Don't make random HTTP requests.

  • Published 22 Jan 2025

Comments • 270

  • @AhrenBaderJarvis 3 years ago +183

    This is the BEST explanation of SSRF I've ever heard and I finally understand it now. Thank you.

    • @PwnFunction 3 years ago +21

      Means a lot, thanks!

    • @RAGHAVENDRASINGH17 2 years ago +1

      That's debatable

    • @algorythmis4805 2 years ago +8

      @RAGHAVENDRASINGH17 then debate

    • @vitaminncpp 1 year ago

      @algorythmis4805 Where's the link to the talk you mentioned in the video?

  • @avi12 3 years ago +618

    This channel is heavily underrated

    • @kanekino9507 3 years ago +4

      Holy fucking shit yes

    • @NanoTrasen 3 years ago +2

      It's like LiveOverflow, but before they went to shit.

    • @android-user 3 years ago +1

      @NanoTrasen what went wrong with them? :/

    • @manuyel4845 3 years ago +1

      @NanoTrasen since when did LiveOverflow go to shit?

    • @nas73603 3 years ago +1

      @manuyel4845 ikr, like wut does he mean?

  • @floridamanfloridaman1687 2 years ago +43

    The funny thing about this channel is that it always flew under my radar because I thought by the graphics in the thumbnails that it wouldn't dive too deep into the topics. I guess I'll never judge a book by its cover again. Real nice vid, keep it up!

  • @adygombos4469 3 years ago +25

    I love these videos. Every time I see one I understand around 30% of what he's saying, but I'm still watching 'till the end.

  • @KentoNishi 3 years ago +38

    Just found your channel and I think it's heavily underrated. Keep making more videos plz, even tho I don't do security stuff myself I find it really interesting and your explanations are super easy to understand for noobs like me too. Love it!

    • @Ikxi 3 years ago

      Lmao the LiveTL guy
      Hi

  • @sodiboo 3 years ago +338

    I swear I've heard someone jokingly say "CRLF injection" before, and although I've seen that fuck with UI only intended for single lines (chat text boxes in some games, Muck for example, and you can impersonate others in chat), I never thought it would be an actual security vulnerability in a real application that can actually cause damage without another human element lol

    • @tauon_ 3 years ago

      Hi terrain!

    • @alb12345672 3 years ago +5

      who needs cr lf when you have && and ; :lol

    • @SirusStarTV 3 years ago

      Muck

    • @creepergamer2911 2 years ago

      muck

  • @phanirithvij 2 years ago +12

    Great video, thanks for introducing SSRFs in a practical, hands-on and easy-to-understand way.

  • @cybercdh 3 years ago +16

    Really great video. I love your editing skills, so slick, nice job.

  • @sanderd17 3 years ago +49

    11:50 rubocop reported that line for a reason apparently.

  • @basspotion846 3 years ago +32

    This one definitely made my day...!

    • @BigYoshi826 3 years ago +2

      It kinda ruined my day

  • @luandasilva4639 2 years ago +3

    this channel is as good as it gets man, props

  • @triularity 2 years ago +15

    So remember when connecting to random URLs: either bind your client to an IP which only has public internet access (i.e. via firewall settings); use a client library which has an option to only connect to public addresses (or can do so via an access control callback); or funnel all the requests through a proxy which denies access to any internal addresses.

    • @chilversc 2 years ago

      Envoy proxy is good for this, supports mTLS and access control.

  • @TShad0w-Sec 2 months ago

    I don't know why you guys stopped making such content. You were doing great. I am a fan. The way this channel goes on to explain, it is awesome

  • @ModernAtomX 2 years ago +2

    I was in the middle of this video, but I set it down and when I came back, the video was off YouTube. Glad to see it's back so I can finish it lmao

  • @mohamedfatheem2872 3 years ago +2

    Amazing work my brother! Lots of love! Keep making awesome content like this.

  • @Evoleo 3 years ago +8

    FINALLY guys he uploaded!

  • @Dziaji 3 years ago +5

    Cool video, and your English is terrific. I almost didn't notice that you weren't a native English speaker.

  • @fmenguy 3 years ago +4

    Thank you for these explanations. I was waiting for a video on this type of problem. Your diagrams and your speech (rather slow) are a plus for me, who sucks at English :')

  • @Henrix1998 2 years ago +15

    I'm constantly surprised by the amount of languages and frameworks that allow executing any string you give them

    • @MechanicalMooCow 2 years ago +4

      just webdev things

    • @JMurph2015 2 years ago

      I think it's the hacky way around having proper abstractions for modules/extensions in your codebase. Want to have a middleware system without properly defining the interfaces? No problem, just give your users a hook that's passed into the eval() function as it processes requests! Problem solved!

  • @hexrays6150 3 years ago

    I have been waiting for a new video from this channel. Very good content and explanation, nice animation and voice.

  • @chiefkeeflover4 3 years ago +1

    Your channel has helped me out greatly. Tysm!

  • @Ikxi 3 years ago

    You give me such LiveOverflow vibes haha
    I like it

  • @potatoonastick2239 3 years ago

    Good vid bud, thanks for making it! And have a nice day

  • @giaphatha88 3 years ago +2

    This is top tier content, keep it up!!!!

  • @verolyn8459 3 years ago

    Probably the Best Explanation So far, Thanks bud

  • @samuelnarciso9110 3 years ago +2

    This dude is awesome, I love your videos

  • @ilikememes9052 3 years ago +4

    I am from a software engineering background and have got interested in cybersecurity too now.

  • @michaelhackman3195 3 years ago +2

    Keep it up! Love your videos

  • @liesdamnlies3372 3 years ago +22

    2:38 Hold up a second. That's a Python REPL, but my god it's beautiful. How was this magic accomplished?!

    • @PwnFunction 3 years ago +22

      Bpython Interpreter

    • @liesdamnlies3372 3 years ago

      @PwnFunction Thank you so much. This is way more comfy than the stock interpreter. :D

    • @alb12345672 3 years ago

      @liesdamnlies3372 If you do something like path = require("path") in the node REPL you get some minimal documentation (e.g. just a list of methods)

  • @b391i 3 years ago +1

    Awesome as usual like Fireship 😁

  • @sugiii9616 3 years ago +56

    "Kinda like, you know, when you were young and you want those beers but you were underage"
    No, sir, I don't. I'm an European

    • @fitmotheyap 3 years ago

      Europe ftw

    • @P4INKiller 3 years ago +3

      _A_ European.

    • @sugiii9616 3 years ago +1

      @P4INKiller un Européen* één Europeaan* und Europäer* un Europeo* un Europeista* un European* um Eurpeu* ktoś Europejczyk* (idk my Polish sucks ?) Unu Eŭropujo/Unu Eŭropio*
      And sorry mates, I don't have a keyboard for Czech, Ukrainian, etc.

    • @fitmotheyap 3 years ago +1

      @sugiii9616 европјанец (this is in Macedonian, idk about other Slavic)

    • @sugiii9616 3 years ago

      @fitmotheyap Thank you sir! I've known how to read your alphabet for 2 weeks hehe 😎😎

  • @hakura88 3 years ago

    I love your videos. Keep your work up, it's amazing.

  • @daltonb 2 years ago +1

    Excellent explanation, earned my follow!

  • @SlySportz 2 years ago

    Really enjoying your channel, my friend. Keep it up

  • @tiscrispin 2 years ago

    Oh my, this was an insightful one :D

  • @superhero1 3 years ago +1

    Great video my friend! ❤️

  • @barack454 3 years ago +3

    At 12:53 you are giving Redis port 6379, but in the terminal when you check at 13:18 the port number it is connected to is 1337.
    Could you please explain this?

    • @colorspace5541 3 years ago +5

      Port 1337 is what the "outside" ncat server listens on, and as he said at 12:58, this was just the proof of concept.
      He sent this instruction to the Redis server on port 6479:
      "Execute the Linux id command (returns current shell user-id or short UID) and post the result to the ncat server running on port 1337"

  • @Milten130 2 years ago +1

    This video somehow shows as uploaded 6 months ago. Good explanation.

  • @ShouldBeKnown 2 years ago +4

    where are the comments?

  • @dummyna2335 2 years ago

    Bro, you're a legend.

  • @resphantom 2 years ago +13

    One of the reasons you should enable password authentication on your Redis and separate your automation from your environments.
    Here is one of the biggest risks in some companies: having a central user that has admin access to an entire Kubernetes or ECS cluster. If the credentials or token of this user become compromised, the attacker will essentially have full control over your entire cluster.
    We should probably also separate hackers into 2 categories:
    - People who want to do damage
    - People who want to gather valuable information
    *Hacker (Gatherer)*
    Large quantities of categorized, accurate data are extremely valuable. Many companies, big or small, store general user data, such as overall sales data, to determine which products the majority of their clients like and try to cater to the larger audience.
    There are usually big-data-based systems that use these datasets to build statistical models to help make sense of the majority of this data.
    Now for the hacker gathering data: if they somehow got hold of these datasets, they could sell them to the competitors of the company they stole from, who would then use that data to push specific products out to the same customers faster, making themselves look better. A strange strategic tactic of stealing another company's customer base.
    *Hacker (Attacker)*
    The common malicious attacker could attempt a similar thing but with a different route. They can simply be paid by a company to shut down or to compromise their competitors.
    For one, if they somehow got access to those same datasets, they could simply permanently delete that data, crippling the vision of the competitor. When a company does not know what's happening in their own sales, they may bring out products that the clients won't buy, costing the competitor insane amounts of lost revenue.
    Or if the attacker somehow got access to the system, they could be paid by a company to simply cripple critical systems of their competitor. If the competitor can't make sales or has a crappy service, then the customer base would most likely flock to whatever works.
    *Conclusion*
    Think of it this way: if you suddenly can't use Google, what other search engine would you use?
    Probably Bing or DuckDuckGo, right?

  • @FedoraRose 3 years ago +3

    Finally a new video :D

  • @SurajGaud 3 years ago +3

    Quality content

  • @abdullahessam6998 1 year ago

    Hello, I would like to know if there is a way to predict the semi-random numbers to get profits from betting applications and semi-crash??😢

  • @salluc1712 3 years ago +2

    Keep it up, that's amazing, thank you

  • @MrNicKO81 2 years ago

    Cool! Very interesting, I feel a little smarter already, thx ;)

  • @ashvinbhuttoo 2 years ago

    Great content, subbed! 🐧

  • @Aolpha 3 years ago +7

    Welcome back
    Hope you're fine and dandy?

    • @PwnFunction 3 years ago +7

      I'm good, hope you're well too

  • @agoogleuser5420 2 years ago +1

    I finally understand why Roblox doesn’t allow requests to their own domain through Roblox game servers.

  • @laurinneff4304 3 years ago +3

    How did you get the docs in your Python REPL at 2:44?

  • @hundredchaos7831 3 years ago

    Finally you are back ☺️

  • @dorb1337 3 years ago

    YOU ARE THE REAL MVP.

  • @randomguy3784 3 years ago

    Excellent video!

  • @mrala 3 years ago

    awesome job man

  • @olo90 3 years ago +3

    Any chance you can cover the Twitch hack? Would be nice to get some more info there.

  • @dinoscheidt 3 years ago +5

    3:07 “there is an old talk, but still great” Talk is from Jan 9, 2020 👀 … one really has to awe that in tech we move so fast that a year old talk is considered old. Borderline outdated. Now the doctors office that happily works with best practices learned at college 15 years ago needs to defend against this world. 😅 ehm… yeah, my bet is on black

    • @PwnFunction 3 years ago +6

      That video was re-uploaded in 2020, but the first video surfaced in 2017. You can also see "2017" in the top left corner ;)

    • @dinoscheidt 3 years ago

      @PwnFunction Ok ok, fine, it's 4 instead of 2 years - still far off 15 years 😬….. 🐌

  • @lowborn7231 3 years ago

    Where are the videos? Did you forget you have a channel? I'm waiting for new content :(

  • @triularity 2 years ago

    Alongside the newline injection vulnerability, it seems Redis should abort the connection the moment it gets an invalid line. This likely would have also prevented this particular exploit.

  • @badreddinechamkhi3785 3 years ago +24

    Hey man, we are waiting for the binary exploitation series!

  • @reizinhodojogo3956 2 years ago

    A guy made a video of bed-trapping someone but he forgot to censor about 1 or more frame(s); the guy is lucky I won't use his (idk what) for anything bad

  • @jayshah5695 2 years ago

    The netcat technique was great, would you make a video on all the use cases it enables?

  • @Hextator 2 years ago

    When I was still a teenager I found out that a website I used for an online game could be used to send e-mails to anyone AS anyone registered on the website. I never reported it because it never occurred to me how big of a deal that is at the time, and I forgot to write down how I did it, which goes against the whole "it's not science if you don't write it down" belief I've been operating on for the past 16 or so years ;/

  • @krystofoxik 3 years ago

    Great content!

  • @hanabi6841 3 years ago

    Can you demo how to bypass SSL pinning in a Windows application?

  • @zyansheep 2 years ago +1

    All the comments are gone :(
    At least the video is back!

  • @insanity2753 3 years ago

    Great video, thank you.

  • @josephseed3393 2 years ago

    Isn't the JSONified class also insecure deserialization? Ruby executes whatever it sees in the function of that class, so that is insecure deserialization right? The complete vulnerability chain in this case would then be SSRF + CRLF + Insecure Deserialization

  • @tatianatub 2 years ago

    If I had found this channel when I was in high school I'd have ended up going to juvie

  • @FelixHdez 2 years ago

    Old talk?? It was like 16 months old when this vid was made

  • @nakulgopal60 3 years ago +1

    Your content is really good, and the animation is great too. It'll be great if you make a video on how you research all these things, how to approach the research and what sources are best.

  • @Sparkette 2 years ago +10

    Which of the Community Guidelines did this allegedly violate?

    • @dxxx. 2 years ago

      Shush....

    • @drishalballaney 2 years ago

      Same question

    • @hipster2283 2 years ago +1

      He said there was a joke that violated guidelines that has been removed

    • @Sparkette 2 years ago

      @hipster2283 What was the joke?

    • @hipster2283 2 years ago

      @Sparkette not sure, the video got taken down before I watched it

  • @realcartoongirl 2 years ago +1

    My brain is too dumb to process this

  • @optimiserlenergie1094 3 years ago

    Redis does not require authentication?

  • @june4171 2 years ago

    I died when you compared sitting outside of the liquor store to SSRF

  • @davidlee588 11 months ago

    As a hello-world engineer, I cannot fully get what this video means, but I know this is good. What should I learn in order to understand this video?

  • @mohamed-0101-i8e 3 years ago

    Can I ask you what tool you used for the diagram at 1:52?

  • @hengyongming3676 3 years ago +1

    Finally, waited so long for this video

  • @itsmerg5273 3 years ago +6

    You have such quality content but you should upload more

  • @wusluf 3 years ago

    What tool do I need to make visualization like the one at 1:53?

  • @rexyfahrezi 3 years ago

    That's awesome!

  • @Verrisin 2 years ago +1

    ok, so... just route all "external-origin" url requests through adapters that only lead directly outside ... ? - essentially, through the "public-ip router" ...

    • @Verrisin 2 years ago

      yeah, in fact, no need to error-pronely sanitize my urls - just load them all through a proxy which runs outside of the internal network. ... I think that solves it perfectly.
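An added example, not code from the video or from any commenter, of the allow-only-public-addresses approach that @triularity and @Verrisin describe above: a pre-flight check for a user-supplied URL, written in Python. The `resolve` parameter, the hostnames and the `is_safe_outbound_url` helper are assumptions made so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not from the video or its comments). Refuses any URL whose
# host is, or resolves to, a non-public address, and refuses raw CR/LF in the
# URL so the request line cannot be split into extra protocol lines (the
# newline-injection trick against Redis that the comments discuss).
# `resolve` is an assumption added for offline testing; the default uses the
# system resolver.

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def default_resolve(host):
    """Every A/AAAA address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url, resolve=default_resolve):
    """Validate a URL before the server fetches it on a user's behalf.

    Returns the public IP addresses the host resolves to. Connect to one of
    these exact addresses (sending the original Host header) rather than
    resolving again at connect time; a DNS answer that changes between the
    check and the connect (DNS rebinding) would otherwise defeat the check.
    Raises ValueError with the reason when the URL must not be fetched.
    """
    # Checked on the raw string: urlsplit silently strips CR/LF, so a check
    # after parsing would miss them.
    if "\r" in url or "\n" in url:
        raise ValueError("CR/LF in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        # Hostnames (and odd literals such as "127.1") go to the resolver,
        # which typically normalises them, so the address check still applies.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError("host did not resolve")
    bad = [str(a) for a in addrs if not _is_public(a)]
    if bad:
        # A single non-public answer is enough to refuse: a name that resolves
        # to both a public and an internal address is a classic rebinding setup.
        raise ValueError("non-public address: " + ", ".join(bad))
    return [str(a) for a in addrs]


def is_safe_outbound_url(url, resolve=default_resolve):
    """Boolean form of check_outbound_url for callers that only need yes/no."""
    try:
        check_outbound_url(url, resolve)
        return True
    except ValueError:
        return False
```

This covers the "only connect to public addresses" client-side rule; the proxy-based variant from the same comments applies the equivalent check on the egress proxy instead of in the application.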

  • @Afitz200 2 years ago

    Back from the dead!

  • @Linuxdirk 2 years ago

    Sigh ... Why the heck are SSRFs still possible? It's 2022 for ducks' sake!

  • @binedstudios 2 years ago +2

    this is helpful

  • @Jakemontana91 3 years ago +1

    I'm new to this stuff and learning, but what is the difference between an SSRF and a CSRF? Thanks for the knowledge!

    • @lonelybookworm 3 years ago

      SS = Server Side
      CS = Cross Site

  • @kenGPT 3 years ago

    Stok sent me, you got my sub.

  • @realslimchaggy 3 years ago

    Yo bro, how does everybody get free websites.. of course not everyone has wifi and money, so how can they create a server for free.. please answer my question and tell me how I can build a server (Linux) for free

  • @MarcusAndersonsBlog 2 years ago +5

    Self-generated code execution is considered an extremely useful feature in interpretive languages, and I don't see it disappearing. However, one does wonder if it's a fool's errand arising out of lazy thinking. You can add a lot of power for very little effort this way, but the unnoticed security envelope (usually) requiring executable code to sit in OS-protected memory is bypassed in any kind of interpreter. This violates the implied security model of the Von Neumann/Harvard architectures. So the security model never taking into account interpreters is actually responsible for the problem to start with.
    Browsers should never have been enabled to run interpreted scripts either (go ahead and laugh, but I'm deadly serious). I was pretty amazed when HTML appeared in the 1980s as uncompiled & unencrypted, but when Netscape introduced JavaScript I pretty well fell off my chair. My suspicions were confirmed when I subsequently learned HTML was invented by a self-taught non-computer professional.
    The danger of interpreters was already quite apparent to me after just 4 months into my IT career on the DECsystem-10. The TECO editor (aka 'vi') used a privileged operation that could allow TECO code to receive passwords in a fake login attempt. Only a privileged program like TECO could do this, but TECO was an editor with its own interpretive language. All SSRFs work this same way. Interpreters that allow (new) code execution are a really really bad idea. There is simply no need for it, although it makes a FEW difficult things much much easier without having to write code for them, at the expense of violating the fundamental computer architecture security model.

  • @Nirgranth 3 years ago

    01:18
    That takes screenshots of other websites? How do you do this?

    • @PwnFunction 3 years ago

      Easiest way is to use a headless browser. Check out the pptr.dev project.

    • @Nirgranth 3 years ago

      @PwnFunction thanks, it's easy to use

  • @bwbs7410 2 years ago

    “I just learned ruby last night” LMAOO hard flex

  • @Asrashas 2 years ago

    Dumb question and not really related to the topic but: Is there a tool to make isometric graphs like at around 2:00? That looks pretty neat.

  • @iraklisskepasianos5095 3 years ago +1

    Great video as always! Could you please send the link of the github repo with the SSRF examples?

  • @TrashwareArt 3 years ago

    Are you interested in working for the monero research labs?

  • @omarelfarsaoui5498 3 years ago

    Awesome 👏🏻

  • @lmlagg 2 years ago

    Wait that outro... It sounds... Familiar...

  • @MrAnderson3330 3 years ago

    What does this mean for its IPO day

  • @st0ox 3 years ago

    Man, I like these flaps.

  • @deinpapa3769 2 years ago

    Like blind SQL / HTTP header injection?

  • @int4_t 3 years ago

    I miss the old drawing style videos

  • @kasrow12 3 years ago

    Where is your intro? It was awesome.