let's say that there are like 30 characters in that thing, right?
With each of those characters, that's maybe five or six web requests, something like that, before I pass that thing. Now, why is it 5 or 6? If there are 26 letters, and what I'm trying might not be letters, there are also other characters and stuff like that, so maybe it's 50. Every try, I should cut the options in half. So if I go in with an M and it says it is above that, I know it's in the first half of the alphabet. And if M is below, it's in the back half of the alphabet. So if I split the range of things I'm playing with in half every time, that becomes log n cost. That's the name for that: binary search, binary search. But in doing it this way, it's not going to be log n. This is going to be sort of n times log k, where k is the size of my character set. But it's binary search, so it should be log n, right? So I'm not going to really get the log n unless I'm throwing an integer at it. So for me, just being the crypto guy that I am, I want to do this problem with integers and say: if I map an integer to a character string, find me the correct integer overall, instead of doing this very human way. And if I go the human way, I'm going to go through 30 searches of like five or six each, or maybe 10 each, so I've been sitting here for 300 attempts. If I do it the other way, I'd be done in 10 attempts, you know. So I didn't do that. But the way I want to do it is like this. Inspect, view page source. It's a POST to /username with the test word. Okay, so I want to get this thing going; go over to my IPython. Since the last time we had to do a `requests.post`, this thing. I'll say `%s` and then do percent, and it was quote, `username/a`. Okay. 404, all right, that's not good. `username`. Thank you. Okay. And that'll let me go ahead and save the `res` object. All right: direction below. So I've now done a programmatic hit of that thing.
So now what I really want to do is say, like... well, I'll just show you this once. I love this little utility, which is `long_to_bytes`. So here's the number 555 as bytes. And I can go back and forth. So now all I have to do is just say there is a number that represents the flag. I can make a fake flag, Ninja stuff, whatever, and get a feel for how big that number is. So I could say `bytes_to_long` of that flag. So this is that thing as an integer. So my number is going to be somewhere in that range. And so I just want to give it a number in that area and write a little binary search and let it go nuts finding the number, rather than worry about characters like, oh, so human, right? There's a valuable lesson somewhere in that, which is that when I was starting to learn how to code, the first thing I did, I wanted to write a Sudoku solver. All right, I'm going to go write my Sudoku solver. You're tempted to solve it like a human would. You know, you're like, all right, I can cancel these possibilities and there's this thing; you're trying to eliminate human-style. And that's not what a computer is. A computer is not a human, right? Computers are really good at stupid stuff a trillion times a second. So whenever possible, think like a computer, not a human, when you're writing your computer stuff, right? Because if you try to make the computer think like a human, that's the world where machine learning and crap, whatever, and it's 30 years before computers have caught up to do enough things, versus maybe just brute-force it in the way that the computer thinks, and you're going to have more success. So just philosophically, that's fine. Okay, so binary search, that's cool. That's this thing. Cool. I got more time than I thought. All right. So the Firebase rules ones. I totally want to show you my... you know, like, I think this might be my favorite web flag I've ever written. I just love this one.
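The integer-search idea from the last two paragraphs, written out by the editor as an added example (not the lecture's code). `UsernameOracle` stands in for the POST /username endpoint and only mirrors the below/above/match answers the lecture describes; the real request format is not on the page, so a live version would put its `requests.post` inside `direction`. The mapping is generalised slightly from `long_to_bytes`: an integer is written in base k over a sorted alphabet, so the search can be confined to printable characters (which survive form encoding) while with the full 256-symbol alphabet `int_to_word`/`word_to_int` are exactly `long_to_bytes`/`bytes_to_long`. The one assumption is that the server compares the submitted string to the secret lexicographically as bytes, which is what the A/Z probes in the lecture suggest; under that assumption each candidate length costs about length times log2(k) requests rather than the per-character guessing the lecturer complains about.

```python
"""Binary search against a below/above/match username oracle over integers,
not characters.  Added example; the oracle is simulated in-process and the
secret b'ninja' is constructed demo data."""

PRINTABLE = bytes(range(0x20, 0x7F))  # sorted printable ASCII, 95 symbols
ALL_BYTES = bytes(range(256))         # with this alphabet int_to_word == long_to_bytes


def int_to_word(n, length, alphabet=PRINTABLE):
    """Write n in base len(alphabet) as a fixed-length word, most significant first.
    Fixed length over a sorted alphabet makes lexicographic order == integer order."""
    k = len(alphabet)
    if not 0 <= n < k ** length:
        raise ValueError("n does not fit in %d symbols" % length)
    out = bytearray()
    for _ in range(length):
        n, d = divmod(n, k)
        out.append(alphabet[d])
    return bytes(reversed(out))


def word_to_int(word, alphabet=PRINTABLE):
    """Inverse of int_to_word; with ALL_BYTES this is bytes_to_long."""
    k = len(alphabet)
    n = 0
    for b in word:
        n = n * k + alphabet.index(b)
    return n


class UsernameOracle:
    """Stand-in for POST /username: reports whether the guess sorts below or above
    the secret, or matches it, and counts requests.  Assumes (as the lecture's
    A/Z probes suggest) that the server compares the strings lexicographically."""

    def __init__(self, secret):
        self._secret = secret
        self.calls = 0

    def direction(self, guess):
        self.calls += 1
        if guess == self._secret:
            return "match"
        return "below" if guess < self._secret else "above"


def search_fixed_length(oracle, length, alphabet=PRINTABLE):
    """Binary search the integers [0, k**length).  Returns the matching word, or
    None when no word of this length matches (the search then just closes on the
    gap between the two neighbours of the secret and exits)."""
    lo, hi = 0, len(alphabet) ** length
    while lo < hi:
        mid = (lo + hi) // 2
        guess = int_to_word(mid, length, alphabet)
        answer = oracle.direction(guess)
        if answer == "match":
            return guess
        if answer == "below":  # guess sorts before the secret: move up
            lo = mid + 1
        else:                  # guess sorts after the secret: move down
            hi = mid
    return None


def recover_secret(oracle, max_length=16, alphabet=PRINTABLE):
    """Try lengths 1..max_length; each costs about length*log2(k) requests.
    If you can gauge the length first (bytes_to_long of a fake flag, as in
    the lecture), start the range there and skip the shorter attempts."""
    for length in range(1, max_length + 1):
        found = search_fixed_length(oracle, length, alphabet)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    oracle = UsernameOracle(b"ninja")
    print(recover_secret(oracle), oracle.calls)
```

For the five-character demo secret the whole run, including the four failed shorter lengths, stays near a hundred oracle calls; the per-character approach the lecturer describes would spend that many on a secret of half the length.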
It captures a lot of things that I like in the world. So I have probably written maybe four of them that are Firebase-rules-based flags, actually. You tell me, what are those ones? A Firebase-rules-based one is this guy: My Security Rules Are Cool. How many of you solved this one? Not even the three people who actually did solve it put their hands up for that. Okay. Okay. Fine. Let's talk about this one rather than my favorite one. So this was thinking about, and teaching about, good intentions and the road to hell and all that. So this has two perfectly secure things that I'd really use for real clients, but when they're mixed in just the wrong way, it falls apart. One of my favorite lessons of CTFing is that type of humility, which is to say, I could write that. And if I wrote that, my clients would be vulnerable. And when you realize that the thing that you would naturally write is vulnerable, because it's there in a CTF, it forces you to, like, hold on, I need to take this more seriously. Like, people will die if I deploy this. So okay. So this is me about humility, but look at that. Let's look at that a little bit cleaner, I guess. Prettify JSON. Best JSON pretty print online. Hook. It remembers me. Go. All right, so just to see this. Okay. Looking at it this way, I can see that the top rules are saying any user can write to their key in the database, and read from their key in the database. And you can register with this app and get your own little user key. But there's a flag key. And if you go to that flag, you're not allowed to overwrite it, fine. But you can read it if, under your unique ID, under roles, under the key admin, there is any value. All right, so if under users, your unique ID, roles, admin, it says anything: true, hi, whatever, then it will let you read the flag. Okay. So how do I deal with that?
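A hardened rules layout for the situation described above, added by the editor as an example; it is not the challenge's actual rules file, and the branch names `users`, `roles` and `flag` are assumptions made to match the lecture's description. The weak layout grants the authenticated owner read and write on `users/$uid` and lets anyone read `flag` when `users/$uid/roles/admin` exists, so the same client that is trusted with its own profile can write `roles/admin` under its own key and then read the flag. Realtime Database rules cascade: a `.write` granted at `users/$uid` cannot be revoked by a `.write: false` on a deeper child, so the privileged data has to live in a branch the client cannot write at all, to be set server-side with the Admin SDK (which bypasses these rules), and the flag rule should check for the value `true` rather than mere existence.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "roles": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": false
      }
    },
    "flag": {
      ".read": "auth != null && root.child('roles/' + auth.uid + '/admin').val() === true",
      ".write": false
    }
  }
}
```

The two halves the lecturer calls individually fine stay fine here: users still own their own subtree, and the flag is still gated on an admin role; what changed is that the role is no longer inside anything a user can write.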
Probably one subtlety that I didn't say in class, because the class hasn't been about the flags yet; the class has been about the labs, and the flags are theirs. So you know what? I do want to talk security, just a little contract for the future. That if I'm going
cpeg472-010-20211011-090501.mp4
From Pasquale Zingo October 11, 2021
Video Created by UD Capture Classroom Recording in Brown 101 on 2021-10-11 09:05:00.